Identity and Access Management

Identity and Access Management
IAM
A Preview
Goal

To design and implement an identity and access management (IAM) middleware infrastructure that
– Improves the user experience
– Increases our security and audit capability
– Opens the door to different levels of access
How will IAM help us?

• Streamlining business processes through workflow
• Reducing the need to hire additional technology staff to manage new applications
• Supporting collaboration, both internal to and external to the University.
Drivers for IAM

The drivers from both inside and outside the University promoting the implementation of this infrastructure include:
– Interdisciplinary and inter-institutional research and collaboration
– Changing needs of teaching and learning
– Fund raising and outreach
– Digital library access
– Increasing budgetary pressures
– Interactions with government agencies
The IAM Infrastructure
The Business Case – 7 Major Outcomes

• It will reduce the number of credentials that constituents must know to perform the actions for which they are authorized
• It will reduce the implicit denial of service experienced by new members of the University.
  – Accounts are not currently set up in a timely manner because processes – both manual and automated – may not function properly.
IAM – The Business Case

• It will reduce the operational and management overhead of enabling our constituents to perform actions for which they are already authorized, and the incremental cost of implementing a new online service.
• It will reduce the operational and management overhead of disabling authorization for former constituents (individuals no longer in a relationship with the University) who should no longer have access to University services and resources.
IAM – The Business Case

• It will enable the University to quickly modify a constituent's access permissions as his/her role, and therefore his/her set of authorizations, changes
• It will improve the quality of auditing actions across the University by using persistent identifiers common to all applications
IAM – The Business Case

• It can provide an environment in which the University can be confident that a credential presented by someone to perform an authorized action is presented by the person to whom the credential was issued.
  – By centralizing identity proofing and establishing appropriate policies on how an individual can prove who he says he is.
  – The middleware infrastructure stores the credential in a secure manner.
    • Today credentials are stored in a variety of systems, rather than a central one, with sometimes questionable levels of security.
IAM – Benefits

Significant benefits can be reaped from the deployment of an IAM infrastructure
– Enhanced Security
  • IAM consolidates the management of user access into a single system
  • Who is active is deterministic, since the identity information about individuals emanates from the University's key administrative systems
  • Identity data is stored in a single protected data repository with data encryption and single sign-on capability
  • A relatively small staff can manage it
IAM – Benefits

– Enhanced Security (continued)
  • Provides a mechanism to express access control policies
    – Supports authorization services to applications
  • Supports better logging and audit capability
    – User login identifiers are identical across systems, so we are better able to track activity.
    – Improves support for after-the-fact audit analyses
IAM – Benefits

Simplified Network and Online Service Access
– Enables unified access to multiple applications
– Enables initial sign-on, also called single sign-on
– With initial sign-on, it is a straightforward step to a campus portal
IAM – Benefits

Economies of Scale
– The identity information that is populated into the identity and access management infrastructure comes from administrative systems like the Human Resources and Student Administration systems
– Additional identity information will be populated from other systems or interfaces as required. These entries will have explicit expiration dates associated with them.
IAM – Benefits

• Provides better application standards around authentication and authorization
• Not only are applications using a common directory for identification, but also a standard (single) interface to authenticate
• Applications will be easier to build, will be more consistent with each other, and will provide a common user experience around authentication and authorization
IAM – Benefits

– Economies of Scale (continued)
  • Provides a unified means of enabling and disabling access to a wide range of online services, and an infrastructure for access control information
    – It requires more support staff to have each application maintain its own accounts and access privileges
  • Since all applications authenticate and authorize against the same directories, the training costs are reduced (and users are more comfortable as well)
  • It is easier to outsource an application that is compliant with our standards, since we would not need the vendor to provide access control
IAM – The Proposal

• The model that we are pursuing to solve the IAM problem is based on the work of the National Science Foundation Middleware Initiative and Internet2.
• We are committed to an open standards solution.
• We are committed to an extensible solution.
IAM – The Proposal

• We will address initial sign-on for web applications
• We will attempt to address initial sign-on for desktop/client applications
• We will address the affiliate user issue and provide mechanisms for adding such users to the database to allow access to only those services that they should receive
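The provisioning model these slides describe (identities fed from the Human Resources and Student Administration systems, affiliate entries with explicit expiration dates, one place to enable and disable access, and a persistent identifier common to all applications) as an added example; this is not code from the presentation or from UConn's implementation, and the feed format, field names and sample records are assumptions constructed for illustration.

```python
# Added example, not the presentation's own code: one reconciliation step for the
# provisioning model the slides describe; feed format and records are constructed.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Identity:
    pid: str                         # persistent identifier shared by all applications
    source: str                      # administrative system asserting this affiliation
    roles: frozenset                 # roles that system asserts (staff, student, ...)
    expires: "date | None" = None    # required for affiliates, absent for HR/SA feeds

def active_identities(feeds, today):
    """Deterministically compute who is active today and with which roles.
    A person is active if any source asserts an unexpired affiliation; roles
    from all active affiliations are merged under the one persistent id."""
    active = {}
    for ident in feeds:
        if ident.source == "affiliate" and ident.expires is None:
            raise ValueError(f"affiliate {ident.pid} lacks an explicit expiration date")
        if ident.expires is not None and ident.expires < today:
            continue                  # expired entry contributes no access
        active[ident.pid] = active.get(ident.pid, frozenset()) | ident.roles
    return active

def reconcile(provisioned, active):
    """Diff the directory's enabled accounts against the active set and return
    the enable/disable/update actions the provisioning engine must apply, so a
    former constituent loses access everywhere without per-application work."""
    actions = []
    for pid in sorted(set(provisioned) | set(active)):
        if pid not in provisioned:
            actions.append(("enable", pid, active[pid]))
        elif pid not in active:
            actions.append(("disable", pid, frozenset()))
        elif provisioned[pid] != active[pid]:
            actions.append(("update", pid, active[pid]))
    return actions

# Constructed sample feeds and a constructed snapshot of currently enabled accounts.
FEEDS = [
    Identity("p1001", "hr", frozenset({"staff"})),
    Identity("p1002", "student_admin", frozenset({"student"})),
    Identity("p1002", "hr", frozenset({"staff"})),   # same person, second role
    Identity("p2001", "affiliate", frozenset({"library"}), date(2024, 6, 30)),
    Identity("p2002", "affiliate", frozenset({"library"}), date(2030, 1, 1)),
]
PROVISIONED = {"p1001": frozenset({"staff"}), "p1002": frozenset({"student"}),
               "p2001": frozenset({"library"}), "p3001": frozenset({"staff"})}
TODAY = date(2025, 1, 15)            # constructed reconciliation date
```

Running `reconcile(PROVISIONED, active_identities(FEEDS, TODAY))` yields an update for the person who gained a second role, a disable for the expired affiliate and for the account with no authoritative source, and an enable for the still-valid affiliate.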
IAM – The Proposal

The next slide shows the roadmap for the identity and access management infrastructure for UConn.
– This will be adapted as necessary during the project, but is strongly based on the recommended roadmap from the NSF Middleware Initiative.

[Slide 18: IAM roadmap diagram; image only, no text in the transcript]
IAM – Who?

The design of the Identity Management component of the IAM infrastructure will require both technical staff from UITS and functional staff from a variety of areas
– The functional staff will provide the business processes by which we can eliminate duplicate identities for the same person, determine the roles we care about, and help us to understand where, besides the Human Resources and Student Administration systems, we must look for identities.
IAM – Who? (continued)

• The Identity Management component will also require technical staff with expertise in identity management, programming, and database administration.
• The Provisioning Engine will require either a purchased product or some programming staff. This component will also require system and application administrators.
IAM – Who needs to be involved?

• The Access Management component requires programmers, system administrators, identity management experts, and application administrators.
IAM – Where do we start?

Our goal is to carve out a manageable piece of this huge project and build for extensibility.
– We have initiated a short project to investigate what is available in the market.
– RFIs are in – we just got them and we need to start reviewing them.