Collaboration: Identity and Access Management - PowerPoint PPT Presentation

Slides: 29
Provided by: mant75
Transcript and Presenter's Notes

1
Collaboration: Identity and Access Management
  • Lori Stevens
  • University of Washington
  • 16-17 October 2007

2
(No Transcript)
3
What is IAM?
  • Critical IT infrastructure
  • Intersection of what NW engineers don't want to
    do with what app developers don't want to do
  • Combines technologies, business processes,
    governance, and policies to
      • Manage digital identities
      • Specify how ids access resources

4
Terminology
  • Authentication: says who you are
  • Authorization: says what you can do
  • Credentials: what you provide as ID
  • Federation: collection of orgs that agree to
    operate under a certain rule-set

5
Terminology
  • Identification: Process by which info about a
    person is used to provide some LOA
  • Level of Assurance (LOA): Degree of certainty
    that someone is who they say they are
      • Low is OK for some things
      • For patient information (PHI), need high

6
What drives the need?
  • Collaboration
  • Research and education, governments, global
    health,
  • Administrative applications
  • Growing complexity and the need to simplify
  • Risk mitigation

7
IAM-supported Collaboration
  • Wiki, blog, email, calendar, IM
  • Document sharing/editing
  • Phone/videoconference
  • Data sharing
  • More about outreach, ease of access, enablement

8
Why is IAM necessary?
  • To ensure the intended people access intended
    services
  • Organizations have to manage users/ids
    efficiently and accurately
  • While enabling them to get their work done
  • Digital IDs are taking on an increasingly
    important role for how we collaborate and share
    networked resources

9
Identity Management Trends
  • Pervasive in business processes
  • Inserting NetIDs as early as possible
  • e.g. NetIDs for student applicants, contractors,
    etc.
  • Identities/NetIDs useful for life, e.g. alumni,
    retirees

10
Sources of Information
  • Human Resource db
  • Research/grants db
  • Student db
  • Other dbs provide info about affiliations

11
Person Registry
  • Is knowing someone is a student enough?
  • Is this person an employee and a student?
  • Is this person affiliated with the institution?

12
Federated Authentication
  • Scholarship is global
  • Less allegiance to institution, more to research
  • Worldwide peers, now the norm
  • Access to partners is now
      • Simple and more flexible
      • More secure

13
What is Shibboleth?
  • Standards-based (SAML) Web SSO pkg
  • Open Source
  • Uses local IdM system to get to campus and other
    institutions' apps
  • Protects users' privacy and insts' data
  • Plays well with others, helps svc partners

14
Federations
  • Usually HE but doesn't need to be limited
  • Mostly Shib-based, not all though
  • Use cases
      • content access
      • collaboration support
      • wireless roaming

15
(No Transcript)
16
Identity Lifecycle Management
  • Managing users
  • One NetID per person
  • Credentials
  • Provisioning
  • Enabling self-service

17
Managing Identity
  • Provision accounts
  • Associate accounts with identities/people
  • Groups are created and managed
  • Accounts are given privileges
  • Credentials are issued
  • Authn, Authz, and Federation happen

18
Group and Access Management
  • Several sources determine where a person fits
  • A person belongs to several groups
  • One person often has several affiliations
  • Access can be based on
      • Affiliation
      • Group membership
      • Roles
      • Privileges

19
Access Management
  • Authentication
      • Single sign-on, fewer sign-ons
      • LOA, of credentials
      • Federation and trust
  • Authorization
      • access control, role-based, federation
  • Security auditing

20
Enterprise IAM Infrastructure
  • Enterprise user database
      • Person registry, directory driven from large
        business sources, e.g. staff, student, affiliates
  • Enterprise group management
      • Driven from business sources, e.g. courses,
        departments, ad-hoc
  • Enterprise privilege management
      • Delegated, role/function/affiliation-based

21
Consolidation supports Collaboration
  • Provides a centrally-coordinated service
  • Allows for distributed management of content
  • No need to manage multiple instances
  • Single place for auditing and reporting
  • Eases mgmt of security issues for apps
  • One set of tools and data for apps
  • The stuff of academic life and often
    inter-institutional

22
Challenges with Centralizing
  • Governance, mgmt of data
  • Defining rules, delegation
  • Compliance and regulations
  • Consensus and support for central svcs
  • Responsibility and accountability

23
Policy and Governance Questions
  • Who is responsible for IDM?
  • What collaboration scenarios are important to
    Research and Education?
  • Who will approve policies?
  • Who is part of the federation?
  • Who decides and develops policies?
  • Who owns the source data?

24
Technical Challenges
  • Delivering information to apps
  • Mobility, portability
      • anywhere, anyhow, anytime computing
  • Interface consistency cross-location
  • Diversity of apps and platforms
  • Advanced app requirements
  • Interoperability

25
IAM Benefits
  • Supports collaboration
  • Enables global federated authentication
  • Simplifies and secures
  • Reduces help desk load
  • Enables
      • Shared management
      • Operating efficiencies

26
Advancing IAM Efforts
  • Fostering technical standards
  • Aggregating and disseminating technical design
    and implementation strategies
  • Fostering opportunities for others to deploy
    products
  • Integrating efforts with specific scientific and
    research communities

27
Resources
  • http://www.terena.org/activities/tf-emc2/
  • middleware.internet2.org
  • http://middleware.internet2.edu/MACE/
  • www.nmi-edit.org/roadmap/draft-authn-roadmap-03/

28
Questions?