Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access...

Date posted: 21-Dec-2015

Page 1

Identity and Access Management

IAM

A Preview

Page 2

Goal

To design and implement an identity and access management (IAM) middleware infrastructure that

– Improves the user experience

– Increases our security and audit capability

– Opens the door to different levels of access

Page 3

How will IAM help us?

Streamlining business processes through workflow

Reducing the need to hire additional technology staff to manage new applications

Supporting collaboration, both internal to and external to the University.

Page 4

Drivers for IAM

The drivers from both inside and outside the University promoting the implementation of this infrastructure include:

– Interdisciplinary and inter-institutional research and collaboration

– Changing needs of teaching and learning

– Fund raising and outreach

– Digital library access

– Increasing budgetary pressures

– Interactions with government agencies

Page 5

The IAM Infrastructure

The Business Case – 7 Major Outcomes

It will reduce the number of credentials that constituents must know to perform the actions for which they are authorized

It will reduce the implicit denial of service experienced by new members of the University.

– Accounts are not currently set up in a timely manner because processes – both manual and automated – may not function properly.

Page 6

IAM – The Business Case

It will reduce the operational and management overhead of enabling our constituents to perform actions for which they are already authorized and the incremental cost of implementing a new online service.

It will reduce the operational and management overhead of disabling authorization for former constituents (individuals no longer in a relationship with the University) who should no longer have access to University services and resources.

Page 7

IAM – The Business Case

It will enable the University to quickly modify a constituent’s access permissions as his/her role, and therefore his/her set of authorizations, changes

It will improve the quality of auditing actions across the University by using persistent identifiers common to all applications

Page 8

IAM – The Business Case

It can provide an environment in which the University can have confidence that the credential presented by someone to perform an authorized action is presented by the person to whom the credential was issued.

– By centralizing identity proofing and establishing appropriate policies on how an individual can prove he is who he says he is.

– The middleware infrastructure stores the credential in a secure manner.

Today credentials are stored in a variety of systems, rather than a central one, with sometimes questionable levels of security.

Page 9

IAM – Benefits

Significant benefits can be reaped from the deployment of an IAM infrastructure

– Enhanced Security

IAM reduces the management of user access to a single system

Who is active is deterministic since the identity information about individuals emanates from the University’s key administrative systems

Identity data is stored in a single protected data repository with data encryption and single sign-on capability

Relatively small staff to manage it

Page 10

IAM – Benefits

– Enhanced Security (continued)

Provides a mechanism to express access control policies

– Supports authorization services to applications

Supports better logging and audit capability

– User login identifiers are identical across systems so we are better able to track activity.

– Improves support for after-the-fact audit analyses

Page 11

IAM – Benefits

Simplified Network and Online Service Access

– Enables unified access to multiple applications

– Enables initial-sign-on, also called single-sign-on

– With initial-sign-on, it is a straightforward step to a campus portal

Page 12

IAM – Benefits

Economies of Scale

– The identity information that is populated into the identity and access management infrastructure comes from administrative systems like the Human Resources and Student Administration systems

– Additional identity information will be populated from other systems or interfaces as required. These entries will have explicit expiration dates associated with them.

Page 13

IAM – Benefits

Provides better application standards around authentication and authorization

Not only are applications using a common directory for identification, but also a standard (single) interface to authenticate

Applications will be easier to build, will be more consistent with each other, and provide a common user experience around authentication and authorization

Page 14

IAM – Benefits

– Economies of Scale (continued)

Provides a unified means of enabling and disabling access to a wide range of online services infrastructure for access control information

– It requires more support staff to have each application maintain its own accounts and access privileges

Since all applications authenticate and authorize against the same directories, the training costs are reduced (and users are more comfortable as well)

It is easier to outsource an application that is compliant with our standards, since we would not need the vendor to provide access control

Page 15

IAM – The Proposal

The model that we are pursuing to solve the IAM problem is based on the work of the National Science Foundation Middleware Initiative and Internet2.

We are committed to an open standards solution.

We are committed to an extensible solution.

Page 16

IAM – The Proposal

We will address initial sign-on for web applications

We will attempt to address initial sign-on for desktop/client applications

We will address the affiliate user issue and provide mechanisms for adding such users to the database to allow access to only those services that they should receive

Page 17

IAM – The Proposal

The next slide shows the roadmap for the identity and access management infrastructure for UConn.

– This will be adapted as necessary during the project, but is strongly based on the recommended roadmap from the NSF Middleware Initiative.

Page 18

Page 19

IAM – Who?

The design of the Identity Management component of the IAM infrastructure will require both technical staff from UITS and functional staff from a variety of areas.

– The functional staff will provide the business processes by which we can eliminate duplicate identities for the same person, determine the roles we care about, and help us to understand where besides the Human Resources and Student Administration Systems we must look for identities.

Page 20

IAM – Who continued?

The Identity Management component will also require technical staff with expertise in identity management, programming, and database administration.

The Provisioning Engine will require either a purchased product or some programming staff. This component will also require system and application administrators.

Page 21

IAM – Who needs to be involved?

The Access Management component requires programmers, system administrators, identity management experts, and application administrators.

Page 22

IAM – Where do we start?

Our goal is to carve out a manageable piece of this huge project and build for extensibility.

– We have initiated a short project to investigate what is available in the market.

– RFIs are in – we just got them and we need to start reviewing them.