This presentation was provided by Ralph Youngen of The American Chemical Society, during the NISO event "Changes in Higher Education and The Information Marketplace." The virtual conference took place on June 17, 2020.
Introduction to ArtificiaI Intelligence in Higher Education
Youngen "Secure Remote Access to Scholarly Resources"
1. American Chemical Society
Secure Remote Access to
Scholarly Resources
Ralph Youngen
Senior Director, Digital Strategy
American Chemical Society
Changes in Higher Education & The Information Marketplace
NISO Virtual Conference
June 17, 2020 1
2. American Chemical Society 2
Background
• Community-driven efforts to improve remote access to scholarly resources
have been underway for the past five years.
– June 2015: Corporate librarians from the P-D-R (Pharma
Documentation Ring) hold a special meeting on Authentication
Technologies.
– 2016 – June 2019: NISO and STM sponsor the RA21 initiative.
– July 2019 – now: SeamlessAccess builds an operational service
based upon the findings from RA21.
– December 2019 – now: GetFTR service streamlines pathways to
authentic scholarly content.
5. American Chemical Society 5
Challenge: 1990s Authentication
• Today, the predominant method for
validating access to scholarly content is by
IP address recognition.
“Search and discovery have reached a level of maturity and status quo, yet our shared
systems for authentication are out of step in today’s information economy and reinvented
access controls are in immediate need of our collective attention.”
“I counted more than a dozen talks on link resolvers, RA21, open access and other sales
models. …the buzz of the conference was pointing to a brave new future in access
controls.”
6. American Chemical Society 6
Community Responses
• Two industry efforts are working to modernize authentication pathways:
7. American Chemical Society 7
Federated Authentication
(a.k.a. SAML, Shibboleth, OpenAthens)
GetFTR and
SeamlessAccess
both utilize
federated
authentication.
Key Concept:
Identity providers (e.g.
universities) control
the information about
its users (called
attributes) that get sent
to service providers.
8. American Chemical Society 8
GetFTR
• A new service under development by leading scholarly publishers to simplify
pathways from research discovery tools to authentic scholarly content.
• Provides on-the-fly verification of a user’s entitlement rights based upon the
user’s institutional affiliation.
• Targeted at any service where a researcher might conduct a literature search:
– Research discovery tools
– Scientific collaboration networks
– Library resource management systems
– Etc.
9. American Chemical Society 9
GetFTR (cont.)
• Returns “smart links” customized for the user’s institution.
• These links work regardless of the user’s physical location.
– If connected to a campus network, publisher grants
access based upon IP address.
– If away from a campus network, institutional access
is provided via federated authentication.
11. American Chemical Society 11
SeamlessAccess
• Operational successor to the RA21 initiative.
– RA21 initiative concluded with the
publication of a NISO Recommended
Practice, June 2019.
• SeamlessAccess is now building an
operational service based upon the RA21
recommended practices.
12. American Chemical Society 12
SeamlessAccess: An Improved User
Experience
Information about user’s
institution(s) saved in the local
browser
Trusted service providers are
able to access this institution
data
Reduces the number of times
a user must search for their
institution
14. American Chemical Society 14
COVID-19: Expanding Federated Access
“As you may know, a new outbreak of coronavirus has recently occurred in China. … all students are required to
study online at home. However, now traditional remote access faces significant pressure by the limitation of VPN
capacity … CERNET is actively promoting service providers to join CARSI (CERNET Authentication and Resource
Sharing Infrastructure) to help users access … CARSI bases on the Shibboleth system, it’s among the world’s most
widely deployed federated identity solutions”
February 2020:
March 2020:
15. American Chemical Society 15
ACS Publications’ Experience
Significant increase in federated
access since COVID-19 due to:
• Shift in demand for remote
access due to campus
closures
• Deployment of the
SeamlessAccess user
experience on March 1, 2020
• Expansion of institutions
enabled for federated access
16. American Chemical Society 16
Attributes: Key to Privacy
Many universities send personally identifiable attributes even though ACS doesn’t request them.
– A bug on the ACS site displayed the user’s first name if supplied via attributes:
– Now corrected even if personally identifiable attributes are received:
– SeamlessAccess is sponsoring an Entity Categories and Attribute Bundles Working
Group to help universities select the appropriate attribute set for a given service.
