An IAM Framework for Australian and NZ Higher Education and Research

Learn more at: http://www.terena.org
Transcript and Presenter's Notes

1
An IAM Framework for Australian and NZ Higher
Education and Research
  • Patricia McMillan and Rodney McDuff
  • The University of Queensland
  • Presented at TNC 2009

2
What is CAUDIT?
  • IT Directors and CIOs from higher education
    and research
  • 57 members
  • All Australian and NZ universities
  • Some research organisations
  • South Pacific and Papua New Guinea

3
CAUDIT Mission
  • To enhance its members' ability as key
    strategic advisers on the use of information
    technology in higher education.

4
CAUDIT Activities
  • Procurement
  • Benchmarking
  • Green IT
  • Professional development
  • Technical standards
  • Newest committee, formed in 2008
  • Chaired by Nick Tate, UQ

5
Technical Standards Committee
  • Provides a process for agreeing and maintaining
    technical standards across the higher education
    and research sector
  • IAM framework
  • Attributes for data exchange
  • Including auEduPerson specification
  • eduroam policy for Australia

6
Why an IAM framework?
  • IAM among the most important issues facing higher
    ed CIOs on annual surveys.
  • Number 3 CAUDIT issue this year, after Strategic
    Planning and Information Management
  • Universities face greater IAM challenges than
    many other organisations.
  • Federation means IAM is no longer an internal
    issue.

7
What are we building?
  • An online compendium of IAM resources
  • A wiki designed to grow through community
    contributions
  • Information providing the benefit of the
    community's prior experiences
  • A common language and shared vision
  • A framework for prioritising actions

8
What the compendium contains
  • Business case for IAM
  • Glossary
  • Framework for the spectrum of IAM processes
  • Advice on evaluating technologies and federating
    with other organisations
  • A set of resources

9
Some thoughts on identity
  • The real meditation is the meditation on one's
    identity. You try it. You try finding out why
    you're you and not somebody else. And who in the
    blazes are you anyhow?
  • Ezra Pound, US poet, 1885-1972

10
IAM lifecycle is?
  • A sequence of orchestrated business processes
  • Performed by many actors
  • Governed by some set of policies
  • Implemented using some array of technologies
  • All so that an individual can gain authorised
    access to some set of resources.

11
Prior to authorised access
  • Many processes, many actors
  • Actors and relying parties may not understand their
    roles or how they fit into the bigger IAM picture
  • Need a way to allow interested parties to
    understand the bigger picture
  • Relationships across business processes
  • Policies, technologies, actors
  • How to measure improvement

12
The Framework

13
Governance and policy
  • The most important of the 6 classes
  • Often the most neglected
  • How are the enterprise's IAM business processes
    to be achieved?
  • How may the enterprise's policies constrain or
    shape this achievement?
  • Who within the enterprise is responsible for the
    various IAM processes and sub-processes?
  • When are these processes enacted?

14
Identification and credentialing
  • How to identify the digital subject
  • Associating a set of claims and attributes with
    the digital subject
  • Issuing credentials to the digital subject to
    bind the subject and its digital identity to
    some level of assurance

15
Attribute aggregation
  • As soon as a subject is identified it can start
    to accrue attributes
  • Firstname, surname, etc
  • Attributes are stored in Systems of Record
  • Even within a single enterprise, digital
    identities are often scattered across many
    Systems of Record
  • An aggregator such as a metadirectory can
    construct a consolidated view

16
Authentication assertions
  • Authentication is the act of proving possession
    of the authentication credentials
  • Binds the subject to its digital identity for the
    duration of the transaction
  • When the subject authenticates, an assertion is
    normally constructed
  • May range from a simple OK response to a
    digitally signed SAML assertion

17
Transport
  • Once an assertion has been constructed it must be
    transported to the relying party
  • Possibly to make an informed authorisation
    decision
  • Relying parties need to understand the risks of
    the transport mechanism
  • Same server? High assurance
  • Over a network? May not be as high

18
Relying parties resources
  • Relying parties shoulder most of the risk in an
    IAM transaction
  • Relying parties process assertions according to
  • The information in the assertion
  • The ability to verify the truth of the assertion
  • Their own business needs, processes, risk
    analysis, obligations, etc

19
IAM Compendium
  • Six volumes, one for each framework class.
  • Policy considerations
  • Risk assessment, risk management, LoAs
  • Relevant standards
  • Evaluating technology solutions
  • Maturity model
  • Federating with other organisations
  • Communication and education
  • Resources for further information

20
Current status
  • Overview of the framework
  • Glossary
  • Business case to support enterprise IAM projects
  • Around 30 participants in Australia and NZ

21
Contributors welcome!
  • Case studies on IAM in your organisation
  • Policy considerations and risk management for IAM
  • Good IAM processes and practices extending to all
    parts of an enterprise
  • How to evaluate technology solutions
  • Pointers to useful resources on IAM
  • Comments and feedback as sections are added

22
How to participate
  • https://wiki.caudit.edu.au/confluence
  • Accepts authentication credentials from
  • Australian Access Federation Pilot
  • ProtectNetwork
  • OpenID
  • Agreements with other federations in progress
  • Email r.mcduff_at_uq.edu.au or
    patricia.mcmillan_at_uq.edu.au for authorisation
    and to go on the mailing list

23
A final thought on identity
  • Americans may have no identity, but they do
    have wonderful teeth.
  • Jean Baudrillard, French semiologist