
NSF Middleware Initiative: Managing Identity on Campus

NSF Middleware Initiative: Managing Identity on Campus. Michael R Gettes, Duke University Tom Barton, University of Chicago. Observations on: Identity & Access Management, Middleware & Security in U.S. Higher Education. Michael R Gettes Duke University gettes@Duke.EDU.


Presentation Transcript


  1. NSF Middleware Initiative: Managing Identity on Campus
     Michael R Gettes, Duke University
     Tom Barton, University of Chicago

  2. Observations on: Identity & Access Management, Middleware & Security in U.S. Higher Education
     Michael R Gettes, Duke University, gettes@Duke.EDU

  3. We recognize there exists a larger world...

  4. Identity & Access Management?
     • #1 issue in Higher Education - 2005/2006 EDUCAUSE IT Survey.
     • Less than 10 years old - some HE schools have been doing it much longer.
     • IAM is defined by many components, as follows ...

  5. IAM Components a.k.a. “middleware” (1)
     • Systems of Record (HR, SIS, Alumni, Telecom, Affiliates)
     • Information Switch (Vendor/build)
     • Entity registry (Vendor/build)
     • Identity business rule handling (Vendor/build)

  6. IAM Components a.k.a. “middleware” (2)
     • Authentication
       • (Password, PKI, Kerberos (ECAR Survey - K5 everywhere), ...)
     • Privilege Mgmt (Authority/Authorization)
       • (Signet, HR system, ...)
     • Group Mgmt
       • (Vendor, Grouper, Build)
     • Directories - fast repositories
       • (Vendor, Open Source)

  7. IAM Components a.k.a. “middleware” (3)
     • Service Provisioning
       • Vendor, Built, Nexus
     • Message Mgmt - real-time and queuing
       • Vendor, Built or Jabber/XMPP

  8. IAM Components a.k.a. “middleware” (4)
     • Attribute Delivery
       • PKI, SAML/Shibboleth, Directory, Vendor, (Various)
     • Authorization, Act of (by Application)
       • Policy Decision Point (PDP)
       • Policy Enforcement Point (PEP)

  9. Age of this Technology
     • Technology is young.
     • Lots of options - many more than just 5 years ago.
     • If you buy - you will still need to build your own Identity Business Rules. Buy *and* Build decision.
     • NSF/Internet2 Middleware - these “solutions” are simply options. If you believe in Open Source - they are good. If not, then use these solutions to drive vendors for what you want. Remain aware of trends.

  10. Institutional Issues
     • STAY OFF THE FRONT PAGE OF NATIONAL NEWS!!!
     • IAM is part of any “good” security program.
     • Each institution having IAM leads to better National Security - or at least the perception of it.
     • IAM leads to Access Control via Authority Management, Authorization and timeliness

  11. Institutional Issues (2)
     • Nobody cares about implementing IAM. Need to define it in terms of Infrastructure to deliver a set of Services/Goals.
     • Duke - Goal is 1 hour to get ID Card and NetID services for a new employee, and 1 hour for status changes (job changes) to take effect.
     • Buy-in from VPs, EVP, Provost, etc...

  12. Institutional Issues (3)
     • Consider rolling affiliates (non-student/fac-staff/alumni) into the HR system - many contracts are based on FTE (= paid person). You might get affiliate management for free.
     • How do ID Proofing processes (identity registration) need to change for students and staff to enhance Business services?

  13. Institutional Issues (4)
     • How do we validate our processes? Is my institution doing a good job on IdM?
       • CAF - Credential Assessment Framework
     • How do we know if other institutions are doing a good job?
       • Federations! Like-minded organizations seeking like-minded services.

  14. Institutional Identity
     • BRANDING of the institution via E-Identity
       • my.harvard, stanford.you, CNetID (Chicago)
     • How easy is institutional initiation?
     • How easy is it to change function at the institution?
     • Uniting the institution electronically - overcoming typical political boundaries

  15. Levels of Assurance (LoA)?
     • Classify the requirements of an application
     • Assign confidence levels to the ID Proofing and Electronic Authentication processes
     • Define the mapping between requirements and confidence
     • As simple as a number (Levels 1, 2, 3, 4).
     • Define confidence in terms of application requirements and you can use the same value for both.
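As an added example (not code from the slides, nor from any NMI/Internet2 project), the following Python ties slide 8 (PDP/PEP) and slide 15 (LoA) together: a small policy decision point that scores a credential by the weaker of its ID-proofing and authentication confidence levels, compares that against an application's requirement expressed on the same 1..4 scale, checks a delivered affiliation attribute, and a policy enforcement point that only invokes the application when the decision is permit. The eduPersonAffiliation attribute name, the integer LoA scale, the payroll policy and all sample assertions are assumptions constructed for the example.

```python
"""Added example, not from the slides: a minimal policy decision point (PDP)
and policy enforcement point (PEP) applying a Level-of-Assurance (LoA) check
and an attribute check to an incoming assertion.

Assumptions not in the original deck: LoA is an integer 1..4 assigned
separately to the ID-proofing process and to the authentication event; the
application states its requirement on the same 1..4 scale; delivered
attributes use the eduPerson name eduPersonAffiliation. Every sample
assertion below is constructed for the example."""

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Credential:
    """Confidence levels the credential service provider assigned."""
    proofing_loa: int  # how well identity was proofed at registration
    auth_loa: int      # strength of the authentication event (password, PKI, ...)

    def effective_loa(self) -> int:
        # The credential is only as strong as the weaker of the two steps.
        return min(self.proofing_loa, self.auth_loa)


@dataclass(frozen=True)
class AppPolicy:
    """What an application requires, expressed on the same LoA scale."""
    name: str
    required_loa: int
    allowed_affiliations: FrozenSet[str]


@dataclass
class Decision:
    permit: bool
    reasons: List[str]  # empty when permitted


def decide(policy: AppPolicy, cred: Credential, attrs: Dict[str, List[str]]) -> Decision:
    """PDP: compare the assertion against the application's policy.

    Every failing check is recorded, so a denied user (or an auditor) can see
    whether the problem is credential strength, affiliation, or both.
    """
    reasons: List[str] = []
    loa = cred.effective_loa()
    if loa < policy.required_loa:
        reasons.append(f"LoA {loa} < required {policy.required_loa}")
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    if not (affiliations & policy.allowed_affiliations):
        reasons.append(f"no permitted affiliation in {sorted(affiliations)}")
    return Decision(permit=not reasons, reasons=reasons)


def enforce(policy: AppPolicy, cred: Credential, attrs: Dict[str, List[str]],
            serve: Callable[[], str]) -> Tuple[str, object]:
    """PEP: ask the PDP, then either call the application or refuse.

    The application handler `serve` is never invoked on a deny; that is the
    property the PEP exists to guarantee.
    """
    decision = decide(policy, cred, attrs)
    if not decision.permit:
        return ("deny", decision.reasons)
    return ("permit", serve())


# Constructed sample policy: payroll self-service wants LoA 2 and an employee.
PAYROLL = AppPolicy(
    name="payroll-self-service",
    required_loa=2,
    allowed_affiliations=frozenset({"faculty", "staff"}),
)

# Constructed sample assertions: (credential levels, delivered attributes).
SAMPLES = {
    "staff_strong": (Credential(proofing_loa=2, auth_loa=3),
                     {"eduPersonAffiliation": ["staff", "member"]}),
    # Well proofed, but authenticated with only a weak mechanism.
    "staff_weak_auth": (Credential(proofing_loa=3, auth_loa=1),
                        {"eduPersonAffiliation": ["staff", "member"]}),
    # Strong enough credential, but not an employee.
    "student": (Credential(proofing_loa=2, auth_loa=2),
                {"eduPersonAffiliation": ["student", "member"]}),
    # Fails both checks; both reasons are reported.
    "guest_weak": (Credential(proofing_loa=1, auth_loa=1),
                   {"eduPersonAffiliation": ["affiliate"]}),
}


def run_samples() -> Dict[str, Tuple[str, object]]:
    """Run every constructed sample through the PEP and collect the outcomes."""
    return {name: enforce(PAYROLL, cred, attrs, lambda: "pay stub")
            for name, (cred, attrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:16s} -> {outcome}")
```

Taking the minimum of the proofing and authentication levels is what lets one number stand for both the credential and the requirement, as the slide suggests: a PKI credential issued after a weak registration process is still a weak credential, and the PDP reports exactly which of the two fell short.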

  16. Federation? A collection of organizations, having implemented some form of Identity Management, where Credential Service Providers (CSP, Universities) and Service Providers (SP, Content Providers) agree to “rules of engagement” (policy and attributes) using federating software (SAML/Shibboleth, PKI, CardSpace ...)

  17. Higher Ed Activity...
     • InCommon - SAML based Federation
     • Inter-Federations - Can they work?
     • USHER - US Higher Education Root - PKI
     • HEBCA - Bridged PKI similar to USGov
     • Federal eAuth involvement (www.cio.gov)
     • Research community seeking Id Mgmt
       • NSF CyberInfrastructure
     • Shy away from Biometrics - What if you lose your E-thumb?
     • National ID vs. Federated ID - NOT RFID!

  18. Your mileage ... will vary
