The Challenges of Creating an Identity Management Infrastructure for the University of California • David Walker and Karl Heins • Office of the President, University of California
Overview • The Environment • UCTrust • Stakeholders and Changing Roles
The University of California • Ten campuses, three national labs, five medical centers • Most operational responsibilities on campuses • Payroll, Student Information, etc. • Each campus does its own identity management • A few services are central • Employee self-service and benefits • Most licensed library materials • Multi-campus collaborations
A (Secure) Online Environment • Academic • Library • Course Management • Federal agencies • Administrative • Travel • Employee Training • Personal • Employee Benefits
At Your Service Online (AYSO) • UC's centrally-operated employee self-service application to manage tax withholding, retirement benefits, etc. • Potentially controls hundreds of thousands of dollars of an employee's funds • Requires • High level of identity assurance • Help desk coordination • Coordinated log management for investigations • Legal and fiduciary compliance
What is the problem? • Identity is application-centric • Access is not removed in a timely manner when people leave the organization • Difficult to terminate an individual's access to all systems when needed • Security of ID and password controls varies from application to application • Users must maintain multiple passwords • Each application must design, build and maintain its own identity management infrastructure
What Do We Need? • Trustworthy exchange of identity attributes • Trustworthy identity attributes • In general, a trust environment • Service Providers trust Identity Providers to provide correct identity information • Identity Providers trust Service Providers not to misuse information they receive • Community Members trust Identity Providers not to reveal information inappropriately and Service Providers not to misuse that information
UCTrust • Establishes global requirements to facilitate system-wide agreements. • Creates trust in identity attributes through policy. • Policy controls the creation and release of information • Technology enforces that policy • Technology ensures secure transit of identity attributes • Extends InCommon with multiple levels of assurance
UCTrust Requirements • Identity Providers must provide authoritative and accurate attribute assertions • Identity Providers must have practices that meet minimum standards for • establishing electronic credentials and • maintaining individual identity information • Service Providers receiving individual identity attributes must ensure their protection and respect the privacy constraints defined by the campus
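The trust environment of the three preceding slides (Identity Providers asserting accurate attributes, policy deciding what is released to which Service Provider, technology enforcing that policy and protecting the attributes in transit, and Service Providers requiring a level of assurance appropriate to the application), worked as a small constructed model. This is an added example, not code from UC, UCTrust or InCommon: the SP names, attribute set, assurance labels ("basic"/"high"), the campus directory contents and the HMAC-based signature are all assumptions for illustration. A real federation exchanges SAML assertions signed with the IdP's key pair over TLS, which is the job Shibboleth and InCommon metadata do in practice.

```python
"""Toy model of a UCTrust-style federation: the campus IdP applies a release
policy, signs the assertion and tags it with a level of assurance; the SP
verifies signature, audience and freshness, then enforces the assurance level
it requires.  Constructed illustration, not UC/UCTrust/InCommon code; the HMAC
'signature', SP names, attributes and assurance labels are assumptions."""
import hashlib, hmac, json, time

# Federation metadata (constructed): what each SP may receive and the minimum
# assurance it needs.  AYSO handles benefits and tax data, so it is the
# high-assurance case; a library proxy only needs an affiliation.
FEDERATION = {
    "ayso": {"allowed_attrs": {"eduPersonPrincipalName", "employeeNumber", "mail"},
             "min_assurance": 2},
    "library-proxy": {"allowed_attrs": {"eduPersonScopedAffiliation"},
                      "min_assurance": 1},
}
ASSURANCE_RANK = {"basic": 1, "high": 2}  # assumed labels, low to high


class IdentityProvider:
    """Campus IdP: authoritative source of attributes; enforces the release policy."""

    def __init__(self, key, directory):
        self._key = key              # assumption: shared HMAC key stands in for a signing key pair
        self._directory = directory  # campus identity store keyed by eduPersonPrincipalName

    def build_assertion(self, eppn, sp_id, now=None):
        """Return a signed assertion for sp_id, or None if nothing may be released."""
        rec = self._directory.get(eppn)
        if rec is None or not rec["active"]:
            return None  # separated people get nothing: deprovision once, at the IdP
        sp = FEDERATION.get(sp_id)
        if sp is None:
            return None  # unknown SP: release policy defaults to releasing nothing
        attrs = {k: v for k, v in rec["attrs"].items() if k in sp["allowed_attrs"]}
        payload = {"subject": eppn, "audience": sp_id, "assurance": rec["assurance"],
                   "issued": time.time() if now is None else now, "attrs": attrs}
        body = json.dumps(payload, sort_keys=True)
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "sig": sig})


class ServiceProvider:
    """SP: trusts the IdP's signature, but still checks what the assertion says."""

    def __init__(self, sp_id, idp_key, max_age=300.0):
        self.sp_id, self._idp_key, self._max_age = sp_id, idp_key, max_age

    def accept(self, assertion, now=None):
        """Verify the assertion and return the released attributes, or raise ValueError."""
        env = json.loads(assertion)
        expected = hmac.new(self._idp_key, env["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["sig"]):
            raise ValueError("signature check failed")
        payload = json.loads(env["body"])
        if payload["audience"] != self.sp_id:
            raise ValueError("assertion was issued for another SP")
        if (time.time() if now is None else now) - payload["issued"] > self._max_age:
            raise ValueError("assertion too old")
        if ASSURANCE_RANK.get(payload["assurance"], 0) < FEDERATION[self.sp_id]["min_assurance"]:
            raise ValueError("assurance level below what this SP requires")
        return payload["attrs"]


def run_scenarios():
    """Run the model against a constructed campus directory; returns outcomes by case."""
    key = b"constructed-demo-key"
    directory = {  # constructed records; carol has left the university
        "alice@campus.example": {"active": True, "assurance": "high", "attrs": {
            "eduPersonPrincipalName": "alice@campus.example", "employeeNumber": "100001",
            "mail": "alice@campus.example", "eduPersonScopedAffiliation": "staff@campus.example"}},
        "bob@campus.example": {"active": True, "assurance": "basic", "attrs": {
            "eduPersonPrincipalName": "bob@campus.example", "employeeNumber": "100002",
            "mail": "bob@campus.example", "eduPersonScopedAffiliation": "student@campus.example"}},
        "carol@campus.example": {"active": False, "assurance": "high", "attrs": {
            "eduPersonPrincipalName": "carol@campus.example", "employeeNumber": "100003"}},
    }
    idp = IdentityProvider(key, directory)
    ayso, library = ServiceProvider("ayso", key), ServiceProvider("library-proxy", key)
    t0 = 1_700_000_000.0

    def attempt(sp, eppn, assertion=None, now=t0):
        if assertion is None:
            assertion = idp.build_assertion(eppn, sp.sp_id, now=t0)
        if assertion is None:
            return "no assertion issued"
        try:
            return sp.accept(assertion, now=now)
        except ValueError as err:
            return "rejected: " + str(err)

    results = {
        "alice_ayso": attempt(ayso, "alice@campus.example"),        # high assurance, scoped attrs
        "alice_library": attempt(library, "alice@campus.example"),  # only the affiliation released
        "bob_ayso": attempt(ayso, "bob@campus.example"),            # basic assurance, rejected
        "carol_ayso": attempt(ayso, "carol@campus.example"),        # separated, nothing issued
        "replay": attempt(ayso, "alice@campus.example",             # library assertion shown to AYSO
                          assertion=idp.build_assertion("alice@campus.example", "library-proxy", now=t0)),
        "stale": attempt(ayso, "alice@campus.example", now=t0 + 3600),
    }
    forged = json.loads(idp.build_assertion("bob@campus.example", "ayso", now=t0))
    forged["body"] = forged["body"].replace('"basic"', '"high"')  # raise assurance in transit
    results["tampered"] = attempt(ayso, "bob@campus.example", assertion=json.dumps(forged))
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:14s} -> {outcome}")
```

Two things the model makes visible that the slides only state. First, the attribute filter lives at the IdP, so the policy ("release only what this SP needs") is enforced once rather than trusted to each application, and deactivating a record in the campus directory cuts off every federated service at once. Second, the SP's trust in the IdP is technically checkable (signature, audience, age, assurance level), but the IdP's trust that the SP will not misuse what it receives is not: nothing in the SP code can prove good behaviour, which is why the slides back that direction of trust with policy, governance and audit rather than technology.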
Governance • IT Leadership Council (ITLC) • The body of campus CIOs • Provides oversight and conflict resolution • UCTrust Work Group • Composed of campus Identity Providers, Service Providers, UCTrust Administration, UCOP • Manages operational policies and procedures
Many Stakeholders • Application Owners • Identity Providers • CIOs • Academic Senate • Vice Chancellors of Administration • Controllers • Legal Counsel • Consensus requires policy, implementation standards, and creative politics.
Changing Roles and Responsibilities • Service Providers are dependent on Identity Providers • Identity Providers are dependent on Service Providers to protect personal information • Service Providers and Identity Providers are co-dependent for availability, user assistance, problem resolution, security investigation, etc. • End-users have a greater role in the protection of their credentials.
Role of Audit • Participate in the project development, i.e., make sure proper controls are established • Advocate the change to others, because federated ID management is a better-controlled system than per-application identity • Periodic review and validation to provide independent assurance to Identity Providers and Service Providers
Influence to Adopt UCTrust • Trust in the people who manage the new ID system • Agreement from outside experts that this change is the proper course • Passion from the UCTrust team to deliver • Logical reasons for the change