Integrated Institutional Identity Infrastructure: Implications and Impacts
RL "Bob" Morgan, University of Washington
Internet2 Member Meeting, May 2005
Slide 3: IAM Drivers
- Compliance
- Collaboration
- Outreach
- Network security
- Gorilla applications
- Your driver here...
Slide 4: Compliance
- External regulations
  - FERPA, HIPAA
  - Funding agency requirements: DoE, DoD, etc.
  - State-agency regulations
  - Federal e-authentication: contractual
- Internal policies
  - Privacy
  - Financial controls
Slide 5: Privacy compliance support
- HIPAA, FERPA, local privacy regulations, etc.
- It's simple: control who can see what
- Process:
  - classify data (e.g. protected health information)
  - identify business processes, "need to know"
  - control access methods and data locations
  - identify and authenticate users
  - log and audit access (as needed)
  - manage policy expression and evolution
Slide 6: Infrastructure Requirements
- Identity management
  - anti-sharing controls
  - support process/system/service identities
- Authorization management
  - translate need-to-know and data classes into containers, ACLs, roles
  - integrate with business processes (medical, teaching, ...)
- Log/audit/reporting support
- Privacy implementation guidance
Slide 7: US E-Authentication program
- Broad initiative supporting e-government, both citizen-facing and internal
- Based on NIST technical authentication guidelines, including 4 "levels of assurance"
- Uses a SAML protocol base (Shibboleth compatible)
- Most agencies must run a compliant application in 2005
- Operates a "Federal federation" of participating applications and credential providers
- Its standards and practices will be widely used outside of government as well
Slide 8: E-Authentication and us
- Universities and CAF compliance
  - indicate "institutional authority"
  - LoA requirements for: identity proofing, activation, revocation, password strength, good user practice; facility control, configuration/software management; helpdesk, password reset practice; record-keeping, audit, etc.
- Initial assessments done by GSA
- Future compliance via inter-federation peering
- Will support peering to other areas (e.g. financial)
Slide 9: Inter-institutional Collaboration
- Much large-scale funded research is inter-institutional
  - funding vehicles are multi-institution projects, aka virtual organizations (VOs)
  - institutional VO support is key to being in the game; not just facilities and networking any more
  - often international in scope
- Many other collaborations at all scales
  - licensed content via consortia
  - institutes, centers, special programs, and our own departments and colleges
Slide 10: Collaboration requirements
- Tools: mailing list, storage, web publishing, calendar, ...
  - identity management, roles, groups, authorization management, privacy
  - and all must work inter-institutionally
- Network access
  - federated identity, or many sponsored accounts
- Policy flexibility
  - e.g., "must be employee"
  - support VO policies and IAM technologies
Slide 11: Institutional Outreach
- New initiatives lead to new populations
  - alumni, retirees
  - applicants, prospects
  - K-12
  - regional medicine, patients
  - distance learning, international campuses
  - regional colleges
Slide 12: Supporting Outreach
- Identity management
  - low-cost or no-cost identity proofing
  - new lows in level of assurance, e.g. passwords
  - new process state changes, e.g. applicant -> student, employee -> retiree
  - patient process is likely high LoA
- Authorization
  - campus netid does not mean "campus user"
  - users not entitled to "regular service bundle"
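As an added example (not from the slides, and not any institution's actual policy), the need-to-know process of slide 5 and the outreach authorization point of slide 12 in code: data classes with the roles and minimum level of assurance they require, service-bundle entitlement that follows affiliation rather than mere possession of a netid, state changes such as applicant -> student, and an audit record for every decision. The role/LoA assignments per data class and the set of bundle-entitled affiliations are assumptions chosen for illustration.

```python
"""Need-to-know access check with audit trail (constructed example)."""
from dataclasses import dataclass

# Data classes from the "classify data" step. Which roles have need-to-know
# and the minimum NIST e-authentication LoA (1..4) per class are assumptions.
POLICY = {
    "public":           ({"any"},                  1),
    "education-record": ({"registrar", "advisor"}, 2),  # FERPA-covered
    "protected-health": ({"clinician"},            3),  # HIPAA-covered
}
# Affiliations that receive the "regular service bundle" (assumption).
BUNDLE_AFFILIATIONS = {"student", "employee"}

@dataclass
class Identity:
    netid: str
    affiliations: set   # e.g. {"applicant"}, {"employee"}, {"retiree"}
    roles: set          # business-process roles, e.g. {"clinician"}
    loa: int            # level of assurance of the credential, 1..4

AUDIT: list = []        # one record per access decision

def check_access(who: Identity, data_class: str) -> bool:
    """Grant only if a role satisfies need-to-know AND the LoA is high
    enough for the data class; every decision is logged for audit."""
    roles_needed, min_loa = POLICY[data_class]
    ok_role = "any" in roles_needed or bool(who.roles & roles_needed)
    ok_loa = who.loa >= min_loa
    granted = ok_role and ok_loa
    if granted:
        reason = "ok"
    elif not ok_role:
        reason = "no need-to-know role"
    else:
        reason = f"loa {who.loa} below required {min_loa}"
    AUDIT.append({"netid": who.netid, "class": data_class,
                  "granted": granted, "reason": reason})
    return granted

def in_service_bundle(who: Identity) -> bool:
    """A campus netid alone grants nothing; entitlement follows affiliation."""
    return bool(who.affiliations & BUNDLE_AFFILIATIONS)

def transition(who: Identity, old: str, new: str) -> Identity:
    """Affiliation state change (applicant -> student, employee -> retiree).
    Entitlements are recomputed from the new state, never carried over."""
    who.affiliations = (who.affiliations - {old}) | {new}
    return who
```

Running the checks for an applicant who becomes a student, and for an employee whose credential LoA is below what protected health information requires, shows the audit list filling with a reason for each denial.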
Slide 13: Network access security
- High security, high access
  - keep viruses, worms, sniffers, spammers out
  - accommodate visitors and conferences with wireless
- Support identity management for machines
  - network-layer authentication
  - device support, constrained network environment
  - easy access to (shared?) ids or registration
  - new policy considerations
Slide 14: Big application integration
- ERP, Portal, LMS, Grid
- You're not just buying an app, you're buying infrastructure
  - and your deployers may treat them as infrastructure, i.e. creating their own processes for IAM etc.
  - may be OK, but not likely to be general-purpose
- Open-source packages are new opportunities
  - uPortal, Sakai, Kuali, Globus
  - many challenges same as with vendor packages
  - good integration examples can be infectious
Slide 15: Conclusion
- The perils of success
  - apps and orgs now come to infrastructure providers seeking support, expecting advanced services
  - we still have to evangelize
  - budgets not going up exponentially...
- Architecture and integration
  - know what the pieces do and don't do
  - justify up-front costs, but focus on design wins