IT Architecture and Infrastructure Committee, 2.10.17 Packet (PDF transcript)
IT Architecture and Infrastructure Committee
9:00-10:30 a.m., February 10, 2017, FAC 228D
I. 9:00-9:30 Printing (Eric Hepburn)
II. 9:30-10:00 IAM Modernization Program – Update (CW Belcher, Rosa Harris, Madia McCarthy)
III. 10:00-10:20 Urgent Update (David Pavkovic)
IV. 10:20-10:30 UT Cloud Services Subcommittee – Discussion (Charles Soto)
IAM Modernization Program (IAMMP)/SailPoint Implementation
IT Architecture & Infrastructure Committee, Friday, February 10, 2017
CW Belcher, Associate Director; Joel Guajardo, Senior Business Analyst
Agenda
• IAMMP Background and Approach
• Interface and Data Overview
• Group and Role Management Overview
• Next Steps
• Q&A
2 IAMMP – IT Architecture & Infrastructure Committee 2/10/2017
IAMMP Background
• The Identity and Access Management (IAM) Strategic Roadmap prioritized the implementation of new enabling technologies to address several functional gaps in IAM services.
• Functional gaps in current IAM services include manual processes, delays in onboarding and poor visibility regarding who has access to what.
• SailPoint IdentityIQ (IIQ) was selected as the software to address those gaps and modernize our IAM services across the University.
IAM Services
• Identity Administration: digital identity management, password management, and identity data provisioning
• Authorization and Access Governance: role-, rule-, and attribute-based authorization management
• Identity Repository: central directories and repositories of identity information
• Authentication: authentication services for enterprise and cloud applications
IAM Enabling Technologies
IAM Services and IAM Enabling Technologies
• Identity Administration (digital identity management, password management, and identity data provisioning): SailPoint IIQ
• Authorization and Access Governance (role-, rule-, and attribute-based authorization management): SailPoint IIQ
• Identity Repository (central directories and repositories of identity information): TED, AD, etc.
• Authentication (authentication services for enterprise and cloud applications): UTLogin/Shib
IAMMP Implementation Approach
The IAMMP work has been organized into three phases based on campus stakeholder input and technical dependencies:
Phase 1 (2016 – Summer 2017)
• Technical Architecture and Environments
• Interface and Data Transition Strategy and Implementation
• Group and Role Management Foundation
Phase 2 (Fall 2017 – Fall 2018)
• Identity Administration and Provisioning
• Password and Credential Management
• Risk-Based Security Controls and Assurance Level Management
• Group and Role Management Expansion
Phase 3 (2019)
• Access Request and Approval Management
• Access Recertification
• Enterprise Authorization Reporting
• Group and Role Management Expansion (continued)
IAMMP Phase 1 Progress
Technical Architecture and Systems Environments
• Built eight environments
• Automated and executed test scripts
Phase 1 Interface and Data Implementation
• Designed Identity Hub components and integrations
• Building Identity Hub components and integrations
• Executing initial testing between SailPoint and Workday
Group and Role Management
• Confirmed early adopters and roles
• Finalized use cases and requirements for basic Group and Role Management functionality
• Designing Group and Role Management functionality and integrations
• Defining the role governance model/process
INTERFACE AND DATA OVERVIEW
Phase 1 Identity Hub (diagram)
• Authoritative Sources: Mainframe, TIM Web Apps
• Identity Hub: TIM, SailPoint IdentityIQ
• Existing Downstream Systems (incl. TED & Austin AD)
• Onboarded Disconnected Systems
• Onboarded Connected Systems
Phase 1 Identity Hub with Workday (diagram)
• Authoritative Sources: Mainframe, TIM Web Apps, Workday
• Identity Hub: TIM, SailPoint IdentityIQ
• Existing Downstream Systems (incl. TED & Austin AD)
• Onboarded Disconnected Systems
• Onboarded Connected Systems
GROUP AND ROLE MANAGEMENT OVERVIEW
Group and Role Management Scope
• Establish basic functionality and role governance model and process
• Implement early adopter roles
• Integrate early adopter applications
• Develop a role adoption plan to guide next steps
IAM Standard Model The objective of the IAM standard model is to onboard applications and role functionality in a consistent manner, promoting University wide standard policies and procedures for account and access management.
Diagram elements:
• Inputs: Applications, Departments
• IAM Standard Model: Identity Lifecycle Workflows, Access Requests, Application Integration, Governance
• Output: IAM Services
Onboarding process: Interview Customer > Identify Useful Services > Configure for Customer
Role Management Use Cases by Phase
• Phase 1: Joiner, Mover, Leaver
• Phase 2: Joiner, Mover, Leaver, Reconciliation, Reporting, Certification, Role Maintenance, Access Request
• Phase 3: Role Maintenance, Access Request, Reporting, Certification
Legend: Initial Limited Functionality / Full Functionality (the matrix shades each use case by one of these levels per phase; the shading itself is not carried in this transcript)
Levels of Engagement
• Level 1 (How: Read-Only Connection to SailPoint IIQ): Reporting, Reconciliation, Email Notifications
• Level 2 (How: Query TED or AD for Group Membership): Group Management, Indirect Provisioning, Automated Group Assignment
• Level 3 (How: Direct Connection to SailPoint IIQ via OOTB Connector): Role Modeling, Direct Provisioning, Access Requests, Certifications
Benefits
• Automated provisioning and access control
• Reduced time, effort and errors across access requests, approvals and certifications
• Structured Segregation of Duties with preventative and corrective actions
• Simplified and predictable access control model
• Simplification of responsibilities for an administrator
• Scalable access control
• Accurate reporting of who has access to what
Early Adopter Applications

Application | Organization | Application Type | Justification
--- | --- | --- | ---
TED | Identity and Access Management | Connected (Direct Connector) | Foundational Application
Active Directory | ITS Systems | Connected (Direct Connector) | Foundational Application
MS Office365 | ITS Systems | Connected (AD) | Significant impact on manual processes; Birthright for Employees
TSC Tools | ITS Networking | Connected (TED) | Identified by ITS Networking as in need of a centrally managed authorization system
Usher Web Apps | College of Communication | Connected (TED & AD) | Birthright for College of Communication
ServiceNow | ITS Customer Support Services | Disconnected (Direct Connector) | Strategic Application
Spectra | UT Athletics | Disconnected (Flat File) | Audit issues with separations
Wikis | Web & Contract Services | Disconnected (JDBC) | Helps address pain point for separations
Joiner Example
Scenario: a staff member joins the School of Journalism.

Birthright business roles (BR)
• BR – UT Austin – Current Employee: requires the IT role ITR – O365 – Mailbox Access. By virtue of the Required IT Role, this assigns AD Group – O365 Mailbox.
• BR – All – Current Staff: applies to all Staff Joiners across the University. Inherits BR – UT Austin – Current Employee, so the O365 mailbox access follows by virtue of inheritance from the Birthright Business Role.

IT role (ITR) for the School of Journalism
• ITR – USHER – JOU Staff: applies to all Staff Joiners for the School of Journalism. Assigns AD Group – USHER JOU Staff and TED Group – USHER JOU Staff.

Access granted outside the role model
• TED Group – TSC Manager in School of Journalism: by request of the TSC Manager for the School of Journalism.
• Wikis – Users Group: by logging into Wikis.
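The Joiner, Mover and Leaver use cases of the Role Management slide and this Joiner Example describe one mechanism: business roles that inherit other business roles and require IT roles, IT roles that carry the actual group entitlements, and an identity's effective access recomputed from its attributes at each lifecycle event. The Python below is an added illustration of that mechanism, not code from the original page or from SailPoint IdentityIQ. The role and group names are the slide's; the identity attributes (status, class, dept), the assignment rules, the sample identity jdoe and the handling of directly granted access are assumed.

```python
"""Joiner / mover / leaver evaluation over a small role model.

Added example, not SailPoint IdentityIQ code or the project's own code. The
role names come from the Joiner Example slide; the identity attributes
(status, class, dept), the assignment rules and the sample identities are
assumed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Entitlement:
    system: str  # target system: "AD", "TED", "Wikis"
    group: str   # group in that system


@dataclass
class Role:
    name: str
    inherits: tuple = ()                           # parent business roles
    requires: tuple = ()                           # IT roles this role pulls in
    assigns: frozenset = frozenset()               # entitlements granted directly
    rule: Optional[Callable[[dict], bool]] = None  # birthright/assignment rule


# Role catalogue mirroring the slide (plain hyphens instead of the slide's dashes).
# The rules over identity attributes are assumed.
ROLES = {r.name: r for r in [
    Role("BR - UT Austin - Current Employee",
         requires=("ITR - O365 - Mailbox Access",),
         rule=lambda i: i.get("status") == "active"),
    Role("BR - All - Current Staff",
         inherits=("BR - UT Austin - Current Employee",),
         rule=lambda i: i.get("status") == "active" and i.get("class") == "staff"),
    Role("ITR - O365 - Mailbox Access",
         assigns=frozenset({Entitlement("AD", "O365 Mailbox")})),
    Role("ITR - USHER - JOU Staff",
         assigns=frozenset({Entitlement("AD", "USHER JOU Staff"),
                            Entitlement("TED", "USHER JOU Staff")}),
         rule=lambda i: (i.get("status") == "active" and i.get("class") == "staff"
                         and i.get("dept") == "JOU")),
]}


def assigned_roles(identity: dict) -> set:
    """Roles whose assignment rule matches the identity's current attributes."""
    return {n for n, r in ROLES.items() if r.rule is not None and r.rule(identity)}


def expand(names) -> set:
    """Transitive closure over 'inherits' and 'requires'; tolerates cycles."""
    seen, todo = set(), list(names)
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(ROLES[n].inherits + ROLES[n].requires)
    return seen


def effective_entitlements(identity: dict) -> frozenset:
    """Every group the identity should hold by virtue of its roles."""
    return frozenset().union(*(ROLES[n].assigns for n in expand(assigned_roles(identity))))


def _key(e: Entitlement):
    return (e.system, e.group)


def lifecycle_event(before: Optional[dict], after: Optional[dict],
                    direct: frozenset = frozenset()) -> dict:
    """Provisioning plan for a joiner (before is None), a mover (attributes
    change) or a leaver (after is None). 'direct' is access the identity holds
    outside any role (requested, or created by the application itself). Role
    access is recomputed from the new attributes; direct access is revoked only
    for a leaver and is flagged for review on a mover. That split is a design
    choice of this example, not a description of IIQ behaviour."""
    current = (effective_entitlements(before) if before else frozenset()) | direct
    target = (effective_entitlements(after) | direct) if after else frozenset()
    return {
        "add": sorted(target - current, key=_key),
        "remove": sorted(current - target, key=_key),
        "review": sorted(direct, key=_key) if before and after else [],
    }


# Constructed sample data: a School of Journalism staff joiner who later
# transfers to another department and finally separates.
JOINER = {"uid": "jdoe", "status": "active", "class": "staff", "dept": "JOU"}
MOVED = dict(JOINER, dept="CS")
# Access from the slide that no role grants: the TED group given on request of
# the TSC Manager, and the Wikis group created when the user first logs in.
DIRECT = frozenset({Entitlement("TED", "TSC Manager in School of Journalism"),
                    Entitlement("Wikis", "Users Group")})

if __name__ == "__main__":
    for label, args in [("joiner", (None, JOINER)),
                        ("mover", (JOINER, MOVED, DIRECT)),
                        ("leaver", (MOVED, None, DIRECT))]:
        plan = lifecycle_event(*args)
        print(label, {k: [f"{e.system}:{e.group}" for e in v] for k, v in plan.items()})
```

Running the file prints the three plans. The joiner receives the O365 mailbox group through the inheritance and requirement chain plus the two USHER JOU Staff groups from the Journalism IT role. The mover is the case worth looking at: the USHER JOU Staff groups are revoked automatically because the attribute-driven role no longer applies, while the requested TED group and the Wikis group survive the transfer and are only flagged. Catching that leftover access is exactly what the Reconciliation and Certification use cases of the later phases exist for; the leaver plan, by contrast, removes everything regardless of how it was granted.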
NEXT STEPS
Next Steps
• April – Group and Role Management Adoption Plan
• June – Group and Role Management Go Live for Early Adopters
Questions?
Contact Us
Email: [email protected]
Web: https://iamservices.utexas.edu/projects/iammp