Integrated Institutional Identity Infrastructure: Implications and Impacts
RL "Bob" Morgan, University of Washington
Internet2 Member Meeting, May 2005
IAM Drivers
- Compliance
- Collaboration
- Outreach
- Network security
- Gorilla applications
- Your driver here ...
Compliance
- External regulations
  - FERPA, HIPAA
  - Funding agency requirements: DoE, DoD, etc.
  - State-agency regulations
  - Federal e-authentication, contractual
- Internal policies
  - Privacy
  - Financial controls
Privacy compliance support
- HIPAA, FERPA, local privacy regulations, etc.
- It's simple: control who can see what
- Process:
  - classify data (e.g. protected health information)
  - identify business processes and "need to know"
  - control access methods and data locations
  - identify and authenticate users
  - log and audit access (as needed)
  - manage policy expression and evolution
Infra Requirements
- Identity management
  - anti-sharing controls
  - support process/system/service identities
- Authorization management
  - translate need-to-know and data classes into containers, ACLs, roles
  - integrate with business processes (medical, teaching, ...)
- Log/audit/reporting support
- Privacy implementation guidance
US E-Authentication program
- Broad initiative supporting e-government, both citizen-facing and internal
- Based on NIST technical authentication guidelines, including 4 "levels of assurance"
- Uses SAML protocol base (Shibboleth compatible)
- Most agencies must run a compliant app in 2005
- Operating a "Federal federation" of participating applications and credential providers
- Standards and practices will be widely used outside of government as well
- http://cio.gov/eauthentication/
E-Authentication and us
- Universities and CAF compliance
  - indicate "institutional authority"
  - LoA requirements for: identity proofing, activation, revocation, password strength, good user practice; facility control, config/software management; helpdesk, password reset practice; record-keeping, audit, etc.
  - initial assessments done by GSA
  - future compliance via inter-federation peering
- Will support peering to other areas (e.g. financial)
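The privacy-compliance process (classify data, map "need to know" to roles, authenticate, log and audit) together with the e-authentication levels of assurance, as an added Python example that is not part of the original slides. The data classes, role names and minimum LoA values in POLICY are constructed assumptions; a real deployment would source them from the institution's data-classification policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy table (assumption, not from the slides): each data class
# lists the roles with a "need to know" and the minimum NIST level of
# assurance (1-4) the authenticated session must carry. "*" means any role.
POLICY = {
    "public": {"roles": {"*"}, "min_loa": 1},
    "ferpa":  {"roles": {"registrar", "advisor"}, "min_loa": 2},
    "phi":    {"roles": {"clinician", "privacy_officer"}, "min_loa": 3},
}

@dataclass
class Session:
    user: str
    roles: set
    loa: int  # level of assurance asserted by the credential provider

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, data_class, resource, decision, reason):
        # Every decision, permit or deny, is logged for later audit.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": session.user, "class": data_class,
            "resource": resource, "decision": decision, "reason": reason,
        })

def authorize(session, data_class, resource, audit):
    """Return True if the session may read `resource` of class `data_class`."""
    policy = POLICY.get(data_class)
    if policy is None:
        # Unclassified data has no need-to-know mapping: deny by default.
        audit.record(session, data_class, resource, "deny", "unclassified data")
        return False
    if session.loa < policy["min_loa"]:
        audit.record(session, data_class, resource, "deny",
                     f"loa {session.loa} < {policy['min_loa']}")
        return False
    if "*" not in policy["roles"] and not (session.roles & policy["roles"]):
        audit.record(session, data_class, resource, "deny", "no need-to-know role")
        return False
    audit.record(session, data_class, resource, "permit", "role and LoA satisfied")
    return True
```

Note that a clinician authenticated at LoA 2 is denied PHI even though the role matches: the data class, not the population, sets the assurance bar, which is the point of the outreach slides' "campus netid does not mean campus user".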
Inter-institutional Collaboration
- Much large-scale funded research is inter-institutional
  - funding vehicles are multi-institution projects, aka virtual organizations (VOs)
  - institutional VO support is key to being in the game
  - not just facilities and networking any more
  - often international in scope
- Many other collaborations at all scales
  - licensed content via consortia
  - institutes, centers, special programs, ...
  - ... and our own departments and colleges
Collaboration requirements
- Tools
  - mailing list, storage, web publishing, calendar, ...
  - identity management, roles, groups, authorization management, privacy
  - and all must work inter-institutionally
- Network access
  - federated identity, or many sponsored accounts
- Policy flexibility
  - e.g., "must be employee"
  - support VO policies, IAM technologies
Institutional Outreach
- New initiatives lead to new populations
  - alumni, retirees
  - applicants, prospects
  - K-12
  - regional medicine, patients
  - distance learning, international campuses
  - regional colleges
Supporting Outreach
- Identity management
  - low-cost or no-cost identity proofing
  - new lows in level of assurance, e.g. passwords
  - new process state changes, e.g. applicant->student, employee->retiree
  - patient process is likely high LoA
- Authorization
  - campus netid does not mean "campus user"
  - users not entitled to "regular service bundle"
Network access security
- High security, high access
  - keep viruses, worms, sniffers, spammers out
  - accommodate visitors, conferences with wireless
- Support identity management for machines
  - network-layer authentication
  - device support, constrained net environment
  - easy access to (shared?) ids or registration
  - new policy considerations
Big application integration
- ERP, Portal, LMS, Grid
  - you're not just buying an app, you're buying infrastructure
  - and your deployers may treat them as infrastructure, i.e. creating their own processes for IAM etc.
  - may be OK, but not likely to be general-purpose
- Open-source packages are new opportunities
  - uPortal, Sakai, Kuali, Globus
  - many challenges same as with vendor packages
  - good integration examples can be infectious
Conclusion
- The perils of success
  - apps and orgs now come to infra providers seeking support, expecting advanced services
  - we still have to evangelize
  - budgets not going up exponentially ...
- Architecture and integration
  - know what the pieces do and don't do
  - justify up-front costs, but focus on design wins