Identity Management Systems: Components and Constituents
Renee Frost, University of Michigan/Internet2
Ann West, EDUCAUSE/Internet2/Michigan Tech
SAC - 11 August 2004
Copyright Renee Frost and Ann West, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Topics
Introduction to Identity Management Concepts
Business Drivers, Policy, and Governance
Technology Components
Discussion
Implementation Framework
Discussion
Wrap up and More Information
Introduction to Identity Management
Some of What We are All Trying to Accomplish
Enable online service for our constituents earlier in their affiliation with us, wherever they are, and on an ongoing basis (entire life cycle)
Deliver services to new constituents
Simplify end user access to a multitude of online services
Facilitate operation of those services by IT organizations
Some of What We are All Trying to Accomplish (cont)
Increase security
Resolve tension between appropriate privacy and security regulations
Accommodate increased demand for integration across traditional data sources
Participate in new, inter-organizational, collaborative architectures and environments
Why Identity Management
The enterprise-wide, policy-driven infrastructure enables
  Scalability
  Consistency
  Integrity
  Integration
  Collaboration
Definitions
Identity – set of attributes about, and identifiers referring to, a subject (person, service…)
Authentication – process used to associate a subject with an identifier
Authorization – process of determining if policy permits an intended action to proceed
Credentials – attributes of a subject used to identify (authentication) or make access decisions (authorization) about what it can do in a particular context
Definitions (cont)
Identity Management System – a policy-driven infrastructure (policies, procedures, standards, & technologies) which
Consolidates identity information about individuals from multiple authoritative sources
Makes data available to multiple applications and other services with need to access it
Integrates the implementation of access policy and security
Identity Management Factors (diagram; labels only): Project Management, Technology, Policy & Governance, Institutional Goals, Constituent Requirements, Standards, Practices, Products, Budget, Staff Skills/Expertise, Identity Management, Ability to Implement, Drivers
Policy and Governance
Recognize Business Drivers
Map to Institutional Environment and Goals/Strategy
Consider Constituent Requirements and Processes
Sample Business Drivers
Legislation and Regulation: FERPA, HIPAA, GLB
Shrinking budgets and increasing demands for online services
Security/protection of resources for ethical and business reasons
Participation in an electronic consortium
What speaks to your campus?
Map the Drivers to Institutional Environment for Policies
Are there existing policies that can be leveraged to cover identity management?
What resources are available and what partnerships (e.g., IT, legal, internal audit, police, student affairs) are in place to support policy development and implementation?
What institutional goals and core principles guide the use of data to be stored in the IdM system?
Can the institution leverage & extend existing data administration policies & processes?
Map the Drivers to Institutional Environment for Security and Privacy
How does this IdM infrastructure connect with broader security and privacy goals?
Are there special security issues that must be considered when extending the IdM to a system (e.g. single sign-on, ERP)?
What security will be in place to protect the IdM infrastructure?
Consider Governance Issues
How will the University operate its identity management infrastructure?
What is the balance between centralized and distributed operation?
Who will determine whether to put new information in the common infrastructure, and how it will be represented?
If necessary info is not already collected, who will determine whether business processes should be changed to do so?
Effective Identity Management
Requires policy and governance to exist and work well on an on-going basis to ensure appropriate access, privacy, and security; to establish trust
What are your risks?
What do you value?
Example: Access to Protected Resources
Risk and trust requirements are determined by the resource holder as well as the user who considers personal privacy risk. Taken together, these requirements determine the technologies and policies implemented.
Risk management measures
  Authentication and authorization standards
  Security practices
  Risk assessment
  Change management controls
  Audit trails
Policy to Govern Credentials
Who should be issued a credential? What assurance level should authentication for each constituency achieve? What constraints may pertain to each?
  Applicants (student, faculty, staff)
  Admitted students, accepted faculty or staff
  Alums
  Parents
  Library patrons
  Guests: visiting academics, conference attendees, hotel guests, arbitrary “friends”, …
Policies to Govern Credentials (cont)
How are electronic identity credentials issued?
  Admin process
  Technology
Is the primary electronic identifier unique for all time to the individual? If not, what is the policy for reassignment and the timeframe between uses?
How is information in electronic identity database acquired and updated?
What is public vs private info in the database?
Policies to Govern Use of Information
What restrictions are placed on use of identity information?
What assertions are acceptable for what purposes?
Test your policy/process - internally
What might your central IT org ask of a peer campus id provider (central Library, Med Center) to decide whether to accept its identity assertions for access to resources that the IT organization controls?
What might campus depts ask about the central identity mgmt system if they wanted to leverage it for use with their own applications?
Test your policy/process - externally
What would you need to know about an electronic identity provider to make an informed decision whether to accept their assertions to manage access to your online resources or applications?
What would you need to know about a resource provider to feel confident providing it info it might not otherwise be able to have?
Governance Structure Needed
to maintain an accurate, secure, and functional service
to represent the varied sources of data, to reconcile discrepancies, and to establish guidelines for consistent use and access
to interpret and communicate policies and guidelines
to ensure that the service supports relevant federal, state, and university laws, regulations, and policies.
Governance Structure – Who
Stakeholders such as
  data stewards from major data sources such as HR, Registrar, Alumni, etc.
  representatives from units with responsibility for managing the data or infrastructure such as IT
  schools, colleges, and departments who run directory-enabled applications
Role of Governance
Prioritization of new development
Review of data use requests and requests for new data
On-going legal, source system, & policy changes
Identity Mgmt policy & decision-making
Additions of new communities to the IdM infrastructure
Role of Governance
Development of policy for:
  Access and use of service for performance and security implications
  Service maintenance, management, and changes – i.e., logging
  Attribute access and use derived from campus policy
Determination of compliance requirements to make certain the IdM meets policy and privacy directives
Technology Elements of Identity Management
What is an identity management system?
Policy-driven infrastructure which
  Consolidates identity information about individuals in one source
  Makes data available to applications and other services
  Provides a consolidated spot for the implementation of access policy and security
Consolidates Identity Information
Provide a single authoritative source for identity
  Integrate data from authoritative sources
  Act as system of record for unique identifier
Ensure identity integrity
  Maintain one-to-one mapping between fundamental identifiers and real-world people
  Rely on external identifiers to verify: name, birthday…
  Reconcile identifiers to create one person object
Identifier Reconciliation
Consolidated view of individuals' identities
Inventory the major source system identifiers
  Characteristics: Who assigns and how? Who/What uses it? Is it persistent?
  Campus card, student id, library id, SIS, HRS, Finance…
Match up identifiers of the same person and accompanying data
Assign/determine the unique identifier under which the source system identifiers and data are held
Abbreviated ID Mapping Table

Fundamental ID     Who Assigns?       Who Gets One?
id                 Central IT         People
universal_userID   Central IT         People
uid                guest registrars   guests
email              Central IT         People
clusterID          Central IT         Shell account opt-ins
sisID              Registrar          Students & instructors
hrsID              HR                 Staff
frsID              Controller         Holders of budget roles
adsID              Marketing & Adv    Graduates, other donors
aprID              Provost            Faculty
operatorID         Controller         ERP security principals
patronID           Library            Library patrons
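Added example (not part of the deck) of the reconciliation step above applied to identifiers from the mapping table: constructed records from three source systems are matched on name and birthday into one person object under a fundamental ID, and a match that would break the one-to-one mapping is queued for review instead of merged. The source names sisID, hrsID and patronID come from the table; the record values, the match rule and the fundamental ID format are assumptions.

```python
"""Identifier reconciliation for a person registry (added example, not from
the deck): source-system identifiers (sisID, hrsID, patronID from the ID
mapping table) are matched on name + birthday and held under one fundamental ID."""
from itertools import count

# Constructed sample feeds: each source system has its own identifier plus
# the external identifiers (name, birthday) used to verify a match.
SOURCE_RECORDS = [
    {"source": "sisID", "id": "S1001", "name": "Jane Q. Doe", "dob": "1985-03-14"},
    {"source": "hrsID", "id": "H77", "name": "jane q doe", "dob": "1985-03-14"},
    {"source": "patronID", "id": "P5", "name": "Jane Doe", "dob": "1985-03-14"},
    {"source": "hrsID", "id": "H78", "name": "John Smith", "dob": "1970-01-02"},
    # Second HR record, same name and birthday: duplicate or a different John Smith?
    {"source": "hrsID", "id": "H79", "name": "John Smith", "dob": "1970-01-02"},
]


def match_key(rec):
    """Normalise name + birthday into the key used to match across sources."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in rec["name"])
    tokens = cleaned.lower().split()
    return (tokens[0], tokens[-1], rec["dob"])   # first name, last name, dob


class PersonRegistry:
    def __init__(self):
        self._seq = count(1)
        self.persons = {}       # fundamental id -> {"key": ..., "ids": {source: id}}
        self._by_key = {}       # match key -> fundamental id
        self._by_source = {}    # (source, id) -> fundamental id
        self.review_queue = []  # (record, candidate fundamental id) for a human

    def reconcile(self, rec):
        """Attach rec to a person object; return its fundamental ID or None."""
        src = (rec["source"], rec["id"])
        if src in self._by_source:             # already reconciled: re-feeds are idempotent
            return self._by_source[src]
        key = match_key(rec)
        fid = self._by_key.get(key)
        if fid is None:                        # new real-world person
            fid = f"U{next(self._seq):06d}"
            self.persons[fid] = {"key": key, "ids": {}}
            self._by_key[key] = fid
        elif rec["source"] in self.persons[fid]["ids"]:
            # One person holds one identifier per source; a second one would break
            # the one-to-one mapping, so defer the decision to manual review.
            self.review_queue.append((rec, fid))
            return None
        self.persons[fid]["ids"][rec["source"]] = rec["id"]
        self._by_source[src] = fid
        return fid


def build_registry(records=SOURCE_RECORDS):
    registry = PersonRegistry()
    results = [registry.reconcile(r) for r in records]
    return registry, results
```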
Consolidates Identity Information
Provide consolidated source for affiliations
  Which source systems define which affiliations?
  Student, faculty, staff, course, program, department …
  Group memberships
Provide one source for other commonly-used valuable data
  Citizenship, sort name…
Developers/Implementers
  Enables single source
  Simpler data integration
Consolidates Identity Information
Provide authentication credentials & contact info
  Some authoritatively stored: username(s), email address(es)
  Some data sourced elsewhere: phones, US Mail addresses, office location, …
Provide extra data to verify identity mapping
  Store secrets to help with initial account claim and password reset scenarios
Provisions Directory Services and Applications
Data for managing provisioning processes
Consumer identifiers
Transformations and feeds to directories (LDAP, AD), applications, etc.
Central Implementation of Access Policies
Implement constraining policy
  Privacy: internal or external viewing
  Security & audit: consolidated logging, tracking of authorizations, specialized provisioning requirements
Provide authority and mechanisms to allow distributed administration of identity data, temporary access
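Added example, not from the deck, of the constraining policy above: attributes are private unless a data steward declares them public, private attributes are released only to an internal service holding a steward-approved grant, external viewers never receive private data, and every decision lands in one consolidated log. The attribute names, services and grant table are constructed for illustration.

```python
"""Central enforcement of a constraining access policy over person objects
(added example, not from the deck).  Attributes default to private; a
steward-approved grant opens specific private attributes to one internal
service; every release decision is written to a consolidated audit log."""
from dataclasses import dataclass, field

# Attributes the (hypothetical) data stewards have declared public.
PUBLIC_ATTRIBUTES = frozenset({"id", "displayName", "affiliation"})


@dataclass(frozen=True)
class Grant:
    """Per-service approval to view specific private attributes."""
    service: str
    attributes: frozenset
    approved_by: str  # steward who approved the grant; kept for the audit trail


@dataclass
class AccessPolicy:
    grants: dict = field(default_factory=dict)   # service -> Grant
    audit_log: list = field(default_factory=list)

    def approve(self, grant):
        self.grants[grant.service] = grant

    def release(self, service, scope, person):
        """Return the attributes of `person` that `service` may view.

        scope is "internal" (campus service) or "external" (outside viewer);
        anything else is treated as external, the more restrictive case.
        """
        allowed = set(PUBLIC_ATTRIBUTES)
        grant = self.grants.get(service)
        if scope == "internal" and grant is not None:
            allowed |= grant.attributes
        released = {k: v for k, v in person.items() if k in allowed}
        denied = sorted(set(person) - allowed)
        self.audit_log.append({
            "service": service, "scope": scope, "subject": person.get("id"),
            "released": sorted(released), "denied": denied,
            "grant_approved_by": grant.approved_by if grant else None,
        })
        return released


# Constructed sample person object from the registry plus one steward grant.
PERSON = {"id": "U000001", "displayName": "Jane Doe", "affiliation": "staff",
          "dob": "1985-03-14", "homePhone": "555-0100", "hrsID": "H77"}


def demo():
    policy = AccessPolicy()
    policy.approve(Grant("payroll", frozenset({"dob", "hrsID"}), "HR data steward"))
    payroll = policy.release("payroll", "internal", PERSON)      # public + dob, hrsID
    alumni = policy.release("alumniPortal", "external", PERSON)  # public only
    unknown = policy.release("newApp", "internal", PERSON)       # no grant: public only
    return payroll, alumni, unknown, policy.audit_log
```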
Physical Components Involved
Systems of Record and other data sources
  Data feeds and transformation processes
  Business rules
  Identity reconciliation
Person Registry
  Assignment of unique identifier
  Life cycle management and record integrity
Provisioning processes
  Business rules
  Target format
Published data sources
  Enterprise directories
Management tools
  Self service
  Delegated authority
A Couple of Architectural Issues: Policy/Technology Overlap
What service providers will you need to accommodate?
  Internal
  External
Federated or tightly coupled or…?
What about loosely-affiliated individuals?
  7th grade Science Explorations students
  Parents portal
Discussion
What are some strategies for creating policies on-the-fly? When should this be done?
When should a policy be developed vs. a technical fix? How does a technical person know when a policy decision needs to be made?
Ability to Implement
Project Framework
Enterprise Directory Implementation Roadmap
  Broad view of directory services
  Includes articles and resources for technology, policy, and project management
  www.nmi-edit.org/getting_started/index.html
Roadmap Focus Areas
Technology/Architecture and Policy/Management Tracks
Project Planning
  P/T - Business case, project plan, resources
Directory Architecture Design and Policy Development
  T - Identifier strategy, architecture and system planning
  P - Stakeholder communication, policy development
Data Flow, Business Process Review, Policy Development
  T - Service requirements, data flow model, person registry
  P - Business processes, policy development, communication
Directory and Applications Development and Deployment
  T - Implement data flow architecture, set up operational processes
  P - Stakeholder testing, governance, communication
Key IdM Implementation Points
Set up some early wins
  Be flexible short term and firm in the long term
  Decide on incremental vs. big bang implementation
Overbuild the infrastructure
  Ensure good performance
  Accommodate requests as appropriate
Get the right people involved at the right levels
  Keep everyone informed appropriately
  Champions outside of IT are good
  Policy and business processes are the hard part
Set up core principles before starting
Core Principles
Guiding philosophy of new infrastructure
  Defined before design and implementation phases
  Collection of related existing and ad-hoc policies and new guidelines
Provides framework for decision making
Rooted in view of data as a strategic resource
Links to all people of interest ..and all the needed identity information
Sample Core Principles
Data is protected and requires permission for its use unless declared “public” by the data custodians or owners and not protected by the user
Data will be made available for all valid administrative and educational purposes
Access to private directory data must be granted for each service and be approved by the data stewards
Applications using the IdM system must meet the security and data definition guidelines put forth by the governance committee
Project Resources
People
  Steering team (policy/governance), core team (design/details), and big team (communication and change management)
  Project manager, integration lead, directory and database administrators, systems and network administration involvement
  Champion(s)
Cost – Build or Buy?
  Do the business process/integration work either way
  Leverage existing vendor relationships, open source…
  Buy? Write a detailed RFP
Common Implementation Roadblocks
Selling the infrastructure
  Terminology
  Tailored business case
  The pitch versus the real one
  Doesn’t security work for everything?
Getting the data
  Data access policies
  Trust it will be used appropriately
Use of the infrastructure
  Trust that the infrastructure will be run appropriately
  Lack of knowledge about its function
Discussion
Roadblocks on your campus?
Wrap-up
Identity Management Factors (diagram repeated from the introduction; labels only): Project Management, Technology, Policy & Governance, Institutional Goals, Constituent Requirements, Standards, Practices, Products, Budget, Staff Skills/Expertise, Identity Management, Ability to Implement, Drivers
Definitions
Identity Management – policy-driven infrastructure which
  Consolidates identity information about individuals in one source
  Publishes data in areas where applications and other services can access it
  Integrates the implementation of access policy and security
Elements of Identity Management
Policy issues & governance processes
Integrated service strategy & architecture
Middleware infrastructure services
Business process analysis
People relationships
Ultimately… Change Management
Things will change -
  IT
  Data stewards
  Service providers
  Users
  Policy makers
The people relationships formed will be critical to functioning and use of the new infrastructure.
More information
www.nmi-edit.org
  Development
  Getting Started
    Enterprise Directory Implementation Roadmap
    Readiness Assessment Tool
CAMP Identity Management – Nov 15-17
CAMP Enterprise Authentication – Nov 18-19
What is NMI-EDIT?
NSF Middleware Initiative (NMI)
  Scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments
NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT)
  Internet2, EDUCAUSE, and SURA
  Focus on intra and inter-institutional identity and access management and related services
Acknowledgements
Thanks to
  Tom Barton, U of Chicago
  Mike Berman, CalPoly - Pomona
  Carrie Regenstein, U of WI – Madison
  Mark Poepping, Carnegie Mellon
  And all those we didn’t name…
Thanks also to NSF for funding the NMI-EDIT Project
Questions?
Renee Woodten Frost
University of Michigan/Internet2
[email protected]
Ann West
EDUCAUSE/Internet2/Michigan Tech
[email protected]