Identity Management Systems: Components and Constituents


Identity Management Systems: Components and Constituents
Renee Frost, University of Michigan/Internet2
Ann West, EDUCAUSE/Internet2/Michigan Tech

Copyright Renee Frost and Ann West, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
SAC - 11 August 2004

Topics
- Introduction to Identity Management Concepts
- Business Drivers, Policy, and Governance
- Technology Components
- Discussion
- Implementation Framework
- Wrap up and More Information

Introduction to Identity Management

Some of What We are All Trying to Accomplish
- Enable online service for our constituents earlier in their affiliation with us, wherever they are, and on an ongoing basis (entire life cycle)
- Deliver services to new constituents
- Simplify end-user access to a multitude of online services
- Facilitate operation of those services by IT organizations
- Inter-organizational: think Shibboleth for libraries et al., eScience (remote instrumentation, VOs)

Some of What We are All Trying to Accomplish (cont)
- Increase security
- Resolve tension between appropriate privacy and security regulations
- Accommodate increased demand for integration across traditional data sources
- Participate in new, inter-organizational, collaborative architectures and environments

Why Identity Management
The enterprise-wide, policy-driven infrastructure enables:
- Scalability
- Consistency
- Integrity
- Integration
- Collaboration

Definitions
- Identity: set of attributes about, and identifiers referring to, a subject (person, service, ...)
- Authentication: process used to associate a subject with an identifier
- Authorization: process of determining if policy permits an intended action to proceed
- Credentials: attributes of a subject used to identify it (authentication) or to make access decisions (authorization) about what it can do in a particular context
Notes: Authn produces a security context. Authz efficacy is limited by the availability of subject attributes and by how faithfully policy is incorporated into the infrastructure or the application.

Definitions (cont)
- Identity Management System: a policy-driven infrastructure (policies, procedures, standards, and technologies) which
  - Consolidates identity information about individuals from multiple authoritative sources
  - Makes data available to multiple applications and other services with a need to access it
  - Integrates the implementation of access policy and security
Author note: Delete?? Not sure I like this definition

Identity Management Factors
- Drivers: Constituent Requirements, Institutional Goals
- Policy & Governance, Standards, Budget, Project Management Practices
- Identity Management
- Ability to Implement: Technology, Staff Skills/Expertise, Products

Policy and Governance
- Recognize Business Drivers
- Map to Institutional Environment and Goals/Strategy
- Consider Constituent Requirements and Processes
Goal: outline the need for policy and governance, provide a sample list of policies and related issues, and offer ideas of how to address them in the discussion.

Sample Business Drivers
- Legislation and Regulation: FERPA, HIPAA, GLB
- Shrinking budgets and increasing demands for online services
- Security/protection of resources for ethical and business reasons
- Participation in an electronic consortium
What speaks to your campus?

Map the Drivers to Institutional Environment for Policies
- Are there existing policies that can be leveraged to cover identity management?
- What resources are available and what partnerships (e.g., IT, legal, internal audit, police, student affairs) are in place to support policy development and implementation?
- What institutional goals and core principles guide the use of data to be stored in the IdM system?
- Can the institution leverage and extend existing data administration policies and processes?

Map the Drivers to Institutional Environment for Security and Privacy
- How does this IdM infrastructure connect with broader security and privacy goals?
- Are there special security issues that must be considered when extending the IdM to a system (e.g. single sign-on, ERP)?
- What security will be in place to protect the IdM infrastructure?

Consider Governance Issues
- How will the University operate its identity management infrastructure?
- What is the balance between centralized and distributed operation?
- Who will determine whether to put new information in the common infrastructure, and how it will be represented?
- If necessary info is not already collected, who will determine whether business processes should be changed to do so?
Author notes: RWF: overlap with technology. AW: yup, and should condense the policy/process slides, reduce detail. Could be architecture issues.

Effective Identity Management
Requires policy and governance to exist and work well on an on-going basis to ensure appropriate access, privacy, and security, and to establish trust.
- What are your risks?
- What do you value?
Author note: RWF: merge with previous?

Example: Access to Protected Resources
Risk and trust requirements are determined by the resource holder as well as the user, who considers personal privacy risk. Taken together, these requirements determine the technologies and policies implemented.
Risk management measures:
- Authentication and authorization standards
- Security practices
- Risk assessment
- Change management controls
- Audit trails
Author note: RWF: how much detail??

Policy to Govern Credentials
- Who should be issued a credential?
- What assurance level should authentication for each constituency achieve?
- What constraints may pertain to each?
  - Applicants (student, faculty, staff)
  - Admitted students, accepted faculty or staff
  - Alums
  - Parents
  - Library patrons
  - Guests: visiting academics, conference attendees, hotel guests, arbitrary "friends", ...
Author note: RWF: compare with next slide

Policies to Govern Credentials (cont)
- How are electronic identity credentials issued?
  - Admin process
  - Technology
- Is the primary electronic identifier unique for all time to the individual? If not, what is the policy for reassignment and the timeframe between uses?
- How is information in the electronic identity database acquired and updated?
- What is public vs. private info in the database?
Author note: Condense this and the last slide

Policies to Govern Use of Information
- What restrictions are placed on use of identity information?
- What assertions are acceptable for what purposes?

Test your policy/process - internally
- What might your central IT org ask of a peer campus identity provider (central Library, Med Center) to decide whether to accept its identity assertions for access to resources that the IT organization controls?
- What might campus departments ask about the central identity management system if they wanted to leverage it for use with their own applications?

Test your policy/process - externally
- What would you need to know about an electronic identity provider to make an informed decision whether to accept their assertions to manage access to your online resources or applications?
- What would you need to know about a resource provider to feel confident providing it info it might not otherwise be able to have?

Governance Structure
Needed to maintain an accurate, secure, and functional service:
- to represent the varied sources of data, to reconcile discrepancies, and to establish guidelines for consistent use and access
- to interpret and communicate policies and guidelines
- to ensure that the service supports relevant federal, state, and university laws, regulations, and policies

Governance Structure – Who
Stakeholders such as:
- data stewards from major data sources such as HR, Registrar, Alumni, etc.
- representatives from units with responsibility for managing the data or infrastructure, such as IT
- schools, colleges, and departments who run directory-enabled applications

Role of Governance
- Prioritization of new development
- Review of data use requests and requests for new data
- On-going legal, source system, and policy changes
- Identity management policy and decision-making
- Additions of new communities to the IdM infrastructure

Role of Governance
Development of policy for:
- Access and use of service for performance and security implications
- Service maintenance, management, and changes (i.e., logging)
- Attribute access and use derived from campus policy
- Determination of compliance requirements to make certain the IdM meets policy and privacy directives

Technology Elements of Identity Management

What is an identity management system?
Policy-driven infrastructure which
- Consolidates identity information about individuals in one source
- Makes data available to applications and other services
- Provides a consolidated spot for the implementation of access policy and security (security could include logging)
Notes:
- Integration of pertinent information about people from multiple authoritative sources
- Processes that transform source data, derive affiliation information, maintain status of assigned, entitled, or authorized information resources, and provision resultant data where it can be of use to applications
- Locus for implementation of policies concerning visibility and privacy of identity information and entitlement policies

Consolidates Identity Information
- Provide a single authoritative source for identity
  - Integrate data from authoritative sources
  - Act as system of record for the unique identifier
- Ensure identity integrity
  - Maintain one-to-one mapping between fundamental identifiers and real-world people
  - Rely on external identifiers to verify: name, birthday, ...
  - Reconcile identifiers to create one person object
Notes: Authentication binds identity to a person. LOA with the identity-related attributes indicates what a person can do. It makes sense that IdM is important.

Identifier Reconciliation
Consolidated view of individuals' identities:
- Inventory the major source system identifiers
  - Characteristics: Who assigns and how? Who/what uses it? Is it persistent?
  - Campus card, student id, library id, SIS, HRS, Finance, ...
- Match up identifiers of the same person and accompanying data
- Assign/determine the unique identifier under which the source system identifiers and data are held
Note: GLB and SSN...

Abbreviated ID Mapping Table

Fundamental ID | Who Assigns? | Who Gets One?
id | Central IT | People
universal_userID, uid | guest registrars | guests
email, clusterID | | Shell account opt-ins
sisID | Registrar | Students & instructors
hrsID | HR | Staff
frsID | Controller | Holders of budget roles
adsID | Marketing & Adv | Graduates, other donors
aprID | Provost | Faculty
operatorID | ERP | security principals
patronID | Library | Library patrons
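The reconciliation step above (inventory the source identifiers, match records for the same person on external evidence, hold them under one fundamental identifier that is never reassigned) can be made concrete with a small person registry. This is an added example, not code from the original slides; the source systems (SIS, HRS, Library), their identifier names, the `Uxxxxxx` fundamental ID format and all sample records are constructed for illustration. It also covers the non-persistent-identifier case from the credentials policy slide: a source identifier that turns up attached to a different person is queued for review, not merged.

```python
"""Identifier reconciliation into a person registry (added example).

Source systems, identifier names and records below are constructed;
the fundamental ID format "Uxxxxxx" is an assumption.
"""
from dataclasses import dataclass, field
import itertools
import unicodedata

# Constructed source-system feeds. Each system has its own identifier namespace;
# the registry must match them up without trusting any of them as "the" ID.
SIS_FEED = [
    {"sisID": "S100", "name": "Ada Lovelace", "dob": "1990-12-10", "affil": "student"},
    {"sisID": "S101", "name": "Alan Turing", "dob": "1985-06-23", "affil": "student"},
]
HRS_FEED = [
    {"hrsID": "H555", "name": "Ada Lovelace", "dob": "1990-12-10", "affil": "staff"},
    {"hrsID": "H556", "name": "Grace Hopper", "dob": "1960-12-09", "affil": "staff"},
]
LIB_FEED = [
    {"patronID": "P9", "name": "A. Lovelace", "dob": "1990-12-10", "affil": "patron"},
]
# A later SIS run in which sisID S100 has been handed to a different person:
# an identifier that is not persistent must never be silently merged.
SIS_FEED_REASSIGNED = [
    {"sisID": "S100", "name": "Charles Babbage", "dob": "1991-03-01", "affil": "student"},
]


@dataclass
class Person:
    fundamental_id: str                  # assigned once, never reused
    name: str
    dob: str
    identifiers: dict = field(default_factory=dict)   # source system -> its id
    affiliations: set = field(default_factory=set)


def match_key(rec):
    """External evidence used to decide that two records describe one person:
    surname plus date of birth. First-name variants ("A." vs "Ada") are ignored."""
    surname = unicodedata.normalize("NFKD", rec["name"].split()[-1]).casefold()
    return (surname, rec["dob"])


class PersonRegistry:
    def __init__(self):
        self.people = {}       # fundamental_id -> Person
        self.by_key = {}       # match_key -> fundamental_id
        self.by_source = {}    # (source, source id) -> fundamental_id
        self.conflicts = []    # (source, source id, reason) for manual review
        self._seq = itertools.count(1)

    def ingest(self, source, id_attr, records):
        for rec in records:
            src_id = rec[id_attr]
            fid_by_source = self.by_source.get((source, src_id))
            fid_by_key = self.by_key.get(match_key(rec))
            if fid_by_source is not None and fid_by_source != fid_by_key:
                # Same source identifier, different person: the source reused
                # the id (or the identity changed). Review it, do not merge.
                self.conflicts.append((source, src_id, "identifier reassigned"))
                continue
            if fid_by_key is None:
                fid_by_key = f"U{next(self._seq):06d}"
                self.people[fid_by_key] = Person(fid_by_key, rec["name"], rec["dob"])
                self.by_key[match_key(rec)] = fid_by_key
            person = self.people[fid_by_key]
            prev = person.identifiers.get(source)
            if prev is not None and prev != src_id:
                # One person with two ids in the same source: a duplicate in
                # that source system, also a review item rather than a merge.
                self.conflicts.append((source, src_id, f"second {id_attr} for {fid_by_key}"))
                continue
            person.identifiers[source] = src_id
            person.affiliations.add(rec["affil"])
            self.by_source[(source, src_id)] = fid_by_key
        return self


def build_registry():
    """Run the constructed feeds through the registry and return it."""
    reg = PersonRegistry()
    reg.ingest("SIS", "sisID", SIS_FEED)
    reg.ingest("HRS", "hrsID", HRS_FEED)
    reg.ingest("LIB", "patronID", LIB_FEED)
    reg.ingest("SIS", "sisID", SIS_FEED_REASSIGNED)
    return reg


if __name__ == "__main__":
    registry = build_registry()
    for p in registry.people.values():
        print(p.fundamental_id, p.name, p.identifiers, sorted(p.affiliations))
    print("conflicts:", registry.conflicts)
```

Three people come out of four feeds, with Ada Lovelace's SIS, HRS and Library identifiers held under one fundamental ID, and the reused `S100` lands in the conflict list instead of overwriting her record.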

Consolidates Identity Information
- Provide a consolidated source for affiliations
  - Which source systems define which affiliations?
  - Student, faculty, staff, course, program, department, ...
  - Group memberships
- Provide one source for other commonly-used valuable data
  - Citizenship, sort name, ...
Developers/Implementers: enables a single source and simpler data integration.

Consolidates Identity Information
- Provide authentication credentials and contact info
  - Some authoritatively stored: username(s), email address(es)
  - Some data sourced elsewhere: phones, US Mail addresses, office location, ...
- Provide extra data to verify identity mapping
- Store secrets to help with initial account claim and password reset scenarios

Provisions Directory Services and Applications
- Data for managing provisioning processes
- Consumer identifiers
- Transformations and feeds to directories (LDAP, AD), applications, etc.

Central Implementation of Access Policies
- Implement constraining policy
  - Privacy: internal or external viewing
  - Security and audit: consolidated logging, tracking of authorizations
  - Specialized provisioning requirements
- Provide authority and mechanisms to allow distributed administration of identity data, temporary access
Security:
- How does this project connect with broader security and privacy goals?
- Are there special security issues that must be considered when extending the IdM to a system (e.g. single sign-on and ERP)?
- What security will be in place to protect the IdM infrastructure?
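The two preceding slides (provisioning feeds to a directory, and the central point where visibility and audit policy is applied) fit together in one transformation pipeline. The following is an added example, not code from the original slides: the person record, the consuming service names and the steward-approved grants are constructed; `eduPersonAffiliation`, `eduPersonPrimaryAffiliation` and `eduPersonPrincipalName` are the real eduPerson attribute names, while the base DN and domain are assumptions. Private attributes are released only to a service with a recorded grant, unknown services are refused, and every decision goes to a consolidated audit log.

```python
"""Provisioning a registry record to an LDAP feed under a per-service
release policy, with a consolidated audit log (added example).

The record, service names and grants are constructed; base DN and domain
are assumptions; eduPerson attribute names are the real schema names.
"""
# Constructed record as the person registry might publish it.
PERSON = {
    "id": "U000001", "uid": "alovelace", "displayName": "Ada Lovelace",
    "mail": "alovelace@example.edu", "affiliations": ["student", "staff"],
    "homePhone": "+1 555 0100", "dateOfBirth": "1990-12-10",
}
BASE_DN = "ou=People,dc=example,dc=edu"
DOMAIN = "example.edu"

# eduPerson derivation rule: faculty/staff/student/employee imply "member";
# the primary affiliation is chosen by this precedence order.
PRECEDENCE = ["faculty", "staff", "student", "employee", "alum", "affiliate"]
MEMBER_AFFILS = {"faculty", "staff", "student", "employee"}

# Visibility policy: attributes declared public by the data stewards need no
# approval; anything else is private and is released only under a grant.
PUBLIC_ATTRS = {"uid", "displayName", "mail", "eduPersonAffiliation",
                "eduPersonPrimaryAffiliation", "eduPersonPrincipalName"}
SERVICE_GRANTS = {                       # constructed steward approvals
    "campus-directory": set(),           # public attributes only
    "library": {"homePhone"},
    "payroll": {"homePhone", "dateOfBirth"},
}


def derive_affiliations(affils):
    """Transform source affiliations into eduPersonAffiliation values + primary."""
    values = set(affils)
    if values & MEMBER_AFFILS:
        values.add("member")
    primary = next((a for a in PRECEDENCE if a in values), "affiliate")
    return sorted(values), primary


def to_ldap_entry(person):
    """Transformation step of the feed: registry record -> directory entry."""
    affils, primary = derive_affiliations(person["affiliations"])
    return {
        "dn": f"uid={person['uid']},{BASE_DN}",
        "objectClass": ["inetOrgPerson", "eduPerson"],
        "uid": person["uid"],
        "displayName": person["displayName"],
        "mail": person["mail"],
        "eduPersonPrincipalName": f"{person['uid']}@{DOMAIN}",
        "eduPersonAffiliation": affils,
        "eduPersonPrimaryAffiliation": primary,
        "homePhone": person["homePhone"],
        "dateOfBirth": person["dateOfBirth"],
    }


def release(entry, service, audit):
    """Apply the constraining policy for one consumer and log the decision."""
    if service not in SERVICE_GRANTS:
        audit.append({"service": service, "dn": entry["dn"], "decision": "deny"})
        raise PermissionError(f"no steward-approved release for {service}")
    allowed = PUBLIC_ATTRS | SERVICE_GRANTS[service] | {"dn", "objectClass"}
    out = {k: v for k, v in entry.items() if k in allowed}
    withheld = sorted(k for k in entry if k not in out)
    audit.append({"service": service, "dn": entry["dn"],
                  "decision": "release", "withheld": withheld})
    return out


def to_ldif(entry):
    """Serialise a released entry as an LDIF record for the directory load."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def provision(person, service, audit):
    """Full feed for one consumer: transform, apply policy, serialise."""
    return to_ldif(release(to_ldap_entry(person), service, audit))


if __name__ == "__main__":
    log = []
    print(provision(PERSON, "library", log))
    print(log)
```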

Physical Components Involved
- Systems of Record and other data sources
- Data feeds and transformation processes
  - Business rules
  - Identity reconciliation
- Person Registry
  - Assignment of unique identifier
  - Life cycle management and record integrity
- Provisioning processes
  - Target format
- Published data sources
  - Enterprise directories
- Management tools
  - Self service
  - Delegated authority


A Couple of Architectural Issues: Policy/Technology Overlap
- What service providers will you need to accommodate?
  - Internal
  - External
  - Federated or tightly coupled or ...?
- What about loosely-affiliated individuals?
  - 7th grade Science Explorations students
  - Parents portal
Author note: Do more here with overlap points

Discussion
- What are some strategies for creating policies on-the-fly? When should this be done?
- When should a policy be developed vs. a technical fix?
- How does a technical person know when a policy decision needs to be made?
Author note: Do we need a handout on this to give to the group?

Ability to Implement
Goal of section:
- Intro to roadmap
- Highlight specific issues with implementing IdM
- Roadblocks: politics
- Strategies for dealing with roadblocks
- Discussion regarding roadblocks

Project Framework
Enterprise Directory Implementation Roadmap
- Broad view of directory services
- Includes articles and resources for technology, policy, and project management
- www.nmi-edit.org/getting_started/index.html
As important as getting the technology right is establishing good working relationships between the policy, technology and process/data stewards.

Roadmap Focus Areas
Author note: Do slide with sample outline?


Technology/Architecture and Policy/Management Tracks
- Project Planning
  - P/T: Business case, project plan, resources
- Directory Architecture Design and Policy Development
  - T: Identifier strategy, architecture and system planning
  - P: Stakeholder communication, policy development
- Data Flow, Business Process Review, Policy Development
  - T: Service requirements, data flow model, person registry
  - P: Business processes, policy development, communication
- Directory and Applications Development and Deployment
  - T: Implement data flow architecture, set up operational processes
  - P: Stakeholder testing, governance, communication

Key IdM Implementation Points
- Set up some early wins
- Be flexible short term and firm in the long term
- Decide on incremental vs. big bang implementation
- Overbuild the infrastructure
  - Ensure good performance
  - Accommodate requests as appropriate
- Get the right people involved at the right levels
- Keep everyone informed appropriately
- Champions outside of IT are good
- Policy and business processes are the hard part
- Set up core principles before starting
Author note: Informed - terminology

Core Principles
- Guiding philosophy of the new infrastructure
- Defined before design and implementation phases
- Collection of related existing and ad-hoc policies and new guidelines
- Provides framework for decision making
- Rooted in a view of data as a strategic resource
- Links to all people of interest ... and all the needed identity information

Sample Core Principles
- Data is protected and requires permission for its use unless declared "public" by the data custodians or owners and not protected by the user
- Data will be made available for all valid administrative and educational purposes
- Access to private directory data must be granted for each service and be approved by the data stewards
- Applications using the IdM system must meet the security and data definition guidelines put forth by the governance committee

Project Resources
- People
  - Steering team (policy/governance), core team (design/details), and big team (communication and change management)
  - Project manager, integration lead, directory and database administrators, systems and network administration involvement
  - Champion(s)
- Cost: build or buy?
  - Do the business process/integration work either way
  - Leverage existing vendor relationships, open source, ...
  - Buy? Write a detailed RFP

Common Implementation Roadblocks
- Selling the infrastructure
  - Terminology
  - Tailored business case: the pitch versus the real one
  - Doesn't security work for everything?
- Getting the data
  - Data access policies
  - Trust it will be used appropriately
- Use of the infrastructure
  - Trust that the infrastructure will be run appropriately
  - Lack of knowledge about its function

Discussion
Roadblocks on your campus?

Wrap-up
Author note: Overview of the entire talk, use

Identity Management Factors
- Drivers: Constituent Requirements, Institutional Goals
- Policy & Governance, Standards, Budget, Project Management Practices
- Identity Management
- Ability to Implement: Technology, Staff Skills/Expertise, Products

Definitions
Identity Management: policy-driven infrastructure which
- Consolidates identity information about individuals in one source
- Publishes data in areas where applications and other services can access it
- Integrates the implementation of access policy and security (security could include logging)
Notes:
- Integration of pertinent information about people from multiple authoritative sources
- Processes that transform source data, derive affiliation information, maintain status of assigned, entitled, or authorized information resources, and provision resultant data where it can be of use to applications
- Locus for implementation of policies concerning visibility and privacy of identity information and entitlement policies

Elements of Identity Management
- Policy issues and governance processes
- Integrated service strategy and architecture
- Middleware infrastructure services
- Business process analysis
- People relationships
Notes:
- Integrated service strategy and architecture: incremental determination of valuable identity information; promotes the high level objectives on slide 9
- Systems analysis: What business processes might produce the info? Where does/can it enter the IT infrastructure? Do actual semantics fit the perceived value?
- Middleware infrastructure services: schema, systems design, operation; conveying attributes from sources to where their run-time value is realized
- Policy issues and governance processes: an organization conducive to new types of professional relationships

Ultimately... Change Management
Things will change:
- IT
- Data stewards
- Service providers
- Users
- Policy makers
The people relationships formed will be critical to the functioning and use of the new infrastructure.

More information
- www.nmi-edit.org
  - Development
  - Getting Started
  - Enterprise Directory Implementation Roadmap
  - Readiness Assessment Tool
- CAMP Identity Management: Nov 15-17
- CAMP Enterprise Authentication: Nov 18-19

What is NMI-EDIT?
- NSF Middleware Initiative (NMI): scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments
- NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT): Internet2, EDUCAUSE, and SURA; focus on intra- and inter-institutional identity and access management and related services

Acknowledgements
Thanks to:
- Tom Barton, U of Chicago
- Mike Berman, CalPoly - Pomona
- Carrie Regenstein, U of WI – Madison
- Mark Poepping, Carnegie Mellon
- And all those we didn't name...
Thanks also to NSF for funding the NMI-EDIT Project.

Questions?
Renee Woodten Frost, University of Michigan/Internet2, rwfrost@internet2.edu
Ann West, EDUCAUSE/Internet2/Michigan Tech, awest@educause.edu