
Identity Management Systems: Components and Constituents


Presentation on theme: "Identity Management Systems: Components and Constituents"— Presentation transcript:

1 Identity Management Systems: Components and Constituents
Renee Frost, University of Michigan/Internet2
Ann West, EDUCAUSE/Internet2/Michigan Tech

2 Copyright Renee Frost and Ann West, 2004
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. SAC - 11 August 2004

3 Topics
- Introduction to Identity Management Concepts
- Business Drivers, Policy, and Governance
- Technology Components
- Discussion
- Implementation Framework
- Wrap up and More Information

4 Introduction to Identity Management

5 Some of What We are All Trying to Accomplish
- Enable online service for our constituents earlier in their affiliation with us, wherever they are, and on an ongoing basis (entire life cycle)
- Deliver services to new constituents
- Simplify end-user access to a multitude of online services
- Facilitate operation of those services by IT organizations
[Speaker note: Re: inter-organizational. Think Shib for libs et al., eScience (remote instrumentation, VOs)]

6 Some of What We are All Trying to Accomplish (cont)
- Increase security
- Resolve tension between appropriate privacy and security regulations
- Accommodate increased demand for integration across traditional data sources
- Participate in new, inter-organizational, collaborative architectures and environments

7 Why Identity Management
The enterprise-wide, policy-driven infrastructure enables:
- Scalability
- Consistency
- Integrity
- Integration
- Collaboration

8 Definitions
- Identity – set of attributes about, and identifiers referring to, a subject (person, service…)
- Authentication – process used to associate a subject with an identifier
- Authorization – process of determining if policy permits an intended action to proceed
- Credentials – attributes of a subject used to identify it (authentication) or to make access decisions (authorization) about what it can do in a particular context
[Speaker note: Authn produces a security context. Authz efficacy is limited by availability of subject attributes and by how faithfully policy is incorporated into the infrastructure or the application.]
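The two processes defined on this slide, and the speaker note's point that an authorization decision is only as good as the subject attributes available to it, as an added example in Python (not code from the presentation or from NMI-EDIT). The credential store, the attribute store, the policy table and the subject identifiers are all constructed for the example; the security context returned by authentication is a plain dict, and the policy evaluator denies whenever a required attribute is simply missing rather than guessing.

```python
# Added example, not from the presentation: authentication that produces a
# security context, then authorization that checks policy against the subject's
# attributes. The credential store, attribute store and policy are constructed.
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000

def make_credential(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted PBKDF2 digest rather than the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}

# Constructed stores, keyed by the subject's primary identifier.
CREDENTIALS = {"ghopper": make_credential("correct horse battery", salt=b"\x01" * 16)}
ATTRIBUTES = {
    "ghopper": {"affiliation": ["staff", "student"], "department": "CS"},
    "aturing": {"affiliation": ["staff"]},      # no department attribute available
}

# Constructed policy: the attributes an action requires. A subject attribute may be
# multi-valued (a list, like affiliation) or single-valued.
POLICY = {
    "read-gradebook": {"affiliation": "staff"},
    "view-dept-budget": {"affiliation": "staff", "department": "CS"},
}

AUDIT: List[dict] = []   # consolidated trail of authorization decisions

def authenticate(identifier: str, password: str) -> Optional[dict]:
    """Associate a subject with an identifier; return a security context or None."""
    cred = CREDENTIALS.get(identifier)
    if cred is None:
        # Do the same work for unknown identifiers so they are not distinguishable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, cred["digest"]):
        return None
    return {"subject": identifier, "attributes": ATTRIBUTES.get(identifier, {})}

def context_for(identifier: str) -> dict:
    """Security context for a subject authenticated elsewhere (e.g. by single sign-on)."""
    return {"subject": identifier, "attributes": ATTRIBUTES.get(identifier, {})}

def authorize(context: dict, action: str) -> bool:
    """Deny by default: every attribute the policy names must be present and match."""
    rules = POLICY.get(action)
    decision = rules is not None            # unknown action: no policy, so deny
    if decision:
        for attr, required in rules.items():
            value = context["attributes"].get(attr)
            if value is None:               # attribute unavailable: cannot decide, deny
                decision = False
            elif isinstance(value, list):
                decision = decision and required in value
            else:
                decision = decision and value == required
    AUDIT.append({"subject": context["subject"], "action": action, "allowed": decision})
    return decision
```

In this setup `aturing` has the `staff` affiliation and so passes `read-gradebook`, but is refused `view-dept-budget` because no `department` attribute reached the infrastructure, which is exactly the limitation the speaker note describes.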

9 Definitions (cont)
- Identity Management System – a policy-driven infrastructure (policies, procedures, standards, & technologies) which:
  - Consolidates identity information about individuals from multiple authoritative sources
  - Makes data available to multiple applications and other services with need to access it
  - Integrates the implementation of access policy and security
[Speaker note: Delete?? Not sure I like this definition]

10 Identity Management Factors
- Drivers
- Constituent Requirements
- Institutional Goals
- Policy & Governance
- Standards
- Budget
- Project Management Practices
- Identity Management
- Ability to Implement
- Technology
- Staff Skills/Expertise
- Products

11 Policy and Governance
- Recognize Business Drivers
- Map to Institutional Environment and Goals/Strategy
- Consider Constituent Requirements and Processes
[Speaker note: Goal: outline the need for policy and governance; provide a sample list of policies and related issues; offer ideas of how to address them in the discussion]

12 Sample Business Drivers
- Legislation and Regulation: FERPA, HIPAA, GLB
- Shrinking budgets and increasing demands for online services
- Security/protection of resources for ethical and business reasons
- Participation in an electronic consortium
What speaks to your campus?

13 Map the Drivers to Institutional Environment for Policies
- Are there existing policies that can be leveraged to cover identity management?
- What resources are available and what partnerships (e.g., IT, legal, internal audit, police, student affairs) are in place to support policy development and implementation?
- What institutional goals and core principles guide the use of data to be stored in the IdM system?
- Can the institution leverage & extend existing data administration policies & processes?

14 Map the Drivers to Institutional Environment for Security and Privacy
- How does this IdM infrastructure connect with broader security and privacy goals?
- Are there special security issues that must be considered when extending the IdM to a system (e.g. single sign-on, ERP)?
- What security will be in place to protect the IdM infrastructure?

15 Consider Governance Issues
- How will the University operate its identity management infrastructure?
- What is the balance between centralized and distributed operation?
- Who will determine whether to put new information in the common infrastructure, and how it will be represented?
- If necessary info is not already collected, who will determine whether business processes should be changed to do so?
[Speaker note: RWF: overlap with technology. AW: yup, and should condense the policy/process slides… reduce detail. Could be architecture issues]

16 Effective Identity Management
Requires policy and governance to exist and work well on an on-going basis to ensure appropriate access, privacy, and security; to establish trust
- What are your risks?
- What do you value?
[Speaker note: RWF: merge with previous?]

17 Example: Access to Protected Resources
Risk and trust requirements are determined by the resource holder as well as by the user, who considers personal privacy risk. Taken together, these requirements determine the technologies and policies implemented.
Risk management measures:
- Authentication and authorization standards
- Security practices
- Risk assessment
- Change management controls
- Audit trails
[Speaker note: RWF: how much detail??]

18 Policy to Govern Credentials
- Who should be issued a credential?
- What assurance level should authentication for each constituency achieve?
- What constraints may pertain to each?
  - Applicants (student, faculty, staff)
  - Admitted students, accepted faculty or staff
  - Alums
  - Parents
  - Library patrons
  - Guests: visiting academics, conference attendees, hotel guests, arbitrary “friends”, …
[Speaker note: RWF: compare with next slide]

19 Policies to Govern Credentials (cont)
- How are electronic identity credentials issued?
  - Admin process
  - Technology
- Is the primary electronic identifier unique for all time to the individual? If not, what is the policy for reassignment & the timeframe between uses?
- How is information in the electronic identity database acquired and updated?
- What is public vs. private info in the database?
[Speaker note: Condense this and the last slide]

20 Policies to Govern Use of Information
- What restrictions are placed on use of identity information?
- What assertions are acceptable for what purposes?

21 Test your policy/process - internally
- What might your central IT org ask of a peer campus identity provider (central Library, Med Center) to decide whether to accept its identity assertions for access to resources that the IT organization controls?
- What might campus depts ask about the central identity mgmt system if they wanted to leverage it for use with their own applications?

22 Test your policy/process - externally
- What would you need to know about an electronic identity provider to make an informed decision whether to accept their assertions to manage access to your online resources or applications?
- What would you need to know about a resource provider to feel confident providing it info it might not otherwise be able to have?

23 Governance Structure Needed
- to maintain an accurate, secure, and functional service
- to represent the varied sources of data, to reconcile discrepancies, and to establish guidelines for consistent use and access
- to interpret and communicate policies and guidelines
- to ensure that the service supports relevant federal, state, and university laws, regulations, and policies.

24 Governance Structure – Who
Stakeholders such as:
- data stewards from major data sources such as HR, Registrar, Alumni, etc.
- representatives from units with responsibility for managing the data or infrastructure, such as IT
- Schools, colleges, and departments who run directory-enabled applications

25 Role of Governance
- Prioritization of new development
- Review of data use requests and requests for new data
- On-going legal, source system, & policy changes
- Identity Mgmt policy & decision-making
- Additions of new communities to the IdM infrastructure

26 Role of Governance
Development of policy for:
- Access and use of service for performance and security implications
- Service maintenance, management, and changes – i.e., logging
- Attribute access and use derived from campus policy
- Determination of compliance requirements to make certain the IdM meets policy and privacy directives

27 Technology Elements of Identity Management

28 What is an identity management system?
Policy-driven infrastructure which:
- Consolidates identity information about individuals in one source
- Makes data available to applications and other services
- Provides a consolidated spot for the implementation of access policy and security
[Speaker note: Security could include logging. Integration of pertinent information about people from multiple authoritative sources. Processes that transform source data, derive affiliation information, maintain status of assigned, entitled, or authorized information resources, and provision resultant data where it can be of use to applications. Locus for implementation of policies concerning visibility and privacy of identity information and entitlement policies.]

29 Consolidates Identity Information
- Provide a single authoritative source for identity
  - Integrate data from authoritative sources
  - Act as system of record for the unique identifier
- Ensure identity integrity
  - Maintain one-to-one mapping between fundamental identifiers and real-world people
  - Rely on external identifiers to verify: name, birthday…
  - Reconcile identifiers to create one person object
[Speaker note: Authentication binds identity to a person. LOA with the identity-related attributes indicates what a person can do. It makes sense that IdM is important.]

30 Identifier Reconciliation
Consolidated view of individuals' identities
- Inventory the major source system identifiers
  - Characteristics: Who assigns, and how? Who/what uses it? Is it persistent?
  - Campus card, student id, library id, SIS, HRS, Finance…
- Match up identifiers of the same person and accompanying data
- Assign/determine the unique identifier under which the source system identifiers and data are held
[Speaker note: GLB and SSN…]

31 Abbreviated ID Mapping Table
Fundamental ID    | Who Assigns?      | Who Gets One?
------------------|-------------------|--------------------------
id                | Central IT        | People
universal_userID  |                   |
uid               | guest registrars  | guests
clusterID         |                   | Shell account opt-ins
sisID             | Registrar         | Students & instructors
hrsID             | HR                | Staff
frsID             | Controller        | Holders of budget roles
adsID             | Marketing & Adv   | Graduates, other donors
aprID             | Provost           | Faculty
operatorID        |                   | ERP security principals
patronID          | Library           | Library patrons

32 Consolidates Identity Information
- Provide consolidated source for affiliations
  - Which source systems define which affiliations?
  - Student, faculty, staff, course, program, department…
  - Group memberships
- Provide one source for other commonly-used valuable data
  - Citizenship, sort name…
[Speaker note: Developers/Implementers: enables single source, simpler data integration]

33 Consolidates Identity Information
- Provide authentication credentials & contact info
  - Some authoritatively stored: username(s), address(es)
  - Some data sourced elsewhere: phones, US Mail addresses, office location, …
- Provide extra data to verify identity mapping
- Store secrets to help with initial account claim and password reset scenarios

34 Provisions Directory Services and Applications
- Data for managing provisioning processes
- Consumer identifiers
- Transformations and feeds to directories (LDAP, AD), applications, etc.

35 Central Implementation of Access Policies
- Implement constraining policy
  - Privacy: internal or external viewing
  - Security & audit: consolidated logging, tracking of authorizations
  - Specialized provisioning requirements
- Provide authority and mechanisms to allow distributed administration of identity data, temporary access
[Speaker note: Security. How does this project connect with broader security and privacy goals? Are there special security issues that must be considered when extending the IdM to a system (e.g. single sign-on and ERP)? What security will be in place to protect the IdM infrastructure?]

36 Physical Components Involved
- Systems of Record and other data sources
- Data feeds and transformation processes
  - Business rules
  - Identity reconciliation
- Person Registry
  - Assignment of unique identifier
  - Life cycle management and record integrity
- Provisioning processes
  - Target format
- Published data sources
  - Enterprise directories
- Management tools
  - Self service
  - Delegated authority
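The pipeline that slides 29 through 36 describe, reconciling source-system identifiers into one person object, assigning a fundamental identifier, deriving affiliations from business rules and provisioning a directory entry, as an added example in Python (not code from the presentation or from any NMI-EDIT tool). Everything in it is constructed: the three systems of record (SIS, HRS, LIB), their identifier field names, the sample records, the affiliation rules and the directory attribute names. Matching uses name plus date of birth, as slide 29 suggests; the identifier counter never reissues a retired identifier, which is the "unique for all time" policy question from slide 19; and the date of birth stays private in the registry rather than being provisioned.

```python
# Added example, not from the presentation: a toy person registry that reconciles
# identifiers from several systems of record into one person object, assigns a
# fundamental identifier that is never reused, derives affiliations, and provisions
# a directory entry. Source-system names, field names and records are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample feeds. Each system carries its own identifier plus the external
# identifiers the slides mention for verifying a match (name, birthday). SSN is
# deliberately not used as a match key.
SOURCE_FEEDS = {
    "SIS": [{"sisID": "S1001", "name": "Ada Lovelace", "dob": "1815-12-10", "status": "enrolled"},
            {"sisID": "S1002", "name": "Grace  Hopper", "dob": "1906-12-09", "status": "enrolled"}],
    "HRS": [{"hrsID": "H77", "name": "Grace Hopper", "dob": "1906-12-09", "status": "active"},
            {"hrsID": "H78", "name": "Alan Turing", "dob": "1912-06-23", "status": "active"}],
    "LIB": [{"patronID": "P5", "name": "Ada Lovelace", "dob": "1815-12-10"},
            {"patronID": "P6", "name": "Ada Lovelace", "dob": "1990-01-01"}],  # same name, other person
}
SOURCE_ID_FIELD = {"SIS": "sisID", "HRS": "hrsID", "LIB": "patronID"}

# Business rules: which source system defines which affiliation, and when it holds.
AFFILIATION_RULES: Dict[str, Tuple[str, Callable[[dict], bool]]] = {
    "SIS": ("student", lambda r: r.get("status") == "enrolled"),
    "HRS": ("staff", lambda r: r.get("status") == "active"),
    "LIB": ("library-patron", lambda r: True),
}

@dataclass
class Person:
    fundamental_id: str                                        # assigned once by the registry
    name: str
    dob: str                                                   # private: never provisioned
    source_ids: Dict[str, str] = field(default_factory=dict)   # e.g. {"SIS": "S1001"}
    affiliations: List[str] = field(default_factory=list)

class PersonRegistry:
    def __init__(self) -> None:
        self.people: Dict[str, Person] = {}
        self._by_key: Dict[tuple, str] = {}   # reconciliation key -> fundamental id
        self._retired: set = set()            # identifiers that must never be reissued
        self._counter = 0

    @staticmethod
    def match_key(record: dict) -> tuple:
        """Reconciliation rule: whitespace-normalised, case-folded name plus birthday."""
        return (" ".join(record["name"].casefold().split()), record["dob"])

    def _new_id(self) -> str:
        while True:
            self._counter += 1
            candidate = f"U{self._counter:06d}"
            if candidate not in self._retired and candidate not in self.people:
                return candidate

    def load_feed(self, system: str, records: List[dict]) -> None:
        """Match each source record to an existing person or create a new one."""
        id_field = SOURCE_ID_FIELD[system]
        label, holds = AFFILIATION_RULES[system]
        for rec in records:
            key = self.match_key(rec)
            fid = self._by_key.get(key)
            if fid is None:
                fid = self._new_id()
                self.people[fid] = Person(fid, " ".join(rec["name"].split()), rec["dob"])
                self._by_key[key] = fid
            person = self.people[fid]
            person.source_ids[system] = rec[id_field]
            if holds(rec) and label not in person.affiliations:
                person.affiliations.append(label)

    def retire(self, fid: str) -> None:
        """Life-cycle end: drop the record but keep the identifier reserved forever."""
        person = self.people.pop(fid)
        del self._by_key[self.match_key({"name": person.name, "dob": person.dob})]
        self._retired.add(fid)

    def provision_ldap(self, fid: str) -> dict:
        """Target-format transformation for an enterprise directory (constructed schema)."""
        p = self.people[fid]
        return {
            "dn": f"uid={fid},ou=People,dc=example,dc=edu",
            "uid": fid,
            "cn": p.name,
            "affiliation": sorted(p.affiliations),
            "sourceIdentifier": [f"{s}:{i}" for s, i in sorted(p.source_ids.items())],
        }

def build_registry(feeds: Dict[str, List[dict]] = SOURCE_FEEDS) -> PersonRegistry:
    reg = PersonRegistry()
    for system, records in feeds.items():
        reg.load_feed(system, records)
    return reg
```

Running `build_registry()` over the constructed feeds yields four people: Grace Hopper appears in both SIS and HRS and is reconciled into one object holding both identifiers and both affiliations, while the two "Ada Lovelace" records with different birthdays stay separate. A retired person who reappears in a later feed gets a fresh identifier rather than the old one.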

37 (no transcript text)

38 A Couple of Architectural Issues: Policy/Technology Overlap
- What service providers will you need to accommodate?
  - Internal
  - External
  - Federated or tightly coupled or…?
- What about loosely-affiliated individuals?
  - 7th grade Science Explorations students
  - Parents portal
[Speaker note: Do more here with overlap points]

39 Discussion
- What are some strategies for creating policies on-the-fly? When should this be done?
- When should a policy be developed vs. a technical fix?
- How does a technical person know when a policy decision needs to be made?
[Speaker note: Do we need a handout on this to give to the group?]

40 Ability to Implement
[Speaker note: Goal of section: intro to roadmap; highlight specific issues with implementing IdM; roadblocks – politics; strategies for dealing with roadblocks; discussion regarding roadblocks]

41 Project Framework
Enterprise Directory Implementation Roadmap
- Broad view of directory services
- Includes articles and resources for technology, policy, and project management
As important as getting the technology right is establishing good working relationships between the policy, technology and process/data stewards.

42 Roadmap Focus Areas
[Speaker note: Do slide with sample outline?]

43 (no transcript text)

44 Technology/Architecture and Policy/Management Tracks
- Project Planning
  - P/T - Business case, project plan, resources
- Directory Architecture Design and Policy Development
  - T - Identifier strategy, architecture and system planning
  - P - Stakeholder communication, policy development
- Data Flow, Business Process Review, Policy Development
  - T - Service requirements, data flow model, person registry
  - P - Business processes, policy development, communication
- Directory and Applications Development and Deployment
  - T - Implement data flow architecture, set up operational processes
  - P - Stakeholder testing, governance, communication

45 Key IdM Implementation Points
- Set up some early wins
- Be flexible short term and firm in the long term
- Decide on incremental vs. big bang implementation
- Overbuild the infrastructure
  - Ensure good performance
  - Accommodate requests as appropriate
- Get the right people involved at the right levels
- Keep everyone informed appropriately
- Champions outside of IT are good
- Policy and business processes are the hard part
- Set up core principles before starting
[Speaker note: Informed - terminology]

46 Core Principles
Guiding philosophy of new infrastructure
- Defined before design and implementation phases
- Collection of related existing and ad-hoc policies and new guidelines
- Provides framework for decision making
- Rooted in view of data as a strategic resource
- Links to all people of interest… and all the needed identity information

47 Sample Core Principles
- Data is protected and requires permission for its use unless declared “public” by the data custodians or owners and not protected by the user
- Data will be made available for all valid administrative and educational purposes
- Access to private directory data must be granted for each service and be approved by the data stewards
- Applications using the IdM system must meet the security and data definition guidelines put forth by the governance committee

48 Project Resources
People
- Steering team (policy/governance), core team (design/details), and big team (communication and change management)
- Project manager, integration lead, directory and database administrators, systems and network administration involvement
- Champion(s)
Cost – Build or Buy?
- Do the business process/integration work either way
- Leverage existing vendor relationships, open source…
- Buy? Write a detailed RFP

49 Common Implementation Roadblocks
- Selling the infrastructure
  - Terminology
  - Tailored business case: the pitch versus the real one
  - Doesn’t security work for everything?
- Getting the data
  - Data access policies
  - Trust it will be used appropriately
- Use of the infrastructure
  - Trust that the infrastructure will be run appropriately
  - Lack of knowledge about its function

50 Discussion
Roadblocks on your campus?

51 Wrap-up
[Speaker note: Overview of the entire talk, use]

52 Identity Management Factors
- Drivers
- Constituent Requirements
- Institutional Goals
- Policy & Governance
- Standards
- Budget
- Project Management Practices
- Identity Management
- Ability to Implement
- Technology
- Staff Skills/Expertise
- Products

53 Definitions
Identity Management – Policy-driven infrastructure which:
- Consolidates identity information about individuals in one source
- Publishes data in areas where applications and other services can access it
- Integrates the implementation of access policy and security
[Speaker note: Security could include logging. Integration of pertinent information about people from multiple authoritative sources. Processes that transform source data, derive affiliation information, maintain status of assigned, entitled, or authorized information resources, and provision resultant data where it can be of use to applications. Locus for implementation of policies concerning visibility and privacy of identity information and entitlement policies.]

54 Elements of Identity Management
- Policy issues & governance processes
- Integrated service strategy & architecture
- Middleware infrastructure services
- Business process analysis
- People relationships
[Speaker note: Integrated service strategy & architecture: incremental determination of valuable identity information; promotes the high level objectives on slide 9. Systems analysis: what business processes might produce the info? Where does/can it enter the IT infrastructure? Do actual semantics fit the perceived value? Middleware infrastructure services: schema, systems design, operation; conveying attributes from sources to where their run-time value is realized. Policy issues & governance processes: an organization conducive to new types of professional relationships.]

55 Ultimately… Change Management
Things will change:
- IT
- Data stewards
- Service providers
- Users
- Policy makers
The people relationships formed will be critical to functioning and use of the new infrastructure.

56 More information
www.nmi-edit.org
- Development
- Getting Started
  - Enterprise Directory Implementation Roadmap
  - Readiness Assessment Tool
- CAMP Identity Management – Nov 15-17
- CAMP Enterprise Authentication – Nov 18-19

57 What is NMI-EDIT?
- NSF Middleware Initiative (NMI): scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments
- NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT): Internet2, EDUCAUSE, and SURA; focus on intra- and inter-institutional identity and access management and related services

58 Acknowledgements
Thanks to:
- Tom Barton, U of Chicago
- Mike Berman, CalPoly - Pomona
- Carrie Regenstein, U of WI – Madison
- Mark Poepping, Carnegie Mellon
- And all those we didn’t name…
Thanks also to NSF for funding the NMI-EDIT Project

59 Questions?
Renee Woodten Frost, University of Michigan/Internet2
Ann West, EDUCAUSE/Internet2/Michigan Tech

