160 likes | 290 Views
A Case for Collaborative Identity Management in a Complex Decentralized Environment. Andrea Beesing Assistant Director, IT Security and David Yeh Assistant Vice President and University Registrar. Shared Secrets, Shared Vision, Shared Governance, Shared Technologies.
E N D
A Case for Collaborative Identity Management in a Complex Decentralized Environment Andrea Beesing Assistant Director, IT Security and David Yeh Assistant Vice President and University Registrar
Shared Secrets, Shared Vision, Shared Governance, Shared Technologies • Life-cycle: A Shared Vision • Policies and practices • Reusable and scalable infrastructure and tools • Governance Needs Everyone – not just an IT concern
A Life Cycle Point of View • High school to Undergraduate to Alumni to Graduate to Employee and Friends • > 100,000 applicants • > 350,000 alumni, friends, guests! • Around-the-world sites – Ithaca, NY; New York City, and Washington, D.C. Doha, Qatar, Singapore, Beijing; Paris, France; Rome, Italy; Seville, Spain; London, England; Dublin, Ireland; and Geneva, Switzerland and Geneva, NY, and others. • Around-the-world connecting points – faculty collaborators; students, employees, alumni, parents
Simplify connecting people in our community • Provide access for the right people to the right information, anytime, any place • Process entry and access to information services, securely and efficiently • Connecting from the very beginning
Link people and services – Anytime, Anywhere, Securely • Adopting commonly developed technology tools – Shibboleth, InCommon – Grouper, Signet, Federated IdM • Inter-institution collaboration – faculty research, document transmission, international exchange and study abroad • Business partners – Inter-Library Services (ILIAD), National Student Clearinghouse, Law School Admissions Council (LSAC), Veterinary Medical College Application Service (VMCAS), American Medical School Application Service (AMCAS), CollegeBoard, Educational Testing Service, and others
Improve management of risk • Provide appropriate level of access into transactional systems • Facilities and other resource access • Protect university and college reputation
Reusable and Extendable Tools • Provision identity from the beginning • Common policies and procedures • Reusing best practices and technologies
Identity Management goals for student services • “Instant” onboarding • Establish applicant/student relationship with Cornell as early as possible • No lines on day 1 for students • Replace paper-based, manual processes with online self-service options • Improve user experience when accessing services • Across Cornell administrative units and colleges • Across institutional boundaries • Protect security and privacy
Infrastructure in support of these goals Data Stewardship and Custodianship Information Security of Institutional Data Policy Access to Student Information Authentication of IT Resources Ensuring students have ready access to information and resources they are entitled to Account management Federation Infrastructure Organization Authentication Authorization & Access Mgmt Data access standards Business process Technology Provisioning Identification and registration Training and awareness Directory Services Governance
5 Alumnus 4 Student Deposited applicant 3 Accepted applicant 2 1 Applicant Student identity life cycle Business Challenges • Delivery of ID and initial password • Service entitlements at each step • Data access decisions at each step • Seamless transition from one step to the other • Correct handling of people with multiple relationships • Anticipating future business needs such as federated access to services • Understanding where business process and organizational changes are needed • Building awareness among staff with the need to know
Business needs Fast, cost-effective, reliable way of conveying ID and password Ease of transition from applicant to student Online access to application status and financial aid award Online access to other services in future anticipated Players Director of Admissions University Registrar IT Security Director Data Steward Identity Management IT staff Business decisions Use centrally-issued ID which can be used for multiple applications NetID reserved for community members and is for life ApplicantID is unique, but temporary Applicants can only access information about the status of the application until risk concerns associated with delivery method addressed Consider change in business process to require applicants to answer security questions during application process Begin exercise to map constituent groups to service entitlements Applicant onboarding: business view
Security considerations NetID as “gold” standard, implications for federated access Clear-text passwords via email represents risk Resetting forgotten passwords for this large a group in remote locations Service providers require means to authorize applicants for access IT implementation Create applicantID in separate Kerberos database (realm) Issue one-time activation code in lieu of password Create self-service application for activating and managing applicantID Create applicant permit (group) and make available to campus service providers for read-only access Provide campus service providers with mechanism for creating their own groups “Reserve” NetID through naming convention of applicantID Applicant onboarding: IT implementation
Business needs Student gets NetID as soon as deposit paid and has access to student services Student must be aware of IT policies and their responsibilities before accessing services Players College student services staff University Registrar’s staff IT Security Director IT Policy Director Faculty Advisory Group Identity Management IT staff Business decisions Require each student to take an online tutorial and quiz to introduce policies and network citizenship Deliver NetID in US mail until risk concerns adequately addressed Student onboarding: business view
Delivering online student services in a distributed environment Intra-campus online services Identity repositories Inter-campus online services External partners PeopleSoft LDAP directory Authentication Authorization Federation Infrastructure InCommon Shibboleth Single sign-on with NetID rfc32 for all services Kerberos CUWebLogin Radius Active Directory Permit Server Grouper Signet ILiad Policy and business process
Delivering online services to all Cornell users Intra-campus online services Identity repositories Inter-campus online services External partners PeopleSoft LDAP directory Authentication Authorization Federation Infrastructure InCommon Shibboleth Kerberos CUWebLogin Radius Active Directory Permit Server Grouper Signet Single sign-on with NetID for all services ILiad Policy and business process