Identity & Access Management Update by malj

Identity & Access
Non Student Lifecycle and Relationships
March 2, 2010

Penn State Identity and Access Management -
IAM Non Student Lifecycle and Relationships

• Level Set on IAM
• Penn State IAM
• Use Cases
• Next Steps

Definition of IAM
“An administrative process coupled with a technological solution which validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.” - NYS Forum

It’s about aligning University policies and processes with the technologies to support management of identities and access to information.

IAM - The Big Picture

What is IAM?
• Access to Protected Library Resources
• Library Staff Access to Integrated Library System
• Access to Library Public Workstations
• HMC Affiliate
• Access to Library Resources
• Access to Alumni Library Resources
• Access to Electronic Theses and Dissertations Web Site
• Graduate School Exit Survey
• Federating to Blogging Hosted Services
• Prospective Students Applying for Financial Aid
• Employee Confidentiality
• Provisioning of an Employee's Digital Identity
• Student Early Access to Residence Hall Requests and Immunization Records Submissions
• Grouper Auditing Use Case
• Continuing Education and Adult Students
• New Students Applying for Admissions and On-campus Housing
• Prospective Students Visiting Penn State New Kensington
• New Faculty and Access to ANGEL and Other Class Resources
• Adjunct Faculty Activating Access Account
• New Faculty & Staff Selecting Benefits
• Terminated Faculty Member Maintains Access
• Physicians at the Hershey Medical Center and Access to Library Resources
• Patients, Family Members, and Visitors at the Penn State Hershey Medical Center
• Alumni Donors
• Alumni Association
• Local Community Member and Short Term Access Accounts
• Registrar Relationships
• Student Lifecycle
• New Students Applying for Undergraduate Admissions
• Provision of Access to Course Work for Students at a Distance
• Library Resources
• ITS Computer Store Access
• CIC CourseShare
• Deprovision User Content after Graduation or Resignation
• Google Cache Updates
• Access to User Content after Graduation and/or Resignation
• Access to Directory Data
• Emergency Rehire
• Multiple IDs
• Deceased Employee
• Outreach Registration Process
• Updating ISIS Security Profile
• Multiple Security Realms, Same Userids but Different Passwords
• ROTC Instructor Affiliation
• Instructor with Independent Contractor Status
• Name Change Switching in the Directory
• Special Affiliates (for example Religious Affiliates)
• Father and Son Who Is a JR
• Cloning ISIS Security Profiles
• New PSUid Assigned for New PSU Affiliation
• Student Football Tickets
• Department Identity
• DSL Use Case Interview
• Police Services Use Case Interview
• Police Services Use Case
• Police Log

Penn State IAM
• IAM Stakeholder Committee
• Student Lifecycle Committee
• IAM Governance
• IAM Technical Architect Group
• Non-student Lifecycle Committee
• IAM Hershey Taskforce
IAM Strategic Planning
• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of the Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical Center
• Privacy Office
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services

IAM Strategic Recommendations
1. Create Central IAM Policy and Governance
2. Develop Plan for Formal Risk Assessment
3. Create a Single Central Person Registry
4. Add Level of Assurance Component to
5. Promote Single Sign-on, Federated Identity, and Control of University Digital Identity
6. Streamline Vetting, Proofing, and Issuance of Digital Credentials
7. Streamline and Automate Provisioning/De-provisioning of Services
8. Promote Awareness and Education of IAM

IAM Student Life Cycle
• ITS - Consulting & Support
• ITS - Digital Library Technology
• Auxiliary & Business Services
• Undergraduate Education - Student Aid
• ITS - Security Operations &
• ITS - Administrative Service
• Undergrad Admissions
• Graduate School
• Eberly College of Science
• Smeal College of Business
• Student Affairs - Health Services
• University Outreach
• Dickinson School of Law
• Corporate Controller - Bursar
• Undergrad Education - Registrar

Student Lifecycle
• Expand the lifecycle for students’ digital identities and accounts that enable access to online services and resources: issuing the identities earlier in the relationship and extending them beyond our current normal practices.

Student Lifecycle
• Expand Use of Student Affiliations and Add Defining Attributes - Expanded affiliations and attributes will help to more finely identify the relationship a student has with the University, such as applicant, student, or former student. Allowing access to services according to the student’s affiliation to the University will help ensure students have access to all the services they need, but only those that apply to their affiliation or combination of affiliations.

• Implement Levels of Assurance with Student Accounts - Levels of Assurance (LoA) will classify the level of certainty the University has that a given digital identity matches a specific individual. The LoA needed to access a given service will vary across services. For example, the assurance of user identity needed for prospective students scheduling campus visits is much lower than for users accessing their transcripts or for faculty reporting grades.

Student Lifecycle
• Implement a Single Authentication Realm - Phasing out the distinction between Friends of Penn State accounts (FPS) and Access Accounts and moving to a single authentication realm will avoid confusion between the two different types of accounts and help eliminate some of our current problems that occur when students are migrated back and forth between realms.

• Streamline Registration Process - The above recommendations, if put into practice, will provide opportunities for streamlining our current registration processes: enabling better customer service, reducing required staff time and resources, and reducing redundant registration activities.

IAM Governance
Sponsored by:
• Rob Pangborn, VP and Dean of Undergrad
• Kevin Morooney, Vice Provost of Information Technology

• VP for Student Affairs, Director
• University Police Services
• CIO Hershey Medical Center
• Sr. VP Research & Dean Grad. School
• Assoc. VP of Auxiliary and Business Services
• Assoc. VP for Human Resources
• Vice President of Outreach
• Assoc. Dean of Tech - Dickinson School of Law
• VP of Commonwealth Campuses
• Dean of University Libraries & Scholarly Communications

IAM Technical Architect Group

• Formed in July 2009
• Charged with furthering Penn State's vision for a comprehensive and cohesive IAM solution.
• Support the University's goal to expand access and opportunities while preserving privacy for the Penn State community.
• Evaluate, prototype and recommend identity and access management solutions that provide the appropriate access to enterprise resources.

IAM Technical Architect
• Two primary areas of focus in year
 • Single Central Person Registry
 • Access Management

• Non Student Relationships and
• IAM Hershey Taskforce

IAM Community Site

IAM Use Cases

Use Case: Deceased Employee
• Use Case:
 • If an employee is deceased and the spouse has benefits through the deceased employee, the spouse must now maintain the benefits.

 • Some records have been changed to now show the spouse's name, as well as provide access to the deceased employee's Penn State Access Account. This then changes all identity linked to the Access Account but without proper records or signatures.

• IAM Opportunity:
 • Create a comprehensive IAM policy for managing all University

 • Exploring federating identities as a solution for spousal access to benefits.
Use Case: Emergency Rehire
• Use Case:
 • A person retires from Penn State. If their position has not been filled and there is a need for that person’s skills, the retiree may be requested to work temporarily as an emergency rehire. This causes problems because when checking IBIS records (OHR), the employee’s status is retired yet their AIS account is still active. In addition, the emergency rehire may also be prohibited from accessing services necessary to do their job because their affiliation is not faculty/staff, but retiree.

• IAM Opportunity:
 • Create a comprehensive IAM policy for managing all University

 • Different levels of access may need to be defined for the emergency rehire.
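The emergency-rehire problem above is a reconciliation and multi-affiliation problem. The following added example (not Penn State code; the record fields, the rehire register and the service policy table are constructed assumptions) derives an affiliation set from the HR and account feeds, flags a retired-but-active account that no rehire record explains, and decides access on the whole set so that "retiree" plus "emergency-rehire" can be granted what "retiree" alone cannot:

```python
"""Added illustration of the emergency-rehire use case; not Penn State code.

Two constructed feeds disagree about one person: the HR record (IBIS) says
'retired' while the account system (AIS) still shows an active account.
The hypothetical functions below derive an affiliation set from the feeds,
flag that mismatch for review when no rehire record explains it, and make
access decisions on the whole affiliation set rather than on one status.
"""

# Constructed records; field names are assumptions, not the real IBIS/AIS schemas.
IBIS = {"psuid": "900000001", "status": "retired"}   # HR (OHR) record
AIS = {"psuid": "900000001", "account": "active"}    # account record
REHIRES = {"900000001": {"ends": "2010-06-30"}}      # hypothetical rehire register

# Which affiliations each service accepts (constructed policy table).
SERVICE_POLICY = {
    "payroll-timesheet": {"faculty", "staff", "emergency-rehire"},
    "retiree-benefits": {"retiree"},
    "course-management": {"faculty", "staff"},
}


def affiliations(psuid, ibis, rehires):
    """Derive the affiliation set for one person from HR status plus the rehire register."""
    affs = set()
    if ibis["status"] == "retired":
        affs.add("retiree")
    elif ibis["status"] == "active":
        affs.add("staff")
    if psuid in rehires:
        affs.add("emergency-rehire")  # time-limited, distinct from faculty/staff
    return affs


def reconcile(ibis, ais, rehires):
    """Return review findings: an active account for a retiree with no rehire record."""
    findings = []
    retired_but_active = ibis["status"] == "retired" and ais["account"] == "active"
    if retired_but_active and ibis["psuid"] not in rehires:
        findings.append(f"{ibis['psuid']}: retired in IBIS but AIS account still active")
    return findings


def can_access(service, affs):
    """Grant access when any of the person's affiliations satisfies the service policy."""
    return bool(SERVICE_POLICY[service] & affs)


if __name__ == "__main__":
    person = affiliations(IBIS["psuid"], IBIS, REHIRES)
    print(sorted(person), can_access("payroll-timesheet", person))
    print(reconcile(IBIS, AIS, {}))   # finding only when no rehire record exists
```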
Use Case: Name Switching in the Directory
• Use Case:
 • When a student comes to Penn State their biographical data is stored in the Integrated Student Information System (ISIS). That information is fed to the CACTUS system for updating information in the Penn State Directory. Basic information about the student is displayed in the directory, like their name and contact information. Post graduation the student may accept a position at Penn State. Their biographical data, along with other information about them, will now reside in the Integrated Business Information System (IBIS). Like ISIS data, IBIS data is also fed to CACTUS for directory updates.

 • If the employee decides to marry and change their name, IBIS will be updated with the new name, which will be propagated to CACTUS and finally the directory. A problem arises if the employee decides to take a class. Now information from both ISIS and IBIS will be fed to CACTUS. If the employee did not update ISIS with their new name, it will flip back and forth between their "maiden" name and their new married name. This will continue until the employee changes their name in ISIS.

• IAM Opportunity:
 • To reduce the number of authoritative sources for names and other key data elements.
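The flip-flop described above is what happens when two feeds are both allowed to write the same attribute in arrival order. The following added example (not Penn State code; the feed events, the precedence table and the function names are constructed assumptions) replays an interleaved ISIS/IBIS feed first through a last-writer-wins directory, reproducing the oscillation, and then through a single person registry that keeps one authoritative source per attribute, which is the direction the "single central person registry" recommendation points:

```python
"""Added illustration of the directory name-switching use case; not Penn State code.

Two constructed feeds carry the same person: ISIS still has the pre-marriage
name, IBIS has the new one.  naive_directory_updates applies each feed event
in arrival order, as the slide describes CACTUS doing, so the displayed name
oscillates.  registry_updates routes both feeds through one hypothetical
person registry that keeps a single authoritative value per attribute and
reports, rather than applies, stale values from the lower-precedence source.
"""
from collections import namedtuple

Event = namedtuple("Event", "source psuid name")

# Constructed feed events, interleaved in the order CACTUS would receive them.
FEED = [
    Event("IBIS", "900000002", "Jane Smith"),   # HR record: new married name
    Event("ISIS", "900000002", "Jane Doe"),     # student record: old name
    Event("IBIS", "900000002", "Jane Smith"),
    Event("ISIS", "900000002", "Jane Doe"),
]

# Precedence for the 'name' attribute: higher wins (constructed policy).
NAME_PRECEDENCE = {"IBIS": 2, "ISIS": 1}


def naive_directory_updates(feed):
    """Last writer wins: return the sequence of names the directory displays."""
    directory = {}
    shown = []
    for ev in feed:
        directory[ev.psuid] = ev.name
        shown.append(directory[ev.psuid])
    return shown


def registry_updates(feed, precedence):
    """Single registry: keep the value from the most authoritative source seen so far."""
    registry = {}   # psuid -> (source, name)
    shown, conflicts = [], []
    for ev in feed:
        current = registry.get(ev.psuid)
        if current is None or precedence[ev.source] >= precedence[current[0]]:
            registry[ev.psuid] = (ev.source, ev.name)
        elif ev.name != current[1]:
            # Stale value in the non-authoritative source: report it for cleanup.
            conflicts.append(f"{ev.source} has stale name {ev.name!r} for {ev.psuid}")
        shown.append(registry[ev.psuid][1])
    return shown, conflicts
```

The conflict list is the operational payoff: it tells staff which source still holds the old name, instead of letting the directory alternate until the person notices.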
• “If we get this right, there isn’t a unit or constituency that doesn’t
• We have to try to get it right. Continuing on the old trajectories makes us more brittle at a time when we need to be more agile.” - Morooney
