Jane Hill Directory Services Product Manager, Harvard University

1. Jane Hill Directory Services Product Manager, Harvard University

2. Identity Infrastructure Is “In” • Privacy and security concerns have increased focus on digital identity and allowable use • Policy discussions are actually moving and are involving business and IT • Of course, it mattered all along, but more people seem to grasp the strategic importance and potential exposures

3. Progress with Policy • No formal enterprise data administration committee now but policies have been collected at security.harvard.edu • Led by Scott Bradner, University Information Security Officer • Work is ongoing • Departments and schools are appreciative of the guidance

4. Recent Focus on FERPA • Interpreting FERPA in context of the online classroom • Concern that students should not be forced to remove FERPA block in order to have a fully-functional online instructional experience • Course tools and online community tools (like iSites) present challenges

5. Example Policy Clarification • Online classroom and FERPA: online environment can mimic physical classroom • Officially registered students and instructional staff can see the name, email and image of the course participants • Students are cautioned that FERPA does not pertain in online classroom (e.g. in an online discussion group, email will be visible)

6. Too Much of a Good Thing? • Using our privacy system, users can opt out of whitepages, data element by element • But using these privacy preferences beyond whitepages causes issues • Example: If I am adding a user to a website, and type her in by email or HUID, and I can only return name for validation if individual is non-private, how do I add the private person as a user? • Move to invitation/opt-in mechanism? • Should public sites work differently? • If website administrators are also students, does that change what we can let them do? • Application privacy preference, or enterprise privacy preference?

7. What Is Feasible Today? • We believe we can flip the current security model with regard to users • Analyze the user and their role, rather than a list of users • What is right balance between federation and storing as enterprise data? • Aggregate the user data, or use virtual approach? • Federate or take on the process of collecting? • What do we really need to own? • Will virtual repositories work? • Will source system owners accept that approach?

8. On Our Mind • If we can store role at right level of detail will we be able to: • eliminate the need for applications to have their own copy of people data? • provide access to resources based on policy rather than user-driven requests? • Will enterprise applications expect IdM infrastructure to exist and start deemphasizing proprietary application security?

9. Our IdM Project • Engaging business and technology sides in design • Perpetual communication required around strategic importance and urgency • Less custom code; use vendor tools and let them keep up with standards • Ask hard questions like “what do we really need to store?” • Can we use virtual repositories? • Aggregate or federate across domains?

10. Improve Data Foundation • Replace overburdened ID card system with loosely coupled, well defined systems • Identity database components: • Identity management • Uniquely identify people (one ID for life) • Status and role • Common data • Address, phones and email • Extended data about roles • Additional authorization and access management • New processes? • Coping with provisioning the incoming employee • What kind of ID do we give people? Who performs the ID’ing?

11. Jane Hill, Directory Services jane_hill@harvard.edu Kishan Mallur, IT Infrastructure Services kishan_mallur@harvard.edu Scott Bradner, University Information Security Officer sob@harvard.edu