Making Digital Identity easy inside the firewall Workshop - PowerPoint PPT Presentation

About This Presentation
Title:

Making Digital Identity easy inside the firewall Workshop

Description:

Microsoft Architect Insight Conference. 1. Making Digital Identity easy ... University of Derby. University Information Assurance officer. t.brookes_at_derby.ac.uk ... – PowerPoint PPT presentation

Slides: 21
Provided by: cedm7

Transcript and Presenter's Notes

Title: Making Digital Identity easy inside the firewall Workshop


1
Making Digital Identity easy inside the firewall
(Workshop)
  • Tony Brookes
  • University of Derby
  • University Information Assurance officer
  • t.brookes_at_derby.ac.uk
  • Microsoft Architect Insight Conference 2007

2
Agenda (75 min)
  • Round table introduction and any specific goals
    you'd like to achieve from this session. (10
    mins)
  • Summary of things we'd learnt from our
    implementation project. (20-30 mins, depending
    on questions).
  • Options: split into groups and tackle some of the
    issues raised, or single group using mindmap
    (about 35 min).

3
Why do we automate identity management?
  • We have 20,000 students and 2,000 staff, all with
    network & email accounts. We have an annual
    turnover of at least 25% of our students
    throughout the year; our courses are modular. We
    have full time, part time and post graduate
    students, aged 14-80, some of whom (about 4000)
    are taught in another country.
  • With online, overseas and campus based teaching,
    conferences, short courses and halls, waiting for
    accounts is not an option. People are starting
    and leaving courses all the time and all need
    accounts NOW, especially the part time students.
  • Too many accounts to manually create & delete,
    and the existing hand crafted system is creaking
    (!)

4
Design Goal
[Diagram labels: Futures - Swipe Cards (doors), Conferences, Shibboleth; Business Rules; Staff; On-line teaching; Students; IDM; Network Accounts; email; Halls; Directory inc LDAP; Library]
Automation of all accounts - no manual maintenance.

5
Technologies used
  • Novell Identity Manager V 3.0
  • Novell eDirectory
  • DirXML
  • GroupWise
  • Active Directory (Soon)
  • Exchange (Soon)
  • Oracle 9 & 10, PeopleSoft
  • Solaris, Windows, Linux, Tru64.
  • Etc (200 inc virtual servers)

6
Services Dependent upon this service
  • All of them.
  • System failure is noticed within a few hours or
    minutes depending upon when exactly and if a
    couple of thousand new students are enrolling
    that day.
  • We're considering integrating software licensing
    and electronic resources (i.e. Library
    databases).
  • It's getting more complex as the number of types
    of account varies. Long gone are the single staff
    or student account covering everything. Now often
    at module level.

7
Student Accounts
  • Four Types live by March 2008
  • Enquirer
  • Applicant
  • Student
  • Alumni
  • Finer detail by account attribute.
  • Generated automatically from student systems.

8
Staff Accounts
  • Single staff account
  • Details by attribute
  • Generated automatically from the HR system

9
Challenges - Technology - 30%
  • Often data quality and consistency issues hide
    small but time consuming technical issues.
  • Sometimes difficult to fault find as it involves
    two or three teams all certain their system is
    ok!
  • The business rules will need coding, once they
    are all known and agreed.

10
Challenges - People - 70%
  • You are connecting people together via their
    systems who (until now) have not worked together
    or had common standards for their data.
  • Often unclear who owns the policy/practice/process
    or has the authority to make a particular
    decision.
  • This (IDM) will need changes in people's working
    practices and will find all sorts of people who
    either didn't know they were involved, or don't
    want to be.

11
Data silos and dependencies
[Diagram labels: Organisational Pyramid (Vertical); Data silos (Horizontal); I/P; used; IDM Layer]

12
More People Challenges.
  • You'll need to be very persuasive - they're happy
    as they are.
  • Once their system is declared authoritative, any
    data issues are theirs, not the IT department's.
  • Who owns the telephone number is surprisingly
    emotive.

13
Lessons learned
  • Not everyone wants their systems linked - some
    like the manual overhead and the control that
    creating the accounts manually gives them.
    (Really!)
  • If you haven't got a central directory for
    everyone, then you WILL need one before starting.
  • Sometimes there are unexpected efficiency gains
    simply from talking, and just because you can link
    things together doesn't mean you should,
    especially all at once.

14
Lessons learned (2)
  • Reduction in manual account related work in the
    IT areas.
  • Identity synchronisation is much easier than
    automatic identity management.
  • Carrying out the project stirs up all sorts of
    governance type issues.

15
Lessons learned (3)
  • Nearly every University has or needs a "Grey
    users / Waifs & strays / odds & ends" database for
    all the account holders that don't fit into the
    standard definitions.
  • The whole student lifecycle is much more complex
    than just undergraduates - it's people, and they
    change their minds. Often. And in unexpected ways.

16
Lessons learned (4)
  • Discovery, Discovery, Discovery. Test and retest
    whenever linking systems together for the first
    time as all sorts of subtle data quality issues
    will surface.
  • "Oh, that field! Yes, we know what the database
    schema says, but we use it for sort of thing."
  • Beware assumptions - it's perfectly possible for
    one person to be a student sponsor, a member of
    staff, a student, an alumni and an applicant all
    in one week.

17
The Business View
  • Personalisation and hence student self service is
    enabled by IDM.
  • The need to drive up income means student roles
    will proliferate as we develop more niche/new
    products.
  • Anything that increases efficiency is good.
  • "You've got my data in that system, why do I need
    to type it in again in this one??"
  • Awareness of data protection and compliance is
    driving care around account creation and deletion.

18
Futures
  • Athens to Shibboleth July 2008
  • Possible Swipe card control of door access
  • Conferences
  • Short courses
  • Printing and photocopying payment(s) etc, etc.
  • Self Service software licensing on the desktop.
  • Interesting issue surfacing from the users: "If
    I've got a single electronic identity, why do I
    have multiple ID cards?"

19
Workshop - what do we do next?
  • Split into groups or not?
  • Does the group want to continue following up this
    session/topic after the conference closes, and if
    so, how???
  • Internet based? Blog(s)?
  • Collective paper?
  • BCS SIG??
  • ?????

20
My Question
  • (for use if no other bright ideas occur)
  • How to easily and understandably document this
    sort of project in an easy to use way for the
    various areas in the teams, ideally self
    documenting.
  • Users.
  • Technical.
  • Management.