IDM Gov Committee. May 28th 2013
Agenda items
• Intro:
• IAM Landscape in Higher Education Overview (Informational to derive Strategy)
• Sail Point Update:
• Security Issues:
• Pwd Reset Strategy: (Approval Required)
• Guest Expiry: (Approval Required)
• Orphaned CWL Accounts: (Informational to derive Strategy)
• Multi Factor Authentication: (Informational to derive Strategy)
• Policy Questions
IAM Overview
• IAM in Higher Ed continues to mature in 2013, with operational efficiency remaining a key driver of IAM technology adoption and deployment at Higher Education institutions. The landscape continues to demand real-world business justification for IAM initiatives, primarily in reduced support costs and improved process execution. We also continue to note strong Higher Ed interest in enhanced user convenience, improved entitlement governance, and the use of identity assurance and identity access intelligence (IAI) capabilities to address compliance requirements and to prevent and detect fraud. However, these well-established market factors are by no means the only drivers of IAM adoption.
• Mobile communications: The explosive growth in the use of mobile devices, such as smartphones and tablets, in the enterprise, including consumer-owned devices, is probably the most difficult challenge facing IAM professionals today. Its greatest IAM impact is in authentication, with institutions forced to find innovative and effective ways of authenticating identities across a broad range of endpoints, many of them not enterprise-managed.
• Cloud computing: Enterprises continue to be drawn to the cloud and software as a service (SaaS) delivery models for their promised efficiencies and economies of scale. However, they must address the same IAM requirements as for on-premises applications, and their IT management disciplines and technologies continue to be challenged by this evolving technology model. Traditional on-premises IAM software is being extended to support SaaS applications. In addition, the cloud provides a new delivery model for identity as a service (IDaaS). These IDaaS providers combine on-premises "bridge" components and in-the-cloud services to deliver hybrid identity services.
• Social media: The use of social networking, for both business and personal purposes, continues to grow its effects in the enterprise. Educational institutions' interest is increasing with regard to accepting identities created on social media sites for registration and authentication to enterprise systems.
PWD Reset Strategy
• Context: At the IAM Gov Committee on Feb 21st 2013 a PWD reset mandate was approved to enforce yearly pwd resets for all CWL accounts in order to comply with IA and FIPPA. Pending at that committee was a strategy to ensure that not everyone is asked to reset their pwd at the same time, which would place an undue burden on Support Services.
• Approval Required: Starting June 1st, ask users to reset their pwd on the anniversary of their last reset; if said anniversary is > 365 days ago, the reset is to be performed on the anniversary of account creation. Blackout period: 1 week before school starts and three weeks after.
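The scheduling rule above, worked through as an added example (not code from the committee or from UBC IAM): the policy start date, 365-day staleness rule and blackout window are taken from the slide; the school-start date, the account records and the choice to move a blackout collision to the day before the window are assumptions for illustration.

```python
from datetime import date, timedelta

# Policy parameters from the proposal
POLICY_START = date(2013, 6, 1)          # enforcement begins June 1st
MAX_AGE = timedelta(days=365)            # a last reset older than this is stale
BLACKOUT_BEFORE = timedelta(weeks=1)     # no reset prompts 1 week before school starts
BLACKOUT_AFTER = timedelta(weeks=3)      # ... and 3 weeks after


def anniversary(d, year):
    """Same month/day as d in the given year (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=year)
    except ValueError:
        return d.replace(year=year, day=28)


def in_blackout(d, school_start):
    return school_start - BLACKOUT_BEFORE <= d <= school_start + BLACKOUT_AFTER


def next_reset_date(last_reset, created, today, school_start):
    """Date on which the user is prompted to reset.

    Basis is the last reset if it is no more than 365 days old; otherwise
    (stale, or never reset) the account creation date.  The prompt is the next
    anniversary of that basis on/after max(today, POLICY_START).  A prompt that
    lands in the blackout window is moved to the day before the window (an
    earlier reset never breaches the 365-day rule); if that day is already past,
    it is moved to the day after the window instead (assumed handling).
    """
    floor = max(today, POLICY_START)
    fresh = last_reset is not None and today - last_reset <= MAX_AGE
    basis = last_reset if fresh else created
    candidate = anniversary(basis, floor.year)
    if candidate < floor:
        candidate = anniversary(basis, floor.year + 1)
    if in_blackout(candidate, school_start):
        early = school_start - BLACKOUT_BEFORE - timedelta(days=1)
        candidate = early if early >= floor else school_start + BLACKOUT_AFTER + timedelta(days=1)
    return candidate


def schedule(accounts, today, school_start):
    """Map each CWL account to its reset date; anniversaries spread prompts over the year."""
    return {a["cwl"]: next_reset_date(a["last_reset"], a["created"], today, school_start)
            for a in accounts}
```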
Guest Expiry
• Context: Though Sponsored Guests have been set up with an expiry date since the service's inception, expiry has yet to be enforced. This has resulted in a serious security risk, as 31559 expired guests are still active.
• Approval Required: Immediate enforcement of expiry dates, as this expectation has been set both with the end user and the UBC sponsor. We also recommend and propose that expired accounts that are still active be disabled in a staged and controlled manner after attempting to contact the sponsor and end user. A grace period of 2 weeks is suggested. (Timing strategy in next slide)
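The staged, controlled disable proposed above, as an added example (not code from the committee or UBC IAM): the 2-week grace period comes from the slide; the account record layout, the notify/wait/disable states and the sample guests are constructed for illustration.

```python
from datetime import date, timedelta

GRACE = timedelta(weeks=2)   # grace period proposed on the slide


def triage_guest(guest, today):
    """Next action for one sponsored guest account.

    guest: dict with 'id', 'expires' (date), 'active' (bool) and 'notified'
    (date the sponsor and end user were contacted, or None).
    Returns 'ok', 'notify', 'wait' or 'disable'.
    """
    if not guest["active"] or guest["expires"] > today:
        return "ok"        # already disabled, or not yet expired
    if guest["notified"] is None:
        return "notify"    # expired but still active: contact sponsor + user, start the clock
    if today - guest["notified"] < GRACE:
        return "wait"      # inside the 2-week grace period
    return "disable"       # grace exhausted: disable in the next batch


def stage_batches(guests, today, batch_size):
    """Accounts due for disabling, oldest expiry first, split into batches so the
    cleanup is staged and controlled rather than one bulk action."""
    due = sorted((g for g in guests if triage_guest(g, today) == "disable"),
                 key=lambda g: g["expires"])
    ids = [g["id"] for g in due]
    return [ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]


# Constructed sample data (not real UBC accounts); "today" is the meeting date
TODAY = date(2013, 5, 28)
SAMPLE_GUESTS = [
    {"id": "g1", "expires": date(2013, 1, 10), "active": True, "notified": date(2013, 5, 1)},
    {"id": "g2", "expires": date(2013, 3, 3), "active": True, "notified": None},
    {"id": "g3", "expires": date(2013, 7, 1), "active": True, "notified": None},
    {"id": "g4", "expires": date(2012, 11, 20), "active": True, "notified": date(2013, 5, 20)},
    {"id": "g5", "expires": date(2012, 6, 1), "active": False, "notified": None},
    {"id": "g6", "expires": date(2012, 8, 15), "active": True, "notified": date(2013, 4, 30)},
]

if __name__ == "__main__":
    for g in SAMPLE_GUESTS:
        print(g["id"], triage_guest(g, TODAY))
    print(stage_batches(SAMPLE_GUESTS, TODAY, batch_size=1))
```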
Orphaned CWL / Prospective Students
• Prospective students who do not formalize a relationship with UBC represent approx. 19% of CWL accounts and 82% of total orphaned accounts. Risks associated with a large number of orphaned accounts include but are not limited to: compliance, security vulnerability, namespace attrition, operational overhead, etc.
Orphaned CWL / Prospective Students Cont…
• Given the increased risk of said orphaned accounts, created by individuals with whom the University does not end up formalizing a client-consumer relationship, IAM proposes the development of a framework to issue CWL accounts to individuals only once they are either providers of or consumers of an actual UBC service. Prior to that relationship commencing, an alternate lightweight IDP/credential is to be used whenever possible, i.e. ez-recuit’s embedded IDP, social logins, etc.
• Further to said strategy, IAM also proposes the cleanup of orphaned accounts with input from Enrolment Services, SIS, and other key stakeholders.
Multi Factor Authentication (direction approval)
• Gartner has recently identified a set of four key factors influencing enterprise IT decision making today. Three of these converging factors, which they refer to as the "Nexus of Forces," will be crucial to IAM in the coming years. Within a Higher-Ed institution such as UBC, where these technology trends have long been embraced, it is becoming ever more pressing to examine ways to mitigate risk with “Low Friction” solutions.
• IAM is proposing the examination of implementing contextual multi-factor authentication, in order to mitigate risk while maintaining a low-friction user experience.
Policy Questions:
• Q1. Should IDM allow SOR (HRMS/SIS) override for business workflow, or accept SOR status as doctrine and push status correction back to the SOR?
• Context: What the SOR shows an individual's status to be might not be what is happening in reality. An employee might be allowed access to services past their termination date. There may be a delay in paperwork. If an employee moves from one position to another, there may be a cross-over time agreed to by both managers, etc…
Policy Questions:
• Q2. Branding of new IDM solution. Sailpoint IIQ is the vendor product. Is there a branding preference…
Policy Questions:
• Q3. Should IAM allow social login mechanisms?
• Context:
• CAS has the capability to authenticate against social sites that have extended their Password API (Facebook, LinkedIn, Google). It can be customized so as to return to the system owner the result of the authentication query and its context. This allows the system owner to determine whether they choose to accept that type of PWD.
• e.g. Mike Johnson enters into a CAS-enabled application his FACEBOOK account and PWD. The owner has determined that the application has low exposure (scheduling app) and therefore accepts FACEBOOK, and Mike Johnson is allowed through.
• e.g. Sarah Brown enters into a CAS-enabled application her GMAIL account and PWD. The owner has determined that the application has high exposure (scheduling app) and therefore rejects GMAIL, and Sarah Brown is asked instead to use her CWL credentials before she is allowed through.
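The owner-side decision in the two scenarios above, as an added example (not CAS code and not UBC IAM's): it generalizes the slide's accept/reject choice into an assurance ordering (social IdPs below CWL) against a per-application minimum set from the owner's exposure rating. The assurance numbers, the application registry and the shape of the authentication context are assumptions.

```python
# Assumed assurance ordering: social IdPs rank below the institutional CWL credential
ASSURANCE = {"facebook": 1, "linkedin": 1, "google": 1, "cwl": 3}

# Minimum assurance each exposure rating demands (assumed mapping)
MIN_ASSURANCE = {"low": 1, "medium": 2, "high": 3}

# Constructed application registry: the exposure rating is the system owner's call
APP_EXPOSURE = {"room-scheduler": "low", "research-grants": "high"}


def evaluate(app, auth_context):
    """Apply the owner's policy to the result CAS hands back.

    auth_context mirrors what the slide describes: who authenticated, which IdP
    vouched for them and whether that IdP actually said yes.
    Returns ('allow', reason), ('step-up', reason) when the user must come back
    with CWL credentials, or ('deny', reason) for failed or unknown cases.
    """
    if app not in APP_EXPOSURE:
        return "deny", "unregistered application"
    if not auth_context.get("authenticated"):
        return "deny", "IdP did not authenticate the user"
    idp = auth_context.get("idp", "").lower()
    if idp not in ASSURANCE:
        return "deny", f"unknown IdP {idp!r}"
    exposure = APP_EXPOSURE[app]
    if ASSURANCE[idp] >= MIN_ASSURANCE[exposure]:
        return "allow", f"{idp} meets the {exposure}-exposure policy"
    return "step-up", f"{idp} is below the assurance required for {exposure} exposure; use CWL"


if __name__ == "__main__":
    # The slide's two cases, with constructed context records
    print(evaluate("room-scheduler", {"subject": "Mike Johnson", "idp": "Facebook", "authenticated": True}))
    print(evaluate("research-grants", {"subject": "Sarah Brown", "idp": "Google", "authenticated": True}))
```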
Policy Questions:
• Q4. IAM is proposing a move towards auto-assigning an obscured CWL with a user-selected friendly email.
• Context:
• The IAM governance committee approved the auto generation and assignment of CWL. With this reduced namespace it is impractical to assign “good” CWL. This also presents challenges in terms of PII/FIPPA. IAM would like to assign obscure CWL/EAD accounts but allow for sign-on via a correlated and friendly email address.
• User: Jason Macdonald
• CWL: JM56745
• Email: Jmacdonald@ubc.ca (user selected)
• Jason can now sign onto CAS/EAD/ELDAP with jmacdonald@ubc.ca or, if he prefers, JM56745 with the same pwd.