14.06.05 IT Summit IAM Presentation
Transcript of 14.06.05 IT Summit IAM Presentation
A CASE OF IDENTITY: Building Solutions to Assist
WHAT IS IDENTITY & ACCESS MANAGEMENT?
Identity and access management (IAM) technologies and services
enable the right individuals to access the right resources at the
right times for the right reasons.
We all use IAM solutions many times a day:
• Logging in to websites, servers, and other resources
• Accessing research materials at Harvard and beyond
• Checking a colleague’s calendar for a meeting
• Adding, removing, or changing employee records
At Harvard, the IAM Program exists to streamline these interactions
and make it easier for you to do your day-to-day tasks.
Objectives, Guiding Principles, and Key Performance Indicators
Objectives
• Simplify User Experience: simplify and improve access to applications and information inside and outside of the University
• Enable Research & Collaboration: make it easier for faculty, staff, and students to research and collaborate within the University and with other institutions
• Protect University Resources: improve the security stature of the University with a standard approach
• Facilitate Technology Innovation: establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies
Guiding Principles
• Harvard Community needs will drive our technology
• Tactical project planning will remain aligned with the Program strategic objectives
• Solution design should allow for other Schools to use the foundational to communicate with the IAM system in a consistent, federated fashion
• Communication and socialization are critical to our success
Key Performance Indicators
• Monthly number of help desk requests relating to account management
• Monthly number of registered production applications using IAM systems
• Monthly number of user logins and access requests through IAM systems
• Monthly number of production systems to which IAM provisions
Our vision: Provide users, application owners, and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing.
ABOUT THE IDENTITY LIFECYCLE
[Diagram: identity lifecycle stages: Provisioning, Authentication, Permissions, Self-Service, Deprovisioning, Authorization]
[Case studies that follow: Alumni, HKS, HMS]
Harvard Medical School: Improved User Provisioning
Erica Bradshaw, Director, Identity and Access Management Strategy and Planning, HUIT
Tyson Kamikawa, Director, Shared Platforms and IT Effectiveness, HMS
HMS: IMPROVED USER PROVISIONING
Current State
[Diagram labels: MADRIS, HSPH XML, Guest, Test, Apps Server]
• Difficult to change
• Potential duplication of HU efforts
• Aging guest account process
• Account EOL not managed well
Future State
[Diagram labels: MADRIS, HSPH XML, Guest, Test]
• Leverage HU platform
• Reduce complexity & effort
• Robust toolset
• Improved business process
• Long-term redundancy reduction
Harvard Kennedy School: Federated Authentication
Gretchen Grozier, IAM Community Program Manager, HUIT
Steve Duncan, Director of Information Technology, HKS
Paul Hermany, Information Developer, HKS
HKS: FEDERATED AUTHENTICATION
Authentication Design in 2008
• Standardized on Active Directory
• Focused on HKS faculty, staff, and students
  - Manual process put in place to provision “sponsored accounts” for HKS affiliates
• Single sign-on a key requirement
• Kept it simple:
  - Selected products and solutions built to work with AD
  - Minimized the amount of custom code needed for authentication and authorization
Pressures on the System
• Increased collaboration between Schools means more and more accounts provisioned each year
  - Jointly-listed courses
  - Cross-registration
  - Research collaboration
• More reliance on timely access to digital classroom materials
  - HKS has gone digital for all course materials
  - Significant growth in the number of digital cases
• HKS goal to actively engage alumni
• Higher user expectations
• Security concerns
User Frustrations
• Additional usernames and passwords
• Time delay in provisioning accounts
• Complicated process for requesting accounts
Staff Frustrations
• IT Help Desk overrun each semester with calls from non-HKS students who have forgotten passwords or are otherwise confused
• IT operations staff burdened with process of deprovisioning accounts
Advantages of Federation
• Better user experience
  - Users use an account they already know
  - No delays in provisioning
• Lower HKS IT support costs
  - No need to provision/deprovision accounts or maintain passwords
• Active Directory Federation Services works well with HKS key technologies
• Attributes can be delivered for authorization decisions
[Diagram: federation architecture. Labels: Active Directory Federation Services, SAML Aware Application, Shibboleth, PIN, Alumni, Faculty/Staff/Students, Tufts/MIT/…, Harvard]
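The attributes mentioned above are what a SAML-aware application consumes once ADFS or Shibboleth has authenticated the user. As an added example (not code from the presentation, HKS, or HUIT), the Python below takes a constructed, unsigned SAML 2.0 assertion, checks its validity window and audience, and turns eduPersonScopedAffiliation values from trusted federation partners into application-level affiliations; the entity ID and scopes are assumed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPersonScopedAffiliation: released by federated IdPs as "affiliation@scope".
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Constructed sample assertion (unsigned; illustration only, not a real IdP response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2014-07-01T12:00:00Z" NotOnOrAfter="2014-07-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.edu/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>alum@example.edu</saml:AttributeValue>
      <saml:AttributeValue>member@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_hold(root, audience, now):
    """Reject assertions outside their validity window or issued for another SP."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _utc(nb)) or (na and now >= _utc(na)):
        return False
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return audience in audiences


def affiliations(assertion_xml, audience, trusted_scopes, now_stamp):
    """Return sorted affiliations the SP may act on, or [] if the assertion is unusable.
    Signature verification is out of scope here; a real SP verifies the IdP's XML
    signature before trusting any attribute."""
    root = ET.fromstring(assertion_xml)
    if not conditions_hold(root, audience, _utc(now_stamp)):
        return []
    granted = set()
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{SCOPED_AFFILIATION}']"
    for attr in root.findall(path, NS):
        for value in attr.findall("saml:AttributeValue", NS):
            affiliation, _, scope = (value.text or "").partition("@")
            if scope in trusted_scopes:  # honor only scopes of partners we federate with
                granted.add(affiliation)
    return sorted(granted)
```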
Implementation Timeline
• HKS Alumni: July 2014
• HU Faculty, Staff, Students: July 2015
• Tufts, MIT: July 2015
Harvard Alumni Association: A Seamless Transition
Jane Hill, Director, IAM Product Management, HUIT
Julie Broad, Director, Alumni Affairs & Development Technology
Diverse Alumni Populations from Multiple Sources
• More than 380,000 alumni
• Executive Education Programs: one semester or 9+ weeks of program work
• Degree Recipients
HAA: A SEAMLESS TRANSITION
Harvard Alumni Association Supports
[Diagram labels: Online Directory Tools Donate; Event Hub Events Clubs; Online Career Advising Services Networking]
Process Challenges and Cranky Users
REGISTER
• New admits are in the system right away
• Regular updates flow from Registrar
• But as graduation approaches, we ask students to register (huh?) so we can issue them a new, separate account
CREDENTIAL
• Challenging to know if user registering is who they say they are
• Lack of a process for HUID/PIN to be reset after graduation frustrates recent grads
SUPPORT
• Some schools have their own separate credentials and services
• Multiple Helpdesks add to user confusion
IAM Objectives Support Alumni Engagement
Objectives: Improve End User Experience; Expand Access to Resources; Balance Convenience and Security
• Eliminate the need to register with HAA
• Allow student accounts to work forever
• Use standard processes for password reset, account management
• Enable separate help desk and tailor process designs for alumni
• Standard Harvard credentials make it simpler for application owners to extend access to HAA-approved resources
• Provide information on what resources are available
• Standard credential model provides opportunities to offer services to new groups of people in future — donors, parents, etc.
• Improve self-service password reset by enabling option to specify both phone and email recovery information
• Tailor onboarding and proofing to HAA populations
• Provide standard protocols for easier integration of new applications
HOW DOES THIS BENEFIT ME?
(Didn’t pick up a chart? Raise your hand, we’ll get you one.)
Stakeholder: End Users
Experience Today:
• Different user names and credentials to access Harvard and non-Harvard apps and data
• Creating and managing user accounts is manual and paper-based
• No access to external sites, or forced to register for accounts
• Access to services and resources interrupted when users change, add, or leave roles
Future Goals:
• Access information and perform research across schools (and with other institutions) using a single credential
• Manage own accounts and sponsor others through a centralized web application
• Use internal Harvard credentials to access common external sites
• Use the same set of credentials despite changes in status, roles, or affiliations
Stakeholder: Application Owners
Experience Today:
• Tough to integrate access management, meaning long implementation timelines and higher costs
• Forced to grant application access to users with the same rights on a one-by-one basis
Future Goals:
• Easily integrate Harvard users with internal and external applications via an application portal
• Control user access in groups, not individuals
Stakeholder: People Administrators
Experience Today:
• Must create sponsored guest identities manually, resulting in delays and loss of productivity
• Can’t streamline deprovisioning of users’ access privileges across multiple systems
Future Goals:
• Sponsors can create and manage external parties’ identity and access
• Automated provisioning reduces the burden on people administrators of disparate systems and improves Harvard’s security posture
IAM: IN SUMMARY
• Identity begins at the first login screen
• IAM exists to make onboarding, day-to-day use, role changes and access to resources easier for everyone in the Harvard Community
• Our efforts will improve productivity and make day-to-day life simpler for faculty, staff, students, researchers, people administrators, application owners, and more
• And when IAM services are done right, you don’t even notice the effects — things just work
Take the mystery out of identity.
Learn more about our program at iam.harvard.edu