Identity Management

Identity Management:
What it is, isn’t and what it can do for you
Tom Golson, TAMU IT
Agenda
• Identity management, from a high level
• TAMU IT’s history in Identity Management
• Brief overview of Dell ONE Identity Manager
• Plans for the evolution of Identity at Texas A&M University
• Cautions and Warnings
• Questions
What is Identity Management?
Identity and Access Management consists of
• Policies
• Processes, and
• Technologies
put in place for the purpose of establishing Subject
digital identities and controlling access to digital
resources.
That sounds easy enough ...
Identity and Access Management is NOT just
account provisioning or password management.
For Identity and Access Management,
stakeholders, data owners (Registration
Authorities) and identity consumers have to work
together and agree on the data to aggregate
and the practices for reflecting Identity to
downstream services.
When approached holistically
Identity and Access Management enables
● Security
● Compliance
● Outreach
● Personalization
● Decision making
Identity reduces the friction between customers
and services.
How it began at Texas A&M University
• Starting in 1999 as a username and address for
email
– Identity was an IT project focused on email until
2005. The “NetID”.
• 2005 Formal efforts began to engage
stakeholders and the LDAP Working Group was
formed
• 2010 The NetID and Identity activities expanded
into Active Directory
• 2014 Identity Agent programs began
Technically: 1999
Technically: 2011
And That’s When We Knew
• Identity and Access Management was
precariously perched
– Dozens of data sources
– Processed by hundreds of applications
– Directly provisioning 10 targets
– Indirectly provisioning dozens of targets through
data feeds and uploads to customers
• Staffing couldn’t increase
• Helping customers integrate identity was almost
impossible
Enter Dell ONE
• Dell ONE is an Identity Management suite
• The core, “Identity Manager” is:
– Object mapping and libraries
– Workflow
– Job execution
– Synchronization
– Connectors & provisioners
• TAMU IT also purchased:
– Password Manager
– Data governance
– Cloud Access Manager
Dell ONE Block Diagram
Freeing up resources
• Texas A&M University genuinely has an
advantage:
– Established governance processes managed
out of the Identity Office
– Strong working relationships with data owners
and data consumers
To Deliver
• Process and relationship mean:
– Consensus around persistent, unique identifiers
has been established
– The Identity Team has a deep understanding of
the data and the limitations of the data
Real Value
• So we can now
– Stop writing applications and
– Focus on integrating:
• Identity creation
• Provisioning
• Deprovisioning
• Group membership
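The four integration points above (identity creation, provisioning, deprovisioning, group membership) come down to one loop: aggregate what the registration authorities assert, key it on the agreed persistent identifier, and diff the result against each target. The following Python is an added illustration of that loop, not code from the presentation or from Dell ONE; the feed layouts, the `pid` identifier name, the group-naming scheme and the target snapshot are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample feeds (not real TAMU data). Each registration
# authority delivers its own record shape; "pid" is the persistent unique
# identifier the stakeholders agreed on and is the only join key used.
HR_FEED = [
    {"pid": "100001", "first": "Ada", "last": "Lovelace", "dept": "MATH", "status": "active"},
    {"pid": "100002", "first": "Alan", "last": "Turing", "dept": "CSCE", "status": "terminated"},
]
STUDENT_FEED = [
    {"pid": "100001", "name": "Ada Lovelace", "major": "MATH", "enrolled": True},
    {"pid": "100003", "name": "Grace Hopper", "major": "CSCE", "enrolled": True},
]
# Constructed snapshot of a target directory: pid -> groups it currently holds.
# 100009 has no source record at all and is treated as an orphan account.
TARGET_SNAPSHOT = {
    "100001": {"groups": {"dept-math"}},
    "100002": {"groups": {"dept-csce"}},
    "100009": {"groups": set()},
}


@dataclass
class Identity:
    pid: str
    display_name: str
    affiliations: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def aggregate(hr_feed, student_feed):
    """Merge the feeds into one Identity per pid. Affiliations and groups are
    the union of what each source asserts, so one person can be both an
    active employee and an enrolled student without a duplicate identity."""
    store = {}

    def identity_for(pid, name):
        if pid not in store:
            store[pid] = Identity(pid=pid, display_name=name)
        return store[pid]

    for rec in hr_feed:
        ident = identity_for(rec["pid"], f'{rec["first"]} {rec["last"]}')
        if rec["status"] == "active":          # terminated staff keep no affiliation
            ident.affiliations.add("employee")
            ident.groups.add(f'dept-{rec["dept"].lower()}')
    for rec in student_feed:
        ident = identity_for(rec["pid"], rec["name"])
        if rec["enrolled"]:
            ident.affiliations.add("student")
            ident.groups.add(f'major-{rec["major"].lower()}')
    return store


def reconcile(store, target):
    """Diff the identity store against a target directory snapshot and return
    the ordered actions needed: provision new accounts, update group
    membership, and deprovision identities with no remaining affiliation
    as well as target accounts that no source knows about."""
    actions = []
    for pid, ident in sorted(store.items()):
        if not ident.affiliations:
            if pid in target:
                actions.append(("deprovision", pid, None))
            continue
        if pid not in target:
            actions.append(("provision", pid, sorted(ident.groups)))
            continue
        current = target[pid]["groups"]
        added, removed = sorted(ident.groups - current), sorted(current - ident.groups)
        if added or removed:
            actions.append(("update", pid, {"add": added, "remove": removed}))
    for pid in sorted(set(target) - set(store)):   # orphans: present only in the target
        actions.append(("deprovision", pid, None))
    return actions


def run_reconciliation_example():
    """Aggregate the constructed feeds and reconcile them against the snapshot."""
    return reconcile(aggregate(HR_FEED, STUDENT_FEED), TARGET_SNAPSHOT)


if __name__ == "__main__":
    for action in run_reconciliation_example():
        print(action)
```

Two choices carry the security weight: a person whose every source affiliation has lapsed is deprovisioned rather than left as a dormant account, and an account that exists only in the target is flagged as an orphan, which is the failure mode that "indirectly provisioning dozens of targets through data feeds and uploads" tends to produce.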
Crawl, Walk, Run, Run, Sprint
• 16 years of Identity and Access Management
infrastructure doesn’t turn on a dime
• But we have an extremely aggressive schedule
– Kickoff in January
– Dev installation complete by end of February
– Model data aggregation by end of April
– Parallel loading of Identity Store by end of June
– Manage TAMU IT “dev” directories by end of
July
– Current provisioning/deprovisioning replaced by
end of September
Uncharted Territory
• When the process of aggregating identity data
and reflecting that into TAMU IT directories is
complete, it isn’t quite “home free”
– Migrate TAMU IT customer-facing services
(https://gateway.tamu.edu) into the Dell ONE
portal
– Migrate web services to Dell ONE native
services or re-factor
But hopefully in parallel
• Dell ONE delegation for provisioning federated
Active Directories
– Provide major organizational units access to
Identity data for the purposes of:
• Minimizing the number of credentials our
customers have to manage
• Expanding the umbrella of compliance
• Improving the security posture of the entire
organization
– Campus member access also means improving
the Identity Store by exposing group
functionality
Data Governance Module
• The Dell ONE Data Governance module offers
– Self-service requests for access to participating
Active Directory file and resource shares
– Includes audit trails for specific resources
– And audits of resources for individuals
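What the governance module is selling is the combination of owner-gated approval with an audit trail that can be read along either axis: everything that happened to one share, or everything one individual requested, was granted or lost. The Python below is an added sketch of that design, not Dell ONE's code; the resource names, owners and people are constructed, and the event names are chosen for the example.

```python
from datetime import datetime, timezone


class AccessRequestLedger:
    """Self-service access requests for resource shares. Every request,
    decision and revocation is appended to an audit trail, which can then be
    read per resource (who touched this share) or per person (what does
    this individual hold and who approved it)."""

    def __init__(self, owners):
        self.owners = owners   # resource -> data owner allowed to approve it
        self.grants = {}       # resource -> set of principals holding access
        self.trail = []        # append-only list of audit events

    def _record(self, event, resource, principal, actor):
        self.trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "resource": resource,
            "principal": principal,
            "actor": actor,
        })

    def request(self, principal, resource):
        if resource not in self.owners:
            raise KeyError(f"unknown resource: {resource}")
        self._record("requested", resource, principal, principal)

    def decide(self, approver, principal, resource, approve):
        """Only the registered data owner may decide; a decision attempted by
        anyone else is refused, and the attempt itself is audited."""
        if self.owners.get(resource) != approver:
            self._record("refused-unauthorized-approver", resource, principal, approver)
            return False
        if approve:
            self.grants.setdefault(resource, set()).add(principal)
            self._record("approved", resource, principal, approver)
        else:
            self._record("denied", resource, principal, approver)
        return approve

    def revoke(self, actor, principal, resource):
        self.grants.get(resource, set()).discard(principal)
        self._record("revoked", resource, principal, actor)

    def holders(self, resource):
        return sorted(self.grants.get(resource, set()))

    def audit_resource(self, resource):
        """Audit trail for a specific resource."""
        return [e for e in self.trail if e["resource"] == resource]

    def audit_principal(self, principal):
        """Audit of resources for an individual."""
        return [e for e in self.trail if e["principal"] == principal]


def run_ledger_example():
    """Constructed scenario: two shares with one owner each, a request that
    the wrong owner tries to approve before the right one does, a denied
    request, and a grant that is later revoked."""
    ledger = AccessRequestLedger({"fin-share": "fin-owner", "hr-share": "hr-owner"})
    ledger.request("alice", "fin-share")
    ledger.decide("hr-owner", "alice", "fin-share", approve=True)   # refused: not the owner
    ledger.decide("fin-owner", "alice", "fin-share", approve=True)
    ledger.request("bob", "fin-share")
    ledger.decide("fin-owner", "bob", "fin-share", approve=False)
    ledger.request("alice", "hr-share")
    ledger.decide("hr-owner", "alice", "hr-share", approve=True)
    ledger.revoke("hr-owner", "alice", "hr-share")
    return ledger


if __name__ == "__main__":
    for event in run_ledger_example().audit_principal("alice"):
        print(event["event"], event["resource"], "by", event["actor"])
```

The trail records refused approvals as well as successful ones, so a review of a share shows not only who holds access but who tried to hand it out without the authority to do so.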
Cloud Access Manager
• CAS and Shibboleth have been great but have
limitations
– Sharepoint’s non-standard SAML
implementation
– Applications requiring complex response
transforms (data or protocol)
• An opportunity to make central credential
management (expiry, security) available to new
categories of applications
• Social identities for low assurance populations
But Buyer Beware
• The history of Identity and Access program
migrations is littered with failures
• It is not possible to vet, in advance, every use
case
• It will be at least six months before any
meaningful conversations about community
opportunities can happen
Questions?
Or feel free to email me at tgolson_at_tamu.edu