Post on 03-Jan-2016

Integrated Institutional Identity Infrastructure: Implications

and Impacts

RL “Bob” Morgan

University of Washington

Internet2 Member Meeting, May 2005

3

IAM Drivers

• Compliance

• Collaboration

• Outreach

• Network security

• Gorilla applications

• Your driver here ...

4

Compliance

• External regulations
  • FERPA, HIPAA
  • Funding agency reqs: DoE, DoD, etc
  • State-agency regulations
  • Federal e-authentication
  • contractual

• Internal policies
  • Privacy
  • Financial controls

5

Privacy compliance support

• HIPAA, FERPA, local privacy regs, etc

• It's simple: control who can see what

• Process:
  • classify data (eg protected health info)
  • identify business processes, “need to know”
  • control access methods and data locations
  • identify and authenticate users
  • log and audit access (as needed)
  • manage policy expression, evolution

6

Infra Requirements

• Identity management
  • anti-sharing controls, support
  • process/system/service identities

• Authorization management
  • translate need-to-know, data classes into containers, ACLs, roles
  • integrate with biz processes (medical, teaching, ...)

• Log/audit/reporting support

• Privacy implementation guidance

7

US E-Authentication program

• Broad initiative supporting e-government
  • both citizen-facing and internal
  • based on NIST technical authentication guidelines, including 4 “levels of assurance”
  • using SAML protocol base (Shibboleth compatible)
  • most agencies must run compliant app in 2005
  • operating “Federal federation” of participating applications and credential providers
  • standards, practices will be widely used outside of government as well
  • http://cio.gov/eauthentication/

8

E-Authentication and us

• Universities and CAF compliance
  • indicate “institutional authority”
  • LoA requirements for: identity proofing, activation, revocation, password strength, good user practice
  • facility control, config/software management
  • helpdesk, password reset practice
  • record-keeping, audit, etc

• initial assessments done by GSA
  • future compliance via inter-federation peering
  • will support peering to other areas (eg financial)

9

Inter-institutional Collaboration

• Much large-scale funded research is inter-institutional

• funding vehicles are multi-institution projects, aka virtual organizations (VOs)

• institutional VO support is key to being in the game
  • not just facilities and networking any more
  • often international in scope

• many other collaborations at all scales
  • licensed content via consortia
  • institutes, centers, special programs, ...
  • ... and our own departments and colleges

10

Collaboration requirements

• Tools
  • mailing list, storage, web pub, calendar, ...
  • identity mgt, roles, groups, authz mgt, privacy

• and all must work inter-institutionally
  • network access
  • federated identity, or many sponsored accts
  • policy flexibility
    • e.g., “must be employee”
  • support VO policies, IAM technologies

11

Institutional Outreach

• New initiatives lead to new populations
  • alumni, retirees
  • applicants, prospects
  • K-12
  • regional medicine, patients
  • distance learning, int'l campuses
  • regional colleges

12

Supporting Outreach

• Identity management
  • low-cost or no-cost identity proofing
  • new lows in level of assurance, eg passwords
  • new process state changes, eg applicant->student, employee->retiree
  • patient process is likely high LoA

• Authorization
  • campus netid does not mean “campus user”
  • users not entitled to “regular service bundle”
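The access-control process on slides 5 and 6 (classify data, map need-to-know onto roles, authenticate users, log and audit) together with slide 12's point that holding a campus netid is not the same as being entitled to a service, as an added Python sketch that is not from the talk: the data classes, roles, LoA numbers and identities are all constructed for illustration.

```python
# Added toy example of the slides' process: classify data, express need-to-know
# as roles, require a minimum level of assurance (LoA), log every decision.
from dataclasses import dataclass
# Step 1: classify data; each class gets the minimum credential LoA (1-4).
MIN_LOA = {"public": 1, "student-record": 2, "phi": 3}
# Step 2: need-to-know per business process, as the roles allowed to read.
# Roles derive from affiliation and process, never from merely holding a netid.
NEED_TO_KNOW = {
    "phi": {"clinician", "billing"},
    "student-record": {"registrar", "advisor"},
    "public": {"*"},
}

@dataclass
class Identity:
    netid: str
    roles: set  # derived from affiliation / business process
    loa: int    # assurance level the credential was issued at

class Auditor:
    def __init__(self): self.records = []
    def log(self, netid, data_class, decision, reason):  # step 5: log and audit
        self.records.append((netid, data_class, decision, reason))

def authorize(ident: Identity, data_class: str, audit: Auditor) -> bool:
    # Allow only when both the need-to-know role and the LoA are satisfied.
    if data_class not in NEED_TO_KNOW:  # unclassified data: fail closed
        audit.log(ident.netid, data_class, "deny", "unclassified data")
        return False
    allowed = NEED_TO_KNOW[data_class]
    if "*" not in allowed and not (ident.roles & allowed):
        audit.log(ident.netid, data_class, "deny", "no need-to-know role")
        return False
    if ident.loa < MIN_LOA[data_class]:
        audit.log(ident.netid, data_class, "deny", f"LoA {ident.loa} below {MIN_LOA[data_class]}")
        return False
    audit.log(ident.netid, data_class, "allow", "role and LoA satisfied")
    return True

def demo():
    # Constructed identities: alumnus (netid, no campus role, LoA 1), clinician
    # proofed in person (LoA 3), billing clerk with a password-only LoA 2 credential.
    audit = Auditor()
    alum = Identity("alum1", {"alumni"}, 1)
    doc = Identity("doc1", {"employee", "clinician"}, 3)
    clerk = Identity("clerk1", {"employee", "billing"}, 2)
    decisions = [authorize(alum, "phi", audit), authorize(alum, "public", audit),
                 authorize(doc, "phi", audit), authorize(clerk, "phi", audit),
                 authorize(doc, "scratch", audit)]
    return decisions, audit.records
```

The clerk has the right role but a credential issued below the class's LoA, and the alumnus has a valid netid but no need-to-know role; both are denied and both denials land in the audit trail.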

13

Network access security

• High security, high access
  • keep viruses, worms, sniffers, spammers out
  • accommodate visitors, conferences with wireless

• Support
  • identity management for machines
  • network-layer authentication
  • device support, constrained net environment
  • easy access to (shared?) ids or registration
  • new policy considerations

14

Big application integration

• ERP, Portal, LMS, Grid
  • you're not just buying an app, you're buying infrastructure
  • and your deployers may treat them as infrastructure, ie creating their own processes for IAM etc
  • may be OK, but not likely to be general-purpose

• open-source packages are new opportunities
  • uPortal, Sakai, Kuali, Globus
  • many challenges same as with vendor packages
  • good integration examples can be infectious

15

Conclusion

• the perils of success
  • apps and orgs now come to infra providers seeking support, expecting advanced services
  • we still have to evangelize
  • budgets not going up exponentially ...

• architecture and integration
  • know what the pieces do and don't do
  • justify up-front costs, but focus on design wins
