eidas enabled student mobility n.
Skip this Video
Loading SlideShow in 5 Seconds..
Sustainability in the Higher Education Domain PowerPoint Presentation
Download Presentation
Sustainability in the Higher Education Domain

Sustainability in the Higher Education Domain

229 Vues Download Presentation
Télécharger la présentation

Sustainability in the Higher Education Domain

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. eIDAS-enabled Student Mobility Sustainability in the Higher Education Domain Cost Benefit Analysis Aljosa Pasic 2ESMO Workshop (Trondheim, June 3rd 2019) GRANT AGREEMENT UNDER THE CONNECTING EUROPE FACILITY (CEF) - TELECOMMUNICATIONS SECTOR AGREEMENT No INEA/CEF/ICT/A2017/1451951

  2. Index ESMO Sustainability in the Higher Education Domain (Ross)

  3. ESMO Open Source Project • ESMO GW Development (today) • Developed in privateGitLabovermultiple repos per microservice • Publish ESMO GW as Open-Source Software (endofproject) • Open-source license to study, change, and improve its design • GitHub • Whatisavailable • Allcommonmicoservicesimplementingthe GW core modules • ProtocolSpecificmicroservicesimplementing interfaces toSP,sIdPs, APs (SAML 2, eIDAS SAML, OAuth 2, OIDC, GWT etc.) • Target Community • HigherEducationInstitutesdevelopingtheirStudentInformationSystemsthat can benefit from usereIDASauthentication + DSAs • Promote ESMO throughthe Open SourceUniversity Alliance (EWP Initiative) • EU Projectsworkingon similar solutionsforenablingstudentmobility and convergenceofeIDAS and studentidentities

  4. Joiningthe ESMO OSS Community • Subscribing to the mailing list for the project on GitHub • GitHub Project repo willprovide • Access to source code, • builds, • issues, • wiki description • resources etc. • Listofentities that are hosting ESMO GWs and able to be contacted for connecting to

  5. HEI ServiceProvider – Joining ESMO • Who could be interested: • HEI SPswantingtoadaptenduserservicestopromotestudentmobilitybyenablingcross-bordereIDASauthentication and academicattributeretrieval (e.g. Admissions, Moodles, StudentInformationSystems) • Join ESMO GitHub Project • Become familiar with ESMO onthe wiki & itsresources • Consideralternativesthatbestsuityourneeds • Connecttoanexisting ESMO GW (contactentitypublishedon GitHub) • Deployowninstanceofthe ESMO GW withprotocolspecificmicroservicesforyourowninstituteoraffiliation • Developadditionalmicroservicesforanyspecificprotocols/functionsneeded and contributeittothe ESMO OSS repo. • Benefit from communityknowledgee.g. bycreatinganissueonthe repo toresolveanintegrationissue

  6. HEI AttriuteProvider – Joining ESMO • Who could be interested: • HEI APsconnectedto EWP thatwanttomaketheirattributesavailableforenduserstudentservicesliketheywishforotherHEIstoreciprocate • nationalfederations and eduGAINthat can benefitbymakingtheiruserattributesavailableto HEI SPsforservicesthatrequiretheir data and enable HEI SPsto link this data withtheuser´seID (ESMO delegatedeIDASauthentication) • Join ESMO GitHub Project • Become familiar with ESMO onthe wiki & itsresources • Choosethealternativethatbestsuitsyourneeds • Connecttoanexisting ESMO GW (contactentitypublishedon GitHub) • Deployowninstanceofthe ESMO GW withprotocolspecificmicroservicesforyourowninstituteoraffiliation • Developadditionalprotocols/functionsneededforyourspecificgoals • Benefit from and contributetocommunityknowledge • ActivelycontributetoanAcademicAttributes repo forpublishing standard attribute sets • Forumforthecommunitytoraiseissueswith atributes and make new proposals as requiredbythe SP services.

  7. Integrateto EWP Network • EWP provides a trustedregistrytoestablish trust between HEI entitiesforbackendAPIs, and wasidentified as ideal solutiontoprovidethe trust between ESMO GWs • Thebenefitofconnectingover EWP isthatall HEI ServiceProviders are thenawareofpublished ESMO APIs and ableto consume them • So EWP Hosts couldqueryacademic atributes overthe ESMO GW byconsumingan ESMO API and thendiscoveringits DSA query API • Thatsaid, forHEIstoget full benefitofthe ESMO GW today, whereHEIs can connectwiththeirnative SP/AP interfaces and performeIDASauthenticationthisneedsdirect interface to ESMO GW • ESMO Project has collaboratedwith EWP and todayweconnect ESMO GWsoverourowninstanceof EWP • Thenext step istointegratewiththe EWP Productionnetwork after our final productiontestingisconcluded • Collaborationwith EWP iskeytoreachingouttothegreater HEI community in Europe and makingthe ESMO GW servicesavailabletoall • Future ESMO GW development can considertomake more ESMO APIsavailableover EWP, so EWP Hosts can directly consume eIDASAuthenticationservice and DSA queries in thenativeprotocolssupportedbytheirSPs

