Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton,


Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton, MACE, University of Wisconsin - Madison Carrie Regenstein, University of Wisconsin - Madison Ann West, NMI-EDIT Outreach, EDUCAUSE/Internet2

SERC, June 7, 2004

A Word from the sponsors: What is NSF interested in?
- Analogous to building the NSFnet
- NSF Middleware Initiative (NMI)
  - Scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments
  - Research and education communities can effectively collaborate using advanced communications tools
  - Internet users around the world can benefit

What is NMI-EDIT?
- NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT)
  - Internet2, EDUCAUSE, and SURA
  - Project Goals
    - Create a common, persistent and robust core middleware infrastructure for the R&E community
    - Provide tools and services in support of inter-institutional and inter-realm collaborations
    - Focus on intra- and inter-institutional identity and access management and related services

Range of Motion: Cat Swinging
- Definition of key terms
- Context
- Strategies for success
- Moving it forward

Today's goal: Focus on people, service and functionality!
- To support the synergistic relationship among technologists, policy folks, and administrators as an ongoing modus operandi (m.o.)
- A perspective or methods of managing, deploying and maintaining future infrastructures, IT and more

Key terms
- Enterprise Directory
- Authentication
- Authorization

Taken together these constitute an "Identity Management System" (IdM).

"Identity Management System"
- Suite of campus-wide security, access, and information services
  - Integrates data sources and manages information about people and their contact locations
  - Establishes electronic identity of users
  - Issues identity credentials
  - Uses administrative data and management tools to assign affiliation attributes
  - ...and gives permission to use services based on those attributes

Key terms: Enterprise Directory Services
- Enterprise Directory Services: where electronic identifiers are reconciled and institutional identity is established and maintained for all entities of interest
  - Very quick lookup function
  - Machine address, voice mail box, box location, address, campus identifiers

More key terms
- Authentication (AuthN)
  - Process of proving your identity by "presenting" an identity credential
  - In IT systems, often done by a login process
- Authorization (AuthZ)
  - Process of determining if policy permits a requested action to proceed, using attribute and group information
  - Often associated with an authenticated identity, but not always and not necessarily


Context

Context: What's the problem?
- Accommodate increased demand for integration across traditional data sources
- Deliver services to new populations
- Resolve tension between appropriate privacy and security regulations

Context: Viewing angles
- User view
  - One stop
  - Presentation similarities
  - Accurate data
- Developer view
  - One source
  - Ease of development

SERC, June 7, 2004 Context: What happens?  Traditional data sources integration –Updating information –How soon can we serve new staff, students? –Adding individuals to identity management system

SERC, June 7, 2004 Context: What happens?  New constituencies –Beyond faculty, staff, and students –Alumni, retirees, new kinds of learners –A portal for parents  Challenge to “the join”  Can’t ask for the key linking attributes like DoB  Students vouch for them? Separate DB??

Strategies for Success

Strategies for Success
- Know your environment
- Establish core principles
- Oversight
- Real life
- Topics to consider

Strategies: Know your environment! Guiding questions
- Is campus governance centralized or distributed?
- How has central administration demonstrated commitment to policy leadership?
- What partnerships are in place to support policy development among, e.g., IT, Legal, internal audit, police, Student Affairs?

SERC, June 7, 2004  Are there best practices already defined for your campus? Processes to create best practices?  Are there existing policies that just need to be interpreted to cover the e-World?  What resources are available to support policy development and implementation? Strategies: Know your environment! Guiding questions

SERC, June 7, 2004 Strategies: Core principles  Guiding philosophy of new infrastructure  Defined before design and implementation phases  Criticality of service: 24x7 operations. All apps must be dir enabled?  Rooted in view of data as a strategic resource –Enterprise directory  Link to all people of interest ..and all the needed identity information

SERC, June 7, 2004 Strategies: Core principles  Sample core principles –Data infrastructure serves more than one institutional application –Data is protected and requires permission for its use unless declared “public” by the data custodians or owners –Access to private directory data must be granted for each application and be approved by the data custodians. –Applications using that data should meet the security and data definition guidelines put forth by the technical service administrators. –Data will be made available for all valid administrative and educational purposes

SERC, June 7, 2004 Strategies: Oversight  Oversight and ownership  Data and technical service may be different  Application and infrastructure may be different –Create, read, update, and delete (CRUD) –On-going legal, source system, and policy changes  Requires business functions to be involved  Requires changes in the infrastructure

Strategies: Oversight
Sample oversight functions:
- Access and use of the data and compliance with University policy
- Access and use of service for performance and security implications
- Dissemination of directory maintenance information and changes
- Documentation of applications and attribute use
- Changes in requirements, procedures, and applications using the directory, once per year

Strategies: People Issues
- Whom did you include?
- Whom did you forget?
- In what order did you include them?
- What did you hope for or expect each one to bring to the table?
- Where are the more difficult interactions/relationships?

Strategies: Real life
- Cultural / technical assumptions vs. reality
  - "Public directories will be mined by spammers"
    - Honeypot: "Does it really happen?"
    - Nope! (How we show data matters)
  - Centralization vs. flexibility
    - Distributed management tools
    - Be careful what you ask for
  - Most anything can be done -- cost??

Strategies: Topics - 1
- When should a policy be developed vs. a technical fix?
- What are some strategies for creating policies on-the-fly? When should this be done?
- How does a technical person know when a policy decision needs to be made?

Strategies: Topics - 2
- How might we modify services to encourage high-level customers/stakeholders to work more effectively on policy issues?

Strategies: Topics - 3
- What should we do with special cases or exceptions?
  - Title entries in white pages
    - Chancellor, Provost, VP, EVP, etc.
  - Vanity netIDs?
  - Nicknames?
  - Privacy opt-in, opt-out?

Moving it Forward

Forward: Applying what we learned?
- Consider the problem, scope, and alternatives
  - Big P Policies
  - Little p policies

SERC, June 7, 2004  Big P policies –FERPA FERPA FERPA –USA Patriot Act  Policy supports compliance  Practice includes guidelines for operational staff –HIPAA  Defining Health Care Components (HCCs) on campus  How can a central IT organization support compliance? Forward: Compliance with Federal regulations- Due Diligence and the central IT organization

Forward: Compliance with State regulations - Due Diligence and the central IT organization
- Big P policies
  - Electronic Records Management
  - Education and communication
    - Example: home.htm

Forward: Core principles
- Big P policies
  - Data and service as strategic resources
  - Data and service ownership and stewardship
  - Use of infrastructure
  - Attribute privacy

Forward: Local considerations
- Little p policies
  - Relates to environment, role, and culture
- NetID
  - Assignment, self-selection, activation, password management
- Physical access security (devices)
  - Assignment, activation, and implementation
- Others?

Resources
- middleware.internet2.edu
- EDUCAUSE/Cornell Institute for Computer Policy and Law


Tech and Policy Tracks
