Identity and Access Management (IAM): What’s in it for Me?
NC State University - Computer Security Day, October 26, 2009
Mark Scheible, Manager, Identity & Access Management, Security & Compliance, Office of Information Technology
mark_scheible@ncsu.edu
http://oit.ncsu.edu/iam
Identity and Access Management is … What?
• “Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – Educause IdM Working Group
• Major operational areas of interest include:
  • Credentialing – the issuing of a “username and password” for authentication purposes
  • Identity Vetting & Proofing – making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and ensuring a credential is issued to the appropriate person
  • Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”)
  • Authentication Services – used to authenticate someone (think “login”)
  • Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are or their membership in a group
Identity and Access Management at NC State University …
The IAM Initiative is a campus-wide collaborative effort to improve the overall infrastructure used to authenticate users and provide access (authorization) to campus resources. It involves the secure storage and access of student, faculty, staff, affiliate and guest identity data and the use of federated identities for access to both internal and external resources.
• The IAM Objectives (from the IAM Charter) are:
  • Create and implement a cohesive Identity and Access Management Roadmap
  • Provide leadership in the definition, protection and use of identity data for Students, Employees, Affiliates and Guests of the University
  • Simplify and enhance the campus authentication infrastructure
  • Enable secure, reliable access to campus resources and services for the NC State community that is easily maintained through the use of roles and group membership
  • Implement an Enterprise Directory Service for campus to provide a single, secure location for commonly accessed authoritative user and resource data
  • Enable and support the use of federated identity management for campus
  • Reduce overall administrative costs and ensure effectiveness and adaptability of IAM services
IAM and Admissions at NC State … (in the near future)
A New Student Identity and Identity-Proofing …
• Jennifer, whose mother is an NC State alumna, applies through the NC State Admissions portal (wolfPAW) and is issued a wolfPAW ID and password.
• After going through the admissions process, she is accepted to the university and receives her UnityID (a non-name-based combination of letters and numbers) and password online. She signs up for an Orientation session and arrives on campus with her parents during the summer.
• When she goes to get her Student ID (All Campus Card), she’s asked to show a government-issued photo ID and produces her NC driver’s license. The person at the desk checks her ID and matches the name to her student record. She then has her picture taken (which is uploaded to her student record) and is asked to change her Unity account password and fill in her UIA questions.
A New Student Identity and Identity-Proofing … continued
• Jennifer asks why she needs to do this and is told that, for the security of her student records and future transactions, this is the point at which the university is sure that she is the only person that has access to her account. When Jennifer completes this task, the time and date of the password change is recorded and a “level of assurance” field is updated in her student record.
• When Jennifer completes this update, the application “asks” whether she wants to create a “parent” account to have access to her student financial record (to pay bills), her class schedule and/or her grades.
• Jennifer decides to create an account for her mother to access all of the above options and enters her mother’s email address. She decides to wait on creating an account for her father (he’s a Carolina alum) until she thinks about whether or not to give him access to her grades, and exits the application.
IAM and Account Provisioning (near future?) …
• Patrick has just been offered a position by the university and, after accepting the offer, his HR record is updated to show his affiliation with the university is no longer “applicant” but “staff”, with an effective start date.
• The account credential he has been using to access the NC State job site consists of his personal email address (patrick82@yoohoo.com) and a password. He receives an email at this address with his new UnityID and directions on how to access the NCSU initial password page to pick a password and select his challenge/response (UIA) questions.
IAM and Account Provisioning (near future?) … continued
• On the effective date of his employment a process is “triggered” to move his login account from the NC State “Guest Authentication System” to the university authentication system, which contains active students, employees and “tightly affiliated” community members (e.g. federally paid employees, research assistants, contractors, visiting scholars, etc.).
• At the same time, a “university email account” is created for him and selected directory information (name, department and phone number) is referenced from the campus Enterprise Directory Service that contains all his identity information. Predefined distribution lists are also populated with Patrick’s name and email address.
• When Patrick shows up the next morning, he logs in to his desktop device using his new UnityID and recently changed password and has access to email and all the campus applications he needs on his first day.
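The effective-date trigger described in the two provisioning slides, written out as an added Python example (this is not NC State code and not part of the original presentation). It assumes a simplified HR record with an affiliation and effective date, a two-realm account state (guest vs. university authentication), a placeholder email domain and a constructed department-to-distribution-list table; the point it makes is that provisioning is driven by the authoritative HR record and date, runs only once per change (it is idempotent), and does nothing at all until the effective date arrives.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# The two authentication realms named on the slides.
GUEST_REALM = "guest-authentication"
UNIVERSITY_REALM = "university-authentication"

# Constructed mapping of department -> predefined distribution lists (assumption).
DEPARTMENT_LISTS = {
    "physics": {"all-staff", "physics-staff"},
    "oit": {"all-staff", "oit-staff"},
}

@dataclass
class HrRecord:
    """Simplified system-of-record entry: HR is authoritative for affiliation and start date."""
    unity_id: str
    name: str
    affiliation: str               # "applicant" until the offer is accepted, then "staff"
    effective_date: Optional[date]
    department: str
    phone: str

@dataclass
class AccountState:
    """What the provisioning process owns for this person."""
    realm: str = GUEST_REALM
    email: Optional[str] = None
    directory_entry: Dict[str, str] = field(default_factory=dict)
    distribution_lists: Set[str] = field(default_factory=set)

def provision(record: HrRecord, state: AccountState, today: date) -> List[str]:
    """Apply the effective-date trigger. Returns the actions taken; safe to run daily."""
    actions: List[str] = []
    # Nothing happens before the start date or while the person is still an applicant.
    if record.affiliation != "staff" or record.effective_date is None or today < record.effective_date:
        return actions
    if state.realm != UNIVERSITY_REALM:
        state.realm = UNIVERSITY_REALM
        actions.append("moved login account from guest to university authentication")
    if state.email is None:
        state.email = f"{record.unity_id}@ncsu.example"   # placeholder domain (constructed)
        actions.append("created university email account")
    # Only the selected directory attributes are copied; everything else stays in the directory.
    entry = {"name": record.name, "department": record.department, "phone": record.phone}
    if state.directory_entry != entry:
        state.directory_entry = entry
        actions.append("refreshed directory entry from Enterprise Directory Service")
    wanted = DEPARTMENT_LISTS.get(record.department, set())
    missing = wanted - state.distribution_lists
    if missing:
        state.distribution_lists |= missing
        actions.append(f"added to distribution lists {sorted(missing)}")
    return actions

def run_patrick_scenario():
    """Constructed walk-through: day before start, start date, and the day after."""
    record = HrRecord("pxsmith", "Patrick Smith", "staff", date(2009, 11, 2), "physics", "919-555-0100")
    state = AccountState()
    before = provision(record, state, date(2009, 11, 1))
    on_date = provision(record, state, date(2009, 11, 2))
    after = provision(record, state, date(2009, 11, 3))
    return before, on_date, after, state

if __name__ == "__main__":
    for label, actions in zip(("before", "on date", "after"), run_patrick_scenario()[:3]):
        print(label, actions)
```

Running the scenario shows an empty action list the day before the start date, the four provisioning actions on the effective date, and an empty list again the day after, because every step checks current state before acting.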
Enterprise Directory Services - huh? …
• A “single” directory of user identity data
• Populated by authoritative sources (Systems of Record)
• The data is consumed by applications and authorization services
• Data is as close to the source as possible – no “aged” data
• Eliminates the need for many extracts that need to be updated
• The data elements (attributes) contained in the Enterprise Directory Service are based on what’s needed by the data consumers
• Common users of the data:
  • Campus “Find People” directory
  • Shibboleth Service Providers (SPs)
  • Departmental Applications
Group and Role Management …
• Sandra is a web developer for PAMS and is setting up a front end to a new application for the Physics Department. She has instructions to restrict the application to members of the department or students taking Physics classes.
• She installs the kit for Shibboleth on her web server and configures it to check authenticated employees for a department attribute of “physics” and also looks for “students” (a value in the affiliation attribute) with an entitlement attribute containing the value “member of PHYxxx”. If she gets a value match on either of these attributes the user is passed along to the application.
• Jim is working on the helpdesk and needs to look up a user to check their account information. He accesses a web app that references his role attributes looking for “helpdesk”. After finding a match it automatically passes him through to the user lookup application.
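The two attribute-based access rules on this slide (Sandra’s Physics application and Jim’s helpdesk lookup), expressed as an added Python example rather than anything from the presentation or from Shibboleth itself. It assumes the application receives the attributes the Shibboleth SP released after login as a dictionary of name to string, with multi-valued attributes joined by “;” (an assumption of this example), that the course entitlement takes the form “member of PHY” followed by three digits (the slide only says “PHYxxx”), and that the sample users are constructed. The rule combinators are deliberately general so the same evaluator serves both applications, and a missing attribute always evaluates to deny.

```python
import re
from typing import Callable, Dict, List

# Attribute sets as the SP might hand them to the application (constructed samples).
# Multi-valued attributes are assumed to arrive joined with ";".
SAMPLE_USERS: Dict[str, Dict[str, str]] = {
    "physics-faculty": {"affiliation": "employee;member", "department": "Physics"},
    "physics-student": {"affiliation": "student;member",
                        "entitlement": "member of PHY205;member of MA141"},
    "history-student": {"affiliation": "student;member", "entitlement": "member of HI251"},
    "helpdesk-staff": {"affiliation": "staff;member", "department": "oit", "role": "helpdesk;user"},
    "no-attributes": {},   # authenticated, but the SP released nothing usable
}

Rule = Callable[[Dict[str, str]], bool]

def split_values(attrs: Dict[str, str], name: str) -> List[str]:
    """Split a multi-valued attribute; a missing attribute yields an empty list (deny by default)."""
    return [v.strip() for v in attrs.get(name, "").split(";") if v.strip()]

def has_value(name: str, value: str) -> Rule:
    """True if the attribute contains the value (case-insensitive, e.g. 'physics' vs 'Physics')."""
    wanted = value.lower()
    return lambda attrs: wanted in (v.lower() for v in split_values(attrs, name))

def has_value_matching(name: str, pattern: str) -> Rule:
    """True if any value of the attribute fully matches the regular expression."""
    regex = re.compile(pattern)
    return lambda attrs: any(regex.fullmatch(v) for v in split_values(attrs, name))

def all_of(*rules: Rule) -> Rule:
    return lambda attrs: all(rule(attrs) for rule in rules)

def any_of(*rules: Rule) -> Rule:
    return lambda attrs: any(rule(attrs) for rule in rules)

# Sandra's rule: department members OR students with a Physics course entitlement.
PHYSICS_APP_POLICY: Rule = any_of(
    has_value("department", "physics"),
    all_of(
        has_value("affiliation", "student"),
        has_value_matching("entitlement", r"member of PHY\d{3}"),   # "PHYxxx" on the slide
    ),
)

# Jim's rule: the role attribute must carry "helpdesk".
HELPDESK_POLICY: Rule = has_value("role", "helpdesk")

def is_authorized(policy: Rule, attrs: Dict[str, str]) -> bool:
    """Evaluate a policy against released attributes; anything not explicitly allowed is denied."""
    return bool(policy(attrs))

def decisions(policy: Rule) -> Dict[str, bool]:
    """Evaluate one policy for every sample user (used for the demo and the checks)."""
    return {user: is_authorized(policy, attrs) for user, attrs in SAMPLE_USERS.items()}

if __name__ == "__main__":
    for name, policy in (("physics app", PHYSICS_APP_POLICY), ("helpdesk lookup", HELPDESK_POLICY)):
        print(name, decisions(policy))
```

Because the rules only read attributes the identity provider asserted, the application never stores its own copy of who is in the department or enrolled in a course; when the directory changes, the next login picks up the new values, which is the point of consuming directory data rather than maintaining extracts.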
Federated Identity Management (FIM) and Shibboleth …
• Mark brings up his browser and connects to the MyPack Portal. He’s redirected to the campus login page for Shibboleth and enters his UnityID and password.
• He then visits an external wiki where he collaborates with peers from other universities and is automatically logged into the site with his NC State credential.
• After reviewing some documents at the wiki site, he connects to his Google Apps account – again without needing to log in – and updates a document with information from the wiki …
Pop Quiz …
1. How many slides are in this presentation?
2. What does IAM stand for?
3. What critical connection does ID-Proofing provide?
4. Why should you care “who” is using your UnityID?
5. Where does the data in an Enterprise Directory come from?
6. What are the benefits of having an identity federation?
7. What does OIT stand for?
8. Name a key “affiliation group” that was mentioned in one of the slides
Your Turn … Questions?