Identity and Access Management Town Hall, February 10, 2014 (Monday), 10:00AM-12:00PM, 6 Story Street



Agenda

• Team News (Jason)

• Recent Accomplishments (Jane/Magnus)

• Program Plan (Erica/Jason)

• Project Methodology (Ann)

• Upcoming Project Milestones (Ann)

• IAM HUIT Website (Greg)

• Hiring Update (Jason)

• Questions and Answers (All)


Team News

• There is greatness among us!

– Congratulations to Joe Hardin on your well-deserved HUIT Cup win!

• We’ve been busy creating IAM Program awareness!

– First iteration of the IAM Program Plan complete!

– Successful IAM Executive Leadership meeting on 1/28/13

– Program budget and resource requests have been approved.

– CIO Council update for IAM to take place today.

• We created a monthly dashboard for the Executive Committee

• We are creating an IAM Community Plan

– Provides an approach for keeping Harvard schools and departments, not to mention other higher education institutions, involved

• We are looking to introduce a Program CRM solution to assist us in tracking our involvement with partners


Recent Accomplishments

• Auth-LDAP release deployed to Production without issue!

– Lessons learned to be gathered to assist with future process changes and release planning.

• DM Sailpoint Identity Cubes built (and built, and built…)

– Further performance tuning is in process

• Connections deployed to the Cloud!

• Working test repository created to enable efficient reuse of test data

• Working Puppet setup of our standard architecture for web apps (Apache/Tomcat) used in development.

• On-boarding of additional SPs (e.g., ServiceNow)


Program Plan - Overview

• What is a Program Plan?

– High-level, governing document for all facets of IAM Program:

• Program Goals

• Team Structure

• Governance Structure

• Planning Approach

• Implementation Roadmap

• Communication/Partner Engagement

– Capture User Benefits

• End users

• Application Owners

• People Administrators

– Date-driven, not scope-driven, deliverables


Program Plan (cont.)

• Four IAM Program Tenets will:

– Simplify the User Experience

• Eliminate perceived complexities surrounding user identities.

– Enable Research and Collaboration

• Enable students and faculty to share information and work across School boundaries leveraging authentication standards and federation.

– Protect University Resources

• Protect sensitive information and data.

• Meet audit and regulatory requirements.

– Facilitate Technology Innovation

• Enable HUIT-wide strategic initiatives (SIS, UC)

• Cloud


Program Plan - Implementation Approach


The IAM Program will be implemented in accordance with the four strategic objectives, and work will be managed as a portfolio of eleven projects:


Program Plan - Deliverable Roadmap

• Review of the IAM Program Deliverables Roadmap (Hand-out)

• Review of the IAM Release Benefit Roadmap (Hand-out)

• Review of the One Way Federation One Pager (Hand-out)


Project Management Methodology

• Implementing expanded PM Approach

– Keep everything that works well

– Add structure where needed


Project Management Methodology (cont.)

– Formalize additional phases of the releases

• Planning & Analysis Phase

• Development Phase

• Release/Go-Live

• Support/Maintenance

– Adjust JIRA structure to mirror Program Plan to allow for reporting

• Releases: Epics

• Deployments: Versions

– Release Documents on Confluence

• Project Charter

• Go-Live Playbook

• Release Plan


Project Management Methodology (cont.)

– Project Management Plan draft due on 2/14/14

– Pilot Release to “kick off” on 2/28/14


Release Milestones

(Recovered from the release roadmap figure; the figure's project names and layout were not captured in extraction, so milestones are listed in the order they appear.)

• 5/1: Read-Only Connectors & Cube Aggregation in Prod

• 6/30: Claims; SPAC Tool; AD Provisioning

• 4/1: Prod Release

• 6/15: Extended Base Attribs in Prod

• 10/31: Attribs & SAML Profiles Provided to Harvard

• 6/15: Gap Analysis, Backlog Written

• 12/1: All Changes Complete

• 3/31: HU LDAP DNS Flip

• 4/1: View for UUID in Prod

• 6/30: Backlog for UUID Web Svc.

• 4/15: Launch for Internal Use

• 6/30: Wide Roll-Out

• 5/31: Plan for Adding other OWF Partners

• 9/30: Onboarding Wave 1

• 1/31: Onboarding Wave 2

• 7/1: Sized Backlog

• 3/31: Implement Reference Model: Dev

• 6/30: Implement Reference Model: Prod

• 3/31: Replacement in Prod (in Cloud)

• 3/31: Replacement in Prod (in Cloud)

• 6/30: Align with Reference Model

• 4/15: Complete Planning Phase

• 6/1: Test Dev Version

• 9/30: Deploy to Prod

• 2/28: Define 4 KPIs

• 2/13: V1 Website Live

• 3/15: Communication Specialist Hired


HUIT Website - IAM

• New IAM External Website to “go-live” on 2/13/14.

– http://projects.iq.harvard.edu/iam

• Call for content!

– Ideas and submissions for content entries

– IAM topics to be spotlighted

– Plans for group videos

– Photo submission


Hiring Update

• Interim Community Manager Position filled

– Welcome, Steve King!

• Senior Cloud Engineer selected

– Conditional Offer extended to candidate with expected start date on 2/18/14.

• Wave 1 Positions are Open!

– Software Engineer

– Senior Database Developer

– Lead Software Engineer ($1,000 referral bonus eligible)

– Community Program Manager

– Directory Architect

– Quality Assurance Engineer

– Solutions Architect

– Communications and Reporting Specialist


Questions and Answers?


Supporting Materials


Appendix A: IAM Accomplishments to Date

Simplify the User Experience

• Selected and purchased a new identity creation toolset that will lead to an improved onboarding experience for all users.

• Implemented a new Central Authentication Service for faster, flexible deployment of applications across the University.

• Implemented One-Way Federation with the Harvard Medical School to prove the concept that users can select the credentials they would like to use to access services.

• Implemented Provisioning improvements to set the foundation for the expansion of cloud services, support Active Directory consolidation, and email migrations.

• Integrated a new ID Card Application into IAM that enables the University to handle large-scale replacement of expired cards.

Enable Research and Collaboration

• Joined InCommon Federation and enabled authorized Harvard users to access protected resources at HathiTrust.

• Enabled access to a planning tool that Harvard researchers can use to assist with compliance of funding requirements specific to grants (e.g., NSF, NIH, Gordon and Betty Moore Foundation).

Protect University Resources

• Proposed a new Password Policy to the HUIT Security Organization to standardize password strength and expiration requirements for the University.

• Drafted a Cloud Security Architecture with the HUIT Security Organization to provide Level 4 security assurance for application deployments within Amazon Web Services.

• Refreshed the AUTH LDAP software and infrastructure to current, supported versions.

Facilitate Technology Innovation

• Created a conceptual architecture for IAM Services to be deployed within Amazon's offsite hosting facilities.


Appendix B – IAM Business Need

(Table reconstructed per stakeholder; the original columns were Stakeholder, Experience Today, Imagine If…, and Program Benefit.)

Faculty and Staff

Experience Today

• Faculty and staff use different user names and credentials to access applications and data both internal and external to the University.

• Manual, paper-based process for sponsoring and managing user accounts.

• Faculty and staff have no access or are forced to register for accounts to access external sites.

Imagine If…

• Faculty and staff could access information and perform research across schools and with other institutions without having to use several sets of credentials.

• Faculty and staff could manage their own accounts and sponsor others through a centralized web application.

Program Benefit

• Simplify Account Management

• Increase Self-Service

• Expand Access to Resources

Students

Experience Today

• Students use different user names and credentials to access applications that cross school boundaries.

• The identity of a student is not consistent throughout the identity lifecycle from acceptance to alumni, resulting in interrupted access to services and resources.

Imagine If…

• Students could choose to use their home school credentials to log in to applications across the University.

• Students could keep using the same set of credentials after they graduate.

Program Benefit

• Allow Choice of Credentials

• Ensure Continuity of Identity

Technical Staff

Experience Today

• Reliance on manual user management poses a security risk.

• Application teams have difficulty integrating identity and access management into their solutions, creating long implementation timelines and higher costs.

Imagine If…

• Automated provisioning reduces the burden on IT staff and increases the security posture of the University.

• Application teams can easily integrate Harvard users with internal and external applications.

Program Benefit

• Simplify Application Set-up and Administration

External Users

Experience Today

• External users, such as researchers from other higher education institutions, must obtain a Harvard credential and password to access resources.

Imagine If…

• External users can access Harvard applications using credentials native to their home institution.

Program Benefit

• Reduce Manual Process for Guest Membership


Appendix C – IAM Vision

Strategic Objectives

1. Simplify the User Experience

“Simplify and improve user access to applications and information inside and outside of the University.”

2. Enable Research and Collaboration

“Simplify the ability for faculty, staff, and students to perform research and collaboration within the University and with colleagues from other institutions.”

3. Protect University Resources

“Improve the security stature of the University with a standard approach.”

4. Facilitate Technology Innovation

“Establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies.”

Guiding Principles

● Harvard Community needs will drive the technology supporting the Identity and Access Management Program

● Tactical project planning will remain aligned with the Program strategic objectives

● Solution design should allow for other Schools to use the foundational to communicate with the IAM system in a consistent, federated fashion

● Communication and socialization of the program are critical to its success

Key Performance Indicators

• The number of help desk requests that relate to account management per month.

• The number of registered production applications that use the IAM system per month.

• The number of user logins and access requests through the IAM system per month.

• The number of production systems that the IAM system provisions to per month.

The Vision for Identity and Access Management (IAM)

Provide secure access to applications that is easy for the user, application owner, and IT administrative staff with solutions that require fewer login credentials, enable collaboration across Harvard and beyond, and improve security and auditing.
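The four Key Performance Indicators in Appendix C are stated as monthly counts, but the deck does not say how they would be measured. The following is an added example, not code from the town hall or from the HUIT IAM program, that rolls an IAM audit log up into those four monthly figures. The log line format, the event names (login, access_request, helpdesk, provision), the field names and the sample entries are all constructed assumptions; the second KPI is approximated as the number of distinct applications seen authenticating through IAM in the month, since the page does not describe the application registry.

```python
"""Monthly IAM KPI rollup over an audit log (added example; assumptions noted below)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
#   "<ISO-8601 UTC timestamp> <event> key=value key=value ..."
# Event names, field names and values are assumptions for this example.
SAMPLE_LOG = """\
2014-02-03T09:12:44Z login app=sis user=u001 result=success
2014-02-03T09:15:01Z access_request app=sis user=u002 result=denied
2014-02-04T11:02:10Z helpdesk category=account_mgmt ticket=T100
2014-02-04T11:40:00Z helpdesk category=network ticket=T101
2014-02-10T08:00:00Z provision target=ad user=u003
2014-02-10T08:00:05Z provision target=ldap user=u003
2014-02-11T14:22:09Z login app=servicenow user=u004 result=success
this line is malformed and must be skipped
2014-03-01T10:00:00Z login app=sis user=u001 result=success
2014-03-02T10:05:00Z helpdesk category=account_mgmt ticket=T102
2014-03-02T10:06:00Z helpdesk category=account_mgmt ticket=T103
2014-03-05T16:30:00Z provision target=ad user=u005
2014-03-07T12:00:00Z access_request app=hathitrust user=u006 result=success
"""


def parse_line(line):
    """Parse one log line into (timestamp, event, fields); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return ts, parts[1], fields


def monthly_kpis(log_text):
    """Return {"YYYY-MM": {kpi_name: value}} for the four Appendix C KPIs."""
    helpdesk = defaultdict(int)        # account-management help desk requests
    apps = defaultdict(set)            # distinct apps authenticating via IAM
    auth_events = defaultdict(int)     # logins + access requests
    targets = defaultdict(set)         # distinct systems provisioned to
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must not abort the whole rollup
        ts, event, fields = parsed
        month = ts.strftime("%Y-%m")
        if event == "helpdesk" and fields.get("category") == "account_mgmt":
            helpdesk[month] += 1
        elif event in ("login", "access_request"):
            auth_events[month] += 1  # denied requests count as requests too
            if "app" in fields:
                apps[month].add(fields["app"])
        elif event == "provision" and "target" in fields:
            targets[month].add(fields["target"])
    months = set(helpdesk) | set(apps) | set(auth_events) | set(targets)
    return {
        month: {
            "account_mgmt_helpdesk_requests": helpdesk[month],
            "production_apps_using_iam": len(apps[month]),
            "logins_and_access_requests": auth_events[month],
            "provisioning_targets": len(targets[month]),
        }
        for month in sorted(months)
    }


if __name__ == "__main__":
    for month, kpis in monthly_kpis(SAMPLE_LOG).items():
        print(month, kpis)
```

Distinct-set counting for applications and provisioning targets matters: counting raw provision events would inflate the fourth KPI whenever one user is provisioned to the same system twice in a month, and counting denied access requests alongside logins keeps the third KPI an honest measure of demand on the IAM system rather than only of successes.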