Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applying Data Governance in Identity Management: To Serve and Protect

Published byTobias Willis Modified over 6 years ago

Similar presentations

Presentation on theme: "Applying Data Governance in Identity Management: To Serve and Protect"— Presentation transcript:

1 Applying Data Governance in Identity Management: To Serve and Protect
Copyright Brendan Bellina This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Brendan Bellina Identity Services Architect Information Technology Services University of Southern California

2 Distributed Data = Leaks
Security Breach SSN Name User Error Date of Birth Intentional Gender Inadequate Training Ethnicity Equipment Theft Address Recycled Equipment Phone

3

4 Development of the Person Registry (PR)
Establishes authoritative Person ID - USCID Real-time communication with primary SORs (SIS, AIS, iVIP, USCard) Stores/matches identifying data - name, Date of Birth, Social Security Number Required agreements on: Common data definitions (DOB and SSN), Data ownership hierarchy for updates Policies for merging identities and USCIDs SOR: System of Record

5 Development of the Global Directory Service (GDS)
GDS “cloud” includes PR, MU, the interfaces to them: GDS LDAP and Shibboleth; and metadirectory processes Nightly updates to active person, account, and groups information based on inputs from MU, the PR, and group exceptions Provides authentication, authorization, attributes, and group services through LDAP and Shibboleth Required agreements on: Standard schema definitions (eduPerson, eduCourse), Access controls for anonymous and authenticated queries Request process for data access and group definitions Policies on addition of new data elements and types The Shibboleth referred to here is the 1.3 IdP (to be upgraded to 2.0 in summer/fall 2008) which relies upon the GDS LDAP, NOT the Shibboleth 1.2 IdP which relies upon the deprecated ldap.usc.edu LDAP directory populated by MU.

6 Data Governance brings together cross-functional teams to make interdependent rules or to resolve issues or to provide services to data stakeholders. These cross- functional teams - Data Stewards and/or Data Governors - generally come from the Business side of operations. They set policy that IT and Data groups will follow as they establish their architectures, implement their own best practices, and address requirements. Data Governance can be considered the overall process of making this work.

7 When to use formal Data Governance
When one of four situations occur: The organization gets so large that traditional management isn't able to address data-related cross-functional activities. The organization's data systems get so complicated that traditional management isn't able to address data-related cross- functional activities. The organization's Data Architects, SOA teams, or other horizontally-focused groups need the support of a cross- functional program that takes an enterprise (rather than siloed) view of data concerns and choices. Regulation, compliance, or contractual requirements call for formal Data Governance.

8 Data Governance Principles
Eight Principles: Integrity All data requests are reviewed in committee, including central IT requests No rubber-stamping. No railroading. No exceptions. Transparency Committee meetings are open and held during lunch hours. Policies are posted on GDS website Auditability All Data Requests are retained and tracked in the USC Wiki Accountability Data Access is granted only following approval. No technical overrides.

9 Stewardship Checks-and-Balances Standardization Change Management
Data Stewards must review and approve all data requests. Department IT leaders are engaged in the review process. Checks-and-Balances ITS Architect attends all meetings but does not vote. All requests go through a meeting with ITS prior to committee to ensure all appropriate questions are considered. ITS makes no production changes for data release without committee approval. Standardization Establish sub-committees and spin-off efforts to determine standardization on role definitions and data usage. USC is an active participant in relevant collaborative standards development (MACE-Dir, Internet2, EDUCAUSE, InCommon working groups). Change Management Requests are maintained in the USC Wiki Access control changes are maintained as prior versions for historical review

10 IAM Data Governance Committees
All committees are chaired by the Director of the Office of Organization Improvement Services, Margaret Harrington. Directory Steering Committee - management committee meets every 3 weeks focuses on policy regarding data acquisition and release, integration, and communication attendees include senior management representatives from academic schools, administrative departments, IT Security Office, General Counsel GDS Executive Committee - management committee every other week focuses on technical and staffing issues affecting direction and prioritizations attendees include management representatives from SOR’s and GDS team Data Team - technical committee meets every 3 weeks focuses on operational issues affecting SOR’s and PR/GDS attendees include representatives from SOR’s and GDS team

11 Diagram produced by the National Middleware Initiative (NMI), the Middleware Architecture Committee for Education (MACE), and Dr. Thomas Barton, University of Chicago

12 Data Team

13 GDS Executive Committee

14 Directory Services Steering Committee

15 Role of Central IT in Data Governance
Central IT is NOT a data steward Central IT is a subject matter expert regarding technology Central IT is implementer, NOT policy maker Central IT provides an enterprise view, providing a counter-balance to department-centric development Central IT acts as a representative of the institution in the development of external standards

16 Attribute Access Request Process
Documented at GDS website Chaired by Director of the Office of Organizational Improvement Required for all data requests to GDS content Meeting with ITS and application sponsor occurs prior to Directory Steering Committee Directory Steering Committee reviews all new requests Data Stewards must approve requests Requests must be reauthorized every 2 years

17 Authorization Model Service Provider must explicitly define user population based on attributes in the GDS provided by the SOR’s, or as a discretionary (exception) group recorded in the GDS GDS Authorization Group is used to record the application user population and assign an entitlement for the service Shibboleth (or LDAP) releases attributes to the Service Provider only for users with the entitlement value for the service Authorization to use a service is determined at the Identity Provider based on GDS attributes BEFORE any attributes about the user are released to the service.

