ACS CAP IT Security team meeting - April 5, 2011

Attendees: James King (chair), Jonathan Morgan (ACS), Sara Rouhi (ACS), Norah Xiao (USC)

The group first reviewed the notes of the January meeting and agreed that the group was charged with three tasks:

1) What are the industry best practices related to authentication and access?

2) What could change or dramatically affect these best practices in the next 2-3 years?

3) What are customers' ideal expectations when it comes to authentication, access, and abuse mitigation?

Sara suggested that we should add post-cancellation rights to our list of topics to address.

To learn the best practices, we decided to reach out to 10 publishers and gather what we can about their implementations of authentication and access.  The 10 publishers and the team members who will contact them are:

• AAAS (Sara)

• AIP/APS (Norah)

• Elsevier (Norah)

• IEEE (James)

• Nature (James)

• OSA (James)

• PNAS (Sara)

• Royal Society of Chemistry (Norah)

• Springer (James)

• Wiley (James)

Note that Sara will be contacting another ACS CAP member to contact these publishers to reduce potential conflicts.

We also discussed what we want to gather from each of the publishers and agreed to the following:

1) What IP blocking techniques do you use? (Jonathan will provide a list of the top four and we will also include an “other” option)

2) What authentication methods do you support (IP authentication, OpenID, etc. – what other ones to add?)

3) If a potential abuse is flagged, how do you respond?

     a. Notify primary POC

     b. Block access to that address

     c. Block access to entire domain

     d. Throttle access down

     e. ?

4) If a block is implemented, what is the process to restore access?

5) How do you support non-IP based access?

6) How are you supporting mobile device access to content?

7) How are you supporting remote access to content?

8) How do you handle post-cancellation rights?

     a. Lose access to all online content

     b. Provide a disk with subscribed content

     c. Retain online access to specific years and titles subscribed during online subscription term

     d. Retain online access to all titles from online subscription start date until cancellation date

     e. Retain online access to all current and archival content up through last subscription year

9) How has new technology like federated search and download harvesters like Quosa and PubGet affected your access blocking?

We agreed that in return for a publisher sharing their information, we would provide a summary of the best practices we found.  This summary will be reviewed and vetted by the team (and ACS) first.

Regarding non-IP access, Sara mentioned that Cornell has developed and is starting to use ‘passkey’ (https://confluence.cornell.edu/display/CULLABS/Passkey+Bookmarklet), which looks to be a bookmark that is loaded on the client's computer and embeds the icon on licensed resources.  When clicked while off-site, it prompts for the Cornell Web login.

Finally, Sara is planning a round of customer focus groups and will include a question to librarians about their ideal expectations when it comes to authentication options and responding to online abuse detection.
