3.3 User Studies
Current – June 2004
We will complete the student user survey and in-depth interviews in the spring of 2003. We will then begin to analyze the types of security-related and risky behavior common among student-users, as well as their knowledge and awareness of computer security issues. Using this data we will also begin to identify the types of activities users would like to engage in but currently can do only in an insecure way (e.g., delegating authority and control of a specific action, such as check-in, to another actor, which currently requires users to share passwords). We will make our analyses generalizable to the higher education community by using national data on student computer use from the Higher Education Research Institute’s CIRP study and other national data to adjust the Dartmouth sample to be representative of the national student population.
This summer we will conduct the next phase of the user survey by sampling staff members about their security behavior and knowledge, as well as the types of activities that currently require unsecure actions. Finally, in the fall of 2003 we will survey faculty members. Combining data from the three survey populations (students, staff and faculty) will enable us to provide a comprehensive analysis of user security behavior in higher education, i.e., help us to understand what users actually do, and why they do what they do.
3.3.2 JSTOR Pilot Evaluation
September 2003 – December 2003
Work with the deployment team to evaluate the usability of accessing JSTOR via PKI certificates and keys. As more users begin to access the JSTOR system via PKI, we will evaluate users’ perceptions of ease of use, and satisfaction with the method. We will also evaluate the extent and type of questions to the Help Desk for help with the method.
3.3.3 Understanding Users’ Conceptual Models of Security
June 2003 – July 2004
We will work with the research team to evaluate how a variety of users (including neophyte end-users as well as knowledgeable computer “experts”) understand and conceptualize the technological systems underlying a range of digital exchanges. We seek to answer the following questions: How do users conceptualize digital exchanges and the systems through which they occur? What do they think happens when they sign an electronic document, when they send private information across an SSL connection to a website, or when they access their private information via a secure web server? Do their conceptual models lead them to over-estimate (or under-estimate) the security of the system? How do users’ conceptual models of the computer interface system affect how effectively they use the system, and what if any steps they take to increase security?
3.3.4 Estimating the Scale and Scope of Security Risk from Users in Higher Education
January 2004 – August 2004
This part of the User Study project seeks to estimate the scale and scope of network security exposure resulting from user behavior. More specifically, we will estimate the overall extent of security exposure resulting from user behavior, the risk of a security breach resulting from the level of exposure, and the administrative costs of preventing and fixing security exposure and any security breaches that result. Further, we will attempt to estimate the potential overall cost of different types of security breaches (using a broader definition of “cost” that includes items such as “public relations” costs or liability exposure), as well as the “value” of the user behavior that causes security vulnerability and exposure, in order to assess the overall cost-benefit ratio resulting from our estimation of user-induced security vulnerability to the network.
Estimating the risk and cost of security exposure caused by user behavior will allow HE institutions to: evaluate the importance and value of system administration support of security-related activities; evaluate the need for and potential effect of various user policies (e.g., standards for passwords, forced password changes, etc); better estimate the value of new technology for limiting security exposure and security breaches resulting from user behavior; and determine alternative practices that allow valued activity while preventing network security exposure.
3.4 Outreach Plan Phase 2
We have added a Project Leader staff member specifically to address PKI Lab outreach. Mark Franklin started in this role in early May 2003. He will help deploy the PKI Lab’s applications, first at Dartmouth and then nationally. He will assume overall responsibility for our national deployment activities, but the rest of the group will be involved in this work. Effective outreach that results in real applications is going to have to be a team effort. The knowledge and contacts within an organization to make a large remote project happen are distributed within the team. It has taken many months to develop the technical expertise and transferring it is still complex. Mark and other new personnel will need to work closely with the existing team and be able to contribute to developing products that work for our partners.
The following sections describe specific activities we plan for national deployment.
3.4.1 Web Reference Information
The PKI Lab web site has been a successful way to distribute information about the project. There is a somewhat continuous stream of new material being added. We will distribute the work to date sections of this report there. The elements of a “PKI Cookbook” have been taking shape, and we will assemble a complete version of this idea. We will add sample code derived from the existing Dartmouth web applications using PKI authentication along with an expanded section for PKI development tools and information. We will continue to put extra effort into making this information suitable for consumption outside Dartmouth.
