

Identity & Access Management Update
Non Student Lifecycle and Relationships Meeting
March 2, 2010

                                 Penn State Identity and Access Management -
IAM Non Student Lifecycle and Relationships

• Level Set on IAM
• Penn State IAM
• Use Cases
• Next Steps

Definition of IAM
“An administrative process coupled with a
technological solution which validates the
identity of individuals and allows owners of
data, applications, and systems to either
maintain centrally or distribute responsibility
for granting access to their respective
resources to anyone participating within the
IAM framework.” - NYS Forum
It’s about aligning University policies and
processes with the technologies to
support management of identities and
access to information

IAM - The Big Picture

What is IAM?
• Access to Protected Library Resources
• Library Staff Access to Integrated Library System
• Access to Library Public Workstations
• HMC Affiliate
• Access to Library Resources
• Access to Alumni Library Resources
• Access to Electronic Theses and Dissertations Web Site
• Graduate School Exit Survey
• Federating to Blogging Hosted Services
• Prospective Students Applying for Financial Aid
• Employee Confidentiality
• Provisioning of an Employee's Digital Identity
• Student Early Access to Residence Hall Requests and Immunization Records Submissions
• Grouper Auditing Use Case
• Continuing Education and Adult Students
• New Students Applying for Admissions and On-campus Housing
• Prospective Students Visiting Penn State New Kensington
• New Faculty and Access to ANGEL and Other Class Resources
• Adjunct Faculty Activating Access Account
• New Faculty & Staff Selecting Benefits
• Terminated Faculty Member Maintains Access
• Physicians at the Hershey Medical Center and Access to Library Resources
• Patients, Family Members, and Visitors at the Penn State Hershey Medical Center
• Alumni Donors
• Alumni Association
• Local Community Member and Short Term Access Accounts
• Registrar Relationships
• Student Lifecycle
• New Students Applying for Undergraduate Admissions
• Provision of Access to Course Work for Students at a Distance
• Library Resources
• ITS Computer Store Access
• CIC CourseShare
• Deprovision User Content after Graduation or Resignation
• Google Cache Updates
• Access to User Content after Graduation and/or Resignation
• Access to Directory Data
• Emergency Rehire
• Multiple IDs
• Deceased Employee
• Outreach Registration Process
• Updating ISIS Security Profile
• Multiple Security Realms, Same Userids but Different Passwords
• ROTC Instructor Affiliation
• Instructor with Independent Contractor Status
• Name Change Switching in the Directory
• Special Affiliates (for example Religious Affiliates)
• Father and Son Who Is a JR
• Cloning ISIS Security Profiles
• New PSUid Assigned for New PSU Affiliation
• Student Football Tickets
• Department Identity
• DSL Use Case Interview
• Police Services Use Case Interview
• Police Services Use Case
• Police Log

Penn State IAM
• IAM Stakeholder Committee
• Student Lifecycle Committee
• IAM Governance
• IAM Technical Architect Group
• Non-student Lifecycle Committee
• IAM Hershey Taskforce
IAM Strategic Planning Committee

• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of the Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical
• Privacy Office
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services

IAM Strategic Recommendations
1. Create Central IAM Policy and Governance
2. Develop plan for formal Risk Assessment
3. Create a Single Central Person Registry
4. Add Level of Assurance Component to Credentials
5. Promote Single Sign-on, Federated Identity, and control of University digital identity
6. Streamline Vetting, Proofing, and Issuance of Digital
7. Streamline and Automate Provisioning/De-provisioning of Services
8. Promote Awareness and Education of IAM

IAM Student Life Cycle Team
• ITS - Consulting & Support Services
• Auxiliary & Business Services
• ITS - Security Operations & Services
• Undergrad Admissions
• Eberly College of Science
• Student Affairs - Health Services
• Dickinson School of Law
• Undergrad Education - Registrar
• ITS - Digital Library Technology
• Undergraduate Education - Student
• ITS - Administrative Service
• Graduate School
• Smeal College of Business
• University Outreach
• Corporate Controller - Bursar

Student Lifecycle
• Expand the lifecycle for students’ digital identities and accounts that enable access to online services and resources—issuing the identities earlier in the relationship and extending them beyond our current normal practices.

Student Lifecycle
•   Expand Use of Student Affiliations and Add Defining Attributes -
    Expanded affiliations and attributes will help to more finely identify the
    relationship a student has with the University; such as applicant,
    student, or former student. Allowing access to services according to
    the student’s affiliation to the University will help ensure students have
    access to all the services they need, but only those that apply to their
    affiliation or combination of affiliations.

•   Implement Levels of Assurance with Student Accounts - Levels of
    Assurance (LoA) will classify the level of certainty the University has
    that a given digital identity matches a specific individual. The LoA
    needed to access a given service will vary across services. For
    example, the assurance of user identity needed for prospective
    students scheduling campus visits is much lower than for users
    accessing their transcripts or for faculty reporting grades.
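The two bullets above combine in one access decision: an affiliation (or a combination of affiliations) determines which services a person is eligible for, and the Level of Assurance of the credential they present determines whether they may actually reach a given one. The following Python is an added example, not code from the presentation or from Penn State's IAM program; the service catalogue, the 1..3 LoA scale and the `psuid` field are constructed assumptions chosen to mirror the campus-visit versus transcript versus grade-reporting comparison in the text.

```python
"""Affiliation- and assurance-based access decisions (added example).

The service catalogue, the LoA scale and the identifiers are illustrative
assumptions, not Penn State's actual policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Each service names the affiliations that qualify for it and the minimum
# Level of Assurance (LoA) the presented credential must carry.
# Constructed catalogue; the LoA scale is a hypothetical 1..3.
SERVICES: Dict[str, dict] = {
    "campus-visit-scheduling": {"affiliations": {"applicant", "student"}, "min_loa": 1},
    "transcript":              {"affiliations": {"student", "former_student"}, "min_loa": 3},
    "grade-reporting":         {"affiliations": {"faculty"}, "min_loa": 3},
    "alumni-library":          {"affiliations": {"former_student"}, "min_loa": 2},
}


@dataclass(frozen=True)
class Identity:
    psuid: str                    # hypothetical person-registry identifier
    affiliations: FrozenSet[str]  # a person may hold several at once (e.g. student + faculty)
    loa: int                      # assurance level of the credential actually presented


def decide(identity: Identity, service: str) -> Tuple[bool, str]:
    """Allow only if some affiliation qualifies AND the LoA is sufficient; deny otherwise."""
    rule = SERVICES.get(service)
    if rule is None:
        return False, "unknown service"            # unknown services are denied by default
    if not identity.affiliations & rule["affiliations"]:
        return False, "affiliation does not qualify"
    if identity.loa < rule["min_loa"]:
        return False, f"LoA {identity.loa} below required LoA {rule['min_loa']}"
    return True, "ok"


def entitlements(identity: Identity) -> List[str]:
    """All services this identity may use, given its affiliations and LoA."""
    return sorted(s for s in SERVICES if decide(identity, s)[0])


if __name__ == "__main__":
    # A prospective student with a low-assurance self-registered credential,
    # and a graduate student who also teaches, holding a proofed credential.
    applicant = Identity("psu-000001", frozenset({"applicant"}), loa=1)
    grad_ta = Identity("psu-000002", frozenset({"student", "faculty"}), loa=3)
    for ident in (applicant, grad_ta):
        print(ident.psuid, entitlements(ident))
```

The point of keeping affiliation and LoA as separate checks is that a person's eligibility (what their relationship to the University entitles them to) can be raised or lowered independently of how strongly their credential was proofed, and an audit log that records the failing check tells the help desk which of the two to fix.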
Student Lifecycle
•   Implement a Single Authentication Realm – Phasing out the
    distinction between Friends of Penn State accounts (FPS) and Access
    Accounts and moving to single authentication realm will avoid
    confusion between the two different types of accounts and help
    eliminate some of our current problems that occur when students are
    migrated back and forth between realms.

•   Streamline Registration Process – The above recommendations, if
    put into practice will provide opportunities for streamlining our current
    registration processes—enabling better customer service, reducing
    required staff time and resources, and reducing redundant registration

IAM Governance Council
Co-sponsored by:
• Rob Pangborn, VP and Dean of Undergrad Admissions
• Kevin Morooney, Vice Provost of Information Technology

• VP for Student Affairs, Director
• University Police Services
• CIO Hershey Medical Center
• Sr. VP Research & Dean Grad. School
• Assoc. VP of Auxiliary and Business Services
• Assoc. VP for Human Resources
• Vice President of Outreach
• Assoc. Dean of Tech - Dickinson School of Law
• VP of Commonwealth Campuses
• Dean of University Libraries & Scholarly Communications

IAM Technical Architect Group

• Formed in July 2009
• Charged with furthering Penn State's vision for a comprehensive and cohesive IAM solution.
• Support the University's goal to expand access and opportunities while preserving privacy for the Penn State community.
• Evaluate, prototype and recommend identity and access management solutions that provide the appropriate access to enterprise resources.

IAM Technical Architect
• Two primary areas of focus in year one
 • Single Central Person Registry
 • Access Management

Newly Formed (forming)

• Non Student Relationships and
• IAM Hershey Taskforce

IAM Community Site

IAM Use Cases

Use Case
Deceased Employee

• Use Case:
  • If an employee is deceased and the spouse has benefits through the deceased employee, the spouse must now maintain the benefits.
  • Some records have been changed to show the spouse's name and to provide access to the deceased employee's Penn State Access Account. This changes all identity information linked to the Access Account, but without proper records or signatures.

• IAM Opportunity:
  • Create a comprehensive IAM policy for managing all University relationships.
  • Explore federating identities as a solution for spousal access to benefits.
Use Case
Emergency Rehire
• Use Case:
  • A person retires from Penn State. If their position has not been filled and there is a need for that person’s skills, the retiree may be asked to work temporarily as an emergency rehire. This causes problems because, when checking IBIS records (OHR), the employee’s status is retired yet their AIS account is still active. In addition, the emergency rehire may be blocked from services necessary to do their job because their affiliation is retiree rather than faculty/staff.

• IAM Opportunity:
 •   Create a comprehensive IAM policy for managing all University relationships.

 •   Different levels of access may need to be defined for the emergency rehire.
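Both the Deceased Employee and Emergency Rehire use cases are the same underlying defect: the account system and the HR system of record disagree, and access is being adjusted by hand instead of being derived from the authoritative relationship. The Python below is an added example, not code from the presentation or from Penn State's systems; the record layouts, the status names, the `rehire_until` field standing in for an authorised emergency-rehire period, and the sample data are all constructed assumptions. It derives affiliations from HR data (a time-boxed "staff" affiliation for an authorised rehire, so the person is not stuck with only "retiree") and lists every account whose state contradicts the HR record.

```python
"""Reconciling HR status against account state (added example).

Covers the Deceased Employee and Emergency Rehire use cases. Record layouts,
status names, the rehire_until field and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class HrRecord:
    """What the HR system of record says about a person (constructed layout)."""
    psuid: str
    status: str                          # "active", "retired" or "deceased"
    rehire_until: Optional[date] = None  # set only while an emergency rehire is authorised


@dataclass(frozen=True)
class Account:
    """What the account system says (constructed layout)."""
    psuid: str
    enabled: bool


def affiliations(rec: HrRecord, today: date) -> Set[str]:
    """Derive affiliations from HR data, not from the account's mere existence.

    An authorised emergency rehire gets a time-boxed "staff" affiliation on top of
    "retiree", so service access follows the HR record rather than manual edits.
    A deceased person has no affiliations at all.
    """
    affs: Set[str] = set()
    if rec.status == "active":
        affs.add("staff")
    elif rec.status == "retired":
        affs.add("retiree")
        if rec.rehire_until is not None and rec.rehire_until >= today:
            affs.add("staff")
    return affs


def reconcile(hr_records: List[HrRecord], accounts: List[Account],
              today: date) -> List[Tuple[str, str]]:
    """Return (psuid, finding) pairs where account state disagrees with HR status."""
    hr: Dict[str, HrRecord] = {r.psuid: r for r in hr_records}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = hr.get(acct.psuid)
        if rec is None:
            if acct.enabled:            # nobody in HR vouches for this account
                findings.append((acct.psuid, "enabled account with no HR record"))
            continue
        affs = affiliations(rec, today)
        if rec.status == "deceased" and acct.enabled:
            findings.append((acct.psuid, "enabled account belongs to a deceased employee"))
        elif rec.status == "retired" and acct.enabled and "staff" not in affs:
            findings.append((acct.psuid, "retired employee still has an enabled account"))
        elif "staff" in affs and not acct.enabled:
            findings.append((acct.psuid, "authorised staff/rehire cannot use a disabled account"))
    return sorted(findings)


# Constructed sample data: one active employee, one plain retiree, one retiree
# authorised as an emergency rehire, one deceased employee, and an orphan account.
AS_OF = date(2010, 3, 2)            # date of the meeting, used as "today"
AFTER_REHIRE = date(2010, 7, 1)     # a day after the sample rehire period ends
SAMPLE_HR = [
    HrRecord("psu-1", "active"),
    HrRecord("psu-2", "retired"),
    HrRecord("psu-3", "retired", rehire_until=date(2010, 6, 30)),
    HrRecord("psu-4", "deceased"),
]
SAMPLE_ACCOUNTS = [
    Account("psu-1", True),
    Account("psu-2", True),
    Account("psu-3", False),
    Account("psu-4", True),
    Account("psu-5", True),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample as of AS_OF."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for psuid, finding in sample_findings():
        print(psuid, finding)
```

Running this reconciliation on a schedule turns both use cases into detections rather than surprises: a deceased employee's account that someone re-pointed at a spouse shows up as an enabled account with no living HR subject, and a rehire whose affiliation was never updated shows up as authorised staff on a disabled account.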

Use Case
Name Switching in the Directory
•   Use Case:
    •   When a student comes to Penn State their biographical data is stored in the Integrated
        Student Information System (ISIS). That information is fed to the CACTUS system for
        updating the Penn State Directory. Basic information about the student, such as their
        name and contact information, is displayed in the directory. After graduation the
        student may accept a position at Penn State. Their biographical data, along with other
        information about them, will now reside in the Integrated Business Information System (IBIS).
        Like ISIS data, IBIS data is also fed to CACTUS for directory updates.

    •   If the employee decides to marry and change their name, IBIS will be updated with the new
        name which will be propagated to CACTUS and finally the directory. A problem arises if the
        employee decides to take a class. Now information from both ISIS and IBIS will be fed to
        CACTUS. If the employee did not update ISIS with their new name, it will flip back and forth
        between their "maiden" name and their new married name. This will continue until the
        employee changes their name in ISIS.

•   IAM Opportunity:
    •   To reduce the number of authoritative sources for names and other key data elements.
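The flip-flop described above is what happens when a directory loader treats every incoming feed as equally authoritative and simply overwrites. The Python below is an added example, not code from the presentation or from the CACTUS loader; the feed layout, the source names as they are used here, the precedence order (IBIS over ISIS for an employee's name) and the sample records are constructed assumptions. It reproduces the oscillation with a last-writer-wins loader, then shows one way to honour a single authoritative source per attribute while still surfacing the stale record so it gets corrected at its origin.

```python
"""Directory name updates from two source systems (added example).

Feed layout, source precedence and the sample records are constructed
assumptions for the Name Switching use case.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Feed:
    """One attribute update arriving at the directory loader (constructed layout)."""
    source: str  # "ISIS" or "IBIS"
    psuid: str
    name: str


def last_writer_wins(feeds: Sequence[Feed]) -> Tuple[Dict[str, str], List[str]]:
    """The behaviour described on the page: every feed overwrites the directory.

    Returns the final directory and the sequence of values the entry went through,
    which makes the maiden-name / married-name flip-flop visible.
    """
    directory: Dict[str, str] = {}
    history: List[str] = []
    for f in feeds:
        if directory.get(f.psuid) != f.name:
            history.append(f.name)          # record each visible change
        directory[f.psuid] = f.name
    return directory, history


def single_authority(feeds: Sequence[Feed], precedence: Sequence[str]
                     ) -> Tuple[Dict[str, str], List[Tuple[str, str, str, str]]]:
    """Honour only the highest-precedence source that has supplied a value.

    A lower-precedence source that disagrees is not applied; it is reported as a
    (psuid, source, offered name, kept name) conflict so the stale record can be
    corrected where it lives instead of bouncing the directory.
    """
    best: Dict[str, Tuple[int, str]] = {}   # psuid -> (rank, name); rank 0 is most authoritative
    conflicts: List[Tuple[str, str, str, str]] = []
    for f in feeds:
        rank = precedence.index(f.source)
        current = best.get(f.psuid)
        if current is None or rank <= current[0]:
            best[f.psuid] = (rank, f.name)  # same-or-better source: apply the update
        elif f.name != current[1]:
            conflicts.append((f.psuid, f.source, f.name, current[1]))
    return {p: name for p, (_, name) in best.items()}, conflicts


# Constructed sample: an employee whose married name is in IBIS, while a stale
# ISIS record from her student days keeps re-sending the old name.
SAMPLE_FEEDS = [
    Feed("IBIS", "psu-7", "Jane Smith-Jones"),
    Feed("ISIS", "psu-7", "Jane Smith"),
    Feed("IBIS", "psu-7", "Jane Smith-Jones"),
    Feed("ISIS", "psu-7", "Jane Smith"),
]

if __name__ == "__main__":
    _, history = last_writer_wins(SAMPLE_FEEDS)
    print("last-writer-wins history:", history)
    directory, conflicts = single_authority(SAMPLE_FEEDS, ["IBIS", "ISIS"])
    print("single authority:", directory, "conflicts:", conflicts)
```

A precedence rule is a stop-gap; the opportunity the slide names, fewer authoritative sources for the name in the first place, removes the conflict list entirely. Until then, the conflict list is the work queue for whoever has to get the lower-ranked system corrected.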
• “If we get this right, there isn’t a unit or constituency that doesn’t benefit.
• We have to try to get it right.
  on the old trajectories make us more brittle at a time when we need to be more agile.”
Kevin Morooney
