The online information landscape is complex, with essential digital resources present in almost every industry – from academic to corporate research, healthcare to government. An organization’s collection of e-resources is central to its success. Any disruption in access can have a serious impact on business and on end users.
But where subscription-based content is available to the world at large, unscrupulous actors will invariably try to gain access through a variety of methods – anywhere from spoofing IP addresses to using social engineering techniques to obtain legitimate login details.
IP recognition has long been the most common method of accessing information from within organizational networks. However, this approach is subject to a number of limitations – particularly around security, transparency, and flexibility – explored in a new white paper from our partner, OpenAthens, 'Approaches to authentication: the importance of information security’.
In an environment where users were reliably located within an organization’s network, IP recognition worked well as a means of gaining access to secure information such as journal subscriptions – it was a straightforward approach that was widely embraced by institutions and identity and service providers alike. However, as internet access has become more ubiquitous and the amount of information available online has increased, the limitations and flaws of the system have become more apparent – IP recognition serves basic requirements for granting access to resources, but it is not designed from the ground up to address today’s challenges of security and transparency, or for the wider variety of usage scenarios that institutions and identity and service providers are asked to support.
“In working with a variety of publishers, partners, customers, and libraries; we frequently see access to research resources provided to members as a benefit of their affiliation. Part of this arrangement is typically that the institution or library will want to use their membership database to provide access to these resources. IP recognition simply doesn’t work in these situations. A comprehensive single sign-on solution is needed to connect multiple systems. If there is not a SAML based system to carry this authentication, publishers often have to implement stopgap measures or workarounds to prevent unauthorized usage. This results in struggles for the customer as well as an impedance on a good end user experience.”
-Timothy Lull, VP of Sales, Software as a Service, EBSCO Information Services
IP recognition also opens systems up to unique security risks: for example IP fraud, where a third party’s IP range is added to a legitimate subscription, granting them ‘free’ access to those resources without the knowledge of either the publisher or subscribing institution.
Due to its reliance on the user being within a physical network environment, or using proxy services (where traffic from within an organization is routed through a single IP address) to emulate that environment, IP authentication limits the mobility of your users which can in turn encourage bad behaviour like the use of open proxies, as well as severely limiting traceability. This can prove to be a problem if you need to investigate cases of persistent misuse of resources from an IP within your organization. Without further transparency, it is difficult – if not impossible – to track that misuse to an individual’s actions.
These limitations around tracking usage and gaining insight into user activity can also prevent making more informed purchasing decisions. In particular, proxy services make it impossible to track usage beyond the top-most level within a network, resulting in a lack of granularity that has serious ramifications for businesses that need to allocate subscription charges to particular cost centers. Further issues arise if there is more than one subscribing organization within an IP range, such as hospital groups; in these cases, IP authentication is not able to manage licenses for each individual institution. There is a similar problem if the subscribing organization has dynamic IP ranges in place.
Featuring commentary from industry experts, the white paper expands on the possibilities of SAML-based approaches for identity and access management.