Orchestrating an Identity and Access Management Implementation.

Presentation transcript:

Orchestrating an Identity and Access Management Implementation

Panel
Bruce Taggart, Vice Provost, Library & Technology Services, Lehigh University
Tim Foley, Director, Client Services, Library & Technology Services, Lehigh University
Aaron Perry, President, APTEC, LLC
Moderator: Sara Rodgers, Team Leader, Identity & Access Management, Lehigh University

Q & A Getting in tune with Identity and Access Management

What is Identity and Access Management? Q & A

Lehigh’s Focus
Knowing who you are (Identity) and providing access to what you need (Access)
– Who
  Relationship, Affiliation or Role
  Multiple Roles
  Transitions/Changes
– What
  Electronic Resources
  Computing Services

Campus Identity & Access Management (“IAM”) [architecture diagram]
Hosted By The University of Mary Washington
Consumers (internal and external): Students, Faculty & Staff, Affiliates, Alumni/Customers, SOA Applications, Delegated Admin
Identity Management Service:
– Access Management: Authentication & SSO, Authorization & RBAC, Identity Federation
– Directory Services: LDAP Directory, Meta-Directory, Virtual Directory
– Identity Provisioning: Who, What, When, Where, Why; Rules & access policies; Integration framework
– Identity Administration: Delegated Administration, Self-Registration & Self-Service, User & Group Management
Supporting functions: Auditing and Reporting, Workflow and orchestration, Monitoring and Management
Systems & Repositories: NOS/Directories, OS (Unix), Applications, ERP, CRM, HR, Mainframe

Q & A
How important is Identity and Access Management?
Administrative/ERP/information systems
Disaster Recovery/business continuity
Funding IT
Identity/access management
Infrastructure
Security

2008 EDUCAUSE Current Issue Survey
Ranking from All Institutions on Strategic Importance (2007 ranking in parentheses)
1. Security (2)
2. Administrative/ERP/information systems (3)
3. Funding IT (1)
4. Infrastructure (7)
5. Identity/access management (4)
6. Disaster recovery/business continuity (5)

2008 EDUCAUSE Current Issue Survey
Ranking from All Institutions on Potential to Become More Significant (2007 ranking in parentheses)
1. Identity/access management (2)
2. Security (1)
3. Funding IT (3)
4. Disaster recovery/business continuity (4)
5. Administrative/ERP/information systems (5)
6. Infrastructure (8)

Q & A
To what extent is your institution considering or implementing an identity and access management solution?
1. Not considering
2. Currently evaluating
3. Planned, but won’t start within the next 12 months
4. Plan to start within the next 12 months
5. Implementation is in progress
6. Partially operational
7. Fully operational

Q & A Do you have a dedicated Identity and Access Management team/department? What is the scope of responsibilities for your IAM team/dept.? (computing accounts, library systems, ID cards, building access, parking access)

Lehigh University Case Study
Prelude
Drivers and Objectives
Planning and Procedures

Current Environment Homegrown system Developed & supported by staff with 20+ years of service Adapted & patched over many years

What we typically see at Higher Education Institutions

Typical HE Challenges and Issues
Supportability
– Administration performed both centrally and locally
– Manual, paper-driven processes work, but lack auditability
– IT staff is stretched, especially as new projects are defined and started
– Infrastructure support team has a wide range of responsibility with limited means
Growth
– Use of web-based applications continues to grow
– Increasing demands for new services
– Need to support within current spending levels
– Affiliate community is always growing
Institutional Culture
– Priorities may vary on a per school or campus basis
– Varied and complex user populations
– Many institutions “bend over backwards” to provide the highest levels of service to their students
Data
– No single view of identity data across applications
– Inconsistent user identity data
– Multiple repositories of user identity data
– Lack of defined standards for user attributes
– Many identity owners & sources

Changing Landscape
Expansion – users and resources
– Portal Implementation (2002)
Complexity
– Changing roles
– Reduce role inflation
– Self service options
– Single sign-on
– Federated identity management
Compliance
– Federal Acts (FERPA, HIPAA, GLB)
– Privacy (under attack!)

Objectives
Sustainability – standardized, documented
Scalability
– Easier to extend the solution to other key applications and infrastructure
– Incrementally add functionality such as workflow, approval processes, and attestation
– Federation
Security
– Foundation for enterprise application framework
– Additional/more secure authentication methods
– Rich auditing and reporting capability

Planning and Preparation
Buy vs. Build
Determine total cost of ownership
Select the vendor, consultants
Determine staffing and consulting needs
Form internal implementation team

Buy vs. Build
Availability of products – does something already exist that meets our needs?
Long-term strategic goals – scalable solution
– Robust - added functionality
– Integration with expanding enterprise system (Banner, Luminis, Enrollment Management)
Sustainable, standardized solution
– Documented and supported
Software quality assurance
– Tested, proven

Total Cost of Ownership
Software
Hardware
Training
Consulting
Internal Staff
– Staff Dedicated to IAM
– Systems Installation/Maintenance
– Programming
– Data stewards

Why Oracle?
Compatibility
– System features in line with our needs
– Oracle to Oracle (Banner)
– OIM can complement our existing IdM.
Auditing features were appealing
"Adapter Factory" and out-of-the-box connectors

IdM Solution Approach
Risk Avoidance
– Small, easy to define projects
– Defined success criteria and requirements
– Use of proven “off the shelf” products and technologies where appropriate
Pragmatism
– Leverage institution’s existing technology base and skills
– Recommend a solution that is easily expandable to meet future requirements
Cost Containment
– Recommend products that have predictable licensing and support costs
– Recommend institution’s internal team take ownership and perform tasks where possible
Rapid Value Realization
– Each project provides immediate value and results, which can be leveraged by other institutional initiatives

Case Study - Our Experience

Lehigh University Case Study OIM Implementation in Two Movements

Implementation
Phase I
– Discovery
– Documentation
– Design
– Role-based provisioning
– Interface with authoritative source
Phase II
– Development
– Testing
– Deployment

Lehigh University Case Study Concurrent Harmonies & Dissonance

Challenges
Resistance to change
Trust Issues
– Data Stewards/Managers
– Programmers and Systems Analysts
Cleaning up our act
– Improve accuracy, completeness & timeliness of data in Banner – our authoritative source
– Distributed responsibility
– Analyze business practices & policies
– Create customized input forms
– Improve interpretation of data (work with data stewards, stakeholders)
– Begin attestation (periodic access audits)

Lessons Learned
Communication is key
– Involve stakeholders & data stewards
– Consensus building
– Make sure everyone who will be involved with the implementation has input on the decision.
– Involve early
You won’t believe what we found
– Trace/Document problems
– Explain and re-train
Push-pull with those you need most
Monday morning quarterbacks

What’s Next?
Expanding the scope of our IAM to include systems outside of LTS
Multifactor authentication
Federated identity management

Contact Information Lehigh University: Bruce Taggart – Tim Foley – Sara Rodgers – APTEC, LLC: Aaron Perry -

Use Case

Lehigh Dev and Testing Environment

Production Environment Recommendation Weblogic 10.3

Changes