The Business of Identity Management
NERCOMP-2006, March 21, 2006
Steve Worona, EDUCAUSE
sworona@educause.edu
What Is “Identity Management”?
• Who is that “John Smith” person you just hired / admitted / granted tenure to?
• Who is the person at the keyboard claiming to be John Smith?
• What privileges does John Smith have?
• What do we do when John Smith quits / graduates / changes jobs / gets fired / gets arrested / dies?
• Who gets to access, manage, and set policies for all of this?
Context
• The Technology of Identity Management
• The Business of Identity Management
• The Philosophy of Identity Management
Business/Philosophy vs Technology
Data sources
Person Registry
Directories
Apps & Platforms
[Graphic courtesy Michael Berman]
[Graphic courtesy Bruce Vincent]
“Those who know how work for those who know why.”
What’s Wrong with Status Quo
• Insecure
• Inefficient
• Inflexible
• Internal
• Illegal
Insecure
• Notoriously weak passwords
• Authorization coarse and unstable
• Shared (and reused) identities
• Too much data in too many places
  • Unnecessary
  • Not encrypted
  • Subject to loss, theft
• Too many potential sources of data spills
  • Backup tapes
  • Lost or misplaced laptops, PDA’s, key drives, …
Inefficient
• Multiple identity instances for the same person
  • Not to be confused with multiple personas
• Multiple uncoordinated credentials
  • Physical and electronic
  • Exactly one may or may not be the right goal
• Status changes take too much time and effort
• Multiple overlapping privilege systems
• Unused/unneeded records and systems
• Burden on each new system deployed
  • A drag on the campus economy
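The pipeline in the Business/Philosophy vs Technology graphic (data sources feeding a person registry, which in turn feeds directories, apps and platforms) and the first three bullets above are easiest to see in code. What follows is an added example, not code from the presentation or from EDUCAUSE: a toy person registry that reconciles an HR feed and a student-system feed into one record per person, keeps each affiliation as a separate persona, and recomputes what the downstream directory should see when a status changes. The two feeds are constructed sample data, and the match rule, the feed-to-persona mapping and the entitlement table are assumptions made for the example.

```python
"""Toy person registry: data sources -> registry -> directories/apps.
Added illustration, not code from the presentation; the feeds, match rule
and entitlement table are assumptions made for the example."""
from dataclasses import dataclass, field

# Constructed feeds. The same person appears in both under different
# source-local ids; the HR feed's SSN is deliberately never stored or used as a key.
HR_FEED = [
    {"emp_id": "E1001", "name": "John  SMITH", "dob": "1980-04-02",
     "email": "jsmith@example.edu", "ssn": "123-45-6789", "status": "active"},
    {"emp_id": "E1002", "name": "Ana Lopez", "dob": "1975-11-30",
     "email": "alopez@example.edu", "ssn": "987-65-4321", "status": "active"},
]
SIS_FEED = [
    {"student_id": "S2001", "name": "john smith", "dob": "1980-04-02",
     "email": "jsmith@example.edu", "status": "enrolled"},
    {"student_id": "S2002", "name": "Wei Chen", "dob": "2001-01-15",
     "email": "wchen@example.edu", "status": "enrolled"},
]
# Assumed: which persona each feed establishes, and what an active one grants.
SOURCE_AFFILIATION = {"hr": "employee", "sis": "student"}
ENTITLEMENTS = {"employee": {"wifi", "email", "hr-portal"},
                "student": {"wifi", "email", "lms"}}
ACTIVE_STATUSES = {"active", "enrolled"}


def norm_name(name):
    """Case- and whitespace-insensitive form used only for matching."""
    return " ".join(name.lower().split())


@dataclass
class Person:
    registry_id: str                                  # opaque id issued here, not an SSN
    name: str
    dob: str
    emails: set = field(default_factory=set)
    source_ids: dict = field(default_factory=dict)    # {"hr": "E1001", "sis": "S2001"}
    affiliations: dict = field(default_factory=dict)  # persona -> status from its feed

    def active_affiliations(self):
        return {a for a, s in self.affiliations.items() if s in ACTIVE_STATUSES}

    def entitlements(self):
        return set().union(*(ENTITLEMENTS[a] for a in self.active_affiliations()))


class PersonRegistry:
    def __init__(self):
        self.people = {}   # registry_id -> Person
        self._next = 1

    def _find(self, name, dob, email):
        # Assumed match rule: same institutional e-mail, or same normalized name
        # plus date of birth. Production registries score candidates and route
        # ambiguous ones to a human; this toy takes the first hit.
        for p in self.people.values():
            if email.lower() in p.emails or (norm_name(name) == p.name and dob == p.dob):
                return p
        return None

    def ingest(self, source, rec, id_key):
        """Attach one feed record to the single registry entry for that person."""
        p = self._find(rec["name"], rec["dob"], rec["email"])
        if p is None:
            p = Person(f"P{self._next:06d}", norm_name(rec["name"]), rec["dob"])
            self._next += 1
            self.people[p.registry_id] = p
        p.emails.add(rec["email"].lower())
        p.source_ids[source] = rec[id_key]
        p.affiliations[SOURCE_AFFILIATION[source]] = rec["status"]
        return p

    def status_change(self, source, source_id, new_status):
        """A feed reports quit/graduated/fired: update that one persona only."""
        for p in self.people.values():
            if p.source_ids.get(source) == source_id:
                p.affiliations[SOURCE_AFFILIATION[source]] = new_status
                return p
        raise KeyError(f"{source}:{source_id} not in registry")

    def directory_export(self):
        """What directories and apps should see: one entry per person, enabled
        only while at least one affiliation is still active."""
        return {p.registry_id: {"enabled": bool(p.active_affiliations()),
                                "entitlements": sorted(p.entitlements())}
                for p in self.people.values()}


def demo():
    reg = PersonRegistry()
    for r in HR_FEED:
        reg.ingest("hr", r, "emp_id")
    for r in SIS_FEED:
        reg.ingest("sis", r, "student_id")
    before = reg.directory_export()
    john = reg.status_change("hr", "E1001", "terminated")   # John quits his job
    return reg, john, before, reg.directory_export()
```

Note what the match rule does and does not do. It merges the two "John Smith" records on e-mail and on name plus date of birth without ever touching the SSN (compare the Illegal slide below), but that also means a name-plus-birthdate collision between two different people would silently merge them, which is why a real registry scores candidate matches and sends ambiguous ones for review rather than taking the first hit. Terminating John's employment removes the HR entitlements but leaves his student persona, and therefore his account, active; only when every affiliation is inactive does the export disable him, which is the "multiple identity instances vs multiple personas" distinction from the slide above.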
Inflexible
• Different levels of assurance needed
  • The solution is not to require security clearances for everyone!
• Evolving standards and mandates
  • Adapt or die
• Multiple distributed uncoordinated systems
  • Schools within universities, etc.
• No coherent approach
  • “Coherent” vs “centralized”
Internal
• How do you handle off-campus students / faculty / staff?
• How do community members participate in off-campus services / activities / partnerships?
  • The World is Flat
  • Research grants
• How will (do) you deal with people arriving with strong identities?
  • Recall the evolution of e-mail
Illegal
• SSN’s as identifiers
• Inadequate protection of data
  • Who can access what
  • Strong authentication (see Inflexible)
  • Data spills (see Insecure)
• Requirements (banking, immigration, …) to know who you’re dealing with
Who Cares?
• HIPAA
• Gramm-Leach-Bliley
• Sarbanes-Oxley
• HSPD-12
• RealID
• State and Federal data-protection legislation
Blinded by FERPA
• We’re not just a campus anymore; we’re
  • A bank
  • A medical service
  • A multi-national business
  • A presence in Cyberspace
  • A juicy front-page headline
  • A headache to our Boards and CEO’s
Think Y2K
• Opportunity for campus-wide planning
• Bigger than the computer center
• Lots of advance warning
• Will take lots of time
• Requirement is unavoidable
Steps on the Road
• Catalog all identity management activities
  • Who’s in charge?
  • Why is it there?
  • Is it appropriately administered?
• Monitor evolving technologies and regulations
  • Federal government
  • Federal agencies
  • State governments
  • Banks
  • IDM vendors
• Watch what others are doing
  • Policies
  • Administrative structures
  • Technologies (buy/build)
• Develop an architecture
  • Technical
  • Policy
  • Administrative
• Plan for audit requirements
  • The common, evolving thread for “trust”
  • Theoretical, commercial, regulatory
Issues and Imponderables
• Rapidly and broadly evolving
  • “The sooner you start, the longer it takes.”
• 75% technology, 75% policy, 75% business
  • Who’s in charge?
• Benefits hard to capture and quantify
  • Cost avoidance
  • Stay out of the headlines
  • Stay out of jail
What to Do Next (First?)
• Put that team together
• Push the message up the org chart
• Keep attending presentations like this
• Get a copy of the ECAR ID Management Report when available (http://www.educause.edu/ecar)
• Get familiar with http://www.nmi-edit.org
End