Release Date: January 2021
This release is one of the biggest releases of EZproxy to date. It introduces powerful new features that improve your library’s security posture, offer significant time savings, and provide more continuous access to your e-resource subscriptions.
This release includes the following features:
See more details about these features below.
EZproxy now uses a sophisticated security rules engine to automatically detect and disable compromised single sign-on credentials in real time. It uses a consistent syntax and is designed to:
Previously, you may have been notified of compromised single sign-on credentials after the fact by IT or a content provider, potentially interrupting access. To find them, you had to manually search log files. This manual work is no longer necessary, and you can partner better with IT to proactively mitigate data breaches that interrupt access and compromise patron privacy.
New detection triggers provide a more secure operating environment
While some detection triggers already exist in EZproxy, this feature adds the following new detection triggers:
Read more about the new detection triggers here.
Enforce rules to either log or block end user accounts when triggered
The new security rules engine has two enforcement modes:
End user accounts that have been blocked can be unblocked at any time or exempted from rules if needed.
The security rules engine ships with a combination of both “logged” and “blocked” enforcement modes. Read more about the default enforcement modes here.
Augment rules to support your library’s unique security needs and goals
Security rules can be tuned to meet your library’s workflows. Read more information on tuning your rules here.
We have added new pages and capabilities to the EZproxy Administration site so your library can take full advantage of the new security rules engine. You can now access a “View security rules” page and corresponding subpages in the “Current Activity” section to:
These updates to the EZproxy Administration site help you effectively manage the new security rules engine to enhance network security, partner better with IT, and provide a more seamless end user experience.
View a summary of rules and tripped events on the “Security Rules” page
The new “Security Rules” page provides a summary of your library’s security rules. You also have the ability to view more detailed information about tripped events for each rule in the “Tripped” column.
Note: You can only change security rules in the Config file. See the documentation for more information.
View and manage rule exemptions on the “Security Exemptions” page
The new Security Exemptions page provides a summary of your library’s security rule exemptions. You can update or delete an existing exemption by clicking on the user ID in the User column and add a new exemption by clicking Add Exemption.
User ID and expiration date are required fields to add a new exemption, and you can optionally add a comment to record the exemption reason.
Better understand tripped rule events on the “Tripped Security Rules” page
The new Tripped Security Rules page provides a comprehensive view of tripped security rule events. Here, you can see information like who tripped a rule, when, and how many times. Click an event number in the Observed column to see more detailed security evidence.
You can also filter tripped events by rule enforcement mode and other categories. Read more information about the security rules administrative pages here.
You can now enable a pseudonymous user identifier feature in EZproxy to resolve security issues faster and streamline access. If enabled, a pseudonymous user identifier is sent with every EZproxy request via an HTTP header to content providers that have signed a data protection agreement with OCLC. It has been developed to preserve patron privacy. Read more here.
This optional feature saves you time and streamlines access by:
Previously, content providers may have turned off database access to protect licensed e-content when they suspected a data breach, interrupting access for all library users. Then, you had to manually search log files to find the compromised credentials. If this feature is enabled, content providers can better determine an unauthorized user, avoid turning off database access for all library users, and share a unique identifier to help you find the compromised credentials faster.
The pseudonymous user identifier feature requires configuration to enable
To enable this feature you will need to set the Identifier Secret.
For hosted sites, your library will first have to agree to new OCLC Terms and Conditions prior to OCLC setting the Identifier Secret. OCLC will contact hosted sites for details on the process.
For self-hosted sites, your library will have to agree to the new OCLC Terms and Conditions presented on the OCLC web site when you download EZproxy V7.1, before you set the Identifier Secret.
We have added new pages and capabilities to the EZproxy Administration site so your library can take full advantage of the pseudonymous user identifier feature. You can now access a “View identifiers” page to enter an identifier in the search box and find compromised single sign-on credentials.
If you have the pseudonymous user identifier feature enabled, this update helps you more quickly find compromised credentials and contact library users so they can reset their passwords or follow other security protocols.
1. Rules may trip falsely if a site uses Shibboleth authentication and usernames are not set in shibuser.txt.
If the EZproxy session variables login:loguser and login:user are not set in shibuser.txt, the default username for all users authenticating via SAML becomes “shibboleth.” Because rules are tripped at the username level, every SAML user's activity is then counted against that one username, and false trips of rules may occur.
2. Rules with longer watch periods consume more disk space to store evidence.
Increasing a rule's watch period to 60 minutes or longer consumes more disk space in the /security directory, where the required evidence is stored in the security database. Please monitor disk usage in the /security directory.
Some of the default rules shipped in EZproxy 7.1 contain monitoring periods longer than 60 minutes. If you find you are having disk space constraints, consider commenting out those rules.
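The first known issue above is easiest to see with a small simulation. The following is an added illustration, not EZproxy code: a hypothetical per-username sliding-window rule (threshold of events inside a watch period, with "log"/"block" enforcement and exemptions) run over constructed events, first with distinct usernames and then with every SAML user collapsed to the default “shibboleth” username as happens when login:user is not set in shibuser.txt.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, username resolved from login:user,
# client IP), one per minute, six different patrons. Not real EZproxy log lines.
EVENTS = [
    (datetime(2021, 1, 15, 9, 0, 0) + timedelta(minutes=i), user, ip)
    for i, (user, ip) in enumerate([
        ("alice", "198.51.100.10"), ("bob", "203.0.113.7"),
        ("carol", "192.0.2.44"), ("dave", "198.51.100.11"),
        ("erin", "203.0.113.9"), ("frank", "192.0.2.45"),
    ])
]


def evaluate_rule(events, threshold, watch_minutes, mode="log", exempt=()):
    """Hypothetical rule: a username producing more than `threshold` events
    within `watch_minutes` trips the rule. Returns {username: action}, where
    action is the enforcement mode ("log" or "block"). Exempted users never trip.
    This mirrors the page's description (per-username evaluation, watch period,
    two enforcement modes, exemptions); the real engine's semantics may differ."""
    window = timedelta(minutes=watch_minutes)
    recent = defaultdict(deque)  # username -> timestamps still inside the window
    tripped = {}
    for ts, user, _ip in sorted(events):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop evidence older than the watch period
            q.popleft()
        if len(q) > threshold and user not in exempt:
            tripped[user] = mode
    return tripped


def collapse_to_default(events, default="shibboleth"):
    """Simulate shibuser.txt not setting login:user: every SAML session is
    recorded under the same default username, so activity is pooled."""
    return [(ts, default, ip) for ts, _user, ip in events]


if __name__ == "__main__":
    print(evaluate_rule(EVENTS, threshold=3, watch_minutes=60))  # {}: one event per user
    print(evaluate_rule(collapse_to_default(EVENTS), threshold=3, watch_minutes=60,
                        mode="block"))  # {'shibboleth': 'block'}: pooled activity trips
    print(evaluate_rule(collapse_to_default(EVENTS), threshold=3, watch_minutes=2))
```

With a 2-minute watch period the pooled events never exceed the threshold, which also illustrates why a longer watch period retains more evidence (and disk) for the same rule.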