Identity Management for the Rest of Us: Mark Berman Williams College

Transcription

Identity Management for the Rest of Us: Mark Berman Williams College
Identity Management for the Rest of Us:
How to Grow a New Infrastructure
Mark Berman
Williams College
Joel Cooper
Carleton College
A Word from the Sponsors
• National Science Foundation Middleware
Initiative (NMI)
• Enterprise and Desktop Integration
Technologies Consortium (NMI-EDIT)
• Internet2 and EDUCAUSE
• Project Goals
– Create a common, persistent and robust core
middleware infrastructure for the R&E community
– Provide tools and services in support of interinstitutional and inter-realm collaborations
Seminar Agenda
•
•
•
•
•
Definitions, Role, and Functions
Discovery and Implementation Steps
Leveraging for the Future
Vendor Overview
More Information
What is an Identity and Access
Management Infrastructure?
A collection of technology, business
processes, and underlying policy that enables
networked systems to determine who has
access, when they get and lose access, what
they are authorized to access, while
protecting individual privacy and access to
confidential information.
The Key Functions:
•
•
•
•
Who am I - Identification
Am I really who I say I am - Authentication
What am I allowed to do - Authorization
When do I get an account, when do I get authorization, and
when is my authorization changed - Provisioning
• When is my account, and the resources associated with it,
removed - Deprovisioning
• How does everything work together to provide an effective,
accurate, secure set of services - Technology and Business
Processes
• The Why - The underlying Policy
A “typical” college campus does this sound familiar?
• Users have multiple accounts to access different systems
• User identity is not consistent across systems
• The policies and procedures for creating/removing
accounts vary from system to system
• Policies are implicit, dated, inconsistent, nonexistent
• Users and staff are frustrated by the amount of time
“wasted” dealing with accounts, passwords, etc.
• Some accounts never go away, and there are legacy
accounts that nobody can identify but can’t be closed
because no one knows what side effects that might cause!
• Identity and access management practices are not
compliant or auditable and put campus at risk
An Intro to IAM Architecture
Data
sources
Person
Registry
Directories
Apps &
Platforms
Potential Simplification: Using a
core system as the registry
Data
sources
Person
Registry
Directories
Apps &
Platforms
Potential Simplification: Use
Directory as Person Registry
Data
sources
Person
Registry
Directories
Apps &
Platforms
What's the Scope?
•
WHO?
•
•
•
•
•
•
•
•
•
•
•
•
•
Faculty
Staff
Students
Alumni
Applicants
Prospects
Parents
Guests
Visitors
Employee Spouse/Partner
Employee Children
Library Patrons
Museum Patrons
•
WHAT?
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
E-Mail
Web Pages
File & Print Services
Course Management Systems
Registration
Directory
Financials
Benefits
Departmental Systems
Research Systems
VPN
Wireless
Dining Services
Door Access
Library Circulation
Discovery:
Document Business Processes
• For each system and/or application:
– Map existing policies and business processes
• How are users identified
• When and how is access granted, modified, and revoked
• How do policies differ for users in differing roles, and what
happens when their roles change
• How are, or should, changes be communicated to interested
parties
• How do changes propagate through the organization
• Who is the authority for each system
• How are exceptions handled
Sample Business Process Table
Role
Access
Add
Change
Delete
Student
Email
Fileserver
On Admission
On Matriculation
Username on Class-Yr Change
Quota: on Approval
2mo. Post Grad
On Graduation
Faculty
Email
Fileserver
On Hire
On Arrival
Username on HR Change
Quota on Request
6mo. Post Termination
6mo. Post Termination
Staff
Email
Fileserver
First Day
First Day
On HR Change
On Request
Last Day
Last Day
Guest
Email
Fileserver
On Request
On Approval
On Role Change
On Role Change
Varies
Varies
Discovery #5: Assess Candidate
Technologies
• Choose a platform for the registry
– What fits best with the existing environment: ERP?
DB? LDAP? AD? E-dir?
– How do candidate technologies mesh with current
staff skill sets?
– What are the drawbacks and pitfalls associated with
each candidate technology?
– What are the costs associated with each candidate
technology?
Implementation Phase 1:
Environmental Readiness
• Clean the data!