3.4.2 Seminars and Webinars
In the next twelve months, Dartmouth plans to host a PKI summit where we will bring together top influencers in the security community with HEI and industry CIOs to explore the state of the art in PKI technology and its application toward solving real world problems.
A mix of lectures, tutorials and demonstrations of PKI solutions will provide a rich environment for evangelizing PKI.
Dartmouth will plan and execute a series of Webinars to disseminate the results of its research in PKI technology and solutions. In addition we will provide a series of tutorials to educate the community at large on PKI technology and systems/network infrastructure deployment required to support PKI, perhaps in conjunction with EDUCAUSE and I2.
3.4.3 Public Relations (press and analysts)
Dartmouth plans to mount an aggressive PR campaign for dissemination of our PKI activities and to position itself as an authority on PKI technology and solutions. We will utilize campus media resources coupled with external PR professionals to develop a well balanced campaign. We will solicit analysts by positioning ourselves as an authoritative source for PKI technology expertise and system integration. We expect to generate roughly one article every other month from our research and deployment activities and plan to target popular IT press publications in addition to the more traditional research and higher education venues. In addition to spreading the word about Dartmouth’s accomplishments, we plan to help generate demand for PKI by educating users about the capabilities, potential, and current state of PKI and how Dartmouth can help them adopt it. We will continue to propagate our results by writing papers and presenting at conferences and workshops.
3.4.4 Tools and Infrastructure Development
One of the barriers to PKI deployment is the need to be able to generate certificates before one can even start to experiment with applications. Following up on an idea generated in discussions at the spring Internet2 middleware meetings, the PKI Lab will ensure that a suitable external test and development certificate authority exists to give potential PKI adopters in the investigation phase the ability to generate their own certificates on our system and use them with PKI Lab or other applications for evaluation and proof of concept work. Campus IT personnel will be able to enroll and obtain keys and certificates. This should lower the hurdles required to get them to the “test drive” stage and thus ease their path to PKI deployment. Certificates from this system will be for non-production purposes only and certificates generated by it are not to be trusted. We can also provide sample PKI-enabled web and mail servers for testing and evaluation purposes. These services will enable demonstrating PKI-enabled applications in a local deployment, which seems to be crucial to helping campus administrators perceive the value of PKI-enabled applications and to obtaining their support. At the same time, local IT personnel will gain first-hand experience with PKI technology. The PKI Lab will use these test and evaluation services as important components of our outreach program for educating potential PKI users at other institutions and for helping them climb the PKI learning curve.
The PKI Lab has created simple “certificate viewer” and “signer” tools which we will make available for others to use.
As we assist other institutional deployments of PKI, we will continue to refine the process needed to deploy a local PKI. A turn-key type of solution is our goal, though we may not completely achieve this in the short term. The deployment team has, for example, packaged our customizations to SunONE to simplify reinstalling them locally or remotely, and plans to continue similar efforts. Our long-term hope is to be able to supply other HEIs with a package of documentation and/or open source CA tools which amount to “PKI in a box”, to be deployed in a straightforward fashion at other schools with the possible addition of a commercial CA product. In the near term, we will continue to enhance our documentation to accompany a commercial CA product for our “PKI in a box” solution.
As mentioned previously, the Dartmouth group has experience with a number of different CA products. Depending on the interests of partners, other products may become important. The deployment team may need to develop additional expertise with other products. Traditionally there is a lot of interest in the Higher Education community in Open Source software solutions. We intend to investigate and perhaps contribute to development of additional open source alternatives.
3.4.5 HEBCA
As mentioned earlier, Dartmouth has been an active participant in the prototyping and development of plans for a HEBCA. At the very least, Dartmouth will be interested in applications that work with the HEBCA. Projects to contribute to the development of necessary software modifications to support use of the HEBCA may be interesting projects in which the PKI lab could become involved. These efforts would require either additional resources or follow the previously described projects.
The deployment of bridges by Higher Education and the Federal Government however could become a very significant driver for PKI deployments within Higher Education. The Federal Government for example is proceeding with plans for a common mechanism for electronic submission of grant applications. In general a widely available infrastructure for inter-institutional PKI such as the HEBCA could significantly enhance the desirability of local PKI deployments. This will be an important area to monitor and perhaps devote effort toward in this project.
Dartmouth is presently working with EDUCAUSE to create the HEBCA.
