jane hill directory services product manager, harvard university
TRANSCRIPT
Jane Hill
Directory Services Product Manager, Harvard University
Identity Infrastructure Is “In”
• Privacy and security concerns have increased focus on digital identity and allowable use
• Policy discussions are actually moving and are involving business and IT
• Of course, it mattered all along, but more people seem to grasp the strategic importance and potential exposures
Progress with Policy• No formal enterprise data administration
committee now but policies have been collected at security.harvard.edu– Led by Scott Bradner, University
Information Security Officer – Work is ongoing
• Departments and schools are appreciative of the guidance
Recent Focus on FERPA
• Interpreting FERPA in context of the online classroom
• Concern that students should not be forced to remove FERPA block in order to have a fully-functional online instructional experience
• Course tools and online community tools (like iSites) present challenges
Example Policy Clarification
• Online classroom and FERPA: online environment can mimic physical classroom
• Officially registered students and instructional staff can see the name, email and image of the course participants
• Students are cautioned that FERPA does not pertain in online classroom (e.g. in an online discussion group, email will be visible)
Too Much of a Good Thing?• Using our privacy system, users can opt out of whitepages,
data element by element• But using these privacy preferences beyond whitepages
causes issues• Example: If I am adding a user to a website, and type her in by
email or HUID, and I can only return name for validation if individual is non-private, how do I add the private person as a user?– Move to invitation/opt-in mechanism? – Should public sites work differently?– If website administrators are also students, does that change what we
can let them do?
• Application privacy preference, or enterprise privacy preference?
What Is Feasible Today?• We believe we can flip the current security model with
regard to users– Analyze the user and their role, rather than a list of users
• What is right balance between federation and storing as enterprise data?
• Aggregate the user data, or use virtual approach?– Federate or take on the process of collecting?– What do we really need to own?– Will virtual repositories work?– Will source system owners accept that approach?
On Our Mind
• If we can store role at right level of detail will we be able to: – eliminate the need for applications to have their
own copy of people data?– provide access to resources based on policy
rather than user-driven requests?
• Will enterprise applications expect IdM infrastructure to exist and start deemphasizing proprietary application security?
Our IdM Project
• Engaging business and technology sides in design– Perpetual communication required around
strategic importance and urgency
• Less custom code; use vendor tools and let them keep up with standards
• Ask hard questions like “what do we really need to store?”– Can we use virtual repositories?– Aggregate or federate across domains?
Improve Data Foundation• Replace overburdened ID card system with loosely
coupled, well defined systems• Identity database components:
– Identity management • Uniquely identify people (one ID for life)• Status and role
– Common data• Address, phones and email
– Extended data about roles • Additional authorization and access management
• New processes?– Coping with provisioning the incoming employee– What kind of ID do we give people? Who performs the ID’ing?
Jane Hill, Directory [email protected]
Kishan Mallur, IT Infrastructure [email protected]
Scott Bradner, University Information Security Officer