Identity and Access Management
June 9 – 10, 2016
Jared Galbraith and Andrew Hamilton
IAM
- Our need to store and access data keeps growing.
- Job performance and success depend on two things: which identity you have, and how you obtain the access you need.
- A successful community runs a flexible, heterogeneous environment.
- An identity environment that is both safe and easy to use is essential; safety and ease of use are its essence.
- If everyone used the same systems they would be easier to manage, but it would be harder to meet everyone's needs.
Current State of Provisioning
Challenges of Current State
- Complexity: multiple accounts and passwords
- In-house development: the primary user-portal developer left; maintenance of the code has been minimal
- Manual provisioning: spelling typos, dirty data
- Only daily syncs from Banner: long provisioning times
Self Service – User Portal
- netid.unm.edu to claim an account (user's choice of NetID)
- Reset passwords: the rigid question/answer scheme is hard to remember; SMS verification, one-time passwords etc. are missing
- Initiates the synchronization process: communicates with PUB, which pushes accounts and passwords to AD, LDAP et al.
Admin Portals
- netid.unm.edu (admin): user verification, password resets; high load on the service desk
- LAMB: guest account creation, troubleshooting, audits and logging, Unix groups, quota and home directory
- Others: the Support Center/Accounts Office has to use other portals to look up information
Authorization
- Auto-populating groups based on Banner data; correlations based on external factors should be considered
- Access requests: a workflow process to bridge the gap
- Manually configured exports
- Applications use their own code and process for access; groups create custom mechanisms
Banner system groups expose the basic organizational structure. A convenient web portal allows Banner access requests and self service. Lobocloud approvals give oversight of access activity while decreasing the time to production. Better integration with third-party tools would eliminate the need to expose Banner data via exported files and reduce the need to create custom processes.
Current Authentication
The sprawl shown (diagram) emphasizes how identities are pulled from disparate repositories. Which account to use, and how to request access, is different for every environment and application.
Authentication – Challenges
- Direct connections to directories: no standard or control
- No administrator/developer guidance on which technology to use
- Multiple authentication portals (CAS, AD FS, Shibboleth)
- Limited flexibility for new technologies; missing: OpenID, OAuth 2.0, 802.1X, PKI
Many authentication sources are direct connections to LDAP, AD or databases, so each application handles the user's password itself. Standards and direction should be unified. Multiple authentication portals are in use, which is confusing for users and susceptible to social engineering: when the legitimate login page can look several different ways, a phishing page is harder to spot.
Future Directions
- Exploring implementation of off-the-shelf products
- Fewer tools required by support staff
- Closer integration with Banner
- Unified access portal for authentication
- Authorizations based on roles
- Project started to investigate options
Provisioning – Goals
- On-demand provisioning: automated and error free, just in time
- React to changes in identity sources right away instead of daily reconciliation
- Reduce dependence on one person's knowledge
- Reduce in-house customized code/scripts
- Consume multiple identity sources
- Better prepared for future enhancements
- Clean up directories; establish property ownership
Future State of Provisioning
Self-Service Enhancements
- User portal: commercial off-the-shelf solution; enhanced security features such as SMS and OTP; integration with the provisioning system
- Admin portal: more granular delegation options; fewer places to look for information
Authorization Extensibility
- User access requests for resources
- Web-based portal for delegation and registration
- Role-based modeling: provision resources based on business function
- Workflow: self-service registration with oversight and management approvals
- Periodic confirmation of responsibility
Jobs are the 'what': the tasks, duties, accountabilities, responsibilities or objectives of a position. Roles are the 'how': the behavior by which the 'what' gets accomplished. Two departments may post very similar jobs but have different behavioral expectations.
Authorization Modeling
- A person's account carries the responsibility for 'owning' or sponsoring another account. What happens when they leave? Notifications, renewals. An organizational entity needs to take over if that person leaves.
- Part of the InCommon and MS federations.
- Building our own UNM federation with new hosted services.
- Interested in building an NM federation to ease collaboration with other schools and partners.
Predictive Modeling
- Unstructured data mining
- Proactive design
- Governance
Role-based behavior is the behavior required to perform a specific role within a specific position/job/function, defined within a specific organizational culture. Does someone suddenly have access to something they shouldn't? Is your account being used somewhere without your knowledge? Do you know how users store data and collaborate with others?
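The role-based provisioning described under Authorization and Authorization Extensibility, and the "does someone suddenly have access to something they shouldn't?" question above, come down to the same computation: derive each account's expected groups from its identity-source record, then diff that against what the directory actually holds. The following is an added example written for this page, not UNM's code or any product's; the record layout, role rules, group names and sample accounts are all hypothetical and constructed for the illustration.

```python
"""Added example (not UNM's code): role-based group derivation from an
identity-source record, reconciled against what the directory holds.
Record layout, role rules, group names and sample accounts are all
hypothetical, constructed for this illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    """One record from the authoritative identity source (Banner-like)."""
    netid: str
    affiliations: FrozenSet[str]      # e.g. {"student"}, {"employee"}
    department: Optional[str] = None
    sponsor: Optional[str] = None     # sponsoring netid; set for guest accounts


# role name -> (does this person hold the role?, groups the role grants)
ROLE_RULES: Dict[str, Tuple[Callable[[Person], bool], Set[str]]] = {
    "student":  (lambda p: "student" in p.affiliations,
                 {"students-all", "wifi-access"}),
    "employee": (lambda p: "employee" in p.affiliations,
                 {"staff-all", "wifi-access", "vpn-users"}),
    "it-staff": (lambda p: "employee" in p.affiliations and p.department == "IT",
                 {"vpn-users", "helpdesk-admin"}),
    "guest":    (lambda p: p.sponsor is not None and not p.affiliations,
                 {"wifi-access"}),
}


def roles_for(person: Person) -> Set[str]:
    return {role for role, (holds, _) in ROLE_RULES.items() if holds(person)}


def expected_groups(person: Person) -> Set[str]:
    """Groups the person should hold: the union of what every role they hold grants."""
    groups: Set[str] = set()
    for role in roles_for(person):
        groups |= ROLE_RULES[role][1]
    return groups


def plan_for(person: Person, actual: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(groups to add, groups to remove) for one account. Calling this the
    moment a source record changes is the just-in-time variant; calling it
    for every account is the daily reconciliation the slides want to retire."""
    expected = expected_groups(person)
    return expected - actual, actual - expected


def reconcile(source: Dict[str, Person], directory: Dict[str, Set[str]]) -> dict:
    """Full pass over source and directory.
    add/remove: per-account provisioning actions; 'remove' is access no role
    explains, i.e. the answer to "does someone have access they shouldn't?".
    orphaned: sponsored accounts whose sponsor no longer exists in the source.
    unsourced: directory accounts with no identity record at all (cleanup)."""
    report: dict = {"add": {}, "remove": {}, "orphaned": [], "unsourced": []}
    for netid, person in source.items():
        add, remove = plan_for(person, directory.get(netid, set()))
        if add:
            report["add"][netid] = add
        if remove:
            report["remove"][netid] = remove
        if person.sponsor is not None and person.sponsor not in source:
            report["orphaned"].append(netid)
    report["unsourced"] = sorted(set(directory) - set(source))
    return report


# Constructed sample data (not real accounts).
SOURCE: Dict[str, Person] = {p.netid: p for p in [
    Person("jdoe", frozenset({"student"})),
    Person("asmith", frozenset({"employee"}), department="IT"),
    Person("bjones", frozenset({"employee"}), department="Registrar"),
    Person("guest42", frozenset(), sponsor="bjones"),
    Person("guest43", frozenset(), sponsor="cleft"),   # sponsor has left
]}
DIRECTORY: Dict[str, Set[str]] = {
    "jdoe":    {"students-all", "wifi-access", "vpn-users"},   # vpn-users unexplained
    "asmith":  {"staff-all", "wifi-access"},                   # missing IT entitlements
    "bjones":  {"staff-all", "wifi-access", "vpn-users"},
    "guest42": {"wifi-access"},
    "guest43": {"wifi-access"},
    "oldacct": {"staff-all"},                                  # no identity record
}

if __name__ == "__main__":
    for key, value in reconcile(SOURCE, DIRECTORY).items():
        print(key, value)
```

The 'remove' and 'orphaned' lists are the review queue: an entitlement that no role explains is either a legitimate exception that needs a recorded approval in the workflow, or the drift the slides are worried about. Running plan_for on a single changed record is what "react to changes right away" means in practice.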
Authentication Goals
- Reduce direct access to directory services (AD/LDAP); eliminate direct binds
- A single portal for authentication
- Provide a path to enable future authentication services
- Increase community collaboration through user groups; establish user forums to elicit community feedback and integrate other needs
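What "eliminate direct binds" and "single authentication portal" mean for an application: instead of taking the user's password and binding to LDAP or AD with it, the application redirects the browser to the central portal, gets back a short-lived ticket, and asks the portal server-to-server whether that ticket is valid. The following is an added example, written for this page rather than taken from UNM or from any CAS implementation, showing the application side of CAS service-ticket validation (the XML format of the CAS protocol v2/v3 serviceValidate response). The hostnames, the fetch callback and the two sample responses are hypothetical and constructed for the illustration.

```python
"""Added example (not UNM's code): the application side of CAS service-ticket
validation. The app never handles the password; it redirects the browser to the
central portal, receives a ticket, and asks the portal to confirm it.
Hostnames, the fetch callback and the sample responses are hypothetical."""
import xml.etree.ElementTree as ET   # prefer defusedxml.ElementTree in production
from typing import Callable, Dict
from urllib.parse import urlencode, urlparse

CAS = "{http://www.yale.edu/tp/cas}"   # namespace used by CAS XML responses


def validate_url(cas_base: str, service: str, ticket: str) -> str:
    """URL the app calls server-to-server. 'service' must match the URL used
    in the login redirect exactly, otherwise the CAS server rejects the ticket."""
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validation(xml_text: str) -> Dict:
    """Turn a serviceValidate response into {'ok', 'user', 'attributes'} or
    {'ok': False, 'code'}. Anything that is not a well-formed CAS response is
    treated as a failure, never as a login."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS + "serviceResponse":
        return {"ok": False, "code": "MALFORMED"}
    success = root.find(CAS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS + "user")
        if not user:
            return {"ok": False, "code": "MALFORMED"}
        attrs: Dict[str, list] = {}
        block = success.find(CAS + "attributes")
        if block is not None:
            for attr in block:   # repeated elements become multi-valued attributes
                attrs.setdefault(attr.tag.replace(CAS, "", 1), []).append(attr.text or "")
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find(CAS + "authenticationFailure")
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    return {"ok": False, "code": code}


def login_from_ticket(cas_base: str, service: str, ticket: str,
                      fetch: Callable[[str], str]) -> Dict:
    """Validate the ticket the browser brought back. 'fetch' performs the HTTPS
    GET and returns the body; it is injected so the example runs offline."""
    if urlparse(cas_base).scheme != "https":
        raise ValueError("CAS validation must go over HTTPS")
    if not ticket.startswith("ST-"):       # service tickets only; never a TGT/PGT
        return {"ok": False, "code": "BAD_TICKET"}
    return parse_validation(fetch(validate_url(cas_base, service, ticket)))


# Constructed responses, in the shape a CAS server returns.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
      <cas:eduPersonAffiliation>student</cas:eduPersonAffiliation>
      <cas:eduPersonAffiliation>member</cas:eduPersonAffiliation>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-bad not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_cas(url: str) -> str:
    """Stand-in for the HTTPS call: accepts exactly one constructed ticket."""
    return SUCCESS_XML if url.endswith("ticket=ST-ok") else FAILURE_XML


if __name__ == "__main__":
    print(login_from_ticket("https://cas.example.edu/cas",
                            "https://app.example.edu/login", "ST-ok", fake_cas))
```

The application only ever learns the NetID and released attributes; the password stays with the portal, which is what makes a single portal a defensible phishing target and removes the per-application LDAP bind code the slides list as a challenge. Two checks matter in practice and are easy to skip: the validation call must use the same service URL as the login redirect, and the result of a ticket validation must not be cached or accepted twice, since service tickets are single-use.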
Unified Experience
Official applications should be accessed through the official enterprise SSO (eSSO).
Questions?