3.4.6 Partnership Deployment Projects with Remote Campuses
We will carefully select two to four partner HEIs with which we will work in much greater depth and for longer than the consultations in the activity above.
Other successful deployments are key to demonstrating that the Dartmouth effort can be a model. The initial focus will be on production applications and supporting PKI deployments at a limited number of partners with whom we will work closely. To do this we must bring together several elements. Partners must be willing to make solving the problems that PKI can address a high priority. Currently this will be easiest with a partner that has already experimented with PKI. The local political process must be navigated to allow resources to be committed by the partner to start to implement solutions. It is crucial that this commitment be sustained for a sufficient time to demonstrate positive results. A path to production deployment must be made to complete the process. Additional examples of successful PKI applications and the deployment of supporting infrastructure will very likely be the best way to attract the interest of more campuses.
Dartmouth’s collected and documented PKI deployment experience should significantly shorten the time needed for completion of an external deployment, and Dartmouth’s completed applications can serve as models and/or may be directly exportable to our partner HEIs.
Steps:
- Working from our current best information, identify likely partners. We should initially seek to identify two serious partners. We can expand to others once we have substantial progress at the initial partners and personnel resources are available for more partners. Partner buy-in needs to include both the Technical and CIO levels.
- For each partner HEI:
  - Jointly select a PKI application and determine what is needed to deploy it. This includes defining the details of the application and identifying suitable software and the support environment. Identify needed partner HEI resources such as people, equipment, and funding.
  - Determine the specifics of a suitable PKI architecture. The PKI must fit in with existing infrastructure, such as directories, be acceptably priced, and be supportable and sustainable by the partner HEI.
  - Develop the details of the Application with staff at the HEI. It must fill a perceived need. It would be easiest to choose an application that Dartmouth has already developed, e.g. Web authentication to Banner/Oracle. Otherwise we need to select something similar, such as Web authentication to PeopleSoft. Other primary possibilities are authentication to Library Resources/Shibboleth or local web services. Secure e-mail, electronically signed documents or wireless network authentication are also possible with some additional development by the Lab.
  - Develop the details of the PKI with the staff at the HEI. It would be easiest to base it on products that Dartmouth has already used, e.g. SunONE, AOL/Netscape or Entrust. Otherwise we need to find something else suitable to local needs, e.g. Microsoft CA services.
  - Develop a working relationship with Technical staff at the HEI to assist the remote project as needed, e.g. knowledge transfer, investigate alternative products, support local application development. This must include continuing interaction to catalyze progress.
Specific activities required to assist particular partners will derive from their diverse needs and environments and are therefore hard for us to detail further.
3.4.7 External Partnerships and Vendor Influence
Many commercial products have features to support the use of PKI, but few products support it well. PKI features are typically added after the fact and are often not well integrated with the rest of the product. And they often have poorly-designed user interfaces, obscure error messages, omissions, oversights, and bugs. The PKI Lab will strive to persuade and help the vendors to improve their products.
By establishing itself as a recognized authority on PKI technology and solutions, coupled with Dartmouth’s network and computing infrastructure resources, Dartmouth is well positioned to collaborate with industry on development and validation of key PKI technologies and system solutions. Over the next twelve months, Dartmouth will target and establish collaborative relationships with at least two leading industry players to integrate PKI technology in their product portfolio.
3.5 Conclusion
All PKI Lab activities contribute to our overarching goal of making PKI really happen at Dartmouth and other Higher Education institutions. Our research and development team tests for inadequacies in existing solutions, develops solutions for problems found, and generates new and more secure techniques, tools, and platforms for PKI implementations. It reports its findings for all to use. Our deployment team focuses on the practical “nuts and bolts” matters of institutional PKI usage, implementing large-scale PKI at Dartmouth, assisting other HEIs as they deploy PKI, productizing the output of the research team, helping vendors refine PKI technology, and conducting a number of outreach activities to promote the use of PKI through education, dissemination of working solutions with “how to” documentation, and participation in technical committees, conferences, and special interest groups. Our User Studies team studies the ways people actually use PKI solutions and their perceptions of security, providing feedback to the research and deployment teams so they can adjust their products accordingly. Our Phase 2 work will continue to orchestrate all these activities so that they complement, build upon, and amplify each other while we deliver viable and compelling PKI solutions for both Dartmouth and Higher Education in general.