Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton,

Published byRafe Wilcox Modified over 9 years ago

Similar presentations

Presentation on theme: "Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton,"— Presentation transcript:

1 Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton, MACE, University of Wisconsin - Madison Carrie Regenstein, University of Wisconsin - Madison Ann West, NMI-EDIT Outreach, EDUCAUSE/Internet2

2 SERC, June 7, 2004 A Word from the sponsors: What is NSF interested in?  Analogous to building the NSFnet  NSF Middleware Initiative (NMI) –Scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments –Research and education communities can effectively collaborate using advanced communications tools –Internet users around the world can benefit.

3 SERC, June 7, 2004 What is NMI-EDIT?  NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT) –Internet2, EDUCAUSE, and SURA –Project Goals  Create a common, persistent and robust core middleware infrastructure for the R&E community  Provide tools and services in support of inter- institutional and inter-realm collaborations  Focus on intra and inter-institutional identity and access management and related services

4 SERC, June 7, 2004 Range of Motion: Cat Swinging  Definition of key terms  Context  Strategies for success  Moving it forward

5 SERC, June 7, 2004 Today’s goal: Focus on people, service and functionality!  To support the synergistic relationship among technologists, policy folks, and administrators as an ongoing modus operandi (m.o.)  A perspective or methods of managing, deploying and maintaining future infrastructures, IT and more.

6 SERC, June 7, 2004 Key terms  Enterprise Directory  Authentication  Authorization Taken together constitute “Identity Management System” (IdM)

7 SERC, June 7, 2004 “Identity Management System”  Suite of campus-wide security, access, and information services –Integrates data sources and manages information about people and their contact locations –Establishes electronic identity of users –Issues identity credentials –Uses administrative data and management tools to assign affiliation attributes –…and gives permission to use services based on those attributes

8 SERC, June 7, 2004 Key terms: Enterprise Directory Services Enterprise Directory Services - where electronic identifiers are reconciled and institutional identity is established and maintained for all entities of interest –Very quick lookup function –Machine address, voice mail box, email box location, address, campus identifiers

9 SERC, June 7, 2004 More key terms  Authentication (AuthN) –Process of proving your identity by “presenting” an identity credential –In IT systems, often done by a login process  Authorization (AuthZ) –Process of determining if policy permits a requested action to proceed using attribute & group information –Often associated with an authenticated identity, but not always and not necessarily

10 SERC, June 7, 2004

11 Context

12 SERC, June 7, 2004 Context: What’s the problem?  Accommodate increased demand for integration across traditional data sources  Deliver services to new populations  Resolve tension between appropriate privacy and security regulations

13 SERC, June 7, 2004 Context: Viewing angles  User view –One stop –Presentation similarities –Accurate data  Developer view –One source –Ease of development

14 SERC, June 7, 2004 Context: What happens?  Traditional data sources integration –Updating information –How soon can we serve new staff, students? –Adding individuals to identity management system

15 SERC, June 7, 2004 Context: What happens?  New constituencies –Beyond faculty, staff, and students –Alumni, retirees, new kinds of learners –A portal for parents  Challenge to “the join”  Can’t ask for the key linking attributes like DoB  Students vouch for them? Separate DB??

16 SERC, June 7, 2004 Strategies for Success

17 SERC, June 7, 2004 Strategies for Success Know your environment Establish core principles Oversight Real Life Topics to consider

18 SERC, June 7, 2004 Strategies: Know your environment! Guiding questions  Is campus governance centralized or distributed?  How has central administration demonstrated commitment to policy leadership?  What partnerships are in place to support policy development among, e.g., IT, Legal, internal audit, police, Student Affairs?

19 SERC, June 7, 2004  Are there best practices already defined for your campus? Processes to create best practices?  Are there existing policies that just need to be interpreted to cover the e-World?  What resources are available to support policy development and implementation? Strategies: Know your environment! Guiding questions

20 SERC, June 7, 2004 Strategies: Core principles  Guiding philosophy of new infrastructure  Defined before design and implementation phases  Criticality of service: 24x7 operations. All apps must be dir enabled?  Rooted in view of data as a strategic resource –Enterprise directory  Link to all people of interest ..and all the needed identity information

21 SERC, June 7, 2004 Strategies: Core principles  Sample core principles –Data infrastructure serves more than one institutional application –Data is protected and requires permission for its use unless declared “public” by the data custodians or owners –Access to private directory data must be granted for each application and be approved by the data custodians. –Applications using that data should meet the security and data definition guidelines put forth by the technical service administrators. –Data will be made available for all valid administrative and educational purposes

22 SERC, June 7, 2004 Strategies: Oversight  Oversight and ownership  Data and technical service may be different  Application and infrastructure may be different –Create, read, update, and delete (CRUD) –On-going legal, source system, and policy changes  Requires business functions to be involved  Requires changes in the infrastructure

23 SERC, June 7, 2004 Strategies: Oversight Sample Oversight functions:  Access and use of the data and compliance with University policy  Access and use of service for performance and security implications  Dissemination of directory maintenance information and changes  Documentation of applications and attribute use  Changes in requirements, procedures, and applications using the directory once per year

24 SERC, June 7, 2004 Strategies: People Issues  Whom did you include?  Whom did you forget?  In what order did you include them?  What did you hope for or expect from each one to bring to the table?  Where are the more difficult interactions/relationships?

