
What is IAM?

Friday, May 9th, 2014

A while back, an internal audit of IT administrative systems was conducted, focusing on two areas in particular: Human Resource Management and Student Administration. The audit sought to establish whether the university’s policy on administrative system users complied with prescribed best practices and whether adequate processes were in place to manage access rights.

It was found that there was a need for a formal Identity and Access Management (IAM) policy, more regulated processes and one central source from which identities (see definition below) should be managed.

The current practice of issuing multiple electronic identities per business application, or per individual associated with the university, for access to administrative systems lends itself to the fraudulent use of both electronic identities and information – a high risk at an academic institution.

The audit findings were considered and, as a result, an all-encompassing Identity and Access Management Project (IAM Project) was initiated to mitigate both known and potential risks around system and resource (e.g. Library) access.

To gain better control over the creation of identities, the following three systems will be the only recognised systems from which both an identity and an electronic identity can originate:

  1. Student Administration – Registration of students, including Short Course registrations
  2. Human Resources (HR) – All SU staff who need to be reported on for statutory purposes or for whom a payroll needs to be run.
  3. SUNid – used for any person who forms an affiliation with SU but cannot be classified as either student or staff. The current classification for this group of persons is either external worker or visitor.

IAM aims to address 95% of the audit findings by establishing a central system from which one electronic identity can be issued via an automated process, with a full audit trail of who has access to which system and who approved the request. A future deliverable of this project would be a formal definition of roles (e.g. Payroll clerk), derived from system function (program) access patterns, to facilitate role-based access request management.

An Electronic Identity Validation Regulation has already been approved and can be viewed here.

The IAM project is one of continuous improvement and development. It is not just about putting systems in place, but also about understanding the university’s organisational behaviour and processes to ensure these systems increase productivity and function optimally.

To keep you up to date on upcoming IAM projects, we will be running a series of articles from this week. In our next article we’ll be looking at AIS. 

If you’re still in the dark as to how SUNid works, refer to our wiki for detailed instructions or read our previous blog articles.

If you prefer a more hands-on approach, we’ll also be hosting a few informal sessions where you’ll be guided through the process step by step and will have the opportunity to air all your complaints and questions. If you would like to attend one of these sessions, please contact Petro Uys at puys@sun.ac.za.


Definitions

Identity – the capture of all personal information and the creation of a unique 8-digit Stellenbosch University number, also commonly referred to as a student number, staff number, ut_number or su_number.
Electronic Identity – the username and password associated with an identity record.

A while back an internal audit focusing on IT administrative systems, specifically Human Resource Management and Student Administration, was conducted. The purpose of the audit was to establish whether the university’s policy on administrative system users complies with prescribed best practices and whether adequate processes are in place to manage rights.

It was found that there is a need for a formal Identity and Access Management (IAM) policy, better regulated processes and one central source from which identities (see definitions below) must be managed.

The current practice issues multiple electronic identities for access to administrative systems, and does so per business application or per individual associated with the university. This process can easily be exposed to the abuse of electronic identities and information – a high risk for an academic institution.

The audit findings were taken into account and, on that basis, an overarching Identity and Access Management Project (IAM Project) was launched to address existing and potential risks around system and resource access (for example the Library).

In an effort to maintain better control when identities are created, the following three systems will be the only recognised systems on which an identity and an electronic identity can be created.

  1. Student Administration – Registration of students, including Short Course registrations
  2. Human Resources – All SU staff who must be reported on by law or who are on the University’s payroll.
  3. SUNid – Used for any person who is affiliated with SU but cannot be classified as student or staff. The current classification is that of external worker or visitor.*

IAM aims to address 95% of the audit findings by establishing a central system from which one electronic identity can be issued. It will be issued by means of an automated process, with a full audit of who has access to which system and who approved the request.

One of the goals of this project will be a formal definition of roles (for example Payroll Clerk), extracted from system function usage patterns, in order to apply role-based access request management.

An Electronic Validation Regulation has already been approved and can be viewed here.

The IAM project is continuously developed and improved. It is more than just a process of putting systems in place; it also requires an understanding of the University’s organisational functioning and processes to ensure that systems will increase productivity and can function optimally.

To keep you up to date on future IAM projects, we will from now on also be offering a series of articles. Our next one focuses on AIS.

 * If SUNid is still Greek to you, have a look at our wiki for an explanation or read our previous blog article. If you prefer a more practical approach, we will soon be offering a few informal sessions where you will be taken through it step by step and will also have the opportunity to ask all your questions. Please send an e-mail to Petro Uys at puys@sun.ac.za if you are interested in attending a session.

 



Heartbleed wreaks havoc

Friday, May 9th, 2014

If you read about a computer bug in YOU magazine, it has to be serious. This is exactly what happened with Heartbleed last week.

The now-infamous bug surfaced last month and wreaked havoc on many popular websites. You might also have received an e-mail by now requesting you to change your password for certain websites.

Heartbleed is a security vulnerability in OpenSSL, software commonly used for web encryption. The vulnerability allows a hacker access to the memory of data servers. According to Netcraft, a company specialising in internet research, 5000 websites might have been infected by it.

Unlike some viruses, which infiltrate your computer via e-mail, Heartbleed targets a weakness on web servers. This means that anyone using a compromised website runs the risk of having their username, password or credit card details intercepted. Without too much effort, your data can be obtained and, with it, access to your account.

With Heartbleed, hackers can also gain access to the digital keys responsible for encryption on servers and thereby access a company’s confidential internal documents.

According to Vocativ, the term Heartbleed was chosen by Ossi Herrala, a systems administrator at Codenomicon. The technical name is CVE-2014-0160 and refers to the line of code where the bug is located. Heartbleed refers to an extension in OpenSSL called heartbeat. The protocol is used to keep connections open, even while no data is being transmitted over them.
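
The heartbeat extension mentioned above is where the bug lived. As an added illustration that is not part of the original post or of OpenSSL’s own code, the hardened handler below carries the bounds check the Heartbleed fix introduced: a heartbeat record declares its own payload length, and the patched code refuses any record whose declared length exceeds what was actually received. Record layout follows RFC 6520; the two sample records are constructed.

```c
/* Added example, not code from the original post or from OpenSSL.
 * A TLS heartbeat record (RFC 6520) is a 1-byte type, a 2-byte
 * big-endian payload_length, the payload, then at least 16 bytes of
 * padding.  The Heartbleed bug (CVE-2014-0160) trusted payload_length
 * and copied that many bytes into the response, so a short record
 * claiming a large payload leaked adjacent server memory.  The handler
 * below adds the bounds check the fix introduced and discards any
 * record whose declared payload does not fit in the bytes received. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Validate a heartbeat request and build the response into out.
 * Returns the response length, or -1 if the record must be discarded. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    /* Type + length field + minimum padding must all be present. */
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;

    /* payload_length is chosen by the peer and cannot be trusted. */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The check the fix added: the declared payload, plus header and
     * padding, must fit inside the record actually received.  Without
     * it the memcpy below reads past rec, which is Heartbleed. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes we hold */
    memset(out + 3 + payload, 0, HB_PADDING); /* real padding is random */
    return (int)resp_len;
}

/* Constructed records: an honest 4-byte "ping" and the same 23 bytes
 * with payload_length rewritten to 65535.  Returns 1 if the handler
 * answers the first and rejects the second. */
int demo(void)
{
    uint8_t out[128];
    uint8_t good[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[sizeof good];
    memcpy(bad, good, sizeof good);
    bad[1] = 0xff; bad[2] = 0xff;

    int ok  = build_heartbeat_response(good, sizeof good, out, sizeof out);
    int rej = build_heartbeat_response(bad, sizeof bad, out, sizeof out);
    printf("honest record -> %d-byte response\n", ok);          /* 23 */
    printf("oversized claim -> %d (silently discarded)\n", rej); /* -1 */
    return ok == 23 && rej == -1;
}
```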

If you haven’t changed your password for the affected sites yet, rather play it safe and change it anyway. It remains good practice to change your passwords regularly. If you want to know which sites have been targeted or what their current status is, you can check here.

More detailed information on Heartbleed is available at:

http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/
http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://www.vocativ.com/tech/hacking/behind-scenes-crazy-72-hours-leading-heartbleed-discovery/

SOURCE: www.cnet.com

You know a computer vulnerability is serious when it has made it into Huisgenoot, and that is exactly what happened with Heartbleed last week.

The infamous vulnerability made its appearance last month and wreaked havoc on several popular websites. By now you have probably also received an e-mail kindly asking you to change your password on some websites.

Heartbleed is a security vulnerability in OpenSSL software that gives a hacker access to the memory of data servers. According to Netcraft, a company specialising in internet research, 5000 websites may have been infected by it.

Unlike viruses that land on your computer via e-mail, Heartbleed attacked weaknesses in code on web servers. This means that the data of a user of an attacked website (username, passwords and credit card details) runs the risk of being intercepted. Your information can therefore be obtained without effort, and hackers can gain access to your account.

It also means that hackers can gain access to the servers’ digital keys, which are responsible for encryption, and to a company’s confidential internal documents.

According to Vocativ, the name Heartbleed was chosen by Ossi Herrala, a systems administrator at Codenomicon. The technical name is CVE-2014-0160 and refers to the line of code in which the vulnerability is contained. Heartbleed refers to an extension in OpenSSL called heartbeat. The protocol is used to keep connections open, even when no data is being sent between them.

If you have not yet changed your password, rather play it safe and change it anyway. It remains good practice to change your password regularly for safety. If you want to know which websites were targeted by Heartbleed, you can check here.


Internet Explorer vulnerability disclosed

Thursday, May 8th, 2014

Recently, security vendor FireEye publicly disclosed a vulnerability affecting all versions of Internet Explorer. Government security response teams urged users to use an alternative browser until a security fix was released. Now that Microsoft has released the update this week, it is no longer necessary to use an alternative browser.

This high-risk vulnerability, if exploited by an attacker, would allow him to gain the same user rights as the current user. The security breach could be achieved by an attacker hosting a specially crafted website designed to exploit this vulnerability through IE and then convincing a user to view the website.

The attacker would entice the user to view the attacker-controlled content by getting them to click a link in an e-mail or instant message, or to open an attachment in an e-mail.

Updating your Internet Explorer (versions 6, 7, 8, 9, 10 and 11) is critical on Windows clients. The security update addresses the vulnerability by modifying the way IE handles objects in its memory.

Microsoft has released updates KB2964358 and KB2964444 to address this vulnerability. (More information on Microsoft’s security update can be found here.)

Campus assets running Microsoft Windows have the WSUS configuration installed and automatic updating enabled, so users will not need to take any action: the security update will be downloaded and installed automatically.

FireEye noted that the attacks rely on Flash and advised users to disable the Flash plugin in IE. Also, always ensure that your antivirus software is current and updated regularly to guard against future attacks.

SOURCE: http://www.zdnet.com and www.microsoft.com

Security company FireEye recently disclosed that all versions of Internet Explorer have a vulnerability. Security teams of the American government even asked users to rather use an alternative web browser until a security update was released. Now that Microsoft has released a new update this week, using an alternative browser is no longer necessary.

This high-risk vulnerability can, if abused by a hacker, give him the same rights as the current user of the program. The security breach can occur if the attacker sets up a specially built website, designed to abuse IE’s vulnerability, and convinces users to use it.

The attacker can lure a user into viewing content on his website by means of a link in an e-mail or an online message, or by getting them to open an attachment in an e-mail.

Updating Internet Explorer (versions 6, 7, 8, 9, 10 and 11) is critical on Windows computers. The security update addresses the vulnerability by changing the way IE handles items in its memory.

Microsoft has released security updates KB2964358 and KB2964444 to prevent the vulnerability. (More information about Microsoft’s update can be read here.)

Campus computers with Microsoft Windows OS have the WSUS configuration, update automatically, and users need not take any further action themselves. The update will be downloaded and installed automatically.

FireEye noted that this type of attack uses Flash and advised users to disable the Flash plugin. Also, always make sure that your antivirus software is up to date and updated regularly to avoid attacks in the future.

 


MTN warns of new sim swap scam

Tuesday, April 8th, 2014

MTN South Africa has warned clients of a new sim card swap scam currently doing the rounds. The scam abuses the warning SMSs that MTN sends to its clients.

The syndicate attempts to get their hands on MTN clients’ personal banking details by sending an e-mail similar to the one below:

“Dear Client, We have discovered a suspected Sim swap attempt on your no. The swap will be processed within the next hour. If you did not initiate this Sim swap, please Cancel here.”

The “cancel” link diverts the user to a website where they are asked to submit their banking details. The harvested information can then be used to commit fraud on the account.

MTN warns cellphone users not to respond to these e-mails. If a sim card swap takes place, MTN will not communicate this by e-mail. MTN has blocked access to the site on its network, but clients of other providers should also look out for this scam.

If you are an MTN user, you can report incidents like these at 083 123 7867.

[SOURCE: www.techcentral.co.za]

MTN in South Africa has just warned its clients that a new sim card scam is currently doing the rounds. The swindle abuses the warning SMSs that MTN sends to its clients.

The syndicate tries to obtain MTN clients’ personal banking details by sending an e-mail similar to the one below:

“Dear Client, We have discovered a suspected Sim swap attempt on your no. The swap will be processed within the next hour. If you did not initiate this Sim swap, please Cancel here.” 

The “cancel” link leads the user to a website where he or she must fill in banking details. Naturally, cybercriminals can then use this information to commit fraud from the account.

MTN warns cellphone users not to react to these e-mails. If a sim card swap were to take place, it would not be communicated by e-mail. MTN has blocked access to the website on its network, but also take note of similar e-mails if you are on other cellphone networks.

If you are an MTN user, report incidents at 083 123 7867.


CAPTCHA – help or hindrance?

Friday, February 28th, 2014

CAPTCHA, or “Completely Automated Public Turing”, is a type of response test generally used in the computing environment to establish whether the user is human or not. The term covers all technological tools used to distinguish humans from computers during online interaction.

The main purpose of CAPTCHA text is to prevent automatic computer processes from abusing e-mail systems by repeatedly entering passwords or from overloading or causing security problems on network services.

The most common example of CAPTCHA can be seen below and consists of a series of distorted or cross-hatched letters and numbers that users have to retype. Distorted letters hidden in an image are easily recognised by humans, but computers find them difficult.

Unfortunately, computers and CAPTCHA-cracking algorithms are becoming more sophisticated, and consequently CAPTCHA codes are also becoming more distorted and difficult for people to recognise.

The term was first used in 2000 by Luis von Ahn, Manuel Blum and Nicholas J. Hopper of Carnegie Mellon University and John Langford of IBM. The most popular CAPTCHA was invented by Mark D. Lillibridge, Martin Abadi, Krishna Bharat and Andrei Z. Broder. This type of CAPTCHA prompts the user to retype letters displayed in a distorted image, sometimes also obscured by a series of other letters or numbers on the screen.

Seeing that this test, unlike the standard Turing test which is conducted by a person, is performed by a computer, it is often referred to as a reverse Turing test.

The CAPTCHA identification process has been heavily criticised, especially by disabled users, but also by other users who feel that their daily work is slowed down by distorted, illegible words that are hard to read even for people without disabilities.

Read more on CAPTCHA on the official website.

[SOURCE: http://www.webopedia.com/DidYouKnow/_index.asp and www.wikipedia.org]

 

CAPTCHA, or “Completely Automated Public Turing”, is a type of reaction test used in the computing environment to determine whether the user is a person. The term encompasses all technological means used to distinguish people from computers during online interaction.

The main purpose of CAPTCHA text is to prevent automated computer processes from abusing e-mail systems by repeatedly typing in passwords, or from causing unnecessary strain or security problems for network services.

The most common example of CAPTCHA can be seen below and involves the user recognising and typing a series of distorted or cross-hatched letters and digits. People can easily recognise distorted letters hidden in an image, while computers find it particularly difficult.

Unfortunately, computers and the algorithms that crack CAPTCHA codes are becoming more sophisticated, and consequently CAPTCHA codes are also becoming more distorted and harder for people to recognise. Security specialists are constantly looking for new CAPTCHA techniques that can prevent robot-driven abuse without disadvantaging the ordinary user.

The term was first established in 2000 by Luis von Ahn, Manuel Blum and Nicholas J. Hopper of Carnegie Mellon University and John Langford of IBM. The most common CAPTCHA was first invented by Mark D. Lillibridge, Martin Abadi, Krishna Bharat and Andrei Z. Broder. This type of CAPTCHA asks the user to reproduce the letters of a distorted image, which is sometimes also overshadowed by a series of letters or digits on the screen.

Because the test, unlike the standard Turing test which is facilitated by a person, is performed by a computer, it is sometimes referred to as a reverse Turing test.

This identification process for users has been heavily criticised, especially by disabled persons, but also by other users who feel that their daily tasks are hampered by distorted words that are illegible, even for people with no disabilities.

Read more about CAPTCHA on their official website.
