The Business of Identity Management
2006 EDUCAUSE Mid-Atlantic Regional Conference
January 11, 2006
Steve Worona
EDUCAUSE
sworona@educause.edu
Before We Begin
• Thanks
  • Ann West
  • Mark Berman & Joel Cooper
  • Tom Barton & Bruce Vincent
• Focus
  • The Technology of Identity Management
  • The Business of Identity Management
  • The Philosophy of Identity Management
What Is “Identity Management”?
• Who is that “John Smith” person you just hired / admitted / granted tenure to?
• Who is the person at the keyboard claiming to be John Smith?
• What privileges does John Smith have?
• What do we do when John Smith quits / graduates / changes jobs / gets fired / gets arrested / dies?
• Who gets to access, manage, and set policies for all of this?
Business/Philosophy vs Technology
[Diagram labels: Data sources; Person Registry; Directories; Apps & Platforms]
“Those who know how work for those who know why.”
What’s Wrong with Status Quo
• Insecure
• Inefficient
• Inflexible
• Internal
• Illegal
Insecure
• Notoriously weak passwords
• Authorization coarse and unstable
• Shared (and reused) identities
• Too much data in too many places
  • Unnecessary
  • Not encrypted
  • Subject to loss, theft
• Too many potential sources of data spills
  • Backup tapes
  • Lost or misplaced laptops, PDA’s, key drives, …
Inefficient
• Multiple identity instances for the same person
  • Not to be confused with multiple personas
• Multiple uncoordinated credentials
  • Physical and electronic
  • Exactly one may or may not be the right goal
• Status changes take too much time and effort
• Multiple overlapping privilege systems
• Unused/unneeded records and systems
• Burden on each new system deployed
  • A drag on the campus economy
Inflexible
• Different levels of assurance needed
  • The solution is not to require security clearances for everyone!
• Evolving standards and mandates
  • Adapt or die
• Multiple distributed uncoordinated systems
  • Schools within universities, etc.
• No coherent approach
  • “Coherent” vs “centralized”
Internal
• How do you handle off-campus students / faculty / staff?
• How do community members participate in off-campus services / activities / partnerships?
  • The World is Flat
  • Research grants
• How will (do) you deal with people arriving with strong identities?
  • Recall the evolution of e-mail
Illegal
• SSN’s as identifiers
• Inadequate protection of data
  • Who can access what
  • Strong authentication (see Inflexible)
  • Data spills (see Insecure)
• Requirements (banking, immigration, …) to know who you’re dealing with
Who Cares?
• HIPAA
• Gramm-Leach-Bliley
• Sarbanes-Oxley
• HSPD-12
• RealID
• State and Federal data-protection legislation
Blinded by FERPA
• We’re not just a campus anymore; we’re
  • A bank
  • A medical service
  • A multi-national business
  • A presence in Cyberspace
  • A juicy front-page headline
  • A headache to our Boards and CEO’s
Think Y2K
• Opportunity for campus-wide planning
• Bigger than the computer center
• Lots of advance warning
• Will take lots of time
• Requirement is unavoidable
Steps on the Road
• Catalog all identity management activities
• Monitor evolving technologies and regulations
• Watch what others are doing
• Develop an architecture
• Plan for audit requirements
Steps on the Road
• Catalog all identity management activities
  • Who’s in charge?
  • Why is it there?
  • Is it appropriately administered?
Steps on the Road
• Catalog all identity management activities
• Monitor evolving technologies and regulations
  • Federal government
  • Federal agencies
  • State governments
  • Banks
  • IDM vendors
Steps on the Road
• Catalog all identity management activities
• Monitor evolving technologies and regulations
• Watch what others are doing
  • Policies
  • Administrative structures
  • Technologies (buy/build)
Steps on the Road
• Catalog all identity management activities
• Monitor evolving technologies and regulations
• Watch what others are doing
• Develop an architecture
  • Technical
  • Policy
  • Administrative
Steps on the Road
• Catalog all identity management activities
• Monitor evolving technologies and regulations
• Watch what others are doing
• Develop an architecture
• Plan for audit requirements
  • The common, evolving thread for “trust”
  • Theoretical, commercial, regulatory
Issues and Imponderables
• Rapidly and broadly evolving
  • “The sooner you start, the longer it takes.”
• 75% technology, 75% policy, 75% business
  • Who’s in charge?
• Benefits hard to capture and quantify
  • Cost avoidance
  • Stay out of the headlines
  • Stay out of jail
What to Do Next (First?)
• Put that team together
• Push the message up the org chart
• Keep attending presentations like this
• Get a copy of the ECAR ID Management Report when available (http://www.educause.edu/ecar)
• Get familiar with http://www.nmi-edit.org
End