Path Forward for Trust and Identity: Conclusions of Summer Planning
By Klara Jelinkova, Vice President & CIO of Rice University and chair of the TIER Community Investor Council
From the TIER Community Investor Council
As we shared with you in July, Kevin Morooney, Internet2 vice president for trust and identity, has conducted several meetings (referred to as “Paths Forward”) to align discussions and expectations regarding Trust and Identity. In particular, we looked at potential sustainable funding models for InCommon, TIER components, and other efforts regardless of how they were initially started (federal grants, membership dues, one-time investments, etc.). My blog post from the July TIER newsletter provides the details.
This article is a summary of the combined findings from those conversations.
The TIER and InCommon Path Forward teams aligned and ended with the same observations and results:
- Internet2/InCommon/TIER have a leadership position in US trust and identity. There is a desire to maintain this position, even in the face of considerable threats.
- The trust and identity solution set(s) for higher education remain sufficiently unique that we need to continue to develop these solutions.
- The InCommon Federation and TIER Program are highly dependent upon one another.
- Sustained engagement with both executive and technical community leadership will be necessary for a vibrant trust and identity set of capabilities and vetted campus deployment strategies.
- Services and new capabilities require multiple funding strategies that best suit their contexts.
- Financial subsidization of a service or new capability should be an intentional bridging strategy; otherwise it should stand on its own.
TIER Priorities in Sustaining Funding
- Solidify the newly created role of Vice President of Trust and Identity within Internet2 and move to a permanent governance structure. This will include the move towards a Trust and Identity Program Advisory Group (PAG) and require broad communication and listening across all stakeholders.
- Continue development and achieve sustainability for components that increase velocity and efficiency of the program and expand its reach: de/provisioning, entity registry (person and object), components packaging, components and operations security audit.
- Continue development and achieve sustainability for Shibboleth, Grouper, and application programming interfaces (APIs) for ease of campus integration.
- Continue management of the program and leverage Internet2’s existing strengths (community engagement, communications and marketing, program management, etc.) in other areas to augment these efforts.
InCommon Priorities for Sustainable Funding
- Sustaining the Shibboleth Federating and Single Sign-on software is required for ensuring the evolution of the core federation services (e.g. support for OpenID Connect).
- Hardening and sustaining federation operations is important. We need to achieve an acceptable risk profile reflective of participant dependency on the federation, including disaster recovery and business continuity, software quality assurance processes, and scheduled security reviews.
- Scaling the federation operations and infrastructure for the future to address critical items such as metadata exchange and delivery and adoption of campus requested services such as OpenID Connect.
- Maturing the federation service delivery to ensure a positive participant experience and to enable scaling up to support a broader set of participants, such as a ticketing system and the Steward Program (which allows for increased participation by K-12 through collaboration with regional and state networks).
- Creating and adhering to standards of interoperability, security, and trust practices aligned with the interests of all participant communities to increase the ease of connecting to and value of the federation.
Final Observations about InCommon
- The InCommon Federation is a strategic Internet2 asset. The LLC structure should be examined over time.
- Federation identity providers need to be committed to adhering to common interoperability, security, and trust practices. This is more important than lowering baseline standards in order to encompass participants not motivated by this principle.
- The fee structure must be changed to reflect 1) the mission criticality of the federation and corresponding benefit, 2) deep understanding of the costs to sustain the mission, and 3) mitigating risks to InCommon's trustworthy operation (including Shibboleth).
- Shibboleth is inadequately funded yet is a core element of the InCommon Federation. Evolving and scaling the federation can only occur when the two evolve together, for example in support for OpenID Connect and other enhancements.
- The value proposition for InCommon higher education and research participants decreases when vendors fail to fully support InCommon standards. For example, what is the process, and should there even be one, for NET+ contracts to opt out of InCommon compatibility? The reverse is also true: the value proposition for sponsored partners decreases when those deploying identity providers don't support InCommon standards.
- The federation's ability to scale and sustain depends only partly on technology. Substantial and sustained effort is required to understand the interests, and then strategically align the practices, of communities of higher education, research organizations, and sponsored partners with InCommon's mission.
There is an increasing recognition of the need to align funding levels with community expectations of functionality and level of service delivery. The community groups confirmed that multiple funding sources will be needed to reach the targets, but one key component will be InCommon fees. InCommon Steering will be discussing this issue over the next few months.