Identity Management

Stuart Sim, Chief Architect, Global Education & Research, Sun
http://blogs.sun.com/stuart
Sun Proprietary/Confidential: Internal Use Only

36-page slide deck; posted 21-Dec-2015

Transcript

Page 1

Identity Management

Stuart Sim
Chief Architect, Global Education & Research
http://blogs.sun.com/stuart

Page 2

What Is Identity Management?

"Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities."

– The Burton Group

Page 3

Essential Functions of Identity Management

● Provision access – Establish, change, and remove user accounts and privileges
  Callout: Follow a standard workflow for tasks such as adding a new faculty member or deleting student access to course materials after a term has completed

● Authenticate – Confirm that users are who they claim to be
  Callout: "I'm John Doe and here's my ID and password to prove it"

● Authorize – Allow access to services based on business rules for group affiliations and roles
  Callout: All members of the group "Prof_Smith_Physics_301" have access to Professor Smith's Physics 301 online lecture notes

● Protect Privacy and Comply with Regulations
  Callout: Hide personal data and track usage patterns for audit trail without tracking private usage information such as who checked out specific books from the library

Page 4

Identity Addresses Top Priorities in Education

Top ten business trends in 2004 according to a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003:

● Security breaches/business disruptions
● Operating costs/budgets
● Data protection and privacy

Identity Management Can Improve Security, Reduce Costs, and Protect Privacy, the Top Three Business Priorities in Education

Page 5

Why Identity Is So Important in Education

● More stringent regulations
● Complex identity requirements & rapidly changing user roles
● Enormous scale
● 85% have experienced security breaches in the last 12 months
● Managing access to licensed digital content
● Federation to support collaborative research

Page 6

Higher Education Faces More Regulations¹

● External regulations requiring greater protection of personal information
  – e.g. Gramm-Leach-Bliley Act, Student and Exchange Visitor Information System, HIPAA, and FERPA
● New legislation regarding copyright protection
● Threats of lawsuits over intellectual property abuse or identity theft

¹ Zastrocky, Yanosky, and Harris, "Higher Education Faces More Regulations," Gartner, Research Note, December 23, 2003.

Page 7

Identity Requirements in Education are Complex

● Many roles with different access requirements
● Users often have multiple roles
● Frequently changing roles
● Multi-campus environment
● Legacy of multiple fragmented identity databases

Page 8

Security Incidents on the Rise

● Unauthorized access to sensitive institutional data
● Threats or abusive behavior
● Altered/vandalized Web site
● Research database hacked

More Than 85% Have Experienced IT Security "Incidents" in the Past 12 Months*

* Based on a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003

Page 9

Implementing Identity Management

Page 10

Every Application for Itself

● Authentication and logging functionality only
● Every application for itself in performing these functions
● Multiple user names and passwords must be remembered by users

Many Institutions Still Function Without a Centralized Directory Service, Despite the Inefficiencies

(Diagram: five separate applications, each with its own "Authentication" box)

Page 11

Central Authentication Services

● Applications have access to a single trusted authoritative source
● Simplifies user management through a single source of user credentials
● Open standards and APIs promote adoption across the enterprise

Enables Central Identity Management for Participating Applications

(Diagram label: "Central Authentication Service")

Page 12

Single Sign On Services

● Applications have access to services without re-authentication once the initial session is granted
● Support for multiple implementations
  – Web Initial Sign-On (Web ISO)
  – Pubcookie
  – CAS
● The beginnings of Federated Identity to simplify collaboration
  – SAML
  – Liberty
  – Shibboleth

Enables Web and non-Web Sign-On for Participating Applications

(Diagram label: "SSO Authentication Service")

Page 13

Complete Identity Management

● Workflow task automation
● Roles and rules-based authorization
● System-wide auditing and reporting
● Password self-administration
● Federation of identity information

(Diagram labels: Research, ERP, Digital Library, SIS, e-Learning; Administration Services, Transaction Services, Data Repositories)

Page 14

Components of Complete Identity Management

Component – Description
Reflect – Track changes to institutional data
Join – Establish and maintain identities
Credential – Issue digital credentials
Manage Affiliation – Manage affiliation and group information
Manage Privileges – Manage access privileges and permissions
Manage Passwords – Self-service password resets & synchronization
Provision – Push identity management info to other systems
Deliver – Publish access control information at runtime
Authenticate – Verify identities
Authorize – Allow/deny user access independent of authentication
Log – Track usage for audit purposes
Federate – Authenticate & authorize based on "trusted" source
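The components above, together with the callouts on page 3 (the Prof_Smith_Physics_301 group, the end-of-term removal workflow, and the audit trail that must not record which books a person borrowed), worked through as a small identity store. This is an added example for this transcript, not Sun's code and not any Sun product's API: Join creates one identity per person, Manage Affiliation and Manage Privileges express every entitlement as group membership, Provision runs the enroll and term-completed workflows, Authorize decides from affiliations alone, and Log writes a keyed pseudonym and hides item-level detail for services marked private. The users jdoe and asmith, the groups, the services, the audit key and the ISBN are all constructed.

```python
"""Identity lifecycle on a small institutional identity store.

Added illustration of Join, Manage Affiliation, Manage Privileges, Provision,
Authorize and Log (slides 3 and 14); not Sun's code and mirrors no product
API. All user, group, service and resource names are constructed sample data.
"""

import hashlib
import hmac
from collections import Counter


class IdentityStore:
    def __init__(self, audit_key: bytes, private_services: set):
        self.people = {}                  # uid -> set of groups (one identity per person)
        self.acl = {}                     # resource or "service:*" -> allowed groups
        self.audit = []
        self._audit_key = audit_key       # held by the audit function, never by applications
        self._private = private_services  # services whose items never appear in the trail

    # Join: exactly one identity per person
    def join(self, uid: str) -> None:
        if uid in self.people:
            raise ValueError(f"{uid} already has an identity")
        self.people[uid] = set()
        self._log("join", uid, None)

    # Manage Affiliation: group membership is the only source of privilege
    def add_affiliation(self, uid: str, group: str) -> None:
        self.people[uid].add(group)
        self._log("affiliate", uid, group)

    def remove_affiliation(self, uid: str, group: str) -> None:
        self.people[uid].discard(group)
        self._log("disaffiliate", uid, group)

    # Manage Privileges: a resource, or a whole service ("library:*"), names its groups
    def grant(self, resource: str, group: str) -> None:
        self.acl.setdefault(resource, set()).add(group)

    def _allowed_groups(self, resource: str) -> set:
        service = resource.split(":", 1)[0]
        return self.acl.get(resource, set()) | self.acl.get(service + ":*", set())

    # Authorize: decided from affiliations, independent of how the user authenticated
    def authorize(self, uid: str, resource: str) -> bool:
        groups = self.people.get(uid)
        allowed = groups is not None and bool(groups & self._allowed_groups(resource))
        self._log("access", uid, resource, allowed=allowed)
        return allowed

    # Log: keep usage patterns for audit without keeping private details
    def _log(self, action: str, uid: str, resource, **extra) -> None:
        # Keyed pseudonym: one person stays linkable across records, but only the
        # holder of the audit key can map a record back to a name.
        subject = hmac.new(self._audit_key, uid.encode(), hashlib.sha256).hexdigest()[:16]
        # For a private service the trail shows that it was used, never which item.
        if resource and resource.split(":", 1)[0] in self._private:
            resource = resource.split(":", 1)[0] + ":*"
        self.audit.append({"action": action, "subject": subject, "resource": resource, **extra})

    def usage_report(self) -> Counter:
        return Counter(e["resource"] for e in self.audit
                       if e["action"] == "access" and e["allowed"])


# Provision: standard workflows instead of per-application manual changes
def enroll(store: IdentityStore, uid: str, course_group: str) -> None:
    if uid not in store.people:
        store.join(uid)
    store.add_affiliation(uid, course_group)


def term_completed(store: IdentityStore, course_group: str) -> int:
    """Remove every member from a course group once the term ends; returns how many."""
    members = [uid for uid, groups in store.people.items() if course_group in groups]
    for uid in members:
        store.remove_affiliation(uid, course_group)
    return len(members)


def demo() -> dict:
    store = IdentityStore(audit_key=b"constructed-audit-key", private_services={"library"})
    store.grant("lecture-notes:physics301", "Prof_Smith_Physics_301")
    store.grant("library:*", "students")
    enroll(store, "jdoe", "students")
    enroll(store, "jdoe", "Prof_Smith_Physics_301")
    enroll(store, "asmith", "students")            # enrolled, but not in Physics 301
    during_term = (store.authorize("jdoe", "lecture-notes:physics301"),
                   store.authorize("asmith", "lecture-notes:physics301"))
    store.authorize("jdoe", "library:book/ISBN-0000000000")   # constructed item id
    removed = term_completed(store, "Prof_Smith_Physics_301")
    return {
        "during_term": during_term,
        "removed": removed,
        "after_term": store.authorize("jdoe", "lecture-notes:physics301"),
        "report": store.usage_report(),
        "audit_mentions_names": any(n in str(e) for e in store.audit for n in ("jdoe", "asmith")),
        "library_items_logged": {e["resource"] for e in store.audit
                                 if str(e["resource"]).startswith("library")},
    }
```

Calling demo() shows the lifecycle end to end: jdoe can read the Physics 301 notes during the term and asmith cannot, the term-completed workflow strips the one affiliation and the same request is then denied, the usage report still counts the lecture-notes and library accesses, and no audit record contains a user name or a book identifier.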

Page 15

Benefits of Full Identity Management Layer

● Enhanced security and privacy
● Improved user experience
● Lower systems integration costs
● Improved services scalability
● 'Real world' SOA

Page 16

Summary of Identity Solution Requirements

● Complete, integrated, centralized solution
  – Centralized authentication, authorization and auditing
  – Integrated components
● Modular and scalable
  – Start small with specific components and extend to a full solution
● Integrate-able
  – Open standards-based interfaces allow investment protection

(Diagram labels: Complete, Integrated & Centralized; Modular & Scalable; Integrateable)

Page 17

Sun's Identity Management Product Family

● Comprehensive software solution that includes:
  > Directory Services
  > Access Control, Single Sign-on, Federation
  > Provisioning and Meta-Directory Services
● Open and integrate-able to reduce integration cost and complexity

(Products shown: Sun Java System Directory Server Enterprise Edition, Sun Java System Identity Manager, Sun Java System Access Manager)

Page 18

Sun Java System Directory Server

● Most widely deployed LDAP-based directory server – over 1.5 billion licenses sold
● Built-in security – prevents DoS attacks, controls access, intercepts unauthorized operations
● Password synchronization with Active Directory

Secure, highly available, and scalable directory services

(Products shown: Sun Java System Directory Server Enterprise Edition, Sun Java System Identity Manager, Sun Java System Access Manager)

Page 19

Sun Java System Access Manager

● Provide consistent, strong security for all campus IT services
● Reduce complexity and operational costs
● Improve regulatory compliance

Web Access Control
● Role and rule-based access control
● Centralized authentication services
● Real-time audits

(Diagram labels: Alumni, Faculty, Students; Access Manager; Federation; Single Sign-on; Web Access Control; Web Services, Directories, Databases, Business Applications, Custom Systems)

Page 20

Sun Java System Identity Manager

● Automated user provisioning
● Secure, automated password management
● User self-service and delegated administration
● Automated data synchronization
● Comprehensive auditing and reporting

Manage Identity Profiles and Permissions Throughout the Identity Lifecycle

(Diagram labels: Identity Manager; Provisioning, Identity Synchronization, Password Management; Admin, Delegated Admin, End User Self-Service; Databases, Directories, Mainframes, Business Applications, Operating Systems, App Server)

Page 21

Provisioning Today: Fragmented, Manual, and Insecure

● Where are my risks?
● Who has access?
● What recurring charges am I still paying for?
● How much does all of this cost?

(Diagram labels: Human Resources System, Library Management System, Facilities/Purchasing, Help Desk, Student Information System, PeopleSoft Financials, Exchange and Active Directory, Other Assets; Faculty, Students, Researchers, Alumni; Chargeable Assets: mobile phone/service, conference call account, credit card, office space, phone, laptop)

Page 22

Provisioning with Sun: Streamlined, Automated and Secure

● Reduced risk
● Complete view of user's identity
● Efficient, automated operations

(Diagram labels: Approving Manager; Faculty, Students, Researchers, Former Students, Alumni; Student Information System, PeopleSoft Financials, Exchange and Active Directory, Other Assets; Chargeable Assets: mobile phone/service, conference call account, credit card, office space, phone, laptop)

Page 23

How Sun's Product Offering Stacks Up

Identity Management Component – Sun Product Offering
Reflect – Directory Server
Join – Identity Manager
Manage Affiliation – Identity Manager
Manage Privileges – Identity Manager
Manage Passwords – Identity Manager
Provision – Identity Manager
Credential – Access Manager
Deliver – Access Manager
Authenticate – Access Manager
Authorize – Access Manager
Log – Access Manager
Federate – Access Manager

Page 24

Identity Management Is More than Enterprise Directory

• Enterprise directory can provide:
  > Enterprise security — Single common repository for all authentication and access control rules
  > Efficiency in application development — Leverage the enterprise directory to simplify development
  > Simplified collaboration — Federated identity sharing
• Identity management adds:
  > Enhanced user experience — Single sign-on and faster access to applications
  > Reduced help desk cost — Online password reset
  > Workflow efficiency — Automated tasks such as adding access to course materials when users register for specific classes
  > Support for regulatory requirements — More complete tracking and audit trail features

Page 25

Identity Management Implementation

● Adopt Best Practices
  – Identify and Recruit Systems Stakeholders
  – Model the Data
  – Consider Design Patterns
  – Stage the Implementation

Page 26

Identity Management at Salford

● Identity solution requirements:
  – Assign a single ID to each person
  – Eliminate multiple directories (and maintenance)
  – Automatically provision & allow use of appropriate services
  – Adjust or remove access as roles change
  – Provide mappings between systems
● The solution:
  – Directory Server
  – Identity Manager Provisioning Module
  – Identity Manager Meta Directory Module
  – Identity Manager Password Management Module
  – Resource adapters for Active Directory, MS Outlook, Blackboard, SAP
  – Shibboleth connector for Athens

Page 27

Identity Management

Stuart Sim
Chief Architect, Global Education & Research
http://blogs.sun.com/stuart

Page 28

Backup Slides

Page 29

Why Sun For Identity Management

● Complete solution
● Integrated yet modular
● Best-in-class provisioning & workflow
● Connectors for third party applications in Edu
● Experience in Federated Identity

Page 30

Identity Manager Partial Customer List
• 15 new references in Q2!

• Universidad de Oviedo, Spain
• Universidad Rovira i Virgili, Spain
• University of Salford, UK
• Université Catholique de Louvain, Belgium
• Schulen ans Netz, Germany
• Western Michigan University, USA
• University of California Santa Cruz, USA
• University of Victoria, Canada
• Notre Dame University, Australia

Page 31

Agenda

● What is Identity Management?
● Why Identity Is Important in Education
● Stages of Implementing Identity Management
● Identity Solution Requirements in Education
● Sun's Comprehensive Identity Management Offering
● Why Sun?
● Customer Examples

Page 32

Federation Requirements

● Federation is necessitated by collaborative research and other inter-institution collaboration
● There are 2 implementation approaches:
  – The Liberty Alliance Project – An alliance of more than 150 companies, non-profit and government organizations developing an open standard for federated network identity (http://www.projectliberty.org/)
  – Shibboleth – An open source implementation of federated identity information that has gained a lot of momentum in education
● Shibboleth and Liberty are working on interoperability through SAML 2.0, expected in 12-15 months

Federation Enables Sharing Identity Information Outside the Firewall While Protecting Privacy
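What "authenticate & authorize based on a trusted source" (the Federate component on page 14) looks like when one institution's service accepts a home institution's assertion across the firewall, as an added example that is not part of the presentation and is not a SAML, Liberty or Shibboleth implementation: the assertion is JSON signed with an HMAC under a key shared by the two institutions, standing in for the XML signatures those standards use. The service provider trusts a named issuer, checks signature, audience and validity window, and then authorizes on the released affiliation attribute; the user is identified only by a pseudonym that differs per partner, so the partner never learns the home user ID and partners cannot correlate the same person. Institution names, keys, users and affiliations are all constructed.

```python
"""Federated authentication and authorization across a trust boundary.

Added illustration for the Federate component (slides 14 and 32); not Sun's
code and not a SAML, Liberty or Shibboleth implementation. A JSON assertion
signed with HMAC under a per-pair shared key stands in for an XML signature.
All institutions, keys, users and attributes are constructed sample data.
"""

import hashlib
import hmac
import json


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, payload: dict) -> str:
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Home institution: authenticates its own users and vouches for them."""

    def __init__(self, name: str, sp_keys: dict, users: dict):
        self.name = name
        self.sp_keys = sp_keys      # audience -> pairwise shared key (constructed)
        self.users = users          # uid -> attributes released to partners

    def issue(self, uid: str, audience: str, now: int, ttl: int = 300) -> dict:
        key = self.sp_keys[audience]
        # Pairwise pseudonym: stable for this user at this partner, different at
        # every other partner, and never the home uid itself.
        pseudonym = hmac.new(key, f"{uid}@{self.name}".encode(), hashlib.sha256).hexdigest()[:20]
        payload = {
            "issuer": self.name,
            "subject": pseudonym,
            "audience": audience,           # binds the assertion to one partner
            "issued": now,
            "expires": now + ttl,           # short-lived; no re-enrolment needed
            "attributes": self.users[uid],  # only what the release policy allows
        }
        return {"payload": payload, "signature": _sign(key, payload)}


class ServiceProvider:
    """Partner institution: trusts listed issuers, decides access locally."""

    def __init__(self, name: str, trusted_idps: dict, policy: dict):
        self.name = name
        self.trusted_idps = trusted_idps  # issuer -> pairwise shared key
        self.policy = policy              # resource -> affiliations entitled

    def validate(self, assertion: dict, now: int) -> tuple:
        p = assertion["payload"]
        key = self.trusted_idps.get(p.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        if not hmac.compare_digest(_sign(key, p), assertion["signature"]):
            return False, "bad signature"
        if p.get("audience") != self.name:
            return False, "assertion meant for another service"
        if not (p["issued"] <= now < p["expires"]):
            return False, "outside validity window"
        return True, "ok"

    def authorize(self, assertion: dict, resource: str, now: int) -> tuple:
        ok, reason = self.validate(assertion, now)
        if not ok:
            return False, reason
        affiliation = assertion["payload"]["attributes"].get("affiliation")
        if affiliation in self.policy.get(resource, set()):
            return True, f"{affiliation} at {assertion['payload']['issuer']}"
        return False, "affiliation not entitled"


def demo() -> dict:
    key_a_b = b"constructed-shared-key-A-B"
    key_c_b = b"constructed-shared-key-C-B"
    uni_a = IdentityProvider("uni-a.example", {"uni-b.example": key_a_b},
                             {"jdoe": {"affiliation": "faculty"}, "asmith": {"affiliation": "student"}})
    uni_c = IdentityProvider("uni-c.example", {"uni-b.example": key_c_b},
                             {"rlee": {"affiliation": "faculty"}})   # no trust from uni-b
    uni_b = ServiceProvider("uni-b.example", {"uni-a.example": key_a_b},
                            {"research-dataset": {"faculty"}})
    now = 1_700_000_000
    a_faculty = uni_a.issue("jdoe", "uni-b.example", now)
    a_student = uni_a.issue("asmith", "uni-b.example", now)
    c_faculty = uni_c.issue("rlee", "uni-b.example", now)
    tampered = json.loads(json.dumps(a_student))              # attribute edited in transit
    tampered["payload"]["attributes"]["affiliation"] = "faculty"
    return {
        "faculty": uni_b.authorize(a_faculty, "research-dataset", now),
        "student": uni_b.authorize(a_student, "research-dataset", now),
        "untrusted": uni_b.authorize(c_faculty, "research-dataset", now),
        "expired": uni_b.authorize(a_faculty, "research-dataset", now + 600),
        "tampered": uni_b.authorize(tampered, "research-dataset", now),
        "name_revealed": "jdoe" in json.dumps(a_faculty),
    }
```

The order of checks in validate matters: issuer trust is decided before the signature is verified, so a key is never looked up for an unknown issuer, and audience and time window are checked only after the signature proves the payload is what the issuer released. Running demo() shows faculty from the trusted institution admitted, a student from the same institution refused on affiliation, an assertion from an untrusted institution refused outright, a replayed assertion refused after its window, an edited affiliation refused as a bad signature, and no home user ID anywhere in what crosses the firewall.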

Page 33

Federation in Java System Access Manager

● Supports Federation using Liberty specification
● Interoperability with Shibboleth through SAML 2.0 (expected in 12-15 months)

Standards-based Approach Allows Integration With Shibboleth

(Diagram labels: Java System Access Manager, Applications; Shibboleth Server, Applications; SAML 2.0; Firewall)

Page 34

Integrate-able Identity Management

● Provides broad cross-platform compatibility
  – Protects customers' existing investments
  – Provides increased flexibility
● Supports standards at EVERY touch point

Page 35

Integrated, End-to-End Identity Management

(Diagram labels)
Identity Manager: User Provisioning, Password Management, Synchronization Services, Web-Based Administration, Audit & Reporting
Access Manager: Web Single-Sign-On, Access Control, Federation
Directory Server EE: Directory Services, Security/Failover, AD Synchronization

Page 36

Solaris™ Operating System for x86 Platforms: Come Join Us!

• Building on a leading platform
• Offering customers true choice and true value
• Investing in partnerships

LET'S GROW TOGETHER