Collaboration: Identity and Access Management
Lori Stevens, University of Washington
16-17 October 2007
What is IAM?
• Critical IT infrastructure
• Intersection of what network engineers don’t want to do *with* what app developers don’t want to do
• Combines technologies, business processes, governance, and policies to:
  • Manage digital identities
  • Specify how identities access resources
Terminology
• Authentication: says who you are
• Authorization: says what you can do
• Credentials: what you provide as ID
• Federation: collection of organizations that agree to operate under a certain rule-set
Terminology
• Identification: process by which information about a person is used to provide some level of assurance
• Level of Assurance (LOA): degree of certainty that someone is who they say they are
  • Low is OK for some things
  • For patient information (PHI), need high
What drives the need?
• Collaboration
  • Research and education, governments, global health, …
• Administrative applications
• Growing complexity and the need to simplify
• Risk mitigation
IAM-supported Collaboration
• Wiki, blog, email, calendar, IM
• Document sharing/editing
• Phone/videoconference
• Data sharing
• More about outreach, ease of access, enablement
Why is IAM necessary?
• To ensure the intended people access the intended services
• Organizations have to manage users/IDs efficiently and accurately
  • While enabling them to get their work done
• Digital IDs are taking on an increasingly important role in how we collaborate and share networked resources
Identity Management Trends
• Pervasive in business processes
• Inserting NetIDs as early as possible
  • e.g. NetIDs for student applicants, contractors, etc.
• Identities/NetIDs useful for life, e.g. alumni, retirees
Sources of Information
• Human Resources database
• Research/grants database
• Student database
• Other databases provide information about affiliations
Person Registry
• Is knowing someone is a student enough?
• Is this person an employee and a student?
• Is this person affiliated with the institution?
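The three registry questions above, worked through in an added Python example (this is not code from the presentation or from the University of Washington): constructed HR and student records are merged into one identity per person, affiliations are derived from each source, and a terminated employee keeps the identity without an access-granting affiliation. The email-based matching rule and the NetID derivation are assumptions made for illustration.

```python
"""Added example: a toy person registry that merges HR and student
records into one identity per person and derives affiliations.
Not the University of Washington's registry; names, IDs and the
matching rule are assumptions made for illustration."""
from dataclasses import dataclass, field

# Constructed sample source records (not real data).
HR_DB = [
    {"emp_id": "E100", "name": "Ada Example", "email": "ada@example.edu",
     "dept": "Medicine", "status": "active"},
    {"emp_id": "E101", "name": "Ben Sample", "email": "ben@example.edu",
     "dept": "Library", "status": "terminated"},
]
STUDENT_DB = [
    {"student_id": "S200", "name": "Ada Example", "email": "ada@example.edu",
     "enrolled": True},
    {"student_id": "S201", "name": "Cy Demo", "email": "cy@example.edu",
     "enrolled": True},
]


@dataclass
class Person:
    netid: str
    name: str
    email: str
    source_ids: dict = field(default_factory=dict)   # {"hr": "E100", "sis": "S200"}
    affiliations: set = field(default_factory=set)   # {"employee", "student", ...}


class PersonRegistry:
    """One Person per real person, however many source systems know them."""

    def __init__(self):
        self.by_netid = {}      # NetID -> Person
        self._by_email = {}     # matching key -> NetID

    def _get_or_create(self, name, email):
        # Assumption: institutional email is the matching key. A production
        # registry matches on several attributes (name, DOB, ...) and flags
        # ambiguous matches for a human, rather than auto-merging.
        key = email.lower()
        if key not in self._by_email:
            netid = key.split("@")[0]        # assumed NetID derivation
            self.by_netid[netid] = Person(netid=netid, name=name, email=email)
            self._by_email[key] = netid
        return self.by_netid[self._by_email[key]]

    def load_hr(self, rows):
        for r in rows:
            p = self._get_or_create(r["name"], r["email"])
            p.source_ids["hr"] = r["emp_id"]
            # NetIDs are for life: a terminated employee keeps the identity
            # but loses the "employee" affiliation that would grant access.
            p.affiliations.add("employee" if r["status"] == "active" else "former-employee")

    def load_students(self, rows):
        for r in rows:
            p = self._get_or_create(r["name"], r["email"])
            p.source_ids["sis"] = r["student_id"]
            if r["enrolled"]:
                p.affiliations.add("student")

    def affiliations(self, netid):
        """Current affiliations of one NetID (a copy, so callers cannot mutate)."""
        return set(self.by_netid[netid].affiliations)


def build_registry():
    """Load both constructed sources and return the merged registry."""
    reg = PersonRegistry()
    reg.load_hr(HR_DB)
    reg.load_students(STUDENT_DB)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    for p in reg.by_netid.values():
        print(p.netid, sorted(p.affiliations), p.source_ids)
```

Ada appears in both sources and ends up as a single NetID with both the employee and student affiliations, which is the "employee and a student" case; Ben is still known to the registry but holds no affiliation that an access policy should accept.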
Federated Authentication
• Scholarship is global
• Less allegiance to institution, more to research
• Worldwide peers, now the norm
• Access to partners is now:
  • Simple and more flexible
  • More secure
What is Shibboleth?
• Standards-based (SAML) web SSO package
• Open source
• Uses the local identity management system to reach campus and other institutions’ applications
• Protects the user’s privacy and the institution’s data
• Plays well with others, helps service partners
Federations
• Usually higher education, but doesn’t need to be limited to it
• Mostly Shibboleth-based, though not all
• Use cases:
  • Content access
  • Collaboration support
  • Wireless roaming
Identity Lifecycle Management
• Managing users
• One NetID per person
• Credentials
• Provisioning
• Enabling self-service
Managing Identity
• Provision accounts
• Associate accounts with identities/people
• Groups are created and managed
• Accounts are given privileges
• Credentials are issued
• Authentication, authorization, and federation happen
Group and Access Management
• Several sources determine where a person fits
• A person belongs to several groups
• One person often has several affiliations
• Access can be based on:
  • Affiliation
  • Group membership
  • Roles
  • Privileges
Access Management
• Authentication:
  • Single sign-on, fewer sign-ons
  • LOA, number of credentials
  • Federation and trust
• Authorization:
  • Access control, role-based, federation
• Security auditing
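An added Python example (not the presentation's or UW's code) that ties the Access Management bullets to the earlier LOA slide and the Group and Access Management slide: an access decision that first rejects a session whose credential LOA is below what the resource requires, then checks affiliation, group or role, and writes an audit record for every decision, allowed or denied. The resource names, group names, LOA levels and sessions are constructed for illustration.

```python
"""Added example: a toy access-management decision that checks the
level of assurance (LOA) of the sign-on credential first, then whether
the session holds any affiliation, group or role the resource allows,
and records every decision for security auditing. Not UW's code;
resource names, group names and LOA levels are assumptions."""
from dataclasses import dataclass, field

# Assumed ordering of assurance levels, low to high.
LOA_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Session:
    netid: str
    loa: str                 # assurance of the credential used at sign-on
    affiliations: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    min_loa: str
    allow_any: list          # (kind, value) pairs; any one match grants access


AUDIT_LOG = []               # every decision, allowed or not, is recorded


def authorize(session, resource):
    """Return (allowed, reason) and append an audit record."""
    if LOA_RANK[session.loa] < LOA_RANK[resource.min_loa]:
        # A weak credential is rejected before roles are even considered.
        allowed, reason = False, f"loa {session.loa} < required {resource.min_loa}"
    else:
        held = {"affiliation": session.affiliations,
                "group": session.groups,
                "role": session.roles}
        matched = [(k, v) for k, v in resource.allow_any if v in held[k]]
        if matched:
            allowed, reason = True, f"matched {matched[0][0]}={matched[0][1]}"
        else:
            allowed, reason = False, "no matching affiliation, group or role"
    AUDIT_LOG.append({"netid": session.netid, "resource": resource.name,
                      "loa": session.loa, "allowed": allowed, "reason": reason})
    return allowed, reason


# Constructed sample resources: PHI needs high LOA, a course wiki does not.
PHI_RECORDS = Resource("clinic-records", min_loa="high",
                       allow_any=[("role", "clinician"),
                                  ("group", "uw:medicine:residents")])
COURSE_WIKI = Resource("bio101-wiki", min_loa="low",
                       allow_any=[("group", "course:bio101:2007au"),
                                  ("affiliation", "faculty")])


def run_sample():
    """Constructed sessions; returns the allowed/denied outcome of each check."""
    ada_strong = Session("ada", "high", {"employee", "student"}, set(), {"clinician"})
    ada_weak = Session("ada", "low", {"employee", "student"}, set(), {"clinician"})
    cy = Session("cy", "low", {"student"}, {"course:bio101:2007au"}, set())
    return {
        "ada_phi_strong": authorize(ada_strong, PHI_RECORDS)[0],
        "ada_phi_weak": authorize(ada_weak, PHI_RECORDS)[0],
        "cy_wiki": authorize(cy, COURSE_WIKI)[0],
        "cy_phi": authorize(cy, PHI_RECORDS)[0],
    }


if __name__ == "__main__":
    print(run_sample())
    for rec in AUDIT_LOG:
        print(rec)
```

The LOA gate runs before the role check on purpose: the same clinician is admitted to patient records when signed on with a high-assurance credential and refused with a low-assurance one, and the audit log keeps both outcomes so that denied attempts are reviewable alongside successful ones.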
Enterprise IAM Infrastructure
• Enterprise user database
  • Person registry and directory driven from large business sources, e.g. staff, students, affiliates
• Enterprise group management
  • Driven from business sources, e.g. courses, departments, ad hoc
• Enterprise privilege management
  • Delegated, role/function/affiliation-based
Consolidation Supports Collaboration
• Provides a centrally coordinated service
• Allows for distributed management of content
• No need to manage multiple instances
• Single place for auditing and reporting
• Eases management of security issues for apps
• One set of tools and data for apps
• The stuff of academic life, and often inter-institutional
Challenges with Centralizing
• Governance, management of data
• Defining rules, delegation
• Compliance and regulations
• Consensus and support for central services
• Responsibility and accountability
Policy and Governance Questions
• Who is responsible for IDM?
• What collaboration scenarios are important to research and education?
• Who will approve policies?
• Who is part of the federation?
• Who decides and develops policies?
• Who owns the source data?
Technical Challenges
• Delivering information to apps
• Mobility, portability
  • Anywhere, anyhow, anytime computing
• Interface consistency across locations
• Diversity of apps and platforms
• Advanced app requirements
• Interoperability
IAM Benefits
• Supports collaboration
• Enables global federated authentication
• Simplifies and secures
• Reduces help desk load
• Enables:
  • Shared management
  • Operating efficiencies
Advancing IAM Efforts
• Fostering technical standards
• Aggregating and disseminating technical design and implementation strategies
• Fostering opportunities for others to deploy products
• Integrating efforts with specific scientific and research communities
Resources
• http://www.terena.org/activities/tf-emc2/
• middleware.internet2.org
• http://middleware.internet2.edu/MACE/
• www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
Questions?