  8. Index ESMO Sustainability in the Higher Education Domain (Ross) Cost benefit Analysis (Aljosa)

  9. Cost-Benefit AnalysisObjectives • Contribute to the potential of the eID DSI “to generate revenue”, form the perspective of domain specific eID gateway • Assess possibilities of ESMO GW to “become progressively self-standing or reliant on alternative sources of public funding or on a mix of private and public financing”, especially in the post-CEF period (long-term sustainability) • Assessing a range of different solutions from cost-benefit view and operational scenarios offered when interconnecting the eIDAS infrastructure (e.g. national versus sectorial e-ID brokers, academic federations or university hubs) • Assess the needs and requirements in terms of governance, operations, financing and architecture of the stakeholders involved • Calculate combined savings of administrative and technical costs enabled by CEF eID for student mobility in general and ESMO GW in particular • Estimate demand for cross-border e-services in HEI domain and their reliance on high assurance e-ID (e.g. transfer of academic achievements and diploma issuing related services), • Identify conditions for gradually achieving the target of economically viable operation and maintenance of the services • Identity motivational factors to join eIDAS “ecosystem” and incentives for other public and private stakeholders (e.g. ICT industry developing information systems and IAM solutions for HEI community)

  10. Objectives (2) • Estimate non-monetary benefits for the wider community or third party e-services (e.g. cross-border availability of academic data for Human resource departments) • Propose a model apt to be replicated in other sectors/domains, related sectorial governance of trust combined with eIDAS connectivity • Estimate value of component reuse and abstraction of complexities related to the discovery of attribute and service providers, • Compare costs related to the SP integration and interoperability in eIDASeID services, with and without ESMO • Address uncertainty of the eIDAS nodes’ business models which are intertwined with service providers operational costs (e.g. National nodes that impose registration or transaction fees) • Address other possible risks related to eIDAS an ESMO GW adoption, and propose a contingency plan (e.g. bypass eIDAS infrastructure for the domain specific attribute transfer) • Estimate benefits from increased assurance level through CEF eID

  11. “The Viability Triad” is Desirability, Feasibility, and Sustainability • Desirability • Is target audience aware of current technology and market trends? • Will there be recurring demand? • Can it be differentiated (value proposition etc)? • Will it be valued? • Feasibility • Is the offering and implementation achievable from a technical perspective? • Are resources available for support (maintainance, marketing etc)? • How realistic is user adoption and acceptance on a short term? • Can it be done? • Sustainability • Will it result in profit and when? • Can it be reused, repeated and at what cost ? • Is there open source community that could reduce maintenance cost? • Should it be done?

  12. Desirability: demand and market size • Facts: 4,000 higher education institutions, with over 19 million students (of these almost 3 million are in countries participating in the project, Spain, Greece and Norway) and 1.5 million staff. • Norway eID gateway common login solution for public services online number of logins is estimated at almost 70 million. • GÉANT 2020 Framework Partnership Agreement (FPA) has focus on authentication and it claims to have nearly 27,000,000 students and 2800 identity providers worldwide • In Austria mobile ID activation was 15 times higher than traditional eID card activation. • Predictions: At the time of Stork project the number of Erasmus students that would use e-ID was projected to grow to 40.000 in Spain by 2015 • Erasmus + supporting four million students in their cross-border learning mobility, and is expected to grow 20% by 2020 • Habits and trends: Student cards are most commonly used in Denmark, Sweden (both 11%), and least used in Italy (2%). The Erasmus student network card (ESNCard), in the meantime, increased this figure significantly (over 200.000 students in 40 countries) • Remote cross-border learning students (students who seek global education at local cost), More than two fifths (43 %) of the students from abroad studying at tertiary education level in the EU in 2016 were from Europe, 30 % were from Asia and 12 % were from Africa. • Compliance impact: Eurostat mentions that 74% are public sector HEIs, although sources from 2015 EUA report claim that 92% of HEI are public.

