Securing the Digital Campus With Identity Management

Philippe Trautmann, Stuart Sim

Page 2

Sun Proprietary/Confidential: Internal Use Only

Agenda

1. Overview
- Why Identity Management matters
- Evolution of Identity Management
- Components of a "complete" Identity Management System

2. Technical Overview of Sun's Identity Management Suite
- Modules of Sun's Identity Management Suite and their capabilities
- Support of Federated Identity standards
- SSO support for non-Web applications
- Sun's decision to open source the Access Manager module (run-time authentication and authorization)
- Customer case study

3. (Option) An overview of Sun in "Education and Research": 30 minutes

4. Q&A

Page 3

What Is Identity Management?

"Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities."

– The Burton Group

Page 4

Essential Functions of Identity Management

● Provision access – Establish, change, and remove user accounts and privileges
  (Example: follow a standard workflow for tasks such as adding a new faculty member or deleting student access to course materials after a term has completed)

● Authenticate – Confirm that users are who they claim to be
  (Example: "I'm John Doe and here's my ID and password to prove it")

● Authorize – Allow access to services based on business rules for group affiliations and roles
  (Example: all members of the group "Prof_Smith_Physics_301" have access to Professor Smith's Physics 301 online lecture notes)

● Protect Privacy and Comply with Regulations
  (Example: hide personal data and track usage patterns for an audit trail without tracking private usage information such as who checked out specific books from the library)
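As an added example that is not from the slides or from Sun's products, the four functions above modelled in a few lines of Python: the group name "Prof_Smith_Physics_301" is the slide's, while the users, resource paths, credentials and term dates are constructed for illustration.

```python
import hmac
from typing import Dict, List, Set

# Constructed sample identity store: user -> group affiliations.
# "Prof_Smith_Physics_301" is the group named on the slide; users are made up.
GROUPS: Dict[str, Set[str]] = {
    "jdoe":   {"Student", "Prof_Smith_Physics_301"},
    "psmith": {"Faculty", "Prof_Smith_Physics_301"},
    "rjones": {"Student"},
}
# Business rule: the group affiliation each resource requires (constructed paths).
RESOURCE_RULES: Dict[str, str] = {
    "/courses/physics301/lecture-notes": "Prof_Smith_Physics_301",
    "/hr/faculty-directory": "Faculty",
}
# Constructed credential store; a real deployment verifies against a directory.
CREDENTIALS: Dict[str, str] = {"jdoe": "s3cret", "psmith": "pa55"}

AUDIT: List[dict] = []  # audit trail of decisions, not of what users read

def authenticate(user: str, password: str) -> bool:
    """Confirm the user is who they claim to be (ID + password)."""
    expected = CREDENTIALS.get(user, "")
    ok = user in CREDENTIALS and hmac.compare_digest(expected, password)
    AUDIT.append({"event": "authn", "user": user, "ok": ok})
    return ok

def authorize(user: str, resource: str) -> bool:
    """Allow access only when the user holds the group the rule names."""
    required = RESOURCE_RULES.get(resource)
    ok = required is not None and required in GROUPS.get(user, set())
    # Record who asked for what and the decision; the privacy point on the
    # slide is that the audit trail stops here and does not track private usage.
    AUDIT.append({"event": "authz", "user": user, "resource": resource, "ok": ok})
    return ok

def deprovision_course(group: str, term_end: str, today: str) -> int:
    """Workflow step: once a term has ended (ISO dates), remove students
    from the course group so their access to its materials lapses."""
    if today < term_end:  # ISO YYYY-MM-DD strings compare chronologically
        return 0
    removed = 0
    for user, groups in GROUPS.items():
        if group in groups and "Student" in groups:
            groups.discard(group)
            removed += 1
            AUDIT.append({"event": "deprovision", "user": user, "group": group})
    return removed
```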

Page 5

Identity Addresses Top Priorities in Education

Top ten business trends in 2004 according to a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003

Security breaches/business disruptions

Operating costs/budgets

Data protection and privacy

Identity Management Can Improve Security, Reduce Costs, and Protect Privacy, the Top Three Business Priorities in Education

Page 6

Why Identity Is So Important in Education

● More stringent regulations

● Complex identity requirements & rapidly changing user roles

● Enormous scale

● 85% have experienced security breaches in the last 12 months

● Managing access to licensed digital content

● Federation to support collaborative research

Page 7

Higher Education Faces More Regulations (1)

● External regulations requiring greater protection of personal information

– e.g. Gramm-Leach-Bliley Act, Student and Exchange Visitor Information System, HIPAA, and FERPA

● New legislation regarding copyright protection

● Threats of lawsuits over intellectual property abuse or identity theft

(1) Zastrocky, Yanosky, and Harris, "Higher Education Faces More Regulations," Gartner, Research Note, December 23, 2003.

Page 8

Identity Requirements in Edu are Complex

● Many roles with different access requirements

● Users often have multiple roles

● Frequently changing roles

● Multi-campus environment

● Legacy of multiple fragmented identity databases

Page 9

Security Incidents on the Rise

● Unauthorized access to sensitive institutional data

● Threats or abusive behavior

● Altered/vandalized Web site

● Research database hacked

More Than 85% Have Experienced IT Security “Incidents” in the Past 12 Months*

* Based on a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003

Page 10

Stages of Implementing Identity Management

Page 11

Stage 1 – Every Application for Itself

● Authentication and logging functionality only

● Every application for itself in performing these functions

● Multiple user names and passwords must be remembered by users

Many Institutions Still Function Without a Centralized Directory Service, Despite the Inefficiencies

[Diagram: five separate applications, each with its own Authentication box]

Page 12

Stage 2 – Central Authentication Services

● Applications have access to centralized authentication services

● Support for single sign-on – Web Initial Sign-On (Web ISO)

● The beginnings of Federated Identity to simplify collaboration

Enables Web Initial Sign-On for Participating Applications

[Diagram: a single Central Authentication Service shared by the participating applications]

Page 13

Stage 3 – Full Identity Management

● Workflow task automation

● Roles and rules-based authorization

● System-wide auditing and reporting

● Password self-administration

● Federation of identity information

[Diagram: identity management layer spanning Research, ERP, Digital Library, SIS and e-Learning applications, built on Administration Services, Transaction Services and Data Repositories]

Page 14

Components of “Full” Identity Management*

Component – Description

Reflect – Track changes to institutional data

Join – Establish and maintain identities

Credential – Issue digital credentials

Manage Affiliation – Manage affiliation and group information

Manage Privileges – Manage access privileges and permissions

Manage Passwords – Self-service password resets & synchronization

Provision – Push identity management info to other systems

Deliver – Publish access control information at run time

Authenticate – Verify identities

Authorize – Allow/deny user access independent of authentication

Log – Track usage for audit purposes

Federate – Authenticate & authorize based on a "trusted" source

* Based primarily on data from a presentation delivered by Keith Hazelton, University of Wisconsin-Madison, Identity Management CAMP, Nov. 15, 2004 and sources from Sun market development.

Page 15

Benefits of Full Identity Management Layer

● Enhanced security and privacy

● Improved scalability and reduced cost/complexity

● Improved user experience

● Federation

Page 16

Summary of Identity Solution Requirements

● Complete, integrated, centralized solution

– Centralized authentication, authorization and auditing

– Integrated components

● Modular and scalable

– Start small with specific components and extend to a full solution

● Integrate-able

– Open standards-based interfaces allow investment protection

[Diagram: three requirement pillars – Complete, Integrated & Centralized; Modular & Scalable; Integrate-able]

Page 17

Why Sun For Identity Management

● Complete solution

● Integrated yet modular

● Best-in-class provisioning & workflow

● Connectors for third-party applications in Edu

● Experience in Federated Identity

Page 18

Identity Manager Partial Customer List • 15 new references in Q2!

• Universidad de Oviedo, Spain
• Universidad Rovira i Virgili, Spain
• University of Salford, UK
• Université Catholique de Louvain, Belgium
• Schulen ans Netz, Germany
• Western Michigan University, USA
• University of California Santa Cruz, USA
• University of Victoria, Canada
• Notre Dame University, Australia

Page 19

Identity Management: A New Imperative in Higher Education

Page 20

Backup Slides

Page 21

Agenda

● What is Identity Management?

● Why Identity Is Important in Education

● Stages of Implementing Identity Management

● Identity Solution Requirements in Education

● Sun's Comprehensive Identity Management Offering

● Why Sun?

● Customer Examples

Page 22

Federation Requirements

● Federation is necessitated by collaborative research and other inter-institution collaboration

● There are two implementation approaches:

– The Liberty Alliance Project – An alliance of more than 150 companies, non-profit and government organizations developing an open standard for federated network identity (http://www.projectliberty.org/)

– Shibboleth – An open source implementation of federated identity information that has gained a lot of momentum in education

● Shibboleth and Liberty are working on interoperability through SAML 2.0, expected in 12-15 months

Federation Enables Sharing Identity Information Outside the Firewall While Protecting Privacy

Page 23

Federation in Java System Access Manager

● Supports Federation using Liberty specification

● Interoperability with Shibboleth through SAML 2.0 (expected in 12-15 months)

Standards-based Approach Allows Integration With Shibboleth

[Diagram: Java System Access Manager and its applications on one side of the firewall, a Shibboleth server and its applications on the other, linked via SAML 2.0]

Page 24

Integrate-able Identity Management

● Provides broad cross-platform compatibility

– Protects customers' existing investments

– Provides increased flexibility

● Supports standards at EVERY touch point

Page 25

Integrated, End-to-End Identity Management

[Diagram: three product columns and their capabilities]

Identity Manager: User Provisioning, Password Management, Synchronization Services, Web-Based Administration, Audit & Reporting

Access Manager: Web Single Sign-On, Access Control, Federation

Directory Server EE: Directory Services, Security/Failover, AD Synchronization

Page 26

Identity Management Is More than Just Implementing an Enterprise Directory

• Enterprise directory can provide:

> Enterprise security — Single common repository for all authentication and access control rules

> Efficiency in application development — Leverage the enterprise directory to simplify development

> Simplified collaboration — Federated identity sharing

• Identity management adds:

> Enhanced user experience — Single sign-on and faster access to applications

> Reduced help desk cost — Online password reset

> Workflow efficiency — Automated tasks such as adding access to course materials when users register for specific classes

> Support for regulatory requirements — More complete tracking and audit trail features

Page 27

Solaris™ Operating System for x86 Platforms: Come Join Us!

• Building on a leading platform

• Offering customers true choice and true value

• Investing in partnerships

LET'S GROW TOGETHER