1

EDUCAUSEMidwest Regional Conference

Top Strategies for Working with Stakeholders:

Synopses of Recommendations from the Identity Management Summit

Mark Bruhn, Associate Vice President for Telecommunications, Indiana University

Steve Worona, Director of Policy and Networking Programs, EDUCAUSE

March 12, 2007

2

Overview of the Summit

Summit with Thought Leaders and Experts

Held in Washington D.C., Nov. 2-3, 2006– Key message was in the organization of the summit: A highly diverse group of

higher education leaders from a wide range of institutional offices– Range of issues discussed reflected in subsequent slides of this presentation

Definition– IdM is an integrated system of business processes, policies, and technologies that

enable organizations to facilitate and control their users’ access to online applications and resources, while protecting confidential personal and business information from unauthorized users

• Identity verification• Transaction-time authentication (passwords, PKI, biometric,…)• Authorized access• Profiles, groups, templates, roles• Provisioning, de-provisioning• Cross-departmental and cross-institutional• Community-wide

3

Drivers for Identity Management

Services, Stakeholder Expectations, Security

Why is IdM needed on campus? What services, federal compliances, and other advantages are

evident? What responsibilities does the institution have to students, faculty,

staff? How much time do institutions have to accommodate these drivers?

4

The Business Case for Identity Management

Key Points, Strategies, and Follow-up Steps

What key points should be in a business case for IdM?

How and by whom should the business case be developed and presented?

What are the follow-up steps in the case of a positive response; a negative response; a lukewarm response?

5

Institutional Ownership/Governance

Breadth of Functional Engagement, Collaboration

Consider that IdM is not just an IT issue. How then do offices such as student enrollment services, human resources, internal auditing, financial services, library, faculty research, instruction, legal counsel, security offices, policy offices, alumni, advancement, card services, health centers, IT and others define their identity management needs on campus?

How can these groups effectively work together on the policy, business process, and technology to develop and move forward on a plan to institute a common identity management system?

What are the responsibilities of the Board, President, Provost? How would a governance process be instituted and work effectively to

accommodate continuous change in requirements, legislation and opportunities?

6

Policy Considerations

Scope and Implementation

What should policy cover?

How should policy be established and managed?

How are decisions made on such issues as who gets access, cradle-to-grave management, interim access, proper checks and balances, ease of use vs. more conservative processes, privacy, other security requirements?

7

Risk Management and Assessment

Level of Risk, Cost/Benefit Considerations

What are the risks of not properly managing the identities of users?

How should institutions decide on the level of risk they are willing to absorb?

What are the costs/benefits of protecting resources?

How does IdM fit into security strategies?

8

Communication and Education

Strategies and Responsibilities

How should users of institutional resources be educated on the importance of IdM? Whose responsibility is this and more general communications?

What part does each component of the institution play?

9

Implementation and Operational Issues

Priorities, Resources, Engagement, Tradeoffs, Other Information Systems, Operations

CAMPUS PRIORITIES AND RESOURCES – How does IdM relate to other priorities at our institutions and how does planning and implementation of an IdM infrastructure fit into the ongoing work of the institution? What strategies can a campus use to make progress on implementing of a robust identity management environment on our campuses?

ENGAGEMENT – How can business units on campus stay engaged in the implementation process and maintain a sense of buy-in and urgency?

TRADEOFFS - How does the campus ensure that the IdM plan has an integrated approach to policy, process and technology?

OTHER INFORMATION SYSTEMS – Given that the campus must integrate the IdM system with existing and new information systems, how does this affect application choices of the various functional units and departments? What can be done with information systems that incorporate their own way of doing identity management?

OPERATIONS - What mechanisms are needed to support IdM? What business processes and related technologies are needed?

10

Recommendations to EDUCAUSE

• Brian Hawkins to deliver message to campus CEOs• Develop short readable brochures• Provide external consultants• Help forge new relationships between technical staff

and functional offices• Collect and publish best practices• Apply cybersecurity taskforce model to IdM• Advocacy with government---monitor status of

legislation• Work with non-IT higher ed associations

11

Questions/Discussion

Materials and notes from the IdM Summit are available at: http://www.educause.edu/IdMSummit