  13. Worldof Erasmus and beyond • Top Down data collectionfromdifferentsourcescontrastedwith data from ESMO partners • Use ofeduROAM and othercross-border

  14. Worldofeduroam and eduGAIN Presentationby Lucas Hammerle (SWITCH) from sept 2016

  15. ESMO demandassessment

  16. Benefit analysis • Student perspective: saving time in doing procedures, incl flexible timetables, • travelling time (ifabroad) • travelling time (ifalready in other country) • waiting time • facetoface ID verification and durationofprocess – 10 min • doc and attributecollection (1 day) • Admin perspective: avoiding manual entry of data (time plus less errors) • 30 min/per user + copy cost • reduction of processing cost • Indirect and qualitative benefits: lower tuition fees, richer knowledge sources / educational content presentation, more results-oriented and pragmatic learning , enhanced chances of employability, breaking barriers across European HEIs, reputation benefits, direct for HEI digital inputs, save on info processing

  17. WiderBenefitsContext EUROPEAN SINGLE DIGITAL MARKET eIDAS regulation on electronic identifications & trust services High security requirements “be digital, open and cross-border by design” Andrus Ansip, European Commission Vice-President for the Digital Single Market Harmonizedeuropeanregulations Individual Government Business Transparency and accountability Building up trust and speeding up the transition to a digital economy Juridical value

  18. Feasibility – three alternatives • Establishment of new HEI-specialized eIDAS brokers for specific groups of e-services, or specific group of HEI • Addition of ESMO functionalities to an existing eID brokerage platform • Convergence of ESMO functionalities with the related projects or results

  19. Cost analysis • Howmuchwoulddevelopmentof a NEW eIDASconnectivitybroker and/orattribute Exchange hub (i.e. howmucheffortdidwespenton ESMO)? • Howmuchwould HEI e-servicecustomisation and integrationwitheIDAScost? • Howmuchwouldoperation and maintainancecostforbothstakeholders: ESMO huboperator and for HEI admin of e-services? Minimum 10-15 PM Minimum 2,5-4 PM About 2-4 PM and 0,5-1 PM respectively

  20. Motivationforserviceproviderstojoin ESMO Completeness I need a complete solution for eIDAS connectivity and Education attribute aggregation from various EU member states Reliability & Scalability I need a reliable and scalable software solution, able to handle steady growth and peaks in authentication and aithorization 1 2 Compliance I need to be compliant with the eIDAS regulation and adaptable to the future ones. Smooth integration I need an easy integration withmyexistingstudent information system and do not want to worry about cost of adaptation. 4 3

  21. Index ESMO Sustainability in the Higher Education Domain (Ross) Cost benefit Analysis (Aljosa) Risks and SWOT analysis (Francisco)

  22. SWOT: Strengths • Unbound Attribute Aggregation • Multi-protocol translation • Scalability by design • Security and Privacy by design • Modularity and flexibility • Minimise impact and costs on existing services and APs • Network has flexible topology • Network can be exported or extended to other sectors

  23. SWOT: Weaknesses • Willingness to adhere strongly dependent on existing APs and published data • Attribute set availability and compatibility across APs • Specific solutions depend on the availability of specific data, even having an AP does not guarantee it will agree on implementing and sending a needed attribute. • Potential uses still not mature enough among stakeholders, despite interest is arising (the complex use cases we solve, have a low incidence). • Being a too general solution so we cannot coordinate a specific response • No specific AP interfaces, just recycling. No agreement on it (openAPI?, Open banking:PSD2) • Complex solution, many jumps and actors. • Generic and non-optimised user experience (too abstract concepts of attribute, data source, etc.). • Multiple authentication

  24. SWOT: Opportunities • DG-CNECT has started considering the potentials of DSA over eIDAS network, our solution is a candidate for a gradual and flexible adoption. • SURFNET was considering a use case of academic attribute transfer that can be resolved using ESMO. • Engage on similar communities, like Simple Saml PHP, Keycloack or FIWARE, as we can offer a compatible solution with added value. • EWP will become mandatory, so their network will increase usage. Publishing our Service APIs there is key in positioning and in following the Single Point of Entry doctrine. • Being a front-channel process facilitates compliance with GDPR and is aligned with the single marked strategy. • eIDAS profile: add personal data, especially biometrics: photo, fingerprint...

