Presentation - Welcome to ACM SIGUCCS

Orchestrating an Identity and Access Management Implementation
Panel
Bruce Taggart
 Vice Provost, Library & Technology Services
 Lehigh University
Tim Foley
 Director, Client Services, Library & Technology Services
 Lehigh University
Aaron Perry
 President
 APTEC, LLC
Moderator: Sara Rodgers
 Team Leader, Identity & Access Management
 Lehigh University
Q&A

Getting in tune with Identity and Access Management
Q&A

What is Identity and Access Management?
Lehigh’s Focus
Knowing who you are (Identity) and providing access to what you need (Access)
  – Who
    • Relationship, Affiliation or Role
    • Multiple Roles
    • Transitions/Changes
  – What
    • Electronic Resources
    • Computing Services
Campus Identity & Access Management (“IAM”) – reference architecture (diagram)

External populations: SOA Applications, Delegated Admin, Alumni/Customers, Affiliates
Internal populations: Faculty & Staff, Students, SOA Applications

Identity Management Service
  Access Management
    • Authentication & SSO
    • Authorization & RBAC
    • Identity Federation
  Identity Administration
    • Delegated Administration
    • Self-Registration & Self-Service
    • User & Group Management
  Cross-cutting: Auditing and Reporting; Workflow and orchestration; Monitoring and Management
  Directory Services
    • LDAP Directory
    • Meta-Directory
    • Virtual Directory
  Identity Provisioning
    • Who, What, When, Where, Why
    • Rules & access policies
    • Integration framework

Applications: Fac/Staff, Student, ERP, CRM
Systems & Repositories: OS (Unix), HR, Mainframe, NOS/Directories
(Diagram hosted by The University of Mary Washington)
Q&A

How important is Identity and Access Management?
• Administrative/ERP/information systems
• Disaster Recovery/business continuity
• Funding IT
• Identity/access management
• Infrastructure
• Security
2008 EDUCAUSE Current Issue Survey

Ranking from All Institutions on Strategic Importance
1. Security (2)
2. Administrative/ERP/information systems (3)
3. Funding IT (1)
4. Infrastructure (7)
5. Identity/access management (4)
6. Disaster recovery/business continuity (5)
2007 ranking in parentheses
2008 EDUCAUSE Current Issue Survey

Ranking from All Institutions on Potential to Become More Significant
1. Identity/access management (2)
2. Security (1)
3. Funding IT (3)
4. Disaster recovery/business continuity (4)
5. Administrative/ERP/information systems (5)
6. Infrastructure (8)
2007 ranking in parentheses
Q&A
To what extent is your institution considering or implementing an identity and access management solution?
  1. Not considering
  2. Currently evaluating
  3. Planned, but won’t start within the next 12 months
  4. Plan to start within the next 12 months
  5. Implementation is in progress
  6. Partially operational
  7. Fully operational
Q&A
Do you have a dedicated Identity and Access Management team/department?

What is the scope of responsibilities for your IAM team/dept.?
(computing accounts, library systems, ID cards, building access, parking access)
Case Study

Prelude
    Drivers and Objectives
    Planning and Procedures

Lehigh University
Current Environment

• Homegrown system
• Developed & supported by staff with 20+ years of service
• Adapted & patched over many years
What we typically see at Higher Education Institutions (diagram)

Identity attributes maintained by Administrators: User Name, PIDM, Affiliation, Department, Password
Lifecycle events on the left of the diagram: Faculty and Staff Arriving; Faculty and Staff Changing; Faculty and Staff Leaving
Populations and support: Students, Faculty/Staff, Alumni, Help Desk
Applications and systems each wired to the identity data individually (one box in the diagram is labelled only “?”): Faculty/Staff Portal, Student Portal, Banner Student, Banner HR, Emergency Response, Web-Based Self-Service, Email, Blackboard, LDAP Directory, Collaboration, Benefactor Apps, Software Distribution, Alumni Portal, IT Resources
Challenges and Issues (Typical HE Challenges and Issues)

Data
• No single view of identity data across applications
• Inconsistent user identity data
• Multiple repositories of user identity data
• Lack of defined standards for user attributes
• Many identity owners & sources

Supportability
• Administration performed both centrally and locally
• Manual, paper-driven processes work, but lack audit ability
• IT staff is stretched, especially as new projects are defined and started
• Infrastructure support team has a wide range of responsibility with limited means

Growth
• Use of web-based applications continues to grow
• Increasing demands for new services
• Need to support within current spending levels
• Affiliate community is always growing

Institutional Culture
• Priorities may vary on a per school or campus basis
• Varied and complex user populations
• Many institutions “bend over backwards” to provide the highest levels of service to their students
Changing Landscape
• Expansion – users and resources
  – Portal Implementation (2002)
• Complexity
  – Changing roles
  – Reduce role inflation
  – Self service options
  – Single sign-on
  – Federated identity management
• Compliance
  – Federal Acts (FERPA, HIPAA, GLB)
  – Privacy (under attack!)

Objectives
• Sustainability – standardized, documented
• Scalability
  – Easier to extend the solution to other key applications and infrastructure
  – Incrementally add functionality such as workflow, approval processes, and attestation
  – Federation
• Security
  – Foundation for enterprise application framework
  – Additional/more secure authentication methods
  – Rich auditing and reporting capability
Planning and Preparation

• Buy vs. Build
• Determine total cost of ownership
• Select the vendor, consultants
• Determine staffing and consulting needs
• Form internal implementation team

Buy vs. Build
• Availability of products – does something already exist that meets our needs?
• Long-term strategic goals – scalable solution
  – Robust – added functionality
  – Integration with expanding enterprise system (Banner, Luminis, Enrollment Management)
• Sustainable, standardized solution
  – Documented and supported
• Software quality assurance
  – Tested, proven

Total Cost of Ownership
• Software
• Hardware
• Training
• Consulting
• Internal Staff
  – Staff Dedicated to IAM
  – Systems Installation/Maintenance
  – Programming
  – Data stewards

Why Oracle?
• Compatibility
  – System features in line with our needs
  – Oracle to Oracle (Banner)
  – OIM can complement our existing IdM.
• Auditing features were appealing
• “Adapter Factory” and out-of-the-box connectors
IdM Solution Approach

Risk Avoidance
• Small, easy to define projects
• Defined success criteria and requirements
• Use of proven “off the shelf” products and technologies where appropriate

Rapid Value Realization
• Each project provides immediate value and results, which can be leveraged by other institutional initiatives

Pragmatism
• Leverage institution’s existing technology base and skills
• Recommend a solution that is easily expandable to meet future requirements

Cost Containment
• Recommend products that have predictable licensing and support costs
• Recommend institution’s internal team take ownership and perform tasks where possible
Case Study – Our Experience

OIM Implementation in Two Movements

Lehigh University

Implementation
• Phase I
  – Discovery
  – Documentation
  – Design
    – Role-based provisioning
    – Interface with authoritative source
• Phase II
  – Development
  – Testing
  – Deployment

Case Study

Concurrent Harmonies & Dissonance

Lehigh University
Challenges
• Resistance to change
• Trust Issues
  – Data Stewards/Managers
  – Programmers and Systems Analysts
• Cleaning up our act
  – Improve accuracy, completeness & timeliness of data in Banner – our authoritative source
  – Distributed responsibility
  – Analyze business practices & policies
  – Create customized input forms
  – Improve interpretation of data (work with data stewards, stakeholders)
  – Begin attestation (periodic access audits)

Lessons Learned
• Communication is key
  – Involve stakeholders & data stewards
  – Consensus building
  – Make sure everyone who will be involved with the implementation has input on the decision.
  – Involve early
• You won’t believe what we found
  – Trace/Document problems
  – Explain and re-train
• Push-pull with those you need most
• Monday morning quarterbacks

What’s Next?

• Expanding the scope of our IAM to include systems outside of LTS
• Multifactor authentication
• Federated identity management

Contact Information

Lehigh University:
  Bruce Taggart – bmt2@lehigh.edu
  Tim Foley – tjf0@lehigh.edu
  Sara Rodgers – skr5@lehigh.edu
APTEC, LLC:
  Aaron Perry – aaron@aptecllc.com
Use case: faculty on-boarding process flow (swimlane diagram; node labels and step numbers recovered from the chart, connections only where the diagram labels them Yes/No)

Banner (authoritative source)
  1    Data entry: Faculty HR Job Assignment (1.1 HR, 1.2 Faculty) creates the New Faculty Record
  2    Update Faculty Record(s); Teaching Assignment
  9    OPEN process initiated (record status OPEN/open)

IdM (OIM)
  3    Recon runs on schedule
  4    Create new Faculty OIM user
  5    On-board Faculty user process initiated
  5.1  Are username requirements met? Yes
  5.2  No: STOP
  6    Generate Lehigh username
  6.1  Do rules or roles apply? Yes
  6.2  No
  7    Provision user accounts on resources (pre-OPEN):
         7.1 Phonebook LDAP user account
         7.2 AFS LDAP user account
         7.3 NIS record (NIS password file)
         7.4 AFS user account
         7.5 Email mailbox (auto-responder)
         7.6 Blackboard (BB) user account
  8    Update user accounts on sources (8.1)
  10   Does OIM user exist? 10.1 Yes; 10.2 No
  11   Update Faculty OIM user (flag/password)
  12   Process rules and roles (12.1, 12.2)
  13   Provision user accounts on resources (post-OPEN):
         13.1 Active Directory user account; assign AD “roles” (groups)
         13.2 AFS space
         13.3 Update email mailbox (drop auto-responder)
         13.4 Luminis Portal user; assign portal roles
  14   Account(s) done: user message; error message on failure
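The on-boarding flow above (scheduled reconciliation, username check, rule/role evaluation, pre-OPEN and post-OPEN provisioning), the Phase I design items “role-based provisioning” and “interface with authoritative source”, and the “begin attestation (periodic access audits)” item under Challenges all describe one mechanism: the identity store is derived from the authoritative record by rules, and anything that drifts from the rules is revoked or reported. The block below is an added illustration written for this page in Python; it is not Lehigh’s OIM workflow, an Oracle connector, or any code from the presentation. The feed layout, the role rules, the pre-OPEN/post-OPEN split, the username scheme and the sample records are all assumptions constructed for the example.

```python
"""Reconciliation-driven, role-based provisioning with an attestation check.
Added illustration; not Lehigh's OIM configuration or Oracle code.  Record
layout, role rules and the username scheme are assumptions."""
from dataclasses import dataclass, field
import re

# Constructed sample feed from the authoritative source (a Banner-style HR
# extract).  'status' stands in for the pre-OPEN / OPEN state in the chart;
# 'terminated' is the "leaving" case the chart does not draw.
AUTHORITATIVE_FEED = [
    {"pidm": "100001", "first": "Ada", "last": "Lovelace", "affiliation": "faculty", "status": "open"},
    {"pidm": "100002", "first": "Grace", "last": "Hopper", "affiliation": "staff", "status": "pre-open"},
    {"pidm": "100003", "first": "Alan", "last": "Turing", "affiliation": "faculty", "status": "terminated"},
]

# Assumed role rules: resources an affiliation gets before the start date
# (pre-OPEN) and resources it only gets once the record is OPEN.
ROLE_RULES = {
    "faculty": {"pre_open": {"ldap", "email", "blackboard"}, "post_open": {"ad", "portal", "afs_space"}},
    "staff": {"pre_open": {"ldap", "email"}, "post_open": {"ad", "portal"}},
}


@dataclass
class Identity:
    pidm: str
    username: str
    affiliation: str
    status: str
    resources: set = field(default_factory=set)


def username_requirements_met(rec):
    """Step 5.1/5.2: refuse to mint a username from incomplete name data."""
    name = r"[A-Za-z][A-Za-z'-]+"
    return bool(re.fullmatch(name, rec.get("first", ""))) and bool(re.fullmatch(name, rec.get("last", "")))


def generate_username(rec, taken):
    """Step 6, assumed scheme: first initial + three letters of the last name
    + a sequence number, never reusing a username already in the store."""
    base = (rec["first"][0] + rec["last"][:3]).lower()
    n = 1
    while f"{base}{n}" in taken:
        n += 1
    return f"{base}{n}"


def entitled_resources(affiliation, status):
    """Steps 6.1/12: resources the rules justify for this lifecycle state."""
    rules = ROLE_RULES.get(affiliation, {})
    if status == "pre-open":
        return set(rules.get("pre_open", set()))
    if status == "open":
        return set(rules.get("pre_open", set())) | set(rules.get("post_open", set()))
    return set()  # terminated or unknown affiliation: nothing is justified


def reconcile(store, feed):
    """Steps 3-14: one scheduled reconciliation of the store against the feed.
    Returns the provisioning actions taken, in order."""
    actions = []
    taken = {i.username for i in store.values()}
    for rec in feed:
        ident = store.get(rec["pidm"])
        if ident is None:                                 # 10.2: no OIM user yet
            if not username_requirements_met(rec):        # 5.2: STOP with an error
                actions.append(("error", rec["pidm"], "username requirements not met"))
                continue
            ident = Identity(rec["pidm"], generate_username(rec, taken), rec["affiliation"], rec["status"])
            taken.add(ident.username)
            store[rec["pidm"]] = ident
            actions.append(("create", ident.username, ident.affiliation))
        else:                                             # 10.1/11: refresh flags
            ident.affiliation, ident.status = rec["affiliation"], rec["status"]
        wanted = entitled_resources(ident.affiliation, ident.status)
        for res in sorted(wanted - ident.resources):      # 7/13: provision
            actions.append(("provision", ident.username, res))
        for res in sorted(ident.resources - wanted):      # role change or leaving: revoke
            actions.append(("revoke", ident.username, res))
        ident.resources = wanted
    return actions


def attest(store):
    """Periodic access audit: entitlements no current rule justifies, i.e.
    anything granted by hand between reconciliation runs."""
    findings = []
    for ident in store.values():
        for res in sorted(ident.resources - entitled_resources(ident.affiliation, ident.status)):
            findings.append((ident.username, res))
    return findings


if __name__ == "__main__":
    # Constructed starting state: Alan already exists and still holds accounts.
    store = {"100003": Identity("100003", "atur1", "faculty", "open", {"ldap", "email", "ad"})}
    for action in reconcile(store, AUTHORITATIVE_FEED):
        print(action)
    store["100002"].resources.add("ad")  # out-of-band grant made at the help desk
    print("attestation findings:", attest(store))
```

Two points the chart leaves implicit are made explicit here: a record that no longer carries an active status loses every entitlement on the next run (the “leaving” event from the earlier diagram), and the attestation pass is what catches grants made outside the workflow, since reconciliation alone only sees what the rules produce.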
Lehigh Dev and Testing Environment / Production Environment Recommendation (diagram)

Database tier: two Oracle Database 10.2.0.2 instances (<SID>), Primary and Standby/Failover, each on a <hostname>.cc.lehigh.edu host running RHEL 4r5
Application tier: two OIM 9.1.0 nodes, each on a <hostname>.cc.lehigh.edu host running RHEL 4r5, each carrying the Connectors and Adapters, running on JBoss 4.0.3 SP1 / WebLogic 10.3 and listening on 80/443; the two nodes are kept in step with rsync
Clients: Applications (through the connectors), Admin & user console, Design Console
Changes in identity populations (bar chart; counts as labelled, y-axis 0 to 45,000)

Population    Previous    Current    Projected
Ugrad          4,756       4,856      5,000
Grad           2,089       2,100      2,100
Fac/Staff      1,764       1,764      1,764
Alumni           –         7,300     15,000
Offered          –         3,500      3,500
Parents          –         1,700      4,000
Applicant        –         6,000     13,000

				