Identity Management Systems: Components and Constituents Renee Frost University of Michigan/Internet2 Ann West, EDUCAUSE/Internet2/ Michigan Tech


Page 1: Identity Management Systems: Components and Constituents Renee Frost University of Michigan/Internet2 Ann West, EDUCAUSE/Internet2/ Michigan Tech

Identity Management Systems: Components and Constituents
Renee Frost, University of Michigan/Internet2
Ann West, EDUCAUSE/Internet2/Michigan Tech


SAC - 11 August 2004

Copyright Renee Frost and Ann West, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Topics

Introduction to Identity Management Concepts
Business Drivers, Policy, and Governance
Technology Components Discussion
Implementation Framework Discussion
Wrap up and More Information


Introduction to Identity Management


Some of What We are All Trying to Accomplish

Enable online service for our constituents earlier in their affiliation with us, wherever they are, and on an ongoing basis (the entire life cycle)

Deliver services to new constituents

Simplify end-user access to a multitude of online services

Facilitate operation of those services by IT organizations


Some of What We are All Trying to Accomplish (cont)

Increase security

Resolve the tension between appropriate privacy and security regulations

Accommodate increased demand for integration across traditional data sources

Participate in new, inter-organizational, collaborative architectures and environments


Why Identity Management

The enterprise-wide, policy-driven infrastructure enables:

Scalability
Consistency
Integrity
Integration
Collaboration


Definitions

Identity – set of attributes about, and identifiers referring to, a subject (person, service, ...)

Authentication – process used to associate a subject with an identifier

Authorization – process of determining whether policy permits an intended action to proceed

Credentials – attributes of a subject presented to establish which identifier it holds (authentication) or used to decide what it may do in a particular context (authorization)


Definitions (cont)

Identity Management System – a policy-driven infrastructure (policies, procedures, standards, & technologies) which

Consolidates identity information about individuals from multiple authoritative sources

Makes data available to the multiple applications and other services that need access to it

Integrates the implementation of access policy and security


Identity Management Factors (diagram): Identity Management at the center; Drivers (Institutional Goals, Constituent Requirements); Ability to Implement (Standards, Practices, Products, Budget, Staff Skills/Expertise); and the three working areas Project Management, Technology, and Policy & Governance


Policy and Governance

Recognize Business Drivers

Map to Institutional Environment and Goals/Strategy

Consider Constituent Requirements and Processes


Sample Business Drivers

Legislation and regulation: FERPA, HIPAA, GLB

Shrinking budgets and increasing demands for online services

Security/protection of resources for ethical and business reasons

Participation in an electronic consortium

What speaks to your campus?


Map the Drivers to Institutional Environment for Policies

Are there existing policies that can be leveraged to cover identity management?

What resources are available and what partnerships (e.g., IT, legal, internal audit, police, student affairs) are in place to support policy development and implementation?

What institutional goals and core principles guide the use of data to be stored in the IdM system?

Can the institution leverage and extend existing data administration policies and processes?


Map the Drivers to Institutional Environment for Security and Privacy

How does this IdM infrastructure connect with broader security and privacy goals?

Are there special security issues that must be considered when extending the IdM to a system (e.g. single sign-on, ERP)?

What security will be in place to protect the IdM infrastructure?


Consider Governance Issues

How will the University operate its identity management infrastructure?

What is the balance between centralized and distributed operation?

Who will determine whether to put new information in the common infrastructure, and how it will be represented?

If necessary info is not already collected, who will determine whether business processes should be changed to do so?


Effective Identity Management

Requires policy and governance to exist and work well on an ongoing basis: to ensure appropriate access, privacy, and security, and to establish trust

What are your risks?

What do you value?


Example: Access to Protected Resources

Risk and trust requirements are determined by the resource holder as well as by the user, who weighs personal privacy risk. Taken together, these requirements determine the technologies and policies implemented.

Risk management measures:
Authentication and authorization standards
Security practices
Risk assessment
Change management controls
Audit trails


Policy to Govern Credentials

Who should be issued a credential? What assurance level should authentication for each constituency achieve? What constraints may pertain to each?

Applicants (student, faculty, staff)
Admitted students, accepted faculty or staff
Alums
Parents
Library patrons
Guests: visiting academics, conference attendees, hotel guests, arbitrary "friends", ...


Policies to Govern Credentials (cont)

How are electronic identity credentials issued?
Admin process
Technology

Is the primary electronic identifier unique for all time to the individual? If not, what is the policy for reassignment, and what is the timeframe between uses?

How is information in electronic identity database acquired and updated?

What is public vs private info in the database?


Policies to Govern Use of Information

What restrictions are placed on use of identity information?

What assertions are acceptable for what purposes?


Test your policy/process - internally

What might your central IT organization ask of a peer campus identity provider (central Library, Medical Center) to decide whether to accept its identity assertions for access to resources that the IT organization controls?

What might campus departments ask about the central identity management system if they wanted to leverage it for their own applications?


Test your policy/process - externally

What would you need to know about an electronic identity provider to make an informed decision whether to accept its assertions to manage access to your online resources or applications?

What would you need to know about a resource provider to feel confident providing it information it might not otherwise be able to have?


Governance Structure Needed

to maintain an accurate, secure, and functional service

to represent the varied sources of data, to reconcile discrepancies, and to establish guidelines for consistent use and access

to interpret and communicate policies and guidelines

to ensure that the service supports relevant federal, state, and university laws, regulations, and policies.


Governance Structure – Who

Stakeholders such as data stewards from major data sources such as HR, Registrar, Alumni, etc.

Representatives from units with responsibility for managing the data or infrastructure, such as IT

Schools, colleges, and departments that run directory-enabled applications


Role of Governance

Prioritization of new development
Review of data use requests and requests for new data
On-going legal, source system, and policy changes
Identity management policy and decision-making
Additions of new communities to the IdM infrastructure


Role of Governance

Development of policy for:
Access and use of the service, including performance and security implications
Service maintenance, management, and changes (e.g., logging)
Attribute access and use, derived from campus policy

Determination of compliance requirements to make certain the IdM meets policy and privacy directives


Technology Elements of Identity Management


What is an identity management system?

A policy-driven infrastructure which:
Consolidates identity information about individuals in one source
Makes data available to applications and other services
Provides a consolidated spot for the implementation of access policy and security


Consolidates Identity Information

Provide a single authoritative source for identity
Integrate data from authoritative sources
Act as system of record for the unique identifier

Ensure identity integrity
Maintain a one-to-one mapping between fundamental identifiers and real-world people
Rely on external identifiers to verify: name, birthday, ...
Reconcile identifiers to create one person object


Identifier Reconciliation

Consolidated view of an individual's identities

Inventory the major source system identifiers
Characteristics: Who assigns it, and how? Who/what uses it? Is it persistent?
Campus card, student ID, library ID, SIS, HRS, Finance, ...

Match up identifiers of the same person and the accompanying data

Assign/determine the unique identifier under which the source system identifiers and data are held


Abbreviated ID Mapping Table

Fundamental ID     Who Assigns?       Who Gets One?
id                 Central IT         People
universal_userID   Central IT         People
uid                guest registrars   guests
email              Central IT         People
clusterID          Central IT         Shell account opt-ins
sisID              Registrar          Students & instructors
hrsID              HR                 Staff
frsID              Controller         Holders of budget roles
adsID              Marketing & Adv    Graduates, other donors
aprID              Provost            Faculty
operatorID         Controller         ERP security principals
patronID           Library            Library patrons
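The reconciliation step the last three slides describe (inventory the source system identifiers, match rows for the same real-world person on corroborating external identifiers such as name and birthdate, and hold everything under one registry-assigned identifier that is never reassigned), as an added Python example written for this page; it is not code from the presentation or from NMI-EDIT. The source systems (sis, hrs, patron), the record fields, the name/birthdate matching rule and the sample feed are assumptions for illustration.

```python
"""Identifier reconciliation into a person registry.
Added example for this page, not code from the presentation or NMI-EDIT.
Source systems, record fields, the matching rule and the feed are assumed."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SourceRecord:
    system: str       # system of record, e.g. "sis", "hrs", "patron" (assumed names)
    source_id: str    # identifier that system assigned (sisID, hrsID, patronID)
    name: str
    birthdate: str    # ISO date; external identifier used only to corroborate a match
    affiliation: str  # affiliation this source is authoritative for


@dataclass
class Person:
    uid: str                                         # registry identifier, never reassigned
    birthdate: str
    identifiers: dict = field(default_factory=dict)  # system -> source_id
    names: set = field(default_factory=set)
    affiliations: set = field(default_factory=set)


def _name_key(name: str) -> str:
    """Normalize 'Doe, Jane Q.' and 'jane doe' to the same key: first + last, lowercase."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    parts = name.replace(".", " ").lower().split()
    return f"{parts[0]} {parts[-1]}" if len(parts) > 1 else parts[0]


class PersonRegistry:
    def __init__(self) -> None:
        self.people: dict = {}       # uid -> Person
        self.by_source: dict = {}    # (system, source_id) -> uid
        self.by_external: dict = {}  # (name key, birthdate) -> set of uids
        self.retired: set = set()    # uids taken out of service; never handed out again

    def ingest(self, rec: SourceRecord) -> tuple:
        """Reconcile one source row; returns (uid or None, outcome)."""
        skey = (rec.system, rec.source_id)
        if skey in self.by_source:                     # known identifier: refresh its data
            uid = self.by_source[skey]
            self._absorb(self.people[uid], rec)
            return uid, "linked"
        matches = self.by_external.get((_name_key(rec.name), rec.birthdate), set())
        if matches:
            person = self.people[next(iter(matches))]
            known = person.identifiers.get(rec.system)
            if known is not None and known != rec.source_id:
                # Same source already gave this person a different id. Merging here
                # is how two real people end up behind one uid, so hold it instead.
                return None, "needs_review"
            self._absorb(person, rec)
            return person.uid, "merged"
        person = Person(uid=self._new_uid(), birthdate=rec.birthdate)
        self.people[person.uid] = person
        self._absorb(person, rec)
        return person.uid, "created"

    def _absorb(self, person: Person, rec: SourceRecord) -> None:
        person.identifiers[rec.system] = rec.source_id
        person.names.add(rec.name)
        person.affiliations.add(rec.affiliation)
        self.by_source[(rec.system, rec.source_id)] = person.uid
        self.by_external.setdefault((_name_key(rec.name), rec.birthdate), set()).add(person.uid)

    def _new_uid(self) -> str:
        """Opaque id, checked against live and retired uids so none is ever reused."""
        while True:
            uid = uuid.uuid4().hex[:12]
            if uid not in self.people and uid not in self.retired:
                return uid

    def retire(self, uid: str) -> None:
        """Drop a person from the active registry; the uid stays burned."""
        person = self.people.pop(uid)
        for key in person.identifiers.items():
            self.by_source.pop(key, None)
        for owners in self.by_external.values():
            owners.discard(uid)
        self.retired.add(uid)


# Constructed sample feed (not real data): one person seen by SIS and HR under two
# name forms, a namesake with another birthdate, a re-fed SIS row, and a second
# HR row that collides with the first.
FEED = [
    SourceRecord("sis", "S1001", "Jane Doe", "1985-04-12", "student"),
    SourceRecord("hrs", "E77", "Doe, Jane Q.", "1985-04-12", "staff"),
    SourceRecord("patron", "P5", "Jane Doe", "1990-01-01", "library-patron"),
    SourceRecord("sis", "S1001", "Jane Doe", "1985-04-12", "alum"),
    SourceRecord("hrs", "E78", "Jane Doe", "1985-04-12", "staff"),
]


def run_demo() -> tuple:
    """Load FEED into a fresh registry; returns (registry, outcomes in feed order)."""
    registry = PersonRegistry()
    return registry, [registry.ingest(rec)[1] for rec in FEED]
```

Two points of the feed are the ones that matter operationally. The fifth row, a second HR record whose name and birthdate match a person who already holds a different hrsID, is held for a human instead of merged: an automatic merge there is exactly how two real people end up sharing one uid, which breaks the one-to-one mapping the slide asks for. And retire() keeps the old uid burned, so a later row for the same person gets a fresh identifier rather than the old one coming back into use, which is the "unique for all time" position on the reassignment question under Policies to Govern Credentials.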


Consolidates Identity Information

Provide a consolidated source for affiliations
Which source systems define which affiliations?
Student, faculty, staff; course, program, department, ...; group memberships

Provide one source for other commonly used, valuable data
Citizenship, sort name, ...

For developers/implementers, a single source enables simpler data integration


Consolidates Identity Information

Provide authentication credentials and contact info
Some authoritatively stored: username(s), email address(es)
Some data sourced elsewhere: phones, US Mail addresses, office location, ...

Provide extra data to verify identity mapping
Store secrets to help with initial account claim and password reset scenarios


Provisions Directory Services and Applications

Data for managing provisioning processes
Consumer identifiers
Transformations and feeds to directories (LDAP, AD), applications, etc.


Central Implementation of Access Policies

Implement constraining policy
Privacy: internal or external viewing
Security and audit: consolidated logging, tracking of authorizations, specialized provisioning requirements

Provide authority and mechanisms to allow distributed administration of identity data
Temporary access


Physical Components Involved

Systems of record and other data sources

Data feeds and transformation processes
Business rules
Identity reconciliation

Person registry
Assignment of unique identifier
Life cycle management and record integrity

Provisioning processes
Business rules
Target format

Published data sources
Enterprise directories

Management tools
Self service
Delegated authority
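The provisioning and central access-policy pieces from the preceding slides (transformations and feeds to directories; privacy for internal versus external viewing; consolidated logging; deprovisioning when no affiliation remains), as an added Python example written for this page, not code from the presentation or from NMI-EDIT. It turns person registry records into LDIF change records for each consuming directory or application, releases only the attributes the stewards' policy names for that consumer, withholds people with a directory hold from external consumers, issues a delete for anyone with no remaining affiliation, and writes one audit entry per decision. The consumer names, the policy table, the base DN, the record layout and the sample records are constructed assumptions; eduPersonAffiliation is the standard eduPerson attribute.

```python
"""Provisioning feed: registry records -> per-consumer LDIF under an
attribute-release policy, with one audit record per release decision.
Added example for this page, not code from the presentation or NMI-EDIT;
consumers, policy, base DN and records are assumed."""
from __future__ import annotations

from datetime import datetime, timezone

BASE_DN = "ou=people,dc=example,dc=edu"   # assumed

# Constructed registry output (not real data). 'birthdate' is kept for identity
# matching only and is deliberately absent from every release policy below.
REGISTRY = [
    {"uid": "a1b2c3d4e5f6", "cn": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.edu",
     "affiliations": ["student", "staff"], "birthdate": "1985-04-12",
     "suppress_external": False},
    {"uid": "0f1e2d3c4b5a", "cn": "Sam Roe", "sn": "Roe", "mail": "sroe@example.edu",
     "affiliations": ["student"], "birthdate": "1999-09-09",
     "suppress_external": True},    # directory hold: not for external viewing
    {"uid": "ffffffffffff", "cn": "Pat Old", "sn": "Old", "mail": "pold@example.edu",
     "affiliations": [], "birthdate": "1970-01-01",
     "suppress_external": False},   # no source system still claims this person
]

# Attribute-release policy per consuming directory/application. In practice this is
# what the data stewards approve per service; the entries here are assumed.
POLICY = {
    "enterprise_directory": {"external": True,
                             "attrs": ["cn", "sn", "mail", "eduPersonAffiliation"]},
    "library_app":          {"external": False,
                             "attrs": ["cn", "sn", "eduPersonAffiliation"]},
}

AUDIT_LOG: list = []   # consolidated log of every release decision


def _audit(consumer: str, uid: str, action: str, attrs: list) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "consumer": consumer,
                      "uid": uid, "action": action, "attrs": attrs})


def release(person: dict, consumer: str) -> tuple:
    """Decide what one consumer receives for one person.
    Returns (action, ldif); action is 'added', 'withheld' or 'deleted'."""
    policy = POLICY[consumer]
    dn = f"uid={person['uid']},{BASE_DN}"
    if not person["affiliations"]:
        # No live affiliation from any source system: deprovision from every consumer.
        _audit(consumer, person["uid"], "deleted", [])
        return "deleted", f"dn: {dn}\nchangetype: delete\n"
    if policy["external"] and person["suppress_external"]:
        # Internal consumers still get the entry; external views do not.
        _audit(consumer, person["uid"], "withheld", [])
        return "withheld", ""
    values = dict(person)
    values["eduPersonAffiliation"] = sorted(set(person["affiliations"]))  # multi-valued
    lines = [f"dn: {dn}", "changetype: add", "objectClass: inetOrgPerson",
             "objectClass: eduPerson", f"uid: {person['uid']}"]
    released = []
    for attr in policy["attrs"]:          # nothing outside the policy list leaves
        value = values.get(attr)
        if value in (None, "", []):
            continue
        for item in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {item}")
        released.append(attr)
    _audit(consumer, person["uid"], "added", released)
    return "added", "\n".join(lines) + "\n"


def provision(consumer: str, registry: list = REGISTRY) -> list:
    """Run the feed for one consumer; returns one (action, ldif) pair per person."""
    return [release(person, consumer) for person in registry]


if __name__ == "__main__":
    for consumer in POLICY:
        for action, ldif in provision(consumer):
            print(f"--- {consumer}: {action}\n{ldif}")
    for entry in AUDIT_LOG:
        print(entry)
```

The policy table is the point of "a consolidated spot for the implementation of access policy": a consumer is added by adding a row, not by teaching it the registry schema, and an attribute the stewards have not approved (birthdate here) cannot reach any directory because release() never looks beyond the policy's list. The audit log records withheld and deleted decisions as well as releases, which is what an auditor needs to reconstruct who could see what and when.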


A Couple of Architectural Issues: Policy/Technology Overlap

What service providers will you need to accommodate? Internal? External?

Federated or tightly coupled or ...?

What about loosely affiliated individuals? 7th-grade Science Explorations students; a parents' portal


Discussion

What are some strategies for creating policies on the fly? When should this be done?

When should a policy be developed vs. a technical fix? How does a technical person know when a policy decision needs to be made?


Ability to Implement


Project Framework

Enterprise Directory Implementation Roadmap
Broad view of directory services
Includes articles and resources for technology, policy, and project management

www.nmi-edit.org/getting_started/index.html


Roadmap Focus Areas


Technology/Architecture and Policy/Management Tracks

Project Planning
P/T - Business case, project plan, resources

Directory Architecture Design and Policy Development
T - Identifier strategy, architecture and system planning
P - Stakeholder communication, policy development

Data Flow, Business Process Review, Policy Development
T - Service requirements, data flow model, person registry
P - Business processes, policy development, communication

Directory and Applications Development and Deployment
T - Implement data flow architecture, set up operational processes
P - Stakeholder testing, governance, communication


Key IdM Implementation Points

Set up some early wins
Be flexible in the short term and firm in the long term
Decide on incremental vs. big-bang implementation

Overbuild the infrastructure
Ensure good performance
Accommodate requests as appropriate

Get the right people involved at the right levels
Keep everyone informed appropriately
Champions outside of IT are good
Policy and business processes are the hard part

Set up core principles before starting


Core Principles

Guiding philosophy of the new infrastructure
Defined before the design and implementation phases
A collection of related existing and ad-hoc policies and new guidelines
Provides a framework for decision making
Rooted in a view of data as a strategic resource
Links to all people of interest ... and all the needed identity information


Sample Core Principles

Data is protected and requires permission for its use unless it has been declared "public" by the data custodians or owners and has not been marked private by the user

Data will be made available for all valid administrative and educational purposes

Access to private directory data must be granted for each service and be approved by the data stewards

Applications using the IdM system must meet the security and data definition guidelines put forth by the governance committee


Project Resources

People
Steering team (policy/governance), core team (design/details), and big team (communication and change management)
Project manager, integration lead, directory and database administrators, systems and network administration involvement
Champion(s)

Cost – Build or Buy?
Do the business process/integration work either way
Leverage existing vendor relationships, open source, ...
Buy? Write a detailed RFP


Common Implementation Roadblocks

Selling the infrastructure
Terminology
Tailored business case
The pitch versus the real one
Doesn't security work for everything?

Getting the data
Data access policies
Trust that it will be used appropriately

Use of the infrastructure
Trust that the infrastructure will be run appropriately
Lack of knowledge about its function


Discussion

Roadblocks on your campus?


Wrap-up


Identity Management Factors (diagram, repeated from the introduction): Identity Management at the center; Drivers (Institutional Goals, Constituent Requirements); Ability to Implement (Standards, Practices, Products, Budget, Staff Skills/Expertise); and the three working areas Project Management, Technology, and Policy & Governance


Definitions

Identity Management – policy-driven infrastructure which:
Consolidates identity information about individuals in one source
Publishes data in areas where applications and other services can access it
Integrates the implementation of access policy and security


Elements of Identity Management

Policy issues and governance processes
Integrated service strategy and architecture
Middleware infrastructure services
Business process analysis
People relationships


Ultimately... Change Management

Things will change: IT, data stewards, service providers, users, policy makers

The people relationships formed will be critical to the functioning and use of the new infrastructure.


More information: www.nmi-edit.org

Development
Getting Started
Enterprise Directory Implementation Roadmap
Readiness Assessment Tool

CAMP Identity Management – Nov 15-17
CAMP Enterprise Authentication – Nov 18-19


What is NMI-EDIT?

NSF Middleware Initiative (NMI): scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments

NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT): Internet2, EDUCAUSE, and SURA; focus on intra- and inter-institutional identity and access management and related services


Acknowledgements

Thanks to Tom Barton, U of Chicago; Mike Berman, CalPoly - Pomona; Carrie Regenstein, U of WI – Madison; Mark Poepping, Carnegie Mellon; and all those we didn't name...

Thanks also to NSF for funding the NMI-EDIT Project


Questions?

Renee Woodten Frost, University of Michigan/Internet2, [email protected]

Ann West, EDUCAUSE/Internet2/Michigan Tech, [email protected]