1 / 16

A Case for Collaborative Identity Management in a Complex Decentralized Environment

This article explores the need for collaborative identity management in a complex decentralized environment, discussing shared secrets, shared vision, shared governance, and shared technologies. It highlights the importance of a life-cycle approach, reusable infrastructure, and governance needs. The case study focuses on student identity life cycle management, addressing business challenges and providing solutions for fast, reliable, and secure conveyance of ID and password, seamless transitions, and online access to services.

ldevin
Télécharger la présentation

A Case for Collaborative Identity Management in a Complex Decentralized Environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Case for Collaborative Identity Management in a Complex Decentralized Environment Andrea Beesing Assistant Director, IT Security and David Yeh Assistant Vice President and University Registrar

  2. Shared Secrets, Shared Vision, Shared Governance, Shared Technologies • Life-cycle: A Shared Vision • Policies and practices • Reusable and scalable infrastructure and tools • Governance Needs Everyone – not just an IT concern

  3. A Life Cycle Point of View • High school to Undergraduate to Alumni to Graduate to Employee and Friends • > 100,000 applicants • > 350,000 alumni, friends, guests! • Around-the-world sites – Ithaca, NY; New York City, and Washington, D.C. Doha, Qatar, Singapore, Beijing; Paris, France; Rome, Italy; Seville, Spain; London, England; Dublin, Ireland; and Geneva, Switzerland and Geneva, NY, and others. • Around-the-world connecting points – faculty collaborators; students, employees, alumni, parents

  4. Simplify connecting people in our community • Provide access for the right people to the right information, anytime, any place • Process entry and access to information services, securely and efficiently • Connecting from the very beginning

  5. Link people and services – Anytime, Anywhere, Securely • Adopting commonly developed technology tools – Shibboleth, InCommon – Grouper, Signet, Federated IdM • Inter-institution collaboration – faculty research, document transmission, international exchange and study abroad • Business partners – Inter-Library Services (ILIAD), National Student Clearinghouse, Law School Admissions Council (LSAC), Veterinary Medical College Application Service (VMCAS), American Medical School Application Service (AMCAS), CollegeBoard, Educational Testing Service, and others

  6. Improve management of risk • Provide appropriate level of access into transactional systems • Facilities and other resource access • Protect university and college reputation

  7. Reusable and Extendable Tools • Provision identity from the beginning • Common policies and procedures • Reusing best practices and technologies

  8. Use Case: Student Identity Life Cycle

  9. Identity Management goals for student services • “Instant” onboarding • Establish applicant/student relationship with Cornell as early as possible • No lines on day 1 for students • Replace paper-based, manual processes with online self-service options • Improve user experience when accessing services • Across Cornell administrative units and colleges • Across institutional boundaries • Protect security and privacy

  10. Infrastructure in support of these goals Data Stewardship and Custodianship Information Security of Institutional Data Policy Access to Student Information Authentication of IT Resources Ensuring students have ready access to information and resources they are entitled to Account management Federation Infrastructure Organization Authentication Authorization & Access Mgmt Data access standards Business process Technology Provisioning Identification and registration Training and awareness Directory Services Governance

  11. 5 Alumnus 4 Student Deposited applicant 3 Accepted applicant 2 1 Applicant Student identity life cycle Business Challenges • Delivery of ID and initial password • Service entitlements at each step • Data access decisions at each step • Seamless transition from one step to the other • Correct handling of people with multiple relationships • Anticipating future business needs such as federated access to services • Understanding where business process and organizational changes are needed • Building awareness among staff with the need to know

  12. Business needs Fast, cost-effective, reliable way of conveying ID and password Ease of transition from applicant to student Online access to application status and financial aid award Online access to other services in future anticipated Players Director of Admissions University Registrar IT Security Director Data Steward Identity Management IT staff Business decisions Use centrally-issued ID which can be used for multiple applications NetID reserved for community members and is for life ApplicantID is unique, but temporary Applicants can only access information about the status of the application until risk concerns associated with delivery method addressed Consider change in business process to require applicants to answer security questions during application process Begin exercise to map constituent groups to service entitlements Applicant onboarding: business view

  13. Security considerations NetID as “gold” standard, implications for federated access Clear-text passwords via email represents risk Resetting forgotten passwords for this large a group in remote locations Service providers require means to authorize applicants for access IT implementation Create applicantID in separate Kerberos database (realm) Issue one-time activation code in lieu of password Create self-service application for activating and managing applicantID Create applicant permit (group) and make available to campus service providers for read-only access Provide campus service providers with mechanism for creating their own groups “Reserve” NetID through naming convention of applicantID Applicant onboarding: IT implementation

  14. Business needs Student gets NetID as soon as deposit paid and has access to student services Student must be aware of IT policies and their responsibilities before accessing services Players College student services staff University Registrar’s staff IT Security Director IT Policy Director Faculty Advisory Group Identity Management IT staff Business decisions Require each student to take an online tutorial and quiz to introduce policies and network citizenship Deliver NetID in US mail until risk concerns adequately addressed Student onboarding: business view

  15. Delivering online student services in a distributed environment Intra-campus online services Identity repositories Inter-campus online services External partners PeopleSoft LDAP directory Authentication Authorization Federation Infrastructure InCommon Shibboleth Single sign-on with NetID rfc32 for all services Kerberos CUWebLogin Radius Active Directory Permit Server Grouper Signet ILiad Policy and business process

  16. Delivering online services to all Cornell users Intra-campus online services Identity repositories Inter-campus online services External partners PeopleSoft LDAP directory Authentication Authorization Federation Infrastructure InCommon Shibboleth Kerberos CUWebLogin Radius Active Directory Permit Server Grouper Signet Single sign-on with NetID for all services ILiad Policy and business process

More Related