18 Challenges

19 Maintaining consistent engagement of departmental leaders
Perception of governance process being a barrier to rapid deployment of services Services without Sponsors Lack of Knowledge Leading to Missteps and Resistance Persisting Contrary IT Practices Departmental portals and proxies grouping users and data Lack of data requirements for projects Allowing major projects to bypass governance and review Fabricated accounts in production to facilitate support Shadow and test systems providing access to production data Administrators taking liberty with data access when pressed

20 Links USC GDS website: http://www.usc.edu/gds
Additional Presentations: Contact the author via

Download ppt "Applying Data Governance in Identity Management: To Serve and Protect"

Similar presentations

Copyright Kathy J. Lang and Ed Mahon, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared.

Copyright Kathy J. Lang and Ed Mahon, This work is the intellectual property of the authors. Permission is granted for this material to be shared.
Data, Policy, Stakeholders, and Governance Amy Brooks, University of Michigan – Ann Arbor Bret Ingerman, Vassar College Copyright Bret Ingerman 2004. This.

Data, Policy, Stakeholders, and Governance Amy Brooks, University of Michigan – Ann Arbor Bret Ingerman, Vassar College Copyright Bret Ingerman This.
© Scordias & Morris, 2005 Virtual Classroom Visits: Using Video Conferencing Technology to Enhance Teacher Education Dr. Margaret Scordias Pamela B. Morris,

© Scordias & Morris, 2005 Virtual Classroom Visits: Using Video Conferencing Technology to Enhance Teacher Education Dr. Margaret Scordias Pamela B. Morris,
Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,

Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,
Applying Data Governance in Identity Management: To Serve and Protect Brendan Bellina Identity Services Architect Information Technology Services University.

Applying Data Governance in Identity Management: To Serve and Protect Brendan Bellina Identity Services Architect Information Technology Services University.
LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.

LDAP-Enabled Privacy at The University of Notre Dame EduCAUSE conference, October 2002 Brendan Bellina Office of Information Technologies University of.
Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.

Andrea Eastman-Mullins Information & Technology Coordinator University of North Carolina, Office of the President Teaching and Learning with Technology.
Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.

Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.
1 Collaborators at the Gates of Troy: Extending eServices at USC.

1 Collaborators at the Gates of Troy: Extending eServices at USC.
Making the Case for Security: An Application of the NIST Security Assessment Framework to GW January 17, 2003 David Swartz Chief Information Officer Guy.

Making the Case for Security: An Application of the NIST Security Assessment Framework to GW January 17, 2003 David Swartz Chief Information Officer Guy.
1 LBNL Enterprise Computing (EC) January 2003 LBNL Enterprise Computing.

1 LBNL Enterprise Computing (EC) January 2003 LBNL Enterprise Computing.
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.
ECM Project Roles and Responsibilities

ECM Project Roles and Responsibilities
Put Higher Education First Check Egos & Institutional Biases at the Door! Ailish Byrne (Indiana University) Copyright Ailish Byrne 2007. This work is the.

Put Higher Education First Check Egos & Institutional Biases at the Door! Ailish Byrne (Indiana University) Copyright Ailish Byrne This work is the.
1 sm Using E-Business Solutions to Meet Management Challenges: Interoperability & Flexibility Bring Success to the Implementation of Specialized Components.

1 sm Using E-Business Solutions to Meet Management Challenges: Interoperability & Flexibility Bring Success to the Implementation of Specialized Components.
Using Shibboleth as Your WebSSO Authentication System CAMP Shibboleth: Enabling Campus and Federated Single Sign-On June 27, 2006 Brendan Bellina Identity.

Using Shibboleth as Your WebSSO Authentication System CAMP Shibboleth: Enabling Campus and Federated Single Sign-On June 27, 2006 Brendan Bellina Identity.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
Application Security Management Functional Project Manager (s) ERP Project Director ERP Campus Executive University & Campus Administration Security Policy.

Application Security Management Functional Project Manager (s) ERP Project Director ERP Campus Executive University & Campus Administration Security Policy.

Similar presentations

Ads by Google