Identity and Access Management (IAM): A Preview

2 Goal
To design and implement an identity and access management (IAM) middleware infrastructure that
– Improves the user experience
– Increases our security and audit capability
– Opens the door to different levels of access

3 How will IAM help us?
Streamlining business processes through workflow
Reducing the need to hire additional technology staff to manage new applications
Supporting collaboration, both internal to and external to the University

4 Drivers for IAM
The drivers from both inside and outside the University promoting the implementation of this infrastructure include:
– Interdisciplinary and inter-institutional research and collaboration
– Changing needs of teaching and learning
– Fund raising and outreach
– Digital library access
– Increasing budgetary pressures
– Interactions with government agencies

5 The IAM Infrastructure
The Business Case – 7 Major Outcomes
It will reduce the number of credentials that constituents must know to perform the actions for which they are authorized.
It will reduce the implicit denial of service experienced by new members of the University.
– Accounts are not currently set up in a timely manner because processes – both manual and automated – may not function properly.

6 IAM – The Business Case
It will reduce the operational and management overhead of enabling our constituents to perform actions for which they are already authorized and the incremental cost of implementing a new online service.
It will reduce the operational and management overhead of disabling authorization for former constituents (individuals no longer in a relationship with the University) who should no longer have access to University services and resources.

7 IAM – The Business Case
It will enable the University to quickly modify a constituent's access permissions as his/her role, and therefore his/her set of authorizations, changes.
It will improve the quality of auditing actions across the University by using persistent identifiers common to all applications.

8 IAM – The Business Case
It can provide an environment in which the University can be confident that the credential presented by someone to perform an authorized action is presented by the person to whom the credential was issued.
– By centralizing identity proofing and establishing appropriate policies on how an individual can prove who he says he is.
– The middleware infrastructure stores the credential in a secure manner. Today credentials are stored in a variety of systems, rather than a central one, with sometimes questionable levels of security.

9 IAM – Benefits
Significant benefits can be reaped from the deployment of an IAM infrastructure
– Enhanced Security
  IAM reduces the management of user access to a single system
  Who is active is deterministic since the identity information about individuals emanates from the University's key administrative systems
  Identity data is stored in a single protected data repository with data encryption and single sign-on capability
  Relatively small staff to manage it

10 IAM – Benefits – Enhanced Security (continued)
Provides a mechanism to express access control policies
– Supports authorization services to applications
Supports better logging and audit capability
– User login identifiers are identical across systems so we are better able to track activity.
– Improves support for after-the-fact audit analyses

11 IAM – Benefits
Simplified Network and Online Service Access
– Enables unified access to multiple applications
– Enables initial-sign-on, also called single-sign-on
– With initial-sign-on, it is a straightforward step to a campus portal

12 IAM – Benefits
Economies of Scale
– The identity information that is populated into the identity and access management infrastructure comes from administrative systems like the Human Resources and Student Administration systems
– Additional identity information will be populated from other systems or interfaces as required. These entries will have explicit expiration dates associated with them.
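A sketch of how the slides' points fit together (identities fed from the Human Resources and Student Administration systems, additional entries carrying explicit expiration dates, and access disabled for former constituents). This is an added example, not part of the original presentation; the feed layout, field names, identifiers and dates are all constructed assumptions.

```python
from datetime import date

# Constructed sample feeds; field names and identifiers are assumptions.
HR_FEED = [{"pid": "P1001", "role": "staff"}, {"pid": "P1002", "role": "faculty"},
           {"pid": "P1003", "role": "staff"}]          # P1003: new hire, no account yet
STUDENT_FEED = [{"pid": "P1002", "role": "student"}, {"pid": "P2001", "role": "student"}]
# Entries added outside the administrative systems carry an explicit expiration date.
AFFILIATES = [
    {"pid": "A9001", "role": "visiting-researcher", "expires": date(2025, 6, 30)},
    {"pid": "A9002", "role": "contractor", "expires": date(2024, 12, 31)},
]
# Accounts currently enabled in the central directory (constructed).
DIRECTORY = {"P1001", "P1002", "P2001", "P3003", "A9001", "A9002"}


def active_identities(hr, students, affiliates, today):
    """Return {persistent id: set of roles} for everyone entitled to access today."""
    active = {}
    for rec in list(hr) + list(students):
        # One persistent identifier per person, even with several roles.
        active.setdefault(rec["pid"], set()).add(rec["role"])
    for rec in affiliates:
        # Affiliate entries count only until their expiration date (inclusive).
        if rec["expires"] >= today:
            active.setdefault(rec["pid"], set()).add(rec["role"])
    return active


def reconcile(directory, active):
    """Compare enabled accounts with the authoritative view of who is active."""
    entitled = set(active)
    to_disable = sorted(directory - entitled)    # former constituents, expired affiliates
    to_provision = sorted(entitled - directory)  # new members still waiting for access
    return to_disable, to_provision


if __name__ == "__main__":
    today = date(2025, 1, 15)
    active = active_identities(HR_FEED, STUDENT_FEED, AFFILIATES, today)
    disable, provision = reconcile(DIRECTORY, active)
    print("disable:", disable)
    print("provision:", provision)
```

Running the same reconciliation on a schedule is what makes "who is active" deterministic: an account with no backing record in a source system, or with an expired affiliate entry, shows up in the disable list.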

13 IAM – Benefits
Provides better application standards around authentication and authorization
Not only are applications using a common directory for identification, but a standard (single) interface to authenticate
Applications will be easier to build, will be more consistent with each other, and provide a common user experience around authentication and authorization

14 IAM – Benefits – Economies of Scale continued
Provides a unified means of enabling and disabling access to a wide range of online services infrastructure for access control information
– It requires more support staff to have each application maintain its own accounts and access privileges
Since all applications authenticate and authorize against the same directories, the training costs are reduced (and users are more comfortable as well)
It is easier to outsource an application that is compliant with our standards since we would not need the vendor to provide access control

15 IAM – The Proposal
The model that we are pursuing to solve the IAM problem is based on the work of the National Science Foundation Middleware Initiative and Internet 2.
We are committed to an open standards solution.
We are committed to an extensible solution.

16 IAM – The Proposal
We will address initial sign-on for web applications
We will attempt to address initial sign-on for desktop/client applications
We will address the affiliate user issue and provide mechanisms for adding such users to the database to allow access to only those services that they should receive

17 IAM – The Proposal
The next slide shows the roadmap for the identity and access management infrastructure for UConn.
– This will be adapted as necessary during the project, but is strongly based on the recommended roadmap from the NSF Middleware Initiative.

18

19 IAM – Who?
The design of the Identity Management component of the IAM infrastructure will require both technical staff from UITS and functional staff from a variety of areas
– The functional staff will provide the business processes by which we can eliminate duplicate identities for the same person, determine the roles we care about, and help us to understand where besides the Human Resources and Student Administration Systems we must look for identities.

20 IAM – Who continued?
The Identity Management component will also require technical staff with expertise in identity management, programming, and database administration.
The Provisioning Engine will require either a purchased product or some programming staff. This component will also require system and application administrators.

21 IAM – Who needs to be involved?
The Access Management component requires programmers, system administrators, identity management experts, and application administrators.

22 IAM – Where do we start?
Our goal is to carve out a manageable piece of this huge project and build for extensibility.
– We have initiated a short project to investigate what is available in the market.
– RFIs are in – we just got them and we need to start reviewing them.