1 Copyright Albert Wu 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Spring Roles: Moving Forward on an Access Management Strategy Albert Wu University of California Los Angeles NMI-EDIT, Internet2 MACE, EDUCAUSE Net@EDU Identity Management Workgroup EDUCAUSE Southwest Regional 2008 Tuesday, April 1, 2008

3 Today: What is Access Management? Surveying Access Management Practices. What is UCLA Doing with Access Management? This session is brought to you by Internet2, Educause, and the NMI-EDIT Consortium.

4 What is Access Management? "I want to automatically give all students enrolled in CS143 access to my lab, the class web sites, and software in the lab." "I don't want to run around getting access to everything for my classes. I want what I need, where and when I need it."

5 What is Access Management? "I want to create a project group and when I invite someone to join that group, they immediately have all related access." "…And when I join that group, I want immediate access to all relevant resources." "I want to quickly grant my assistant access while I'm away rather than loan her my access!"

6 What is Access Management? "I want to run a review process in which students, faculty, staff and administrators review and approve different components at different points in the process." "Before I terminate this person, I want to make sure all their current access is revoked throughout the campus."

7 Access Management Who has access? How do we reliably grant and revoke access? How do I delegate my access to another?
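An added example, not part of the presentation, of the model these three questions (and the "groups-based authorization system" on the Architecture slide) call for: permissions attach to groups, a delegation is a separate expiring grant in the delegate's own name rather than a loaned credential, and terminating a person revokes both what they hold and what they delegated. All group, permission and person names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    subject: str                        # who holds the access
    group: str                          # the group it derives from
    granted_by: str                     # administrator or delegating owner
    expires: Optional[datetime] = None  # None = open-ended

class AccessManager:
    """Permissions hang off groups; a person holds one only via a current, recorded
    grant. A delegation is the delegate's own expiring grant, never a shared credential."""
    def __init__(self) -> None:
        self.group_perms: dict[str, set[str]] = {}  # group -> permissions
        self.grants: list[Grant] = []
        self.audit: list[str] = []
    def add_member(self, subject, group, by, expires=None) -> None:
        self.grants.append(Grant(subject, group, by, expires))
        self.audit.append(f"grant {group} -> {subject} by {by} until {expires}")
    def groups_of(self, subject: str, now: datetime) -> set[str]:
        return {g.group for g in self.grants
                if g.subject == subject and (g.expires is None or g.expires > now)}
    def permissions(self, subject: str, now: datetime) -> set[str]:
        return set().union(*(self.group_perms.get(g, set())
                             for g in self.groups_of(subject, now)))
    def delegate(self, owner, delegate, group, now: datetime, days: int) -> None:
        # Only a group the owner currently holds, and only for a bounded time.
        if group not in self.groups_of(owner, now):
            raise PermissionError(f"{owner} does not hold {group}")
        self.add_member(delegate, group, by=owner, expires=now + timedelta(days=days))
    def terminate(self, subject: str, by: str) -> int:
        # Revoke what the subject holds and what they delegated onward; return the count.
        keep = [g for g in self.grants if subject not in (g.subject, g.granted_by)]
        revoked = len(self.grants) - len(keep)
        self.grants = keep
        self.audit.append(f"terminate {subject} by {by}: {revoked} grants revoked")
        return revoked

NOW = datetime(2008, 4, 1)  # constructed "today" for the sample below
def build_demo() -> AccessManager:
    # Constructed sample: a CS143 course with a student group and a staff group.
    am = AccessManager()
    am.group_perms["cs143-students"] = {"lab-door", "class-web"}
    am.group_perms["cs143-staff"] = {"lab-door", "class-web", "lab-software", "gradebook"}
    am.add_member("alice", "cs143-staff", by="registrar")
    am.add_member("carol", "cs143-students", by="registrar")
    am.delegate("alice", "bob", "cs143-staff", NOW, days=7)  # assistant covers a week
    return am
```

The audit list is what a reviewer or controller would read: every grant names who conferred it, and a termination records how many grants it swept up.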

8 Surveying Access Management Practices: Internet2 led a survey with support from the EDUCAUSE Identity Management Working Group. 2 questionnaires; 8 universities (comprehensive research institutions, public and private, 7,000 – 51,000 students, faculty and staff). Respondents were asked to include a small campus group in answering the questions.

9 Survey One: Tell Us About You. An open-ended questionnaire asking: What are your access management initiatives? Which factors drove the launch of the initiatives? What are your plans? What are the expected new capabilities? How will others know when it's time to launch access management initiatives?

10 Themes and Recommendations: 1. Audience/end-users; 2. Policy/Auditing; 3. Business process/Work flow; 4. Architecture; 5. Data use/Protection; 6. Project management

11 Audience & End Users An access management system should have a friendly user interface and a high degree of usability, accommodating a wide range of potential users.

12 Policy and Auditing Develop policies related to access control, ensure that the system will do what it is intended to, and define the roles of central IT and distributed IT offices.

13 Business Process / Work Flow: Focus on people and how they get their work done; distribute control and management of groups; distributed authorization is in; reduced administration by local IT groups.

14 Architecture: Create a groups-based authorization system; streamline management; support standards; anticipate a substantial increase in the demand for groups and collaboration; think flexible design; focus on security, of course.

15 Data Use / Protection: The access management system will leverage existing institutional data and make it easy to incorporate new data (mainly from end-users). Reduce need for special accounts; reduce duplication of effort to manage access; gather new/additional data; widely distributed, common access management interface.

16 Project Management: Effective access management systems are likely implemented in stages with broad campus involvement. Implementation in stages; broad campus involvement. Implementation is project focused; management of the system is more operationally focused.

17 Survey Two: Infrastructure Maturity. Self-assessment measuring the maturity of policy, infrastructure, and operational practices: Data stewardship; Identity Management System Coverage; IT Infrastructure and Planning; Data sharing and re-use; Groups and Access Management; Access Management Enabled Policy Enforcement; Access Management Audit.

18 [Chart] Per-institution average score for the Infrastructure Maturity Survey. X-axis: Main Category (1. Data Stewardship; 2. People in IdM Sys.; 3. Other entities in IdM; 4. IT infrastructure; 5. Data sharing/re-use; 6. Enriching ID through groups; 7. Basic Access Mgmt; 8. Policy control/priv. mgmt.; 9. Managing Access Mgmt. data). Y-axis: Average Response, 0.0 to 10.0. Legend: institutions 1 through 7.

19 Participant recommendation: The problem areas demonstrated by the graphs indicate areas where Internet2 & EDUCAUSE could help with outreach and educational activities: policy control; managing access management data.

20 How will colleagues at other institutions know when to consider access management initiatives?

21 Access Management Tripwires: Applications are using different sets of group access rules; multiple systems require common access information; there is the institutional will/desire to proceed; a global identifier for users is in place; an identity management infrastructure exists; there is a demand to collaborate with other institutions; there is a need to quickly provide access to electronic resources.

22 Access Management @ UCLA: DACSS. Distributed security administration based on departmental/financial hierarchy; manages access for key administrative applications; early attempt at enterprise permission management; value-based, explicit permissions; permission management is a business function.

23 Access Management @ UCLA: Class Web Sites, Academic Applications, and Others. Academic delegation hierarchy; access by position in workflow; download member data from the data warehouse; explicit permissions within each application; students can delegate access to personal data and permission to pay tuition to parents.

24 What is IAMUCLA? Identity & Access Management @ UCLA Who wants to access a resource? (Authentication) Does the person have permission? (Authorization)

25 IAMUCLA Enterprise Directory Common Logon ID Web Single Sign-on Enterprise Group/Permission Management

26 Before IAMUCLA: Departmental Intranet, URSA, Class Web Sites, Discussions, Service Requests, Budgeting, Research Proposal Tracking … and others. User logs into each application separately using different logon IDs; permissions managed separately in individual applications; applications kept separate user identity data.

27 IAMUCLA Phase I: ISIS/Shibboleth: Web Single Sign-On; Enterprise Directory. Applications: URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, many other web apps. User logs in using UCLA Logon ID; ED supplies user identity data; permissions managed separately in individual applications.

28 At a Threshold: A window of opportunity for a new way to handle permissions. Several new applications are emerging with new and large communities of users: CCLE – Faculty & Students; DAT – Faculty & Staff; IWE – Students & Parents; GRID – Researchers at UCLA & other campuses; Clinical Research – Physicians & Students; Research collaboration – Faculty & Students at UCLA and other campuses.

29 IAMUCLA Phase II: ISIS/Shibboleth: Web Single Sign-On; Permission Management Tools; Enterprise Directory. Applications: URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, many other web apps. User logs in using UCLA Logon ID; ED delivers user identity, groups, and permissions data via Shibboleth; Permission Management Tools manage permissions once and replicate the same permissions data to non-web systems.

30 Phase II Deliverables Deploy enterprise-wide, 24x7 permissions management system Provide cross-campus integration for all applications Support access delegation Provide support for local integration

31 1. Audience/end-users; 2. Policy/Auditing; 3. Business process/Work flow; 4. Architecture; 5. Data use/Protection; 6. Project management

32 Lessons So Far Access management is a business function Distributed security administration works Access management is not intuitive. Education is important. Controllers and auditors are your friends Foster user communities; provide regular training

33 Lessons So Far: Leverage standards; architect for extensibility; timing is key: catch the applications at a critical update cycle; deploy in stages. Design for the end user: trained security administrators (bulk security administration); everyday users (self-delegation); auditors and managers (reports, alerts, analysis); help desk staff.

34 Internet2 Middleware | http://middleware.internet2.edu IAMUCLA Web Site | https://spaces.ais.ucla.edu/iamucla Albert Wu | albertwu@ucla.edu
