jane hill directory services product manager, harvard university

11
Jane Hill Directory Services Product Manager, Harvard University

Upload: branden-sutton

Post on 17-Jan-2016

213 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Jane Hill Directory Services Product Manager, Harvard University

Jane Hill

Directory Services Product Manager, Harvard University

Page 2: Jane Hill Directory Services Product Manager, Harvard University

Identity Infrastructure Is “In”

• Privacy and security concerns have increased focus on digital identity and allowable use

• Policy discussions are actually moving and are involving business and IT

• Of course, it mattered all along, but more people seem to grasp the strategic importance and potential exposures

Page 3: Jane Hill Directory Services Product Manager, Harvard University

Progress with Policy• No formal enterprise data administration

committee now but policies have been collected at security.harvard.edu– Led by Scott Bradner, University

Information Security Officer – Work is ongoing

• Departments and schools are appreciative of the guidance

Page 4: Jane Hill Directory Services Product Manager, Harvard University

Recent Focus on FERPA

• Interpreting FERPA in context of the online classroom

• Concern that students should not be forced to remove FERPA block in order to have a fully-functional online instructional experience

• Course tools and online community tools (like iSites) present challenges

Page 5: Jane Hill Directory Services Product Manager, Harvard University

Example Policy Clarification

• Online classroom and FERPA: online environment can mimic physical classroom

• Officially registered students and instructional staff can see the name, email and image of the course participants

• Students are cautioned that FERPA does not pertain in online classroom (e.g. in an online discussion group, email will be visible)

Page 6: Jane Hill Directory Services Product Manager, Harvard University

Too Much of a Good Thing?• Using our privacy system, users can opt out of whitepages,

data element by element• But using these privacy preferences beyond whitepages

causes issues• Example: If I am adding a user to a website, and type her in by

email or HUID, and I can only return name for validation if individual is non-private, how do I add the private person as a user?– Move to invitation/opt-in mechanism? – Should public sites work differently?– If website administrators are also students, does that change what we

can let them do?

• Application privacy preference, or enterprise privacy preference?

Page 7: Jane Hill Directory Services Product Manager, Harvard University

What Is Feasible Today?• We believe we can flip the current security model with

regard to users– Analyze the user and their role, rather than a list of users

• What is right balance between federation and storing as enterprise data?

• Aggregate the user data, or use virtual approach?– Federate or take on the process of collecting?– What do we really need to own?– Will virtual repositories work?– Will source system owners accept that approach?

Page 8: Jane Hill Directory Services Product Manager, Harvard University

On Our Mind

• If we can store role at right level of detail will we be able to: – eliminate the need for applications to have their

own copy of people data?– provide access to resources based on policy

rather than user-driven requests?

• Will enterprise applications expect IdM infrastructure to exist and start deemphasizing proprietary application security?

Page 9: Jane Hill Directory Services Product Manager, Harvard University

Our IdM Project

• Engaging business and technology sides in design– Perpetual communication required around

strategic importance and urgency

• Less custom code; use vendor tools and let them keep up with standards

• Ask hard questions like “what do we really need to store?”– Can we use virtual repositories?– Aggregate or federate across domains?

Page 10: Jane Hill Directory Services Product Manager, Harvard University

Improve Data Foundation• Replace overburdened ID card system with loosely

coupled, well defined systems• Identity database components:

– Identity management • Uniquely identify people (one ID for life)• Status and role

– Common data• Address, phones and email

– Extended data about roles • Additional authorization and access management

• New processes?– Coping with provisioning the incoming employee– What kind of ID do we give people? Who performs the ID’ing?

Page 11: Jane Hill Directory Services Product Manager, Harvard University

Jane Hill, Directory [email protected]

Kishan Mallur, IT Infrastructure [email protected]

Scott Bradner, University Information Security Officer

[email protected]