14.06.05 IT Summit IAM Presentation

A CASE OF IDENTITY Building Solutions to Assist

Upload: kevindonovan

Post on 11-May-2015


TRANSCRIPT

Page 1: 14.06.05 IT Summit IAM Presentation

A CASE OF IDENTITY

Building Solutions to Assist

Page 2: 14.06.05 IT Summit IAM Presentation

WHAT IS IDENTITY & ACCESS MANAGEMENT?

Identity and access management (IAM) technologies and services enable the right individuals to access the right resources at the right times for the right reasons.

We all use IAM solutions many times a day:

•  Logging in to websites, servers, and other resources
•  Accessing research materials at Harvard and beyond
•  Checking a colleague’s calendar for a meeting
•  Adding, removing, or changing employee records

At Harvard, the IAM Program exists to streamline these interactions and make it easier for you to do your day-to-day tasks.

Page 3: 14.06.05 IT Summit IAM Presentation

WHAT IS IDENTITY & ACCESS MANAGEMENT?

Objectives

•  Simplify User Experience: Simplify and improve access to applications and information inside and outside of the University
•  Enable Research & Collaboration: Make it easier for faculty, staff, and students to research and collaborate within the University and with other institutions
•  Protect University Resources: Improve the security stature of the University with a standard approach.
•  Facilitate Technology Innovation: Establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies

Guiding Principles

•  Harvard Community needs will drive our technology
•  Tactical project planning will remain aligned with the Program strategic objectives
•  Solution design should allow for other Schools to use the foundational to communicate with the IAM system in a consistent, federated fashion
•  Communication and socialization are critical to our success

Key Performance Indicators

•  Monthly number of help desk requests relating to account management
•  Monthly number of registered production applications using IAM systems
•  Monthly number of user logins and access requests through IAM systems
•  Monthly number of production systems to which IAM provisions

Our vision: Provide users, application owners, and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing.

Page 4: 14.06.05 IT Summit IAM Presentation

ABOUT THE IDENTITY LIFECYCLE

[Diagram labels: Provisioning; Authentication; Permissions; Self-Service; Deprovisioning; Authorization; Alumni; HKS; HMS]

Page 5: 14.06.05 IT Summit IAM Presentation

Harvard Medical School:

Improved User Provisioning

Erica Bradshaw

Director, Identity and Access Management Strategy and Planning, HUIT

Tyson Kamikawa

Director, Shared Platforms and IT Effectiveness, HMS

A CASE OF IDENTITY

Page 6: 14.06.05 IT Summit IAM Presentation

HMS: IMPROVED USER PROVISIONING

Current State

[Diagram labels: MADRIS; HSPH XML; Guest; Test; Apps Server]

•  Difficult to change
•  Potential duplication of HU efforts
•  Aging guest account process
•  Account EOL not managed well

Page 7: 14.06.05 IT Summit IAM Presentation

HMS: IMPROVED USER PROVISIONING

Future State

[Diagram labels: MADRIS; HSPH XML; Guest; Test]

•  Leverage HU platform
•  Reduce complexity & effort
•  Robust toolset
•  Improved business process
•  Long-term redundancy reduction

Page 8: 14.06.05 IT Summit IAM Presentation

Harvard Kennedy School:

Federated Authentication

Gretchen Grozier

IAM Community Program Manager, HUIT

Steve Duncan

Director of Information Technology, HKS

Paul Hermany

Information Developer, HKS

A CASE OF IDENTITY

Page 9: 14.06.05 IT Summit IAM Presentation

Authentication Design in 2008

•  Standardized on Active Directory
•  Focused on HKS faculty, staff, and students
- Manual process put in place to provision “sponsored accounts” for HKS affiliates
•  Single sign-on a key requirement
•  Kept it simple:
- Selected products and solutions built to work with AD
- Minimized the amount of custom code needed for authentication and authorization

HKS: FEDERATED AUTHENTICATION

Page 10: 14.06.05 IT Summit IAM Presentation

Pressures on the System

•  Increased collaboration between Schools means more and more accounts provisioned each year

-  Jointly-listed courses

-  Cross-registration

-  Research collaboration

•  More reliance on timely access to digital classroom materials

-  HKS has gone digital for all course materials

-  Significant growth in the number of digital cases

•  HKS goal to actively engage alumni

•  Higher user expectations

•  Security concerns

HKS: FEDERATED AUTHENTICATION

Page 11: 14.06.05 IT Summit IAM Presentation

User Frustrations

•  Additional usernames and passwords
•  Time delay in provisioning accounts
•  Complicated process for requesting accounts

Staff Frustrations

•  IT Help Desk overrun each semester with calls from non-HKS students who have forgotten passwords or are otherwise confused
•  IT operations staff burdened with process of deprovisioning accounts

