
Deploying and Managing Identity Architecture: Key Issues and Solutions

This article explores the challenges and solutions in deploying and managing an identity architecture, including system maintenance, responsibility for classifications, system updates, level of assurance, identity federation, and decentralized management. It emphasizes the importance of organizational coherence and coordination in achieving successful identity management.


Presentation Transcript


  1. TF-EMC2, 2008-07-09, Torbjörn Wiberg, Umeå Universitet
     Current Campus Issues – From My Horizon

  2. Current issues – my impression
     • Goal: a deployed Identity Architecture
     • Initial casification of an application
     • System maintenance issues
       • Shall you charge system owners for use of the IdArch?
       • Who is responsible for maintenance of casifications?
       • How do you plan system updates for the whole integrated application structure? (A system owner can't take an isolated decision to update a system.)
     • LOA – not only technology
     • A lot of decisions around interpretations of enterprise data

  3. Deploy and Use an Identity Architecture
     • An Identity Architecture consists of:
       • an enterprise repository for identity and privilege information;
       • procedures for identity management;
       • a meta-directory for synchronisation of enterprise data;
       • services for authentication, authorisation and controlled release of identity and privilege information.
     • The primary driver is SSO
       • user-friendliness is the primary success factor (not the increased quality or efficiency of user administration)
     • Identity management is by now identified by most campuses as important
       • a lot of talks at conferences and a lot of courses ...
       • but the other issues and problems involved are not appreciated enough

  4. Level of Assurance
     • Have we deployed an Identity Architecture with an Identity Management we trust enough to control authorisation of the use of shared resources?
     • We need identities on different levels of assurance
     • Initial identification does not reach the required LOA
       • speed of getting an account
       • students off campus
       • loose affiliation

  5. Remember!
     • The services introduced are convenient for the user – single sign-on
     • But we also introduce another mission-critical component in our infrastructure (comparable to the DNS)

  6. Basic issues in Identity Management
     • To be accepted as a member of an Identity Federation you need to have your Id Mgmt in order.
       • the Id Federation is about trusting each other's identities
     • You need to know
       • who you issue an identity to and why
       • how you identify the person receiving the credentials
       • why you assign a certain affiliation to an identity
       • how you manage that affiliation and other info

  7. Further issues in Identity Management
     • How is the information from different sources that is synchronised by the meta-directory managed?
     • The necessary coherent view of the organisation in the systems to be integrated is not a reality.
     • The freedom of management of systems is heavily reduced in an integrated environment
     • The quality of identity management must aim at use of the information for authorisation

  8. A coherent view of the organisation
     • Who is responsible for keeping a coherent view of the organisation?
     • How is a new organisational unit established? Changed? Removed?
     • Does any system contain a "correct" view of the organisation?
     • Can it be a component in the meta-directory?

  9. Meta-directory issues
     • Precedence rules when the same data may be found in several systems
       • employee and/or student
       • name changes
       • change of social security numbers
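The precedence problem on this slide (the same data in several systems, a person who is both employee and student, name changes, a changed social security number) can be made concrete with a small merge routine. The following Python is an added example, not code from the presentation or from Umeå Universitet; the source names ("hr", "student_registry"), the precedence table and the records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed precedence policy: for each attribute, the sources in the order
# they are trusted when several systems hold a value. "hr" and
# "student_registry" are placeholder source names, not real campus systems.
PRECEDENCE: Dict[str, List[str]] = {
    "display_name": ["hr", "student_registry"],
    "email": ["hr", "student_registry"],
    "national_id": ["hr", "student_registry"],
}


@dataclass
class SourceRecord:
    source: str                      # which system delivered this record
    person_id: str                   # stable id issued by the identity system
    affiliation: str                 # "employee" or "student"
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class MergeResult:
    identity: Dict[str, object]
    warnings: List[str] = field(default_factory=list)


def merge_person(records: List[SourceRecord],
                 existing: Optional[Dict[str, object]] = None) -> MergeResult:
    """Merge all source records for one person into one directory entry.

    Affiliations accumulate, so an employee who is also a student keeps both.
    Each attribute comes from the highest-precedence source that has a
    non-empty value.  A name change is applied but logged.  A national-id
    change or conflict is never applied silently: the existing value is kept
    and the case is flagged, because that number is what systems use to
    match records, and a silent change would split one person into two
    entries or merge two people into one.
    """
    if not records:
        raise ValueError("no records to merge")
    ids = {r.person_id for r in records}
    if len(ids) != 1:
        raise ValueError(f"records for several persons passed: {sorted(ids)}")
    person_id = records[0].person_id
    existing = existing or {}
    by_source = {r.source: r for r in records}

    result = MergeResult(identity={"person_id": person_id})
    result.identity["affiliations"] = sorted({r.affiliation for r in records})

    for attr, order in PRECEDENCE.items():
        winner: Optional[Tuple[str, str]] = None
        for src in order:
            rec = by_source.get(src)
            value = rec.attrs.get(attr) if rec else None
            if value:
                winner = (src, value)
                break
        if winner is None:
            continue                      # no source knows this attribute
        src, value = winner
        old = existing.get(attr)

        if attr == "national_id":
            seen = {r.attrs[attr] for r in records if r.attrs.get(attr)}
            if len(seen) > 1 or (old and old != value):
                result.warnings.append(
                    f"national_id conflict for {person_id}: sources={sorted(seen)} "
                    f"existing={old!r}; manual review required")
                result.identity[attr] = old if old else value
                continue
        elif attr == "display_name" and old and old != value:
            result.warnings.append(
                f"display_name changed from {old!r} to {value!r} (source {src})")

        result.identity[attr] = value
    return result
```

The code makes the same point as the slide: precedence is a per-attribute decision, and an identifier that the meta-directory uses to match records across systems cannot be allowed to change on its own. Keeping the old value and raising a warning hands that decision to a person instead of letting the synchronisation run make it.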

  10. Decentralised management
     • Identity and privilege information
     • Management of an attribute shall harmonise with the order of delegation
     • Remember: the attributes shall be used for authorisation
     • Much of the information can be managed in a decentralised way (following the order of delegation)
     • "Guests" have to be added to be authorised to use resources

  11. Grace Periods
     • When is an account inactivated?
       • a student leaves
       • an employee leaves
       • faculty and staff
     • Different grace periods for different systems and services?
     • Exceptions
       • when
       • who can decide
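An added example (not from the presentation) of how the questions on this slide become a policy that a provisioning system can evaluate: a per-service, per-affiliation grace period, and exceptions that only the group controlling the service may grant. The service names, approver groups, day counts and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Constructed grace-period policy, in days, per service and affiliation.
# Service and affiliation names are illustrative placeholders.
GRACE_DAYS: Dict[str, Dict[str, int]] = {
    "email":   {"student": 90, "employee": 30},
    "vpn":     {"student": 0,  "employee": 0},
    "library": {"student": 30, "employee": 30},
}

# Constructed table of who may decide an exception for each service: the
# group controlling that service, nobody else.
EXCEPTION_APPROVERS: Dict[str, List[str]] = {
    "email": ["it-service-desk"],
    "vpn": ["network-security"],
    "library": ["library-admin"],
}


@dataclass
class GraceException:
    service: str
    keep_until: date     # the account stays usable up to (not including) this day
    approved_by: str     # group that granted the exception


def deactivation_date(service: str, affiliation: str, leave_date: date,
                      exceptions: Iterable[GraceException] = ()) -> date:
    """First day on which the account for `service` is inactive.

    The normal deadline is the leave date plus the grace period.  An
    exception can extend it, but only if it was decided by a group that
    controls the service; anything else is rejected rather than ignored, so
    a mis-filed exception is noticed instead of silently dropped.
    """
    grace = GRACE_DAYS[service][affiliation]
    deadline = leave_date + timedelta(days=grace)
    for ex in exceptions:
        if ex.service != service:
            continue
        if ex.approved_by not in EXCEPTION_APPROVERS[service]:
            raise PermissionError(
                f"{ex.approved_by} may not grant exceptions for {service}")
        deadline = max(deadline, ex.keep_until)
    return deadline


def account_state(service: str, affiliation: str, leave_date: date,
                  today: date, exceptions: Iterable[GraceException] = ()) -> str:
    """'active' before the person leaves, 'grace' up to the deadline, then 'inactive'."""
    if today < leave_date:
        return "active"
    deadline = deactivation_date(service, affiliation, leave_date, exceptions)
    return "grace" if today < deadline else "inactive"


def states_for_person(affiliation: str, leave_date: date, today: date,
                      exceptions: Iterable[GraceException] = ()) -> Dict[str, str]:
    """State of every service for one person; shows that grace periods differ per service."""
    exceptions = list(exceptions)
    return {svc: account_state(svc, affiliation, leave_date, today, exceptions)
            for svc in GRACE_DAYS}


if __name__ == "__main__":
    left = date(2024, 6, 30)                       # constructed leaving date
    ex = [GraceException("email", date(2024, 12, 31), "it-service-desk")]
    print(states_for_person("employee", left, date(2024, 7, 15), ex))
```

The two questions under "Exceptions" map directly onto the `GraceException` fields: "when" is `keep_until`, and "who can decide" is `approved_by`, checked against the owners of the service rather than accepted from anyone.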

  12. Privilege Information
     • Authorisation requires other types of information
       • roles in courses
       • projects, board members
       • virtual organisations
     • Management of the privileges shall be done by those controlling the resource or service
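Slides 10 and 12 make one point between them about who manages what: attribute management follows the order of delegation, and privileges to a resource are managed by those who control it. The following Python is an added example, not from the presentation, of an attribute authority that enforces this; the organisation tree, actor names, attribute names and the guest case are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed organisation tree: unit -> parent unit; "university" is the root.
PARENT: Dict[str, str] = {
    "faculty-science": "university",
    "dept-computing": "faculty-science",
    "course-cs101": "dept-computing",
}

# Constructed initial delegations: (actor, attribute) -> units in which the
# actor may manage that attribute.  Authority over a unit covers its sub-units.
DELEGATIONS: Dict[Tuple[str, str], Set[str]] = {
    ("hr-office", "affiliation"): {"university"},
    ("dept-head-computing", "affiliation"): {"dept-computing"},
    ("course-coord-cs101", "course_role"): {"course-cs101"},
}


@dataclass
class Identity:
    person_id: str
    # attribute -> set of (unit, value); a value is always scoped to the unit
    # it was assigned in, so a role in one course does not leak into another.
    attrs: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)


class AttributeAuthority:
    """Decides who may set which attribute where, following the order of delegation."""

    def __init__(self, parent: Dict[str, str],
                 delegations: Dict[Tuple[str, str], Set[str]]):
        self.parent = dict(parent)
        self.delegations = {k: set(v) for k, v in delegations.items()}

    def unit_chain(self, unit: str) -> List[str]:
        """The unit and all its ancestors up to the root."""
        chain = [unit]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain

    def may_manage(self, actor: str, attribute: str, unit: str) -> bool:
        allowed = self.delegations.get((actor, attribute), set())
        return any(u in allowed for u in self.unit_chain(unit))

    def delegate(self, grantor: str, grantee: str, attribute: str, unit: str) -> None:
        """Delegation only flows downwards: a grantor can hand on authority
        only within a unit where the grantor already holds it."""
        if not self.may_manage(grantor, attribute, unit):
            raise PermissionError(
                f"{grantor} cannot delegate {attribute} management for {unit}")
        self.delegations.setdefault((grantee, attribute), set()).add(unit)

    def assign(self, actor: str, identity: Identity,
               attribute: str, unit: str, value: str) -> None:
        """Set an attribute value on an identity, scoped to a unit."""
        if not self.may_manage(actor, attribute, unit):
            raise PermissionError(f"{actor} may not set {attribute} in {unit}")
        identity.attrs.setdefault(attribute, set()).add((unit, value))


def authorise(identity: Identity, required: Tuple[str, str, str]) -> bool:
    """Resource-side check: does the identity carry (attribute, unit, value)?
    The owner of the resource decides what is required; the directory only
    answers whether the identity has it."""
    attribute, unit, value = required
    return (unit, value) in identity.attrs.get(attribute, set())
```

The guest case from slide 10 falls out of the model: a guest with no affiliation from the central sources still gets authorised to a course's resources once the course coordinator, who controls that resource, assigns the course role within the unit delegated to them.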

  13. System owners
     • The systems are integrated
     • The system owners can't decide on their own any more
     • Upgrades have to be coordinated
     • How is that best organised?

  14. As you can see
     • Many of these issues are non-technical, and one may say that
       • to get your Identity Management in order
       • you have to get your organisation in order