25 SERC, June 7, 2004 Strategies: Real life  Cultural / technical assumptions vs. reality –“Public directories will be mined by spammers”  Honeypot: “Does it really happen?”  Nope! (How we show data matters) –Centralization vs. flexibility  Distributed management tools  Be careful what you ask for –Most anything can be done -- cost??

26 SERC, June 7, 2004 Strategies: Topics - 1  When should a policy be developed vs. a technical fix?  What are some strategies for creating polices on-the-fly? When should this be done?  How does a technical person know when a policy decision needs to be made?

27 SERC, June 7, 2004 Strategies: Topics - 2  How might we modify services to encourage high-level customers/stakeholders to work more effectively on policy issues?

28 SERC, June 7, 2004 Strategies: Topics - 3  What should we do with special cases or exceptions? –Title entries in white pages  Chancellor, Provost, VP, EVP, etc –Vanity netIDs? –Nicknames? –Privacy opt-in, opt-out?

29 SERC, June 7, 2004 Moving it Forward

30 SERC, June 7, 2004 Forward: Applying what we learned?  Consider the problem, scope, and alternatives –Big P Policies –Little p policies

31 SERC, June 7, 2004  Big P policies –FERPA FERPA FERPA –USA Patriot Act  Policy supports compliance  Practice includes guidelines for operational staff –HIPAA  Defining Health Care Components (HCCs) on campus  How can a central IT organization support compliance? Forward: Compliance with Federal regulations- Due Diligence and the central IT organization

32 SERC, June 7, 2004 Forward: Compliance with State regulations- Due Diligence and the central IT organization  Big P policies –Electronic Records Management –Education and communication Example: http://archives.library.wisc.edu/rm/rec home.htm

33 SERC, June 7, 2004 Forward: Core principles  Big P policies –Data and service as strategic resources –Data and service ownership and stewardship –Use of infrastructure –Attribute privacy

34 SERC, June 7, 2004 Forward: Local considerations  Little p policies –Relates to environment, role, and culture  NetID –Assignment, self-selection, activation, password management  Physical access security (devices) –Assignment, activation, and implementation  Others?

35 SERC, June 7, 2004 Resources www.nmi-edit.org/roadmap  middleware.internet2.edu  www.cit.cornell.edu/oit/PolicyOffice.html  EDUCAUSE/Cornell Institute for Computer Policy and Law www.educause.edu/icpl/

36 SERC, June 7, 2004 end

37 SERC, June 7, 2004 Tech and Policy Tracks

38 SERC, June 7, 2004

Download ppt "Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton,"

Similar presentations

How Will it Help Me Do My Job?

How Will it Help Me Do My Job?
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
CAMP Med Welcome to CAMP Med: Identity and Access Management for Medical Applications Workshop Morgan Passiment AAMC Ann West NMI-EDIT EDUCAUSE/Internet2.

CAMP Med Welcome to CAMP Med: Identity and Access Management for Medical Applications Workshop Morgan Passiment AAMC Ann West NMI-EDIT EDUCAUSE/Internet2.
Copyright Ann West 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Ann West This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Technical Primer: Identifiers Internet2 Base CAMP Boulder, Colorado June, 2002.

Technical Primer: Identifiers Internet2 Base CAMP Boulder, Colorado June, 2002.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Identity Management: Some Basics Mark Crase, California State University Office of the Chancellor CENIC - March 9, 2011.

Identity Management: Some Basics Mark Crase, California State University Office of the Chancellor CENIC - March 9, 2011.
Enterprise Directory Services: Project Planning A. Michael Berman, VP, Instr. & Info Tech, Cal. Poly, Pomona Keith Hazelton, Sr. IT Architect University.

Enterprise Directory Services: Project Planning A. Michael Berman, VP, Instr. & Info Tech, Cal. Poly, Pomona Keith Hazelton, Sr. IT Architect University.
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
The Business of Identity Management Barry R. Ribbeck Director Systems Architecture & Infrastructure Rice University

The Business of Identity Management Barry R. Ribbeck Director Systems Architecture & Infrastructure Rice University
UNLV Data Governance Executive Sponsors Meeting Office of Institutional Analysis and Planning August 29, 2006.

UNLV Data Governance Executive Sponsors Meeting Office of Institutional Analysis and Planning August 29, 2006.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
1 Tuesday, August 16, 2005 W E B C A S T August 16, 2005 Policy Development Theory & Practice: An Emphasis on IT Pat Spellacy Director of Policy & Process.

1 Tuesday, August 16, 2005 W E B C A S T August 16, 2005 Policy Development Theory & Practice: An Emphasis on IT Pat Spellacy Director of Policy & Process.
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.

EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
Emergency Communications Management Jonathan Rood CIO and Associate VP, San Francisco State University Laine Keneller Business Continuity Planner & Project.

Emergency Communications Management Jonathan Rood CIO and Associate VP, San Francisco State University Laine Keneller Business Continuity Planner & Project.

Similar presentations

Ads by Google