On that long list of venerable institutions primed for a high-tech overhaul, higher education is near the top. Its shortcomings are much discussed: universities are expensive, inaccessible, inflexible, and out of touch with the needs of students and the world economy. A diploma that demands four (or more) years on campus, long lectures, fend-for-yourself homework, and massive final exams seems as much a relic of the 19th century as of the 20th. Educating the millions of people that our future depends on will require not just a productivity boost but something fundamentally different.
These days “something fundamentally different” usually involves the Internet. Decades of desultory experiments with “computer-aided education” have now yielded exciting, scalable, measurably effective innovations in presentation and content. The Web is full of educational resources for students of all ages. You may have audited a class at AcademicEarth.com or brushed up your math skills at the Khan Academy. I was recently one of 160,000 students enrolled in Stanford’s phenomenally successful online class in artificial intelligence. We watched streamed video presentations by the two faculty members, studied digital texts, submitted our homework (and got our grades) electronically, and chatted online with fellow students all over the world. It was the best learning experience I’ve ever had. Stanford and other universities are following up with additional offerings, and the movement has earned itself an acronym: MOOC, for “massive open online courses.”
But providing free content to recreational learners is only a first step. If online education is to go big time, it will have to be a commercial venture where things like tuition payments, lab fees, textbook rentals, grades, credits, and diplomas are in play. This means some serious security around rights management, copyright protection, electronic payment processing, and identity management. This last item is the subject of this article.
Who Are These People and What Do They Get from Us?
Web-based enterprises need to be able to identify their users. This is critical for providing continuity, customizing views, displaying personalized information, and, in a for-profit situation, making sure that everybody pays for what he receives. Enterprises dealing in educational assets want users who approach them to get exactly what they are entitled to. So every time they are asked to deliver an asset, they need to know:
- Is this a student in good standing, officially enrolled in a certain institution and a certain course?
- Is she entitled to open this e-textbook, view this video, take this test?
- Do the homework grade, the test grade, and the course credit attach to the student who has actually earned them?
- Is the user a faculty member, and what privileges does this role entail?
- When students and faculty interact online, are they all who they claim to be?
- Is the person requesting confidential information — a transcript perhaps — authorized to see it?
If credentials earned in a virtual educational environment are to have any meaning, the institution has to be as confident of a user’s identity as if that person had visited the registrar with an ID in hand and sat in a classroom week after week.
User Identification Across Multiple Enterprises
User identification in an online educational setting is a challenge because multiple enterprises are involved. What appears to the user as a holistic experience provided by the University of Wherever most likely involves, behind the scenes, a whole federation of autonomous enterprises that provide content and perform assessments. Most of the electronic course materials that a class uses — e-textbooks, videos, online quizzes, virtual labs, animations, and interactive models — actually come from third-party publishers and producers.
Up until a few years ago, students had to visit the websites of each of these providers in order to purchase and access assigned materials. It was a digital version of the campus bookstore, except that you had to make a special trip every time you wanted to look at your textbook, often with an ID and credit card in hand. Increasingly, though, schools are using online learning management systems (LMSs) to provide course-specific Web environments that assemble and integrate digital materials from a variety of sources. The materials may come bundled into the class fee and appear automatically on the digital “bookshelves” of all enrolled students — no separate payment required. Access may be so seamless that the student has no sense of interacting with separate enterprises, as in the following sequence:
- Open the History 301 Web page that describes today’s assignment.
- Click on a link, and the e-textbook (from provider A) opens right to today’s reading.
- Launch an embedded video (from provider B).
- Pop open a quiz (from provider C) to make sure the material has been mastered.
Frictionless inter-enterprise collaboration means a wider range of options for the course designer, a guaranteed client base for the asset provider, and a richer educational experience for the student. However, all this requires a sophisticated identity management architecture that crosses enterprise boundaries. If the user is not to be repeatedly challenged for credentials, and if possibly hundreds of individual asset providers are to figure out exactly what to deliver to each user under what terms, the network will have to be passing identity information around behind the scenes.
[For more from the author on alternative approaches for handling authentication and authorization in a multi-enterprise educational environment, see “Identity Management in Technology-Assisted Educational Systems,” Cutter IT Journal, Vol. 25, No. 4. Some of these techniques are generic and will be familiar to IT security architects working in other fields; others use standards and tools specialized for education.]