CSG - Policy Discussion: Identity Management Practice. Bruce Vincent, Stanford; Gary Chapman, NYU; Tom Barton, University of Chicago. Common Solutions Group Winter Meeting, Duke, January 5, 2006

Presentation transcript:

CSG - Policy Discussion: Identity Management Practice
Bruce Vincent, Stanford; Gary Chapman, NYU; Tom Barton, University of Chicago
January 5, 2006, Common Solutions Group Winter Meeting, Duke

The Question at Hand…
How do [we] verify a person is who they say they are…at first and over time?

IdM Practice - Scope of Discussion
Reflecting on…
– Institutional processes and tools to assure that identity and identifiers are linked, initially and over time.
– How schools verify that a person is who they say they are…as long as it matters.
– What assurances are good enough.

"Getting to know you, getting to know all about you"
– How does our government identify the domestic population?
– How do universities manage identity about populations/individuals?
– Other major institutions?

Federal and State Government
– Birth certificates & other municipal credentials
– Federated ID - State Driver’s License
– REAL ID Act and State ID requirements
  – Standardizes bootstrapping documentation
  – Establishes common practice for renewal
  – Federalizes authority and penalties
– …and the good old IRS

IdM Business Practice: U.S. Universities
– Varies between universities and their schools
– Varies between populations, i.e. types of affiliation
  – Student (academic record)
  – Foreign student (…+ a U.S. Visa)
  – Staff (I-9 employment standards)
  – Faculty (varies by profession)

I-9 Form

IdM Business Practice: Other Institutions
– FFIEC (Clearinghouse for U.S. Financial Audit Requirements)
– FDIC strongly recommending T-FA (two-factor authentication)
– Credit bureaus

Topic 2: How Well Does IT Practice Reflect Policy?
– Policy? Often IT has created business practice in the absence of policy.
– For employment, compliance with I-9 is consistent…
– Where required, more is done to bind identity to identifiers.
– Central IT is a partner in IdM processes

Examples of University IdM Practice
– Stanford University
– New York University
– University of Chicago

Stanford University IdM Processes
– Historically separate applications for Student and Faculty/Staff identity
– Merged populations in 1986 and created UnivID; stopped broad use of SSN
– No reuse of identifiers…now 280,000
– Recent audit response has password expiry for some roles

Identifier Management at NYU
Gary Chapman, New York University, January 5, 2006

Some NYU Background
– 14 schools, colleges and divisions (including professional schools: Medicine, Dentistry, Business, Law)
– 16,000 employees (not including Medical Center)
– Students: Total 50,917; Undergraduate 19,401; Graduate and Professional 18,990; Non-credit Programs 12,526
– Programs abroad in Florence, Prague, London, France, etc.

Some NYU Background, cont’d
– Person Registry: 1 million records with NetID and University ID assignments; 4 million records in total with University ID assignments; fed by systems of record.
– Now initiating a formal Identity Management program: a series of projects to enhance Identity Management at the institution
  – proof-of-concept phase, with implementation of Sun-One Identity Management Suite, policy and architecture development, staff education, client buy-in
  – progressive phases of implementation: integration of centrally-managed systems with the enterprise IdM system for provisioning, access management, privilege management

Where do “identifiers” fit in?
– We authenticate people so that we can authorize them for electronic capabilities based on our policies and their relationships to the institution.
– Identifiers are the “handles” we use to link people with their electronic capabilities.
– We keep track of these identifiers in any number of repositories (such as directories, password files, etc.)
– NYU has two main identifiers:
  – University ID (for tracking everybody) - e.g. N
  – NetID (for electronic use) - e.g. gwc1

Our identifier “problem”
– Many people have been assigned multiple identifiers; people continue to be assigned multiple identifiers (at a low rate)
– We haven’t tracked down all the cases
– We haven’t yet tightened procedures so as to largely eliminate the problem continuing
– We find out about such discrepancies typically as a consequence of service-level problems (unhappy people!)
– We are devoting approximately 1 FTE to record clean-up
– If identifier assignment is at the core of our service provision, and this process is suspect… what risks, if any, do we incur?

So what’s wrong with multiple identifiers?
– Not bad… if intentional
– If unintentional, problems arise:
  – services are built on the assumption that a person has a single identifier within a domain
  – aggregating systems will not present a unified view
  – tracking or auditing utilization will not be accurate
  – decisions based on the fact that a person is, e.g., both a student and an employee cannot be accurately made: our internal, electronic knowledge of our community will not be accurate (e.g. if you decide all students must opt in to the public directory)
  – actions relating to the person may be misdirected (e.g. a person has two addresses but only uses one, and messages are sent to the unused address)

Source of our problem
– Identification is the initial step of creating new identity records and assigning identifiers to individuals.
– This is not done, for historical reasons, in a consistent and systematic way across the several ways that people are initially recorded in systems. E.g. compare student applicants (not on campus) with a prospective employee.
– Checking to see if a person is already known to university systems is highly variable.
– So, we have different processes for employees, students, affiliates… yet we assign identifiers and then consider them equally valid and equally “good to go”.

What to do?
– Understand entry points and identification processes now in effect
– Figure out the goal state, e.g. reduced number of entry points? more consistent collection of more identity attributes? minimal creation of new identifier problems
– Develop an identification policy? (Hey, who’s in charge?)
– Implement new procedures, improved record checking, e.g. matching on more than SSN…
– Proactively clean up current record discrepancies as possible
– Use re-identification opportunities (e.g. password forgotten, ID Card expired, etc.) to vet current data, collect more identity attributes for people
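The "matching on more than SSN" step above, as an added example that is not NYU's code or from the slides: before a new identifier is issued, the candidate is scored against existing registry records on several attributes, and an ambiguous score is held for review rather than silently creating a duplicate. The records, weights and thresholds are constructed for illustration.

```python
"""Added example (not NYU's or any registry's own code): before assigning a new
identifier, look for an existing person record on several attributes rather
than on SSN alone. Records, weights and thresholds are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class PersonRecord:
    university_id: str          # "" for a not-yet-registered candidate
    last_name: str
    first_name: str
    birth_date: str             # ISO date, e.g. "1985-04-12"
    ssn: Optional[str] = None   # often absent for applicants and foreign students
    email: Optional[str] = None

def norm(s: Optional[str]) -> str:
    return (s or "").strip().lower()

def match_score(a: PersonRecord, b: PersonRecord) -> int:
    """Weighted agreement on several attributes; no single one is decisive."""
    score = 0
    if a.ssn and b.ssn and a.ssn == b.ssn:
        score += 3
    if norm(a.last_name) == norm(b.last_name) and a.birth_date == b.birth_date:
        score += 2
    if norm(a.first_name) == norm(b.first_name):
        score += 1
    if a.email and b.email and norm(a.email) == norm(b.email):
        score += 2
    return score

MATCH_THRESHOLD = 4    # constructed; a real registry tunes these against its data
REVIEW_THRESHOLD = 2   # ambiguous: hold for a person to resolve, do not issue an ID

def find_existing(registry, candidate):
    """Return ('match' | 'review' | 'new', best_record_or_None)."""
    best = max(registry, key=lambda r: match_score(r, candidate), default=None)
    best_score = match_score(best, candidate) if best else 0
    if best_score >= MATCH_THRESHOLD:
        return "match", best
    if best_score >= REVIEW_THRESHOLD:
        return "review", best
    return "new", None

def ssn_only_match(registry, candidate):
    """The weaker check the slide warns about: an absent SSN means no match."""
    return next((r for r in registry if candidate.ssn and r.ssn == candidate.ssn), None)

# Constructed registry: one person recorded at hire by HR, where SSN was collected.
REGISTRY = [PersonRecord("N10000001", "Rivera", "Ana", "1985-04-12",
                         ssn="123-45-6789", email="ar42@example.edu")]
# The same person later applies to a graduate program; the admissions feed has no SSN.
APPLICANT = PersonRecord("", "rivera", "Ana", "1985-04-12", email="ar42@example.edu")
```

With SSN-only matching the applicant would receive a second University ID; the multi-attribute check links her to the existing record, and a namesake with the same birth date but a different e-mail lands in review instead.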

Identity and Identifier Management at NYU: What’s next?
– Identifiers: real-time identifier assignment; further integration with SoM
– Person Registry: data-cleaning improvements; integration with PASS; on-line ID Card application
– Directory Services: increased use by applications; augment with groups data; online public directory data available from UDW
– Groups & Roles: Registry groups improvements; track Grouper initiative
– Account Provisioning: integration with Active Directory implementation
– Authentication: required, regular password changing; strengthen complexity; two-factor authentication
– Authorization: ID Card swipe authorization based on Registry groups/roles; track progress of Signet initiative
– Federated Identity: track progress of E-Authentication initiative; involvement soon?
– Planning: planning for an enterprise system: pilot Sun IdM Suite?

IdM “Assurance Classes”
– Increasing level of assurance (LoA) required for some services
  – Data classification, other local policies
  – Response to HIPAA, SOX, GLB, eAuth
  – other Joneses to keep up with
– Minimal LoA required for others
  – Low bar for loosely affiliateds, but also limited access
– Typical services lie somewhere in between
– Determines classes of people by high water mark LoA requirement

Assuring Assurance
– A single one-size-fits-all authentication service won’t do
– Range of motion
  – Additional, stronger authentication
  – Multiple authentication services
  – Multiple accounts or account instances
  – Accounts assorted into classes
  – Multiple identity providers
– Must avoid that last possibility!
  – Want ubiquitous adoption of netIDs

UFlorida Password Policy Classes
– P1: Entry. Vendors, guests, student applicants, HR applicants
– P2: Low. Access to information only about yourself.
– P3: Medium. Access to information about others. Provide data at unit level.
– P4: High. Access to information at the institutional level
– P5: Rigorous. Control institution systems.

Password Policies
– Characteristics
  – Run-time: length, charset, lifetime, history
  – Password set/reset process: self-serve, phone, F2F
  – Account lockout??
– Implementation within IdM system
  – Arrange for assurance obligations of each account to be inferred or tagged
  – Authentication service support for run-time characteristics??
  – Notification processes
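The "high water mark" tagging from the Assurance Classes slide and the run-time characteristics listed here, combined in one added example that is not from the slides or any university's system: an account's class is the strictest class any of its services requires, and that class selects the length, charset, lifetime and history rules the authentication service enforces. Only the class names P1..P5 come from the UFlorida slide; the service-to-class mapping and the numeric rules are constructed.

```python
"""Added example (not from the slides or any university's system): tag an
account with an assurance class by the high-water-mark LoA of the services it
holds, then check a password against that class's run-time rules. Only the
class names P1..P5 come from the UFlorida slide; service mappings and the
numeric rules are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the class each service demands of an account that can reach it.
SERVICE_LOA = {"campus-wifi": "P1", "view-own-grades": "P2", "dept-roster": "P3",
               "institutional-reports": "P4", "server-admin": "P5"}
RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4, "P5": 5}

@dataclass(frozen=True)
class PasswordRules:
    min_length: int
    charsets: int                 # character classes required (lower/upper/digit/symbol)
    max_age_days: int             # lifetime
    history: int                  # most recent passwords that may not be reused
    lockout_after: Optional[int]  # failed attempts before lockout; None = no lockout

# Constructed numbers: the slide lists the dimensions, not the values.
RULES = {"P1": PasswordRules(8, 1, 365, 0, None),
         "P2": PasswordRules(8, 2, 180, 3, 10),
         "P3": PasswordRules(10, 3, 120, 5, 10),
         "P4": PasswordRules(12, 3, 90, 8, 5),
         "P5": PasswordRules(14, 4, 60, 12, 5)}

def assurance_class(entitlements: List[str]) -> str:
    """High-water mark: the strictest class any entitled service requires."""
    classes = [SERVICE_LOA[s] for s in entitlements] or ["P1"]
    return max(classes, key=RANK.__getitem__)

def charset_count(pw: str) -> int:
    kinds = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
             any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(kinds)

def check_password(pw: str, cls: str, age_days: int, previous: List[str]) -> List[str]:
    """Return the run-time rules the password violates under class cls ([] = compliant)."""
    r = RULES[cls]
    problems = []
    if len(pw) < r.min_length:
        problems.append("length")
    if charset_count(pw) < r.charsets:
        problems.append("charset")
    if age_days > r.max_age_days:
        problems.append("lifetime")
    if pw in previous[:r.history]:
        problems.append("history")
    return problems
```

The same password can be compliant for a P1 account and fail on every rule once the account gains a P3 service, which is the effect of tagging by high water mark rather than per service.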

Topic 3: Context Changing for Business Practice
– Regulatory controls increasing (e.g. CALEA, HIPAA, SOX)
– Risk Management context changing…more online of value
– Identity theft is a growing problem
– Individuals demanding more privacy
– More focus on role-based privileges

Context Changing for Business Practice, cont.
– Federations and digital trust relationships
– Support transient populations

Where are the gaps?
Three different concerns over IdM at our respective institutions:
– Gary at NYU [done]
– Tom at U of Chicago [done]
– Bruce at Stanford

Discussion and Questions
…and a parting goal for all of us…
“There’ll be no more talking to Who’s who are not!” Dr. Seuss