Identity and Access Management Next Generation February 2014 Update to CTSC University of Waterloo Confidential

Page 1

Identity and Access Management Next Generation

February 2014 Update to CTSC

University of Waterloo Confidential

Page 2

ROLES

Page 3

Discussing Roles

• Group formed in late 2013
• Representation from IST, AHS, Arts, Engineering, Environment, and Math
• Contribution #1: Role Inventory
• Contribution #2: Unique Role Lifecycles

Page 4

Observation #1: Role Lifecycle

Page 5

Role Lifecycle, Example #2

Page 6

Conclusion

• Employment data is often insufficient to sponsor the full lifecycle of employee roles

• Administrators must have the ability to remove role membership manually, regardless of the presence of supporting data
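
The conclusion above can be expressed as a small reconciliation rule. The following is an added example, not code from the CTSC deck or from the University of Waterloo's IAM system: roles are derived from an employment feed and administrator overrides are then applied on top, so a manual revoke wins even while the feed still supports the role, and a manual grant covers a role the feed never sponsored. The job codes, role names, people and dates are constructed for illustration.

```python
"""Role lifecycle reconciliation: feed-derived roles plus administrator overrides.

Added example (not from the slides). Models the conclusion that employment
data alone cannot drive the whole role lifecycle: administrators must be able
to grant roles the feed does not sponsor and, more importantly, revoke roles
the feed still supports. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Appointment:
    person: str
    job_code: str
    start: date
    end: Optional[date] = None       # None = open-ended appointment


@dataclass(frozen=True)
class Override:
    person: str
    role: str
    action: str                      # "grant" or "revoke"
    admin: str                       # who recorded the override (for audit)
    reason: str


# Hypothetical HR job codes mapped to roles (an assumption, not Waterloo's codes).
JOB_CODE_ROLES: Dict[str, Set[str]] = {
    "FAC": {"employee", "faculty"},
    "STF": {"employee", "staff"},
}


def is_active(appt: Appointment, today: date) -> bool:
    return appt.start <= today and (appt.end is None or today <= appt.end)


def derived_roles(appts: List[Appointment], today: date) -> Dict[str, Set[str]]:
    """Roles the employment feed sponsors on its own."""
    roles: Dict[str, Set[str]] = {}
    for a in appts:
        if is_active(a, today):
            roles.setdefault(a.person, set()).update(JOB_CODE_ROLES.get(a.job_code, set()))
    return roles


def effective_roles(appts: List[Appointment], overrides: List[Override],
                    today: date) -> Dict[str, Set[str]]:
    """Feed-derived roles with overrides applied in the order they were recorded."""
    roles = derived_roles(appts, today)
    for o in overrides:
        bucket = roles.setdefault(o.person, set())
        if o.action == "grant":
            bucket.add(o.role)
        elif o.action == "revoke":
            bucket.discard(o.role)   # removal stands even though the feed still supports the role
        else:
            raise ValueError(f"unknown override action: {o.action}")
    return {p: r for p, r in roles.items() if r}


def explain(person: str, appts: List[Appointment], overrides: List[Override],
            today: date) -> Dict[str, str]:
    """Audit view: for each effective role, why the person holds it."""
    sources = {r: "employment feed" for r in derived_roles(appts, today).get(person, set())}
    for o in overrides:
        if o.person != person:
            continue
        if o.action == "grant":
            sources[o.role] = f"manual grant by {o.admin}: {o.reason}"
        else:
            sources.pop(o.role, None)
    return sources


# Constructed sample data.
TODAY = date(2014, 2, 15)
APPOINTMENTS = [
    Appointment("alice", "FAC", date(2005, 9, 1)),                      # still in the feed
    Appointment("bob", "STF", date(2011, 3, 1), date(2014, 1, 31)),      # ended last month
]
OVERRIDES = [
    Override("alice", "faculty", "revoke", "dept-admin", "on leave; feed not yet updated"),
    Override("carol", "teaching-assistant", "grant", "grad-office", "TA contract not in HR feed"),
]

if __name__ == "__main__":
    for person, roles in sorted(effective_roles(APPOINTMENTS, OVERRIDES, TODAY).items()):
        print(person, sorted(roles), explain(person, APPOINTMENTS, OVERRIDES, TODAY))
```

Overrides are kept as a separate, ordered record rather than edits to the feed data, so the audit trail (who removed what, and why) survives the next feed import instead of being silently overwritten by it.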

Page 7

Observation #2: Learner Role Membership

Page 8

Observation #2: Employee Role Membership

Page 9

Observation #2: Role Membership: Making Choices

Page 10

Observation #2: Role Collection Cross Appointment

Page 11

Observation #2: Role Collection Cross Appointment

Page 12

Conclusion

• Both identity management and the campus infrastructure require the ability to express the complex relationships individuals have with the institution

Page 13

RISKS

Page 14

Risk Areas

1. Employee Terminations
2. Email Reliability and Security
3. SSO and the Cloud
4. Microsoft Technology Directions
5. Canadian Access Federation
6. Enabling Student Development

Page 15

Employee Terminations

• Dept. heads want access to all resources, including email, to be discontