Penn State’s Identity & Access Management Initiative
“It’s all about who you know … and what you know about them”

Presentation Overview
• Brief Introduction to Identity & Access Management (IAM) Concepts
• Why IAM is Important to Penn State
• Starting Up the IAM Effort
• Working on IAM Together
• Eight Key Recommendations
• Keeping the Momentum Going

IAM Defined
“An administrative process coupled with a technological solution which validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.”
– NYS Forum

Three Core Concepts
• People and Relationships
• Creation and Management of Identities
• Access to Data and Applications

People and Relationships
• Different types of affiliations
– Formal vs. casual
• Multiple affiliations
• Affiliation life-cycles

Creation & Management of Identities
• Vetting – collection and validation of identity information
• Proofing – matching the collected data to an actual person
• Issuance of credentials
– ID/password pair
– ID card
– 2nd-factor token

Access to Data & Applications
• Connecting people to data and services
• Authentication decisions – knowing who the user is
• Authorization decisions – based on affiliation type, status, level of assurance, roles, and other attributes

Why IAM is Important to Penn State
• Four foundational goals
– Increase collaboration and innovation
– Improve customer service
– Increase efficiency
– Improve security of digital assets and mitigate risk

Real Life Examples
New faculty and staff hires need to access University systems to choose benefit options, set up syllabi, and prepare for classes before they set foot on a Penn State campus, and today that need goes unmet.
Real Life Examples
Distance education students across Pennsylvania, and around the world, face significant challenges in gaining access to the online University resources required for their education.

IAM Initiative – The Beginning
… Started With Many Long Walks & Great Discussions

Sponsored by a Position of Authority
• Executive Vice President and Provost – R. Erickson
• Vice Provost & CIO, Information Technology Services – K. Morooney

Co-Leading the IAM Effort
• Auxiliary & Business Services
• Information Technology Services

Identifying Stakeholders
• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of the Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical Center
• Privacy Office (Office of the Corporate Controller)
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services

The Invitation
“We recognize that this is a very broad topic and believe that your organization's participation will be critically important to successfully understanding Penn State's needs, challenges, and future directions in IAM. … The individuals representing each area should have a basic understanding of digital identities, knowledge of the business processes in your area, and an eagerness to collaborate to find a solution that will provide a strategic direction for Penn State and IT.”
Vice Provost’s Initial Charge
• Develop a Penn State roadmap for Identity and Access Management that can be used to help marshal the energy necessary to get to where we all need to go
• Establish a community of people and organizations who understand each other's pressures, needs, and desires in identity and access management, for the purposes of maintaining and developing as nimble a set of infrastructures as possible to facilitate academic, business, and collaborative processes

IAM Initiative Logistics
• Full Committee Meetings every 6 weeks
• Deliverables in less than 1 year
• Education of Committee Members
• Sub Groups
– Report back to the larger group
– Shared wiki space
– Co-leaders meeting with each group
• Co-Leaders and Sub Group leader meetings

IAM Sub Groups
• Levels of Assurance
• Governance and Policy
• Vetting, Proofing, and Registration Authorities
• Risk Assessment
• Lifecycles and Affiliations
• Provisioning of Access
• Education and Awareness

Eight Strategic Recommendations

Strategic Recommendations #1
• Create a Comprehensive Policy for Identity & Access Management
– A comprehensive policy covering all aspects of Identity & Access Management does not exist today and needs to be developed. This policy framework is crucial for the project’s success.

Strategic Recommendations #2
• Create a Central Person Registry
– A single centralized person registry is needed to combine identity data records from disparate systems, ensuring the integrity and availability of person records.

Strategic Recommendations #3
• Streamline Vetting, Proofing, and Issuance of Digital Credentials
– Significant gains in efficiency could be realized by overhauling the current processes for creating accounts and issuing credentials.
Strategic Recommendations #4
• Automate the Provisioning (and Deprovisioning) of Access Rights
– Both customer service and security could be significantly improved by automating the granting of access based on affiliation, roles, and attributes, and its removal when those attributes change.

Strategic Recommendations #5
• Develop a Plan for Formal Risk Assessment
– A systematic risk management process is needed to evaluate the technology and information systems that are critical to the University’s mission.

Strategic Recommendations #6
• Add a Level of Assurance Component to Accounts and Access Decisions
– A more granular approach to account creation and access decisions is needed. A Level of Assurance component will provide this flexibility and is also being required by federal agencies.

Strategic Recommendations #7
• Promote Single Sign-on, Federated Identities, and Better Control of University Digital Credentials
– Better control of Penn State digital credentials is needed, especially in regard to the use of these credentials with outside agencies, hosted vendor solutions, and other institutions of higher education. Single sign-on and federated identities will provide this control.
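Recommendations #2, #4 and #6 together describe one mechanism: a central person registry merged from several systems of record, access derived from affiliation, role and level of assurance, and provisioning and deprovisioning driven by changes in those attributes rather than by individual requests. The following Python model is an added example and not code from the Penn State initiative; the feed names (hr, sis), the services, the access rules, the LoA numbers and the sample person records are all constructed for illustration.

```python
"""Attribute-driven provisioning model: person registry, affiliation
life-cycles, level-of-assurance gated access, and grant/revoke planning.
Added example; not code from the Penn State IAM initiative. All system
names, rules and sample records are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Affiliation:
    kind: str                    # e.g. "faculty", "staff", "student"
    source: str                  # system of record that asserted it (constructed)
    start: date
    end: Optional[date] = None   # None = open-ended


@dataclass
class Person:
    person_id: str
    loa: int                     # level of assurance of the issued credential
    roles: set = field(default_factory=set)
    affiliations: list = field(default_factory=list)


@dataclass(frozen=True)
class AccessRule:
    service: str
    affiliations: frozenset      # holding any one of these qualifies
    min_loa: int = 1             # minimum LoA the credential must carry
    role: Optional[str] = None   # if set, the role must also be held


# Illustrative rules: affiliation decides whether a service applies at all;
# LoA and role decide whether this particular credential is good enough.
RULES = [
    AccessRule("email", frozenset({"faculty", "staff", "student"})),
    AccessRule("lms", frozenset({"faculty", "student"})),
    AccessRule("benefits-enrollment", frozenset({"faculty", "staff"}), min_loa=2),
    AccessRule("grant-system", frozenset({"faculty"}), min_loa=2, role="pi"),
]


def build_registry(feeds, credential_loa):
    """Merge affiliation records from several systems of record into one
    registry keyed by a shared person identifier. LoA comes from the
    credential-issuance record, not from the affiliation feeds."""
    registry = {}
    for source, records in feeds.items():
        for rec in records:
            pid = rec["person_id"]
            person = registry.setdefault(pid, Person(pid, credential_loa.get(pid, 1)))
            person.affiliations.append(
                Affiliation(rec["kind"], source, rec["start"], rec.get("end")))
            person.roles.update(rec.get("roles", ()))
    return registry


def active_affiliations(person, today, grace_days=0):
    """Affiliation kinds in force on `today`; an ended affiliation stays
    active for `grace_days`, so deprovisioning is delayed, never skipped."""
    grace = timedelta(days=grace_days)
    return {a.kind for a in person.affiliations
            if a.start <= today and (a.end is None or today <= a.end + grace)}


def entitlements(person, today, rules=RULES, grace_days=0):
    """Services this person should have, derived purely from attributes."""
    active = active_affiliations(person, today, grace_days)
    return {r.service for r in rules
            if active & r.affiliations
            and person.loa >= r.min_loa
            and (r.role is None or r.role in person.roles)}


def reconcile(registry, current_access, today, grace_days=0):
    """Diff desired access against what systems currently hold and return
    {person_id: {"grant": set, "revoke": set}} for every person that differs.
    Accounts with no registry record at all are revoked entirely."""
    plan = {}
    for pid, person in registry.items():
        desired = entitlements(person, today, grace_days=grace_days)
        current = current_access.get(pid, set())
        grant, revoke = desired - current, current - desired
        if grant or revoke:
            plan[pid] = {"grant": grant, "revoke": revoke}
    for pid in set(current_access) - set(registry):
        if current_access[pid]:
            plan[pid] = {"grant": set(), "revoke": set(current_access[pid])}
    return plan


# Constructed sample data. "hr" and "sis" are hypothetical feeds; p1 is a
# faculty member who is also a graduate student, p2 a staff member whose
# appointment ended, p4 a faculty member whose credential is only LoA 1,
# p9 an account with no registry record behind it.
SAMPLE_FEEDS = {
    "hr": [
        {"person_id": "p1", "kind": "faculty", "start": date(2008, 1, 15), "roles": ["pi"]},
        {"person_id": "p2", "kind": "staff", "start": date(2005, 6, 1), "end": date(2008, 2, 29)},
        {"person_id": "p4", "kind": "faculty", "start": date(2008, 1, 15)},
    ],
    "sis": [
        {"person_id": "p1", "kind": "student", "start": date(2007, 8, 20)},
        {"person_id": "p3", "kind": "student", "start": date(2006, 8, 20)},
    ],
}
SAMPLE_LOA = {"p1": 2, "p2": 2, "p3": 1, "p4": 1}
SAMPLE_CURRENT = {"p2": {"email", "benefits-enrollment"}, "p3": {"email"}, "p9": {"email"}}
SAMPLE_TODAY = date(2008, 3, 1)


def demo_entitlements(person_id, grace_days=0):
    registry = build_registry(SAMPLE_FEEDS, SAMPLE_LOA)
    return entitlements(registry[person_id], SAMPLE_TODAY, grace_days=grace_days)


def demo_plan(grace_days=0):
    registry = build_registry(SAMPLE_FEEDS, SAMPLE_LOA)
    return reconcile(registry, SAMPLE_CURRENT, SAMPLE_TODAY, grace_days)
```

Running demo_plan() yields grants for p1 and p4 (p4 gets email and the LMS but not benefits enrollment, because the LoA 2 rule fails), a revocation of everything p2 holds, and a revocation of p9's orphaned account, which is the case a request-driven manual process never sees. The grace period on active_affiliations is the one knob that turns an abrupt cut-off into a delayed one; it only postpones revocation, it never suppresses it.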
Strategic Recommendations #8
• Promote Awareness and Education of the Importance of Identity & Access Management
– Initial awareness and ongoing education are needed to promote understanding of the importance of Identity & Access Management and to achieve buy-in from stakeholders.

Next Steps
• Awareness and Education
– Matrix of use cases
– Identify priorities
• Pilot implementing Levels of Assurance
– Gap analysis: InCommon Silver, LoA 2
– NIH applications
• Strategic Implementation Teams

Contact Information
• Joel Weidner – jlw2@psu.edu
• Renee Shuey – rshuey@psu.edu

Resources
• Penn State IAM Initiative – http://its.psu.edu/IAM/
• The Enterprise Authentication Implementation Roadmap – http://www.nmi-edit.org/roadmap/draft-authnroadmap-03/index.html

Copyright Renee Shuey & Joel Weidner, March 2008
This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.