According to Greek philosophers, the first law of thought is that “each thing is the same with itself and different from another,” otherwise known as the law of identity. This is a common idea within information security, where the designation of one participant apart from another affects the spectrum of operations and data elements available to each. In William Shakespeare’s famous tragedy “Romeo and Juliet,” Juliet asks the question “What is a name?” when she questions Romeo’s family name of Montague, noting it is not the hand, foot, arm, nor face of a person: “What’s in a name? That which we call a rose by any other name would smell as sweet.”
While the opposition Romeo and Juliet faced in this classical prose remains inviolate, we find similar challenges when addressing data services that can be shared or curtailed through rights assignment within the authentication system available to State data consumers. Before we can consume the product of a Shared Service across multiple campuses and agencies, we first must agree upon a common mechanism to distinguish authorized requests for access from those made by unauthorized agents – whether software or human.
Public educational settings face the challenge of including full-time staff and faculty, together with a pool of student accounts constantly in flux as new classes are added and released, alongside semi-permanent administrative and service accounts used by various equipment and research agents. To this are added the far more varied research partners, colleagues from other campuses, and visiting professors from all over the world. Beyond the relatively straightforward matter of user provisioning, many international researchers and students bring not only their own expectations for access, but in many cases access expectations from their government that inject software into the enterprise, such as the Qihoo 360 browser required by the Chinese Government for its international researchers and learners. This package, once loaded onto a destination system, takes control of many aspects of normal system operations, redirects search terms, and even uploads updates claiming they are “from Microsoft” and digitally signing them using the proper digital signatures, after which it can only be removed by a full erase and re-image of the workstation systems.
With so many expectations and requirements, it is dizzying to consider any resource that can be made available to any subset of requests without risking full exposure by too lax a security policy. When integrating across multiple campuses and several agencies, few services, such as the wireless EDUROAM system, can manage to integrate locally-controlled authentication services for each enterprise segment. When attempting to provide access control protections, it is all well and fine for Romeo to deny his heritage and declare: “…I will be new baptized, Henceforth I never will be Romeo.” The fine people of the State of Texas, however, must be integrated into a standard service sitting ‘above’ all other services, whose purpose is to provision, authenticate and provide access controls within all other measures. And, yes, the tradition of personal name transition following marriages and divorces continues to churn these waters even further.
Before Texas can take advantage of truly Shared Services, it will first have to address this far more fundamental matter of “What is a name?” and where that will be stored and how it will be referenced to see if it is “…same with itself and different from another…”