Re: Web Kiosks

["Bruhn, Mark S." <mbruhn () INDIANA EDU>]

We are implementing a scheme of "shallow credentials."  This username
and password are constructs in our LDAP directory, and are not in our
Kerberos KDCs.  We're implementing these for parents and other third
parties (representatives from organizations sponsoring students, so they
can pay bills using ACH, for example).  They will be used, essentially,
for anyone without standard IU network Ids accessing our Onestart
portal, and a limited set of services therein.

We are also using "patron" accounts in the Library.  These are
restricted to information resources managed by the Library.  If someone
from off-campus has need for a more unregulated ability to do research,
they can obtain a longer-term unrestricted set of credentials from the
circ desk, by showing a photo id card.

For conferees and other guests, including visiting faculty, we are
providing them access to wireless by creating an isolated set of
accounts in our VPN server.  The conference bureau or a department
representive can (will be able to) access our Account Management Service
to assign one of those accounts to an individual, along with an
expiration date.

There are other things we're working on, but those are the main areas.

One thing that is key is that we don't ever collect any information
about what any of these people do (except in the ACH area, because NACHA
rules require it...).  In almost all other cases, all we know is that a
particular individual held credentials during a certain period.  If at
some point we receive a complaint associated with a device, we would
attempt to connect an individual to that device and event, and go from
there.

M.

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Marty Hoag [mailto:Marty.Hoag () NDSU NODAK EDU] 
Sent: Friday, August 08, 2003 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Kiosks


    Steve raised some of the issues we've been dealing with.
We are a Land Grant institution and outreach is a prominent
part of our avowed mission.

    If you want all access authenticated how do folks handle
brief or occassional visitors? Do they issue time restricted
temporary credentials? Do they have kiosks but require the
kiosk (or cyber cafe or whatever) provider to provide the
Internet access independent of the University network?

    In addition to Kiosks this issue comes up with wireless
LANs, public ethernet ports, and multiuse computer labs.
It would be interesting to hear some brief pointers on the
way you handle this.

    Marty

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.