• Authorization Only (no attributes), Anonymous, and Pseudonymous
• Pseudonymous identifiers will be critically important to assist campuses with
credential theft.
17. American Chemical Society 17
Remote Work Drives Sci-Hub Use
• 75% increase in Sci-Hub traffic during COVID-19 (Jan – May 2020).
19. American Chemical Society 19
Sci-Hub’s Scale
“The scale of Elbakyan’s operation has led
experts to conclude that she is not
operating alone and must have the
approval of the Russian government.”
“It’s unclear whether Elbakyan is using
Sci-Hub’s operations in service of Russian
intelligence, but her critics say she has
demonstrated significant hacking skills by
collecting log-in credentials from journal
subscribers, particularly at universities,
and using them to pilfer vast amounts of
academic literature.”
20. ~42%
of compromise is from U.S.
universities*
373
Universities have been
compromised*
>90%
of compromise* is through
Proxy services
Sci-Hub exploits the sentiment around open access to research articles
in order to:
• Get researchers/students to share university login credentials for access to
scholarly research platforms
• Steal & openly share login credentials in dark web forums
Serious Threat to the Research Ecosystem
*April 2019 – March 2020 data
University
#of
successful
breaches
University
#of
successful
breaches
University
#of
successful
breaches
University
#of
successful
breaches
University 1 27450 University 14 6912 University 27 3231 University 40 830
University 2 26240 University 15 6898 University 28 3060 University 41 790
University 3 18212 University 16 6398 University 29 2931 University 42 661
University 4 14807 University 17 5310 University 30 2889 University 43 539
University 5 13149 University 18 5310 University 31 2870 University 44 511
University 6 12936 University 19 4887 University 32 2540 University 45 478
University 7 12453 University 20 4577 University 33 2466 University 46 426
University 8 11988 University 21 4401 University 34 1972 University 47 412
University 9 9430 University 22 4323 University 35 1604 University 48 403
University 10 8497 University 23 4176 University 36 1436 University 49 378
University 11 8303 University 24 3571 University 37 1198 University 50 325
University 12 7715 University 25 3278 University 38 1023
University 13 7318 University 26 3268 University 39 932
21. • During COVID-19,
students and faculty
working remotely are at
increased risk because
they are beyond the
reach of some campus
security measures.
Increased Phishing Risk During COVID-19
24. American Chemical Society 24
Better Data is Needed
• Campus IT often has difficulty identifying the actual user with
potentially compromised credentials based upon information
publishers can provide.
• Pseudonymous identifiers would help dramatically.
– Privacy preserving identifier corresponding to a real university
patron
– Included in federated authentication planning
• Must be enabled by universities
– Sorely needed for proxy users
• Discussions with OCLC underway for EZproxy
25. American Chemical Society 25
Final Thoughts
• Researchers, just like typical Web users, tend toward simple and
straightforward pathways.
• While working remotely, Sci-Hub is often the simplest and most
straightforward pathway to access scholarly content.
• GetFTR and SeamlessAccess are creating pathways that are easier
to use than Sci-Hub.
• Collaboration between the academic library community, campus IT,
and scholarly publishers is key.
This journey to improve remote access to scholarly resources began five years ago.
Ralph
Ralph
Ralph
Ralph
Ralph
Ralph
Ralph
SNSI – Is an example of a collaboration that is already existing. Officially as SNSI, this group has existed since 2017 and is made up of 16 different publishers. Not all shown here…... A combination of forces are needed to protect institutions from cyber-attacks and the threat Sci-Hub poses – that’s why The Scholarly Networks Security Initiative (SNSI) was formed.
The SNSI is made-up of academic publishers, representatives of the librarian community, societies, and trade organizations.
Members of the group are taking legal action, technical steps, and are taking part in various initiatives with universities around the world to address the threat Sci-Hub poses.
Ultimately, we want to work together better to address challenges of balancing security and simple authentication methods from multiple locations and devices to better protect institutions. We hope that others will join us in the collective outreach. We want to work collectively to address questions like: What support do librarians need from publishers. How can we bridge the gap of communications between the library at IT/ITS. How can we effectively balance the need for access and the need for security and data protection? How can we help IT security within institutions in designing systems that meet both researcher and organisational goals?