Delivering, Sourcing, and Securing Services Throughout the Student Identity Life Cycle
Student Life Cycle and Identity Management
Mark McConahay, Sr. Associate Registrar, Indiana University Bloomington
Student Life Cycle and Identity Management (agenda)
Description; Transitions; Security and Services
Identity Life Cycle: Establishing a Relationship, Identity Proofing, Levels of Assurance, Credentials, Roles/Provisioning, Security Administration, Federating, Deactivation/De-Provisioning
Governance
Management “Advantages”: SSO (Single sign-on); Uniform administration of security
STUDENT LIFECYCLE (diagram: Prospect → Admitted → Enrolled → Graduate → Alumni → Donor)
Prospective Student → Admitted to Indiana University → Enrolled Student → Graduate of Indiana University → Indiana University Alumni → Donor to Indiana University
http://www.indiana.edu/~oem/
Student Life Cycle at IU
Prospective Student: Initial Contact (e.g., 8th Grade Soccer Camp); Hot Prospect (submitted test scores, interest); Applicant
Admitted to Indiana University: Admitted – not committed; Admitted – paid; Admitted – registered
Enrolled Student: Undergraduate/Graduate; Affiliations (Arts and Sciences, Business); Institutional employee; Candidate for Degree
Graduate of Indiana University: Commencement Candidate; Former Student; Inactive Student (non-operational)
Indiana University Alumni: Programs and affiliations
Donor to Indiana University
Student Life Cycle – Yeah, So What!
Place in life cycle defines: Services Offered; Admin Access; Security; Laws, Regulations, Policies; Unique Circumstances & Problems
Student Life Cycle and Relationship, Services and Access (diagram slide)
Student Life Cycle
Place (Affiliation/Role) in life cycle defines: Services Offered; Provision(s); Admin Access; Security; Laws, Regulations, Policy; Unique Circumstances & Problems
Digital Identity: Definitions and Specifications
Student “Identity” Management
An integrated system of business processes, policies, and technologies that enables organizations to facilitate and control their users’ access to online applications and resources, while protecting confidential personal and business information from unauthorized users. (IU IdM)
Identity and access management (IdM) ensures that the right people access the right services. (AACRAO/EDUCAUSE)
Student “Identity” Management – Why? (From: EDUCAUSE/AACRAO-TECH Workshop)
Security – Centralized management of identity information gets sensitive personal information such as SSNs out of localized departmental databases.
Reduces Duplicate Identity Information – Because IdM consolidates identity and related identifiers, it helps to reduce or eliminate the instance of individuals having duplicate identifiers across campus applications.
Seamless Services – Students experience faster access to new services as they move through their relationship life cycle from applicant to enrolled student to alumni. (SSO)
Consistent Application of Policy – IdM provides a central point for the application of access-related policy.
Save Time and Money – IdM saves money by reducing redundancy in supporting multiple identity databases.
Positioning for the Future – In today’s electronic environment, new opportunities will continue to surface to conduct business on-line. A robust IdM system will enable new ways of providing on-line services in a secure fashion as well as enabling seamless access to third-party applications.
Student “Identity” Management – Definitions (IU IdM Meetings)
Authentication: Establish that a particular request is associated with a specific real-world individual.
Authorization: Services or information the individual is entitled to access based upon their role or affiliation with the enterprise.
Directory: The aggregation of individuals along with their associated attributes and information germane to the enterprise.
Identifiers: An identifier is a character string that connects an individual to a set of computerized data.
Student “Identity” Management – Definitions (IU IdM Meetings)
Credentials: The set of unique attributes that enable authentication of an individual to a specific application system. Typically, the classic combination of a user account number or name and a secret password.
Provision: To allocate services and information based upon an individual’s authority, attributes and identifiers.
Middleware: A broad array of software tools and data that help applications use networked resources and services.
Student “Identity” Life Cycle
Establishing a Relationship; Identity Proofing; Levels of Assurance; Credentials; Roles; Provisioning; Security Administration; Federating; Deactivation/De-Provisioning; Re-credentialing
Student “Identity” Life Cycle – Establish Relationship
Identity “proofing”; Levels of Assurance; Avoiding Duplication
Student “Identity” Life Cycle – Establish Relationship
Creation of the digital index and collection of attributes and data that represent an individual.
Attributes must represent the stage in which the student resides, to define service allocation.
Establish Credentials.
Questions(?) Who has the authority to: create a record (in a specific role); remedy duplicates?
Student “Identity” Life Cycle – Identity “Proofing”
Processes and procedures that link the individual to the digital collection of attributes representing the individual.
Student “Identity” Life Cycle – Levels of Assurance
Processes and procedures that link the individual to the digital collection of attributes representing the individual.
Which is the REAL Mary Beth? (image slide)
Student “Identity” Life Cycle – Levels of Assurance
Excerpted from PSU’s report on Levels of Assurance (matrix not reproduced here).
*Note: The matrix above is intended to provide a visual representation of what levels of assurance at Penn State might consist of and how they might be differentiated. This is not an inclusive list of all data elements collected or vetted.
Student “Identity” Life Cycle – Credentials
Establish and Notify; “Reset” Practices; Knowledge Questions; Re-credentialing; Lost/Forgotten; Remote Deactivation
Student “Identity” Life Cycle – Roles
A collection of common requirements, tasks and business functions performed by individuals using an application support “system”. Based upon these common requirements, specific common services can be allocated. Roles enable consistent allocation of services and administration of security privileges.
Student “Identity” Life Cycle – Roles and Security Administration
Common Roles (students): Prospective Student; Admitted to Indiana University; Enrolled Student; Graduate of Indiana University; Indiana University Alumni; Donor to Indiana University
Common Roles (staff): Instructor; School Dean; School Recorder; Scheduling Officer; Financial Officer; Registrar Staff; “Auxiliary” Staff
Student “Identity” Life Cycle – Roles and Security Administration: “Devil in the Details”
Role “Challenges”:
Authority – Who can decide upon the definitions? Who can place individuals into a “role”?
Role Transitions – How does an individual move from one role to another? (Admit -> Enrolled Student -> Former Student)
Multiple Roles – Student/Staff Member; Student/Instructor
Exceptional Roles – Research Affiliates; Unique student programs (Correspondence)
IdM and Application Security “Handshake” – Granularity issues
Student “Identity” Life Cycle – “Federating: The Promised Land”
Federating Identity: “The beauty of standards is that you can have so many!”
“You mean I have to login again?” vs “Standards shall set you free!” SSO Everywhere!
Student “Identity” Life Cycle – “Federating: The Promised Land”
Federation: A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions. Using a standard mechanism for exchanging information provides economies of scale by reducing or removing the need to repeat integration work for each new resource. Since access is driven by policies set by the resource being accessed, higher security and more granular control to resources can be supported. (InCommon)
Student “Identity” Life Cycle – “Federating: The Promised Land”
Examples: Restricted Library Resources; Apple – iTunes U; Microsoft; Educause; Bookstores; National Student Clearinghouse; 3rd Party Academic Support Providers; Bedtime Story CAMP (Try it); others
Student “Identity” Life Cycle – All good things must come to an end – or do they? De-Provisioning and Deactivation
De-provision: remove information services from the individual. Most easily administered if role-based. Part of the transition between roles. Must decide the “final resting state” of an “identity”.
Deactivate: remove the ability to authenticate into the system. A decision can be made regarding persistence of the primary identifier.
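The slides on roles, role transitions and de-provisioning describe one mechanism: the affiliation in the life cycle decides which services are provisioned, a transition between roles revokes only what the new role set no longer grants, and deactivation removes the ability to authenticate without necessarily discarding the primary identifier. The following Python model is an added illustration, not code from Indiana University or from this presentation; the role names, service names and the `ROLE_SERVICES` table are constructed for the example and any real campus table would differ.

```python
"""Role-based provisioning across a student identity life cycle (added example).

Models three points from the slides:
  * place (role) in the life cycle defines the services provisioned;
  * a role transition provisions/de-provisions only the delta, and an
    individual may hold several roles at once (e.g. student/instructor);
  * deactivation removes the ability to authenticate while the primary
    identifier persists, so the record can be reactivated later.
"""
from dataclasses import dataclass, field

# Constructed role -> services table (hypothetical values for illustration).
ROLE_SERVICES = {
    "prospect":   {"portal", "admissions_status"},
    "admitted":   {"portal", "admissions_status", "email", "housing"},
    "enrolled":   {"portal", "email", "lms", "library", "registration"},
    "instructor": {"portal", "email", "lms", "grade_entry"},
    "alumni":     {"alumni_portal", "email_forwarding"},   # the "final resting state" here
}


@dataclass
class Identity:
    uid: str                                   # primary identifier; survives deactivation
    roles: set = field(default_factory=set)
    services: set = field(default_factory=set)
    can_authenticate: bool = True
    log: list = field(default_factory=list)    # audit trail of provisioning actions


def entitlements(roles):
    """Union of the services granted by every current role.

    Rejects roles that are not defined in the table, because provisioning
    against an undefined role is exactly the 'who decides the definitions'
    governance gap the slides warn about.
    """
    unknown = set(roles) - ROLE_SERVICES.keys()
    if unknown:
        raise ValueError(f"undefined role(s): {sorted(unknown)}")
    out = set()
    for role in roles:
        out |= ROLE_SERVICES[role]
    return out


def transition(ident, add=(), remove=()):
    """Move an identity between roles, provisioning and de-provisioning the delta.

    Returns (granted, revoked) so a caller can drive downstream systems.
    """
    new_roles = (ident.roles | set(add)) - set(remove)
    target = entitlements(new_roles)          # validate before mutating anything
    granted = target - ident.services
    revoked = ident.services - target
    ident.roles = new_roles
    ident.services = target
    for svc in sorted(granted):
        ident.log.append(("provision", svc))
    for svc in sorted(revoked):
        ident.log.append(("deprovision", svc))
    return granted, revoked


def deactivate(ident):
    """Remove the ability to authenticate; uid and services record are retained."""
    ident.can_authenticate = False
    ident.log.append(("deactivate", ident.uid))
    return ident


if __name__ == "__main__":
    person = Identity("mb123")                # constructed identifier
    transition(person, add=["admitted"])
    transition(person, add=["enrolled"], remove=["admitted"])
    transition(person, add=["instructor"])   # student who also teaches
    transition(person, add=["alumni"], remove=["enrolled", "instructor"])
    deactivate(person)
    for entry in person.log:
        print(entry)
```

Because `transition` computes the new entitlement set before touching the record, an undefined role leaves the identity unchanged, and the returned `(granted, revoked)` pair is what an integration with downstream application security would act on rather than re-deriving access from scratch each time.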
Student Life Cycle and Identity Management – Governance
Who decides for the institution? Due to the breadth of offerings, who has the authority, responsibility and expertise to set institutional policy/practice?
How are exceptions (e.g., affiliates) handled?
Who performs the required review?
Who adjudicates problems and conflicts?
Who can add users (individuals) into specific roles and/or activate them on the “system”?
Student Life Cycle and Identity Management – Case Studies
Identity Life Cycle; Identity Relationships; Security and Roles; Local campus context
Breakout sessions; Governance Panel