Penn State’s Identity & Access Management Initiative “It’s all about who you know … and what you know about them”

Upload: johnathan-fisher

Post on 17-Dec-2015


TRANSCRIPT

1

Penn State’s Identity & Access Management

Initiative

“It’s all about who you know …

and what you know about them”

2

Presentation Overview

• Brief Introduction to Identity & Access Management (IAM) Concepts

• Why IAM is important to Penn State

• Starting Up the IAM Effort

• Working on IAM Together

• Eight Key Recommendations

• Keeping the Momentum Going

3

IAM Defined

“An administrative process coupled with a technological solution which validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.” - NYS Forum

4

Three Core Concepts

• People and Relationships

• Creation and Management of Identities

• Access to Data and Applications

5

People and Relationships

• Different types of affiliations

– Formal vs. Casual

• Multiple affiliations

• Affiliation life-cycles

6

Creation & Management of Identities

• Vetting – collection and validation of identity information

• Proofing – aligning collected data and matching an actual person

• Issuance of credentials

– ID/password pair

– ID card

– 2nd factor token

7

Access to Data & Applications

• Connecting people to data and services

• Authentication decisions

– Knowing who

• Authorization decisions

– Affiliation type, status, level of assurance, roles and other attributes

8

Why IAM is Important to Penn State

• Four foundational goals

– Increase collaboration and innovation

– Improve customer service

– Increase efficiency

– Improve security of digital assets and mitigation of risk

9

Real Life Examples

New faculty and staff hires face an unmet need to access University systems to choose benefit options, set up syllabi, and prepare for classes before they set foot on a Penn State campus.

10

Real Life Examples

Distance education students across Pennsylvania, and around the world, face significant challenges in gaining access to the required online University resources needed for their education.

11

IAM Initiative – The Beginning

… Started With Many Long Walks & Great Discussions

12

Sponsored by Position of Authority

Executive Vice President and Provost – R. Erickson

Vice Provost & CIO, Information Technology Services – K. Morooney

Information Technology Services

13

Co-Leading the IAM Effort

Auxiliary & Business Services

Information Technology Services

14

Identifying Stakeholders

• Auxiliary and Business Services

• College of Agricultural Sciences

• Commonwealth Campuses

• Development and Alumni Relations

• Information Technology Services

• Intercollegiate Athletics

• International Programs

• Office of Human Resources

• Office of Sponsored Programs

• Office of Student Aid

• Office of the Corporate Controller

• Office of the Physical Plant

• Office of the University Bursar

• Office of the University Registrar

• Outreach and Cooperative Extension

• Penn State Great Valley

• Penn State Milton S. Hershey Medical Center

• Privacy Office (Office of the Corporate Controller)

• The Graduate School

• Undergraduate Admissions Office

• Undergraduate Education

• University Libraries

• University Police Services

15

The Invitation

“We recognize that this is a very broad topic and believe that your organization's participation will be critically important to successfully understanding Penn State's needs, challenges, and future directions in IAM. … The individuals representing each area should have a basic understanding of digital identities, knowledge of the business processes in your area, and an eagerness to collaborate to find a solution that will provide a strategic direction for Penn State and IT.”

16

Vice Provost’s Initial Charge

Develop a Penn State roadmap for Identity and Access Management that can be used to help marshal the energy necessary to get to where we all need to go.

Establish a community of people and organizations who understand each other's pressures, needs, and desires in identity and access management, for the purposes of maintaining and developing as nimble a set of infrastructures as possible to facilitate academic, business, and collaborative processes.

17

IAM Initiative Logistics

• Full Committee Meetings every 6 weeks

• Deliverables in less than 1 year

• Education of Committee Members

• Sub Groups

– Report back to larger group

– Shared wiki space

– Co-leaders meeting with each group

• Co-Leaders and Sub Group leader meetings

18

IAM Sub Groups

• Levels of Assurance

• Governance and Policy

• Vetting, Proofing, and Registration Authorities

• Risk Assessment

• Lifecycles and Affiliations

• Provisioning of Access

• Education and Awareness

19

Eight Strategic Recommendations


20

Strategic Recommendations #1

• Create a Comprehensive Policy for Identity & Access Management – A comprehensive policy, covering all aspects of Identity & Access Management, does not exist today and needs to be developed. This policy framework is crucial for the project’s success.

21

Strategic Recommendations #2

• Create a Central Person Registry – A single centralized person registry is needed to combine identity data records from disparate systems, ensuring the integrity and availability of person records.

22

Strategic Recommendations #3

• Streamline Vetting, Proofing, and Issuance of Digital Credentials – Significant gains in efficiency could be realized by overhauling the current processes for creating accounts and issuing credentials.

23

Strategic Recommendations #4

• Automate the Provisioning (and De-provisioning) of Access Rights – Customer service and security could both be significantly increased by automating the provision of access based on affiliation, roles, and attributes.

24

Strategic Recommendations #5

• Develop a Plan for Formal Risk Assessment – A systematic risk management process is needed to evaluate the technology and information systems that are critical to the University’s mission.

25

Strategic Recommendations #6

• Add Level of Assurance Component to Accounts and Access Decisions – A more granular approach to account creation and access decisions is needed. A Level of Assurance component will provide this flexibility and is also being required by federal agencies.
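Three ideas this deck keeps returning to, an authorization decision driven by affiliation type, status, level of assurance and roles (slide 7), access provisioned and de-provisioned automatically from those attributes (Recommendation #4), and a minimum Level of Assurance per resource (Recommendation #6), shown together as one added Python example. It is not code from the presentation or from Penn State; every person, affiliation kind, resource and LoA threshold in it is a constructed assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# All names, affiliation kinds, LoA levels and resources below are constructed
# for illustration; they are not Penn State's actual data model or policy.

@dataclass
class Affiliation:
    kind: str                    # e.g. "faculty", "student", "guest"
    status: str                  # "active" or "ended"
    end: Optional[date] = None   # end of the affiliation life-cycle, if known

@dataclass
class Person:
    psu_id: str
    loa: int                     # level of assurance behind the credential
    affiliations: list = field(default_factory=list)   # people hold several
    roles: set = field(default_factory=set)

# Per-resource rule: accepted affiliation kinds, minimum LoA, required roles (any of).
POLICY = {
    "benefits-portal": {"kinds": {"faculty", "staff"}, "min_loa": 2, "roles": set()},
    "grant-system": {"kinds": {"faculty", "staff"}, "min_loa": 2, "roles": {"pi"}},
    "library": {"kinds": {"faculty", "staff", "student", "guest"}, "min_loa": 1, "roles": set()},
}

def active_kinds(p, today):
    """Affiliation kinds still within their life-cycle as of `today`."""
    return {a.kind for a in p.affiliations
            if a.status == "active" and (a.end is None or a.end >= today)}

def authorize(p, resource, today):
    """Authorization decision from affiliation, status, LoA and roles."""
    rule = POLICY[resource]
    if not active_kinds(p, today) & rule["kinds"]:
        return False                       # no current qualifying affiliation
    if p.loa < rule["min_loa"]:
        return False                       # credential not vetted to the required level
    return not rule["roles"] or bool(rule["roles"] & p.roles)

def entitlements(p, today):
    """Everything the person should hold, derived from attributes rather than requests."""
    return {r for r in POLICY if authorize(p, r, today)}

def reconcile(current, p, today):
    """Automated (de-)provisioning: (grant, revoke) relative to access held now."""
    desired = entitlements(p, today)
    return desired - current, current - desired
```

Running `reconcile` against the access a person currently holds is what turns an affiliation ending in the person registry into a revocation without anyone filing a ticket.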

26

Strategic Recommendations #7

• Promote Single Sign-on, Federated Identities, and Better Control of University Digital Credentials – Better control of Penn State digital credentials is needed—especially with regard to the use of these credentials with outside agencies, hosted vendor solutions, and other institutions of higher education. Single sign-on and federated identities will provide this control.

27

Strategic Recommendations #8

• Promote Awareness and Education of the Importance of Identity & Access Management – Initial awareness and on-going education is needed to promote understanding of the importance of Identity & Access Management and achieve buy-in from stakeholders.

28

Next Steps

• Awareness and Education

– Matrix of Use Cases

– Identify Priorities

• Pilot implementing Levels of Assurance

– Gap analysis: InCommon Silver, LoA 2

– NIH Applications

• Strategic Implementation Teams

29

Contact Information

• Joel Weidner– [email protected]

• Renee Shuey– [email protected]

30

Resources

• Penn State IAM Initiative – http://its.psu.edu/IAM/

• The Enterprise Authentication Implementation Roadmap – http://www.nmi-edit.org/roadmap/draft-authn-roadmap-03/index.html

31

Copyright Renee Shuey & Joel Weidner, March 2008 This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.