Identity and Access Management

Penn State’s Identity & Access Management Initiative
“It’s all about who you know … and what you know about them”
Presentation Overview
• Brief Introduction to Identity & Access Management (IAM) Concepts
• Why IAM is important to Penn State
• Starting Up the IAM Effort
• Working on IAM Together
• Eight Key Recommendations
• Keeping the Momentum Going
IAM Defined
“An administrative process coupled with a technological solution which validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.” – NYS Forum
Three Core Concepts
• People and Relationships
• Creation and Management of Identities
• Access to Data and Applications
People and Relationships
• Different types of affiliations
– Formal vs. Casual
• Multiple affiliations
• Affiliation life-cycles
Creation & Management of Identities
• Vetting – collection and validation of identity information
• Proofing – aligning collected data and matching an actual person
• Issuance of credentials
– ID/password pair
– ID card
– 2nd factor token
Access to Data & Applications
• Connecting people to data and services
• Authentication decisions
– Knowing who
• Authorization decisions
– Affiliation type, status, level of assurance, roles and other attributes.
Why IAM is Important to Penn State
• Four foundational goals
– Increase collaboration and innovation
– Improve customer service
– Increase efficiency
– Improve security of digital assets and mitigation of risk
Real Life Examples
New faculty and staff hires face an unmet need to access University systems, to choose benefit options, set up syllabi, and prepare for classes, before they set foot on a Penn State campus.
Real Life Examples
Distance education students across Pennsylvania, and around the world, face significant challenges in gaining access to the required online University resources needed for their education.
IAM Initiative – The Beginning
… Started With Many Long Walks & Great Discussions
Sponsored by Position of Authority
• Executive Vice President and Provost – R. Erickson
• Vice Provost & CIO, Information Technology Services – K. Morooney
Co-Leading the IAM Effort
• Auxiliary & Business Services
• Information Technology Services
Identifying Stakeholders
• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of the Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical Center
• Privacy Office (Office of the Corporate Controller)
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services
The Invitation
• “We recognize that this is a very broad topic and believe that your organization's participation will be critically important to successfully understanding Penn State's needs, challenges, and future directions in IAM. … The individuals representing each area should have a basic understanding of digital identities, knowledge of the business processes in your area, and an eagerness to collaborate to find a solution that will provide a strategic direction for Penn State and IT.”
Vice Provost’s Initial Charge
Develop a Penn State roadmap for Identity and Access Management that can be used to help marshal the energy necessary to get to where we all need to go.

Establish a community of people and organizations who understand each other's pressures, needs, and desires in identity and access management for the purposes of maintaining and developing as nimble a set of infrastructures as possible to facilitate academic, business, and collaborative processes.
IAM Initiative Logistics
• Full Committee Meetings every 6 weeks
• Deliverables in less than 1 year
• Education of Committee Members
• Sub Groups
– Report back to larger group
– Shared wiki space
– Co-leaders meeting with each group
• Co-Leaders and Sub Group leader meetings
IAM Sub Groups
• Levels of Assurance
• Governance and Policy
• Vetting, Proofing, and Registration Authorities
• Risk Assessment
• Lifecycles and Affiliations
• Provisioning of Access
• Education and Awareness
Eight Strategic Recommendations
Strategic Recommendations #1
• Create a Comprehensive Policy for Identity & Access Management – A comprehensive policy, covering all aspects of Identity & Access Management, does not exist today and needs to be developed. This policy framework is crucial for the project’s success.
Strategic Recommendations #2
• Create a Central Person Registry – A single centralized person registry is needed to combine identity data records from disparate systems, ensuring the integrity and availability of person records.
Strategic Recommendations #3
• Streamline Vetting, Proofing, and Issuance of Digital Credentials – Significant gains in efficiency could be realized by overhauling the current processes for creating accounts and issuing credentials.
Strategic Recommendations #4
• Automate the Provisioning (and Deprovisioning) of Access Rights – Customer service and security could both be significantly increased by automating the provision of access based on affiliation, roles, and attributes.
Strategic Recommendations #5
• Develop a Plan for Formal Risk Assessment – A systematic risk management process is needed to evaluate the technology and information systems that are critical to the University’s mission.
Strategic Recommendations #6
• Add Level of Assurance Component to Accounts and Access Decisions – A more granular approach to account creation and access decisions is needed. A Level of Assurance component will provide this flexibility and is also being required by federal agencies.
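The access decisions sketched on the Access to Data & Applications slide (affiliation type, status, level of assurance, roles) and the automated provisioning and deprovisioning of Recommendation #4, with the Level of Assurance threshold of Recommendation #6, can be shown as one small policy evaluator. The Python below is an added example, not code from Penn State or the IAM initiative; the person records, affiliation kinds, resource names and LoA thresholds are constructed for illustration.

```python
"""Attribute-based access decisions with affiliation life-cycles and LoA.

Added illustration (not Penn State's code): a person record of the kind a
central person registry would hold, resource policies keyed on affiliation,
Level of Assurance and roles, and a reconcile step that yields the grants
and revocations needed to keep entitlements in line with current attributes.
All identifiers, dates and thresholds are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Affiliation:
    kind: str               # e.g. "faculty", "student", "staff", "guest"
    start: date             # first day the affiliation is in effect
    end: Optional[date]     # None means open-ended
    status: str = "active"  # "active" or "suspended"

    def is_active(self, today: date) -> bool:
        """Active only inside its life-cycle window and not suspended."""
        if self.status != "active" or today < self.start:
            return False
        return self.end is None or today <= self.end


@dataclass
class Person:
    person_id: str   # constructed registry identifier
    loa: int         # Level of Assurance of the issued credential, 1..4
    affiliations: list = field(default_factory=list)
    roles: set = field(default_factory=set)

    def active_kinds(self, today: date) -> set:
        """Kinds of affiliation that are active on the given day."""
        return {a.kind for a in self.affiliations if a.is_active(today)}


@dataclass
class ResourcePolicy:
    name: str
    allowed_affiliations: set   # any one active affiliation of these kinds
    min_loa: int                # minimum credential LoA
    required_roles: set = field(default_factory=set)  # all must be held


def authorize(person: Person, policy: ResourcePolicy, today: date):
    """Return (allowed, reason); checks affiliation, then LoA, then roles."""
    if not person.active_kinds(today) & policy.allowed_affiliations:
        return False, "no active qualifying affiliation"
    if person.loa < policy.min_loa:
        return False, f"LoA {person.loa} below required {policy.min_loa}"
    missing = policy.required_roles - person.roles
    if missing:
        return False, f"missing roles: {sorted(missing)}"
    return True, "ok"


def reconcile(person: Person, policies, current: set, today: date):
    """Return (to_grant, to_revoke) so entitlements match policy today.

    Revocations are produced automatically once an affiliation's life-cycle
    ends or is suspended; nothing has to remember to remove access.
    """
    entitled = {p.name for p in policies if authorize(person, p, today)[0]}
    return sorted(entitled - current), sorted(current - entitled)


# Constructed sample policies: a pre-hire affiliation lets a new hire reach
# the course and benefits systems before the faculty appointment begins.
POLICIES = [
    ResourcePolicy("course-lms", {"prehire", "faculty", "student", "staff", "guest"}, min_loa=1),
    ResourcePolicy("benefits-portal", {"prehire", "faculty", "staff"}, min_loa=2),
    ResourcePolicy("research-grants", {"faculty", "staff"}, min_loa=2, required_roles={"pi"}),
]

NEW_HIRE = Person("psu-0001", loa=2, roles={"pi"}, affiliations=[
    Affiliation("prehire", date(2008, 7, 1), date(2008, 8, 14)),
    Affiliation("faculty", date(2008, 8, 15), None),
])
GUEST = Person("psu-0002", loa=1, affiliations=[
    Affiliation("guest", date(2008, 1, 1), date(2008, 6, 30)),
])
LOW_LOA_STAFF = Person("psu-0003", loa=1, affiliations=[
    Affiliation("staff", date(2007, 1, 1), None),
])

if __name__ == "__main__":
    for day in (date(2008, 7, 10), date(2008, 9, 1)):
        print(day, reconcile(NEW_HIRE, POLICIES, set(), day))
    print("guest after expiry:", reconcile(GUEST, POLICIES, {"course-lms"}, date(2008, 7, 1)))
    print("low-LoA staff:", authorize(LOW_LOA_STAFF, POLICIES[1], date(2008, 9, 1)))
```

The three checks are deliberately ordered so the reason string names the first failing attribute; a provisioning job can log that reason, and a deprovisioning run is nothing more than `reconcile` executed daily against the registry.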
Strategic Recommendations #7
• Promote Single Sign-on, Federated Identities, and Better Control of University Digital Credentials – Better control of Penn State digital credentials is needed—especially in regards to the use of these credentials with outside agencies, hosted vendor solutions, and other institutions of higher education. Single sign-on and federated identities will provide this control.
Strategic Recommendations #8
• Promote Awareness and Education of the Importance of Identity & Access Management – Initial awareness and ongoing education is needed to promote understanding of the importance of Identity & Access Management and achieve buy-in from stakeholders.
Next Steps
• Awareness and Education
– Matrix of Use Cases
– Identify Priorities
• Pilot implementing Levels of Assurance
– Gap analysis InCommon Silver, LoA 2
– NIH Applications
• Strategic Implementation Teams
Contact Information
• Joel Weidner
– jlw2@psu.edu
• Renee Shuey
– rshuey@psu.edu
Resources
• Penn State IAM Initiative
– http://its.psu.edu/IAM/
• The Enterprise Authentication Implementation Roadmap
– http://www.nmi-edit.org/roadmap/draft-authnroadmap-03/index.html
Copyright Renee Shuey & Joel Weidner, March 2008
This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.