1 A Case for Collaborative Identity Management in a Complex Decentralized Environment Andrea Beesing Assistant Director, IT Security and David Yeh Assistant.

Presentation transcript:

1 A Case for Collaborative Identity Management in a Complex Decentralized Environment Andrea Beesing Assistant Director, IT Security and David Yeh Assistant Vice President and University Registrar

2 Shared Secrets, Shared Vision, Shared Governance, Shared Technologies
Life cycle: A Shared Vision
Policies and practices
Reusable and scalable infrastructure and tools
Governance
Needs everyone – not just an IT concern

3 A Life Cycle Point of View
High school to Undergraduate to Alumni to Graduate to Employee and Friends
> 100,000 applicants
> 350,000 alumni, friends, guests!
Around-the-world sites – Ithaca, NY; New York City; Washington, D.C.; Doha, Qatar; Singapore; Beijing; Paris, France; Rome, Italy; Seville, Spain; London, England; Dublin, Ireland; Geneva, Switzerland; Geneva, NY; and others
Around-the-world connecting points – faculty collaborators; students, employees, alumni, parents

4 Simplify connecting people in our community
Provide access for the right people to the right information, anytime, any place
Process entry and access to information services, securely and efficiently
Connecting from the very beginning

5 Link people and services – Anytime, Anywhere, Securely
Adopting commonly developed technology tools – Shibboleth, InCommon; Grouper, Signet; Federated IdM
Inter-institution collaboration – faculty research, document transmission, international exchange and study abroad
Business partners – Inter-Library Services (ILIAD), National Student Clearinghouse, Law School Admissions Council (LSAC), Veterinary Medical College Application Service (VMCAS), American Medical School Application Service (AMCAS), CollegeBoard, Educational Testing Service, and others

6 Improve management of risk
Provide appropriate level of access into transactional systems
Facilities and other resource access
Protect university and college reputation

7 Reusable and Extendable Tools
Provision identity from the beginning
Common policies and procedures
Reusing best practices and technologies

8 Use Case: Student Identity Life Cycle

9 Identity Management goals for student services
“Instant” onboarding
–Establish applicant/student relationship with Cornell as early as possible
–No lines on day 1 for students
Replace paper-based, manual processes with online self-service options
Improve user experience when accessing services
–Across Cornell administrative units and colleges
–Across institutional boundaries
Protect security and privacy

10 Infrastructure in support of these goals (diagram)
Axes: Policy; Technology; Business process; Organization
Elements: Authentication of IT Resources; Information Security of Institutional Data; Training and awareness; Account management; Identification and registration; Authentication; Authorization & Access Mgmt; Provisioning; Directory Services; Ensuring students have ready access to information and resources they are entitled to; Data access standards; Governance; Data Stewardship and Custodianship; Access to Student Information; Federation Infrastructure

11 Student identity life cycle
Stages: Applicant, Accepted applicant, Deposited applicant, Student, Alumnus
Business challenges
Delivery of ID and initial password
Service entitlements at each step
Data access decisions at each step
Seamless transition from one step to the other
Correct handling of people with multiple relationships
Anticipating future business needs such as federated access to services
Understanding where business process and organizational changes are needed
Building awareness among staff with the need to know

12 Applicant onboarding: business view
Business needs
Fast, cost-effective, reliable way of conveying ID and password
Ease of transition from applicant to student
Online access to application status and financial aid award
Online access to other services anticipated in future
Players
Director of Admissions
University Registrar
IT Security Director
Data Steward
Identity Management IT staff
Business decisions
Use centrally issued ID which can be used for multiple applications
NetID is reserved for community members and is for life
ApplicantID is unique, but temporary
Applicants can only access information about the status of the application until risk concerns associated with the delivery method are addressed
Consider change in business process to require applicants to answer security questions during application process
Begin exercise to map constituent groups to service entitlements

13 Applicant onboarding: IT implementation
Security considerations
NetID as “gold” standard, implications for federated access
Clear-text passwords via represents risk
Resetting forgotten passwords for this large a group in remote locations
Service providers require means to authorize applicants for access
IT implementation
Create applicantID in separate Kerberos database (realm)
Issue one-time activation code in lieu of password
Create self-service application for activating and managing applicantID
Create applicant permit (group) and make available to campus service providers for read-only access
Provide campus service providers with mechanism for creating their own groups
“Reserve” NetID through naming convention of applicantID
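The applicant-onboarding design on this slide (a separate realm for applicantIDs, a one-time activation code instead of a mailed clear-text password, a read-only applicant permit group, and a naming convention that reserves the NetID) can be modelled as follows. This is an added example, not Cornell's code; the realm name, the code lifetime and the "ap-<netid>" convention are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model of the slide-13 design: applicantID in its own realm,
# activated with a single-use code instead of a mailed clear-text password,
# then placed in a read-only "applicant" permit group. Realm name, code
# lifetime and the "ap-<netid>" naming convention are assumptions.
APPLICANT_REALM = "APPLICANT.EXAMPLE.EDU"   # separate Kerberos realm (assumed)
CODE_TTL = 14 * 24 * 3600                   # activation-code lifetime in seconds (assumed)

def _hash(secret, salt):
    # Only a salted hash is kept (a password KDF would replace sha256 in production).
    return hashlib.sha256((salt + secret).encode()).hexdigest()

class ApplicantDirectory:
    def __init__(self):
        self.accounts = {}                    # applicantID -> record
        self.permits = {"applicant": set()}   # permit group -> applicantIDs

    def reserve_applicant(self, netid, now):
        """Create 'ap-<netid>' (reserving the future NetID) with a one-time code."""
        applicant_id = f"ap-{netid}"
        if applicant_id in self.accounts:
            raise ValueError("applicantID already exists")
        code, salt = secrets.token_urlsafe(12), secrets.token_hex(8)
        self.accounts[applicant_id] = {
            "principal": f"{applicant_id}@{APPLICANT_REALM}",
            "code_hash": _hash(code, salt), "salt": salt,
            "expires": now + CODE_TTL, "activated": False,
        }
        return applicant_id, code   # the code goes to the applicant, never stored in clear

    def activate(self, applicant_id, code, new_password, now):
        """Self-service activation: time-limited, single use, constant-time compare."""
        rec = self.accounts.get(applicant_id)
        if rec is None or rec["activated"] or now > rec["expires"]:
            return False
        if not hmac.compare_digest(rec["code_hash"], _hash(code, rec["salt"])):
            return False
        rec["activated"] = True
        rec["code_hash"] = None                       # the code cannot be replayed
        rec["pw_hash"] = _hash(new_password, rec["salt"])
        self.permits["applicant"].add(applicant_id)   # now visible to service providers
        return True

    def is_applicant(self, applicant_id):
        """Read-only permit check a campus service provider would make."""
        return applicant_id in self.permits["applicant"]
```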

14 Student onboarding: business view
Business needs
Student gets NetID as soon as deposit is paid and has access to student services
Student must be aware of IT policies and their responsibilities before accessing services
Players
College student services staff
University Registrar’s staff
IT Security Director
IT Policy Director
Faculty Advisory Group
Identity Management IT staff
Business decisions
Require each student to take an online tutorial and quiz to introduce policies and network citizenship
Deliver NetID by US mail until risk concerns are adequately addressed

15 Delivering online student services in a distributed environment (architecture diagram)
Policy and business process
Authentication: Kerberos, CUWebLogin, Radius, Active Directory
Authorization: Permit Server, Grouper, Signet
Federation Infrastructure: InCommon, Shibboleth
Single sign-on with NetID rfc32 for all services
Intra-campus online services
Identity repositories: PeopleSoft, LDAP directory
Inter-campus online services
External partners: ILiad

16 Delivering online services to all Cornell users (architecture diagram)
Policy and business process
Authentication: Kerberos, CUWebLogin, Radius, Active Directory
Authorization: Permit Server, Grouper, Signet
Federation Infrastructure: InCommon, Shibboleth
Single sign-on with NetID for all services
Intra-campus online services
Identity repositories: PeopleSoft, LDAP directory
Inter-campus online services
External partners: ILiad