
An IAM Framework for Australian and NZ Higher Education and Research

An insight into the CAUDIT mission and activities, focusing on the IAM framework for data exchange. Learn why IAM is crucial for universities and explore the IAM lifecycle, governance, and key processes involved. Discover the IAM Compendium and its resources for improving identity access management.


Presentation Transcript


  1. An IAM Framework for Australian and NZ Higher Education and Research. Patricia McMillan and Rodney McDuff, The University of Queensland. Presented at TNC 2009.

  2. What is CAUDIT? IT Directors & CIOs from higher education & research; 57 members; all Australian & NZ universities; some research organisations; South Pacific & Papua New Guinea.

  3. CAUDIT Mission: To enhance its members’ ability as key strategic advisers on the use of information technology in higher education.

  4. CAUDIT Activities: Procurement; Benchmarking; Green IT; Professional development; Technical standards (newest committee, formed in 2008; chaired by Nick Tate, UQ).

  5. Technical Standards Committee: Provides a process for agreeing and maintaining technical standards across higher education & research sector; IAM framework; attributes for data exchange, including auEduPerson specification; eduroam policy for Australia.

  6. Why an IAM framework? IAM among the most important issues facing higher ed CIOs on annual surveys. Number 3 CAUDIT issue this year, after Strategic Planning and Information Management. Universities face greater IAM challenges than many other organisations. Federation means IAM is no longer an internal issue.

  7. What are we building? An online compendium of IAM resources; a wiki designed to grow through community contributions; information providing the benefit of the community's prior experiences; a common language and shared vision; a framework for prioritising actions.

  8. What the compendium contains: Business case for IAM; Glossary; Framework for the spectrum of IAM processes; Advice – evaluating technologies, federating with other organisations; A set of resources.

  9. Some thoughts on identity: “The real meditation is the meditation on one’s identity. You try it. You try finding out why you’re you and not somebody else. And who in the blazes are you anyhow?” (Ezra Pound, US poet, 1885-1972)

  10. IAM lifecycle is? A sequence of orchestrated business processes; performed by many actors; governed by some set of policies; implemented using some array of technologies; all so that an individual can gain authorised access to some set of resources.

  11. Prior to authorised access… Many processes & many actors. Actors & relying parties may not understand their roles or how they fit into the bigger IAM picture. Need a way to allow interested parties to understand the bigger picture; relationships across business processes; policies, technologies, actors; how to measure improvement.

  12. The Framework

  13. Governance and policy: The most important of the 6 classes. Often the most neglected. How are the enterprise’s IAM business processes to be achieved? How may the enterprise’s policies constrain or shape this achievement? Who within the enterprise is responsible for the various IAM processes and sub-processes? When are these processes enacted?

  14. Identification and credentialing: How to identify the “digital subject”; associating a set of claims and attributes with the digital subject; issuing credentials to the digital subject to bind the subject and its “digital identity” to some level of assurance.

  15. Attribute aggregation: As soon as a subject is identified it can start to accrue attributes (firstname, surname, etc). Attributes are stored in Systems of Record. Even within a single enterprise, digital identities are often scattered across many Systems of Record. An aggregator such as a metadirectory can construct a consolidated view.

  16. Authentication & assertions: Authentication is the act of proving possession of the authentication credentials. Binds the subject to its digital identity for the duration of the transaction. When the subject authenticates, an assertion is normally constructed. May range from a simple OK response to a digitally signed SAML assertion.

  17. Transport: Once an assertion has been constructed it must be transported to the relying party, possibly to make an informed authorisation decision. Relying parties need to understand the risks of the transport mechanism. Same server? High assurance. Over a network? May not be as high.

  18. Relying parties & resources: Relying parties shoulder most of the risk in an IAM transaction. Relying parties process assertions according to: the information in the assertion; the ability to verify the truth of the assertion; their own business needs, processes, risk analysis, obligations, etc.

  19. IAM Compendium: Six volumes, one for each framework class. Policy considerations; Risk assessment, risk management, LoAs; Relevant standards; Evaluating technology solutions; Maturity model; Federating with other organisations; Communication and education; Resources for further information.

  20. Current status: Overview of the framework; Glossary; Business case to support enterprise IAM projects; Around 30 participants in Australia & NZ.

  21. Contributors welcome! Case studies on IAM in your organisation; policy considerations and risk management for IAM; good IAM processes and practices extending to all parts of an enterprise; how to evaluate technology solutions; pointers to useful resources on IAM; comments and feedback as sections are added.

  22. How to participate: https://wiki.caudit.edu.au/confluence; accepts authentication credentials from Australian Access Federation Pilot, ProtectNetwork, OpenID; agreements with other federations in progress; email r.mcduff@uq.edu.au or patricia.mcmillan@uq.edu.au for authorisation and to go on the mailing list.

  23. A final thought on identity: “Americans may have no identity, but they do have wonderful teeth.” (Jean Baudrillard, French semiologist)
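
Slides 16 to 18 describe a relying party weighing what an assertion says, whether it can be verified, and the transport it arrived over. The sketch below is an added example, not part of the presentation: it uses an HMAC over JSON as a stand-in for a digitally signed SAML assertion, and the key, function names, LoA numbers and transport caps are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real federation would verify against the IdP's signing key.
IDP_KEY = b"constructed-demo-key"
# Hypothetical cap on the assurance a relying party credits per transport (slide 17).
TRANSPORT_CAP = {"same-server": 3, "tls-network": 2, "plain-network": 0}


def issue_assertion(subject, attributes, loa, audience, issued_at, ttl=300):
    """Identity-provider side: build the claims and sign their canonical JSON."""
    claims = {"sub": subject, "attrs": attributes, "loa": loa,
              "aud": audience, "iat": issued_at, "exp": issued_at + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": sig}


def relying_party_decision(assertion, transport, me, required_loa, now):
    """Relying-party side: return (allowed, reason)."""
    body = assertion["body"].encode()
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    # 1. Ability to verify the truth of the assertion (constant-time compare).
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "signature invalid"
    claims = json.loads(body)
    # 2. The information in the assertion: intended audience and validity window.
    if claims["aud"] != me:
        return False, "wrong audience"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "outside validity window"
    # 3. Own risk analysis: the transport caps how much assurance is credited.
    effective = min(claims["loa"], TRANSPORT_CAP.get(transport, 0))
    if effective < required_loa:
        return False, f"effective LoA {effective} < required {required_loa}"
    return True, f"effective LoA {effective}"


if __name__ == "__main__":
    # Constructed sample assertion for a staff member accessing the wiki.
    a = issue_assertion("staff123", {"eduPersonAffiliation": "staff"}, 2, "wiki", 1000)
    for transport in ("same-server", "tls-network", "plain-network"):
        print(transport, relying_party_decision(a, transport, "wiki", 2, 1100))
```

The same assertion is accepted or refused depending on how it reached the relying party, which is the point slide 17 makes about transport risk.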