  25. SWOT: Threats and Risks • eIDAS infrastructure delays/instability • Low levels of eIDAS credentials availability/use among academic population • Not converging with other initiatives with similar goals • Lack of interest from sector governance bodies • Not attracting adopters by not being able to define specific use cases we are a solution to • Not attracting enough data providers

  26. SWOT: Threats and Risks • Need to have trusted relationship with APs so to avoid 2nd login where possible or usability could be an issue • Culture of getting local credentials for all, not overcome yet, nor in the near future • The more complex attributes get, the bigger the semantic inconsistencies. Need for harmonisation work across institutions

  27. Index ESMO Sustainability in the Higher Education Domain (Ross) Cost benefit Analysis (Aljosa) Risks and SWOT analysis (Francisco) ESMO beyondeducationdomain (Aljosa)

  28. Identity Broker service Service Provider 1 Service Provider 1 Service Provider 1 Service Provider 2 Service Provider 2 Service Provider 2 Service Provider 3 Service Provider 3 Service Provider 3 EmergingeIDusagemodels Identity Provider Service Separate Proofing from Authentication Identity Broker Service Identity Provider Infrastr. Identity Provider 1 Identity Provider 1 Identity Provider 2 Identity Provider 2 Identity Provider 3 Identity Provider 3 Identity Provider 1 Identity Provider 2 Identity Provider 3 Approaches • Do not manage the Identities • Not responsible for Identity Proofing, Credential Management and Authentication • Manage the Identities • Responsible for Identity Proofing, Credential Management and Authentication • Manage the Identities • Responsible for Credential Management and Authentication • Not responsible for for Identity Proofing Effect

  29. Whatabout atributes? • What is a market for ESMO? • The product? • Attributes are stored in various databases around the world • Example product: digital badges for professional qualifications • The customers? • The Online Service Providers… but also emerging Attribute Brokers • Example: ID DataWeb ( Attribute Exchange Network (AXN) • In the future we might have e-attributes marketplace • ESMO can play the role of enabler What do we know about attribute release in the physical and cyber world? Peopleare at the centre of theattribute market, and any solution should be user-centric and compliant with GDPR CONTROL • Placessuch as shops, hospitals, factories, offices and the home, influence the way that people release their attributes and interact with the digital and physical service providers. • CONTEXT • Platformsprovide the “closed” spaces for attribute release mainly to enable more personal services, but also community-based services (e.g. sharing) • INCENTIVES

  30. The Roadmap to ESMO adoption Incentives, Awareness Context driven Business Case Cost-benefit analysis ESMO Technology Add-on services Control of Attribute Release

  31. Decisionmakingsupport Transformed experiences Reduced cost • Simplified management – less complexity • Reduce infrastructure & license cost – ESMO is open source • Reduce GW operation and service adaptation cost • Reduce incidents & support cost – shift these the the third party (ESMO GW operator) • Lower initial investment for eIDAS connectivity • Simple use of services by cross-border users with their “native” notified eID • Secure sharing of attributes inside and outside of your business sector. • Simplified help and support from external operator

  32. Why do wealso look beyondEducationdomain? • Value of ESMO concepts (e.g. DSA – Domain specific Attributes or GW2GW), architecture and components is also considerable for other sectors • Contribute to evolution of project results, transferability and scalability • Exploration of opportunities e.g. sector-specific versus universal e-ID brokers • Sustainability through shared (maintenance resources with other communities • Link to other projects or initiatives (SEAL, FIWARE, mobile eID), to increase visibility, or as part of the sustainability and road mapping efforts

  33. BenefitsforFinance sector • Compliance with KYI (Know Your Customer) with assured eIDAS attributes and additional DSAs from trusted network .

  34. Benefitsforany sector

  35. Whereto look forcollaborations? • Public sector • Cross-border service context • Innovation ecosystems (e.g. capability-based access control)

  36. Howtosolveattributereleaseproblem? • In many domains there is an issue of attribute release policy and trusted attribute Exchange. Sometimes there is specific hub and spoke solution, other times user is asked to provide self-asserted attributes • In Digital onboarding attribute collection and aggregation play fundamental role • Challenges are both technical and policy/trust • KYC attributes for example are required for risk, anti-fraud or suitability evaluations • Blockchain could solve issue of accountability for self-asserted data • eIDAS TSP would link real ID with digital ID of self-asserted issuer

  37. Howtoattract AP • Different identity attributes are used for residents and non-residents. • Differences in the verification mechanisms • Manyattributeproviders do nothavemeansormotivationtoconnectto AXN or GW • The GSMA MC4US project focused on a mobile network and financial sector. • − Identifying attributes needed to support processes such as AML and KYC, and to validate the process by which to trust the Operator’s data. • − Mapping eIDAS to US, Canadian, and UK identity frameworks