– Comb for spurious or obsolete identity records
– Ensure there is an appropriate unique identifier for
each identity record
– Check for compatibility with global unique identifier
that will be used in the registry
– Perform any necessary data synchronization
– Perform any possible business process
synchronization
– Develop a bulk loading and migration strategy
Phase 5: Deployment
• Communicate with the community
– Make sure everyone’s on board
– Make sure everyone knows what will happen
• Final data cleanup and synchronization
• Pilot IAM system implementation
– Install registry in the production environment
– Populate registry with pilot user community
– Disable legacy synchronization procedures for the
pilot community
– Enable input and output conduits for the pilot
– Conduct user acceptance testing of the pilot
Leveraging for the Future
Federated Identity Management
• Federated Identity Management
– A system that allows individuals to use the same user
name, password, or other personal identification to
authenticate and be authorized to use services hosted
by another organization.
• Single Sign-on for the Web
– Institutional applications
– External partner applications
– Can protect privacy. Doesn’t give away your data
Interinstitutional Collaboration
Drives Federations
• One institution hosting course-content for
another
• Students at one college taking an on-line
course from another college
• Libraries purchasing licenses for multiple
vendors with specific access policies
• Researchers making resources available to
project members at other schools
• Schools in state systems or articulation
relationships that require mutual access to
services
What is a Federation?
• An association of organizations that come
together to exchange information as
appropriate about their users and resources in
order to enable collaborations and
transactions.
• Uses common policy, technology, and business
practices to establish trust
• Access services from (or provide services to)
other institutions, corporate partners,
government organizations
• A contractual arrangement
US Federal E-Authentication
• Hundreds of Federal services are available to
Americans electronically
– Many require some form of identity verification
• The E-Authentication Initiative will provide a
trusted and secure standards-based
authentication architecture for ALL services
– A Federated SAML-based architecture
• Significant benefits for
– Gov’t agencies (lower costs, better IAM)
– Citizens and businesses (only one set of credentials
to remember)
How Federal e-auth Will Affect Us:
• Students, faculty, staff will want to use their
campus credentials to Authn to the Federal
Apps
• For this to be possible, the campus will have
to be “certified”
• Campus technology, process, policy must meet
certain criteria
– Review compliance with Password Credential Profile
– http://www.cio.gov/eauthentication/CredSuite.htm
• An important reason to keep Federation
standards in mind when implementing IAM….
Some Identity and Access
Management Vendors
• Computer Associates eTrust® Identity and
Access Management (formerly Netegrity)
• Courion Enterprise Integration Suite
• Microsoft Identity Integration Server
• RSA ClearTrust® and RSA® Federated Identity
Manager
• Novell Identity Manager
• IBM Tivoli
• Thor XcellerateIM
• Sun Java System Identity Manager
Most were reviewed in
Oct. 2005 Infoworld:
http://www.infoworld.com/article/05/10/07/41FEidm_1.html?s=feature
Open Source Tools
• Open Metadirectory
– http://dweller.catalogix.se:8200/
• Cerebrum Project
– http://cerebrum.sourceforge.net/
• Nexus Provisioning System
– check the www.nmi-edit.org in May
Thanks!
• Presenters:
– Mark Berman, Williams College
[email protected]
– Joel Cooper, Carleton College
[email protected]
• Contributors:
–
–
–
–
Michael Berman, Art Center College of Design
Steven Carmody, Brown University
Andrea Gregg, Instructional Designer
Ann West, EDUCAUSE/Internet2
The Williams Process
•
•
•
•
•
•
•
•
•
Performed Business Process Analysis
Began the process of Policy Review
Determined initial project scope
Wrote and distributed RFP to selected vendors
Selected and contracted with chosen vendor
Continued Policy Review
Data cleanup (does it ever end?)
Developed test system
Deployment at end of this month!
•
(Sounds easy huh?)
Issues:
• Existing IAM systems and procedures
• Other departments (Registrar, HR) needed to
take on additional responsibility for data entry
and maintenance
• LOTS of exceptions needed to be taken into
consideration
• Ability to manually override any policy or
procedure needed to be designed in
Anticipated Benefits
• Reduced workload for Sysadmin staff and
Desktop Support staff
• Timely provisioning and deprovisioning of user
accounts
• Ability to tie in other systems as needed
• Self Service password maintenance