Identity Management for the Rest of Us: Mark Berman Williams College
Transcription
Identity Management for the Rest of Us: Mark Berman Williams College
Identity Management for the Rest of Us: How to Grow a New Infrastructure Mark Berman Williams College Joel Cooper Carleton College A Word from the Sponsors • National Science Foundation Middleware Initiative (NMI) • Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT) • Internet2 and EDUCAUSE • Project Goals – Create a common, persistent and robust core middleware infrastructure for the R&E community – Provide tools and services in support of interinstitutional and inter-realm collaborations Seminar Agenda • • • • • Definitions, Role, and Functions Discovery and Implementation Steps Leveraging for the Future Vendor Overview More Information What is an Identity and Access Management Infrastructure? A collection of technology, business processes, and underlying policy that enables networked systems to determine who has access, when they get and lose access, what they are authorized to access, while protecting individual privacy and access to confidential information. The Key Functions: • • • • Who am I - Identification Am I really who I say I am - Authentication What am I allowed to do - Authorization When do I get an account, when do I get authorization, and when is my authorization changed - Provisioning • When is my account, and the resources associated with it, removed - Deprovisioning • How does everything work together to provide an effective, accurate, secure set of services - Technology and Business Processes • The Why - The underlying Policy A “typical” college campus does this sound familiar? • Users have multiple accounts to access different systems • User identity is not consistent across systems • The policies and procedures for creating/removing accounts vary from system to system • Policies are implicit, dated, inconsistent, nonexistent • Users and staff are frustrated by the amount of time “wasted” dealing with accounts, passwords, etc. • Some accounts never go away, and there are legacy accounts that nobody can identify but can’t be closed because no one knows what side effects that might cause! • Identity and access management practices are not compliant or auditable and put campus at risk An Intro to IAM Architecture Data sources Person Registry Directories Apps & Platforms Potential Simplification: Using a core system as the registry Data sources Person Registry Directories Apps & Platforms Potential Simplification: Use Directory as Person Registry Data sources Person Registry Directories Apps & Platforms What's the Scope? • WHO? • • • • • • • • • • • • • Faculty Staff Students Alumni Applicants Prospects Parents Guests Visitors Employee Spouse/Partner Employee Children Library Patrons Museum Patrons • WHAT? • • • • • • • • • • • • • • • E-Mail Web Pages File & Print Services Course Management Systems Registration Directory Financials Benefits Departmental Systems Research Systems VPN Wireless Dining Services Door Access Library Circulation Discovery: Document Business Processes • For each system and/or application: – Map existing policies and business processes • How are users identified • When and how is access granted, modified, and revoked • How do policies differ for users in differing roles, and what happens when their roles change • How are, or should, changes be communicated to interested parties • How do changes propagate through the organization • Who is the authority for each system • How are exceptions handled Sample Business Process Table Role Access Add Change Delete Student Email Fileserver On Admission On Matriculation Username on Class-Yr Change Quota: on Approval 2mo. Post Grad On Graduation Faculty Email Fileserver On Hire On Arrival Username on HR Change Quota on Request 6mo. Post Termination 6mo. Post Termination Staff Email Fileserver First Day First Day On HR Change On Request Last Day Last Day Guest Email Fileserver On Request On Approval On Role Change On Role Change Varies Varies Discovery #5: Assess Candidate Technologies • Choose a platform for the registry – What fits best with the existing environment: ERP? DB? LDAP? AD? E-dir? – How do candidate technologies mesh with current staff skill sets? – What are the drawbacks and pitfalls associated with each candidate technology? – What are the costs associated with each candidate technology? Implementation Phase 1: Environmental Readiness • Clean the data! – Comb for spurious or obsolete identity records – Ensure there is an appropriate unique identifier for each identity record – Check for compatibility with global unique identifier that will be used in the registry – Perform any necessary data synchronization – Perform any possible business process synchronization – Develop a bulk loading and migration strategy Phase 5: Deployment • Communicate with the community – Make sure everyone’s on board – Make sure everyone knows what will happen • Final data cleanup and synchronization • Pilot IAM system implementation – Install registry in the production environment – Populate registry with pilot user community – Disable legacy synchronization procedures for the pilot community – Enable input and output conduits for the pilot – Conduct user acceptance testing of the pilot Leveraging for the Future Federated Identity Management • Federated Identity Management – A system that allows individuals to use the same user name, password, or other personal identification to authenticate and be authorized to use services hosted by another organization. • Single Sign-on for the Web – Institutional applications – External partner applications – Can protect privacy. Doesn’t give away your data Interinstitutional Collaboration Drives Federations • One institution hosting course-content for another • Students at one college taking an on-line course from another college • Libraries purchasing licenses for multiple vendors with specific access policies • Researchers making resources available to project members at other schools • Schools in state systems or articulation relationships that require mutual access to services What is a Federation? • An association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions. • Uses common policy, technology, and business practices to establish trust • Access services from (or provide services to) other institutions, corporate partners, government organizations • A contractual arrangement US Federal E-Authentication • Hundreds of Federal services are available to Americans electronically – Many require some form of identity verification • The E-Authentication Initiative will provide a trusted and secure standards-based authentication architecture for ALL services – A Federated SAML-based architecture • Significant benefits for – Gov’t agencies (lower costs, better IAM) – Citizens and businesses (only one set of credentials to remember) How Federal e-auth Will Affect Us: • Students, faculty, staff will want to use their campus credentials to Authn to the Federal Apps • For this to be possible, the campus will have to be “certified” • Campus technology, process, policy must meet certain criteria – Review compliance with Password Credential Profile – http://www.cio.gov/eauthentication/CredSuite.htm • An important reason to keep Federation standards in mind when implementing IAM…. Some Identity and Access Management Vendors • Computer Associates eTrust® Identity and Access Management (formerly Netegrity) • Courion Enterprise Integration Suite • Microsoft Identity Integration Server • RSA ClearTrust® and RSA® Federated Identity Manager • Novell Identity Manager • IBM Tivoli • Thor XcellerateIM • Sun Java System Identity Manager Most were reviewed in Oct. 2005 Infoworld: http://www.infoworld.com/article/05/10/07/41FEidm_1.html?s=feature Open Source Tools • Open Metadirectory – http://dweller.catalogix.se:8200/ • Cerebrum Project – http://cerebrum.sourceforge.net/ • Nexus Provisioning System – check the www.nmi-edit.org in May Thanks! • Presenters: – Mark Berman, Williams College mark.berman@williams.edu – Joel Cooper, Carleton College jcooper@acs.carleton.edu • Contributors: – – – – Michael Berman, Art Center College of Design Steven Carmody, Brown University Andrea Gregg, Instructional Designer Ann West, EDUCAUSE/Internet2 The Williams Process • • • • • • • • • Performed Business Process Analysis Began the process of Policy Review Determined initial project scope Wrote and distributed RFP to selected vendors Selected and contracted with chosen vendor Continued Policy Review Data cleanup (does it ever end?) Developed test system Deployment at end of this month! • (Sounds easy huh?) Issues: • Existing IAM systems and procedures • Other departments (Registrar, HR) needed to take on additional responsibility for data entry and maintenance • LOTS of exceptions needed to be taken into consideration • Ability to manually override any policy or procedure needed to be designed in Anticipated Benefits • Reduced workload for Sysadmin staff and Desktop Support staff • Timely provisioning and deprovisioning of user accounts • Ability to tie in other systems as needed • Self Service password maintenance