  38. Conclusions • e-ID and DSA exchange can be cross-border business enabler, • There are many risks that prevent investment in eIDAS connectivity from service provider side: • the complexity and volatility of European eID ecosystem • the reliance on governmental infrastructure, • economics of scale, • user acceptance model, • cost of integration and maintenance etc. • ESMO model is based on idea of sector-specific gateways that would be operated by eID brokers Compliance Market growth Flexible configuration For all public sector organisations including public HEI For service providers that have cross-border business or want to expand No need to renew and adapt for each new attribute provider Tech shift Innovation API Economy Get ready for multi-channel e-ID and service provision Attributes are another type of data so data-driven innovation is also a target ESMO business case is related to providing functionalities through API (like Open banking there should be Open EDU API)

  39. Index ESMO Sustainability in the Higher Education Domain (Ross) Cost benefit Analysis (Aljosa) Risks and SWOT analysis (Francisco) ESMO beyondeducationdomain (Aljosa) Recomendations and Roadmap (Francisco)

  40. Roadmap to maximize CEF eID uptake More efficient services More effective services Enabling transformation Additional value propositions: Better Services More users Cost savings CEF eID and ESMOuptake strategy Awareness Interest Credibility Reference institutions adoption Partnerships More promotion Software Maintenance open community

  41. Partner Commitment • Short-term to mid-term sustainability key is us. • Critical tasks in this sense: • Maintain deployed services (at first, INEA requirement) • Maintain the deployed Gateways • Gateway code maintenance/improvement • Facilitate packaging and deployment, generate documentation • But we can use an extra hand • Open Source Community

  42. Roadmap draft • Year 1: • Partner maintenance and minor improvement • Release and distribution of the code • Define network adherence roles, procedures and requirements • Dissemination and contact with potential adopters (bottom-up) • We need to define a strategy where adoption as a SP requires adoption as AP • Alignment with other initiatives (EWP especially, EMREX, EID4U, Studies +) • Collect feedback to improve usability

  43. Roadmap draft • Year 2: • Use results to seek sector governance bodies backing (top-down) • Start a software community around the Gateway • Negotiate the transfer of the Gateway operation to a education sector national level entity (target: NRENS) • Seek to secure additional resources for GW development • Reassess sector needs to plan the improvements over the code • Effective collaboration with EWP and the other initiatives • Promote potential use cases linking academia and job search sector (Linked-IN, EduPass)

  44. Roadmap draft • Year 3+: • Depending on the acceptance, gradually escalate code improvements, and organise community maintenance • Dual approach: keep up with dissemination and contact with potential adopters (bottom-up) and keep pushing for sector governance bodies backing (top-down) • Promote the deployment of other MS GWs • Keep seeking development support and resources • Regularly reassess sector needs to plan the improvements over the code • Keep the contact with the initiatives and plan collaborations accordingly. • Promote yearly assembly to coordinate and disseminate

  45. Recommendations • ESMO • Develop and distribute libraries to facilitate building ESMO microservices • Improve packaging and documentation • There is a knowledge gap on non-technical users • Seek adoption of the nodes by key entities on the sector (target: NRENs) • Seek code support by reference developers and institutions in the identity federation and management sector

  46. Recommendations • eIDAS • Enhance supported data set, include more personal contact info and biometric information (photo, fingerprint pattern) • Promote MS to notify other existing eID schemes, specially those more used/usable by citizens (regardless of being lower assurance) • To the possible extent, promote the adoption of non-targeted identifiers • Reinforce formation actions to close the technological gap on MS eIDs • Promote usage benefits among citizens

  47. Recommendations • Others • EMREX convergence • Provide authentication • Integrate National Point of Contact in Gateway • FIWARE convergence • FIWARE IDM integrated on Gateway • ESMO Gateway as source of profile information • Explore non-EU expansion • With data transfer agreements • Liability problems on the legal framework

  48. How to Join ESMO • Three roles • Developer • Operator of gateway • AP/SP integration • Developer • Contact ESMO team to participate on the steering meetings • Assess the effort that can be devoted and the available prioritised tasks

  49. How to Join ESMO • AP/SP integration • The HEI representative gets in touch with ESMO experts or contact • Joint assessment of needs and requirements about joining and/or deploying ESMO • Depending on the situation, HEI either does its own service adaptation to eIDAS or uses support from ESMO partners • Operator of gateway • Analyse which domain specific attributes are needed for the selected cross-border services • Analyse topology and governance details

  50. Thank you for your attention Francisco Aragó, Ross Little, Aljosa pasic GRANT AGREEMENT UNDER THE CONNECTING EUROPE FACILITY (CEF) - TELECOMMUNICATIONS SECTOR AGREEMENT No INEA/CEF/ICT/A2017/1451951