HKS: FEDERATED AUTHENTICATION

Page 12: 14.06.05 IT Summit IAM Presentation


Advantages of Federation

•  Better user experience

– Users use an account they already know

– No delays in provisioning

•  Lower HKS IT support costs

– No need to provision/deprovision accounts or maintain passwords

•  Active Directory Federation Services works well with HKS key technologies

•  Attributes can be delivered for authorization decisions

HKS: FEDERATED AUTHENTICATION

Page 13: 14.06.05 IT Summit IAM Presentation

HKS: FEDERATED AUTHENTICATION

[Diagram labels: Active Directory Federation Services; SAML Aware Application; Shibboleth; PIN; Alumni; Faculty, Staff, Students; Tufts, MIT, …; Harvard]

Implementation Timeline

•  HKS Alumni: July 2014
•  HU Faculty, Staff, Students: July 2015
•  Tufts, MIT: July 2015

Page 14: 14.06.05 IT Summit IAM Presentation

Harvard Alumni Association:

A Seamless Transition

Jane Hill

Director, IAM Product Management, HUIT

Julie Broad

Director, Alumni Affairs & Development Technology

A CASE OF IDENTITY

Page 15: 14.06.05 IT Summit IAM Presentation

Diverse Alumni Populations from Multiple Sources

More than 380,000 alumni

Executive Education Programs

One semester or 9+ weeks of program work

Degree Recipients

HAA: A SEAMLESS TRANSITION

Page 16: 14.06.05 IT Summit IAM Presentation

Harvard Alumni Association Supports

Online Directory Tools Donate

Event Hub Events Clubs

Online Career

Advising Services Networking


HAA: A SEAMLESS TRANSITION

Page 17: 14.06.05 IT Summit IAM Presentation

Process Challenges and Cranky Users

REGISTER

•  New admits are in the system right away
•  Regular updates flow from Registrar
•  But as graduation approaches, we ask students to register (huh?) so we can issue them a new, separate account

CREDENTIAL

•  Challenging to know if user registering is who they say they are
•  Lack of a process for HUID/PIN to be reset after graduation frustrates recent grads

SUPPORT

•  Some schools have their own separate credentials and services
•  Multiple Helpdesks add to user confusion

HAA: A SEAMLESS TRANSITION

Page 18: 14.06.05 IT Summit IAM Presentation

• Eliminate the need to register with HAA

• Allow student accounts to work forever

• Use standard processes for password reset, account management

• Enable separate help desk and tailor process designs for alumni

• Standard Harvard credentials make it simpler for application owners to extend access to HAA-approved resources

• Provide information on what resources are available

• Standard credential model provides opportunities to offer services to new groups of people in future — donors, parents, etc.

•  Improve self-service password reset by enabling option to specify both phone and email recovery information

• Tailor onboarding and proofing to HAA populations

• Provide standard protocols for easier integration of new applications

IAM Objectives Support Alumni Engagement

HAA: A SEAMLESS TRANSITION

Improve End User Experience

Expand Access to Resources

Balance Convenience and Security

Page 19: 14.06.05 IT Summit IAM Presentation

Stakeholder Experience: Today and Future Goals

End Users

Experience Today:

•  Different user names and credentials to access Harvard and non-Harvard apps and data
•  Creating and managing user accounts is manual and paper-based
•  No access to external sites, or forced to register for accounts
•  Access to services and resources interrupted when users change, add, or leave roles

Future Goals:

•  Access information and perform research across schools (and with other institutions) using a single credential
•  Manage own accounts and sponsor others through a centralized web application
•  Use internal Harvard credentials to access common external sites
•  Use the same set of credentials despite changes in status, roles, or affiliations

Application Owners

Experience Today:

•  Tough to integrate access management, meaning long implementation timelines and higher costs
•  Forced to grant application access to users with the same rights on a one-by-one basis

Future Goals:

•  Easily integrate Harvard users with internal and external applications via an application portal
•  Control user access in groups, not individuals

People Administrators

Experience Today:

•  Must create sponsored guest identities manually, resulting in delays and loss of productivity
•  Can’t streamline deprovisioning of users’ access privileges across multiple systems

Future Goals:

•  Sponsors can create and manage external parties’ identity and access
•  Automated provisioning reduces the burden on people administrators of disparate systems and improves Harvard’s security posture

HOW DOES THIS BENEFIT ME?

Page 20: 14.06.05 IT Summit IAM Presentation

(Didn’t pick up a chart? Raise your hand, we’ll get you one.)


HOW DOES THIS BENEFIT ME?

Page 21: 14.06.05 IT Summit IAM Presentation

•  Identity begins at the first login screen
•  IAM exists to make onboarding, day-to-day use, role changes and access to resources easier for everyone in the Harvard Community
•  Our efforts will improve productivity and make day-to-day life simpler for faculty, staff, students, researchers, people administrators, application owners, and more
•  And when IAM services are done right, you don’t even notice the effects — things just work

IAM: IN SUMMARY

Page 22: 14.06.05 IT Summit IAM Presentation

Take the mystery out of identity.

Learn more about our program at iam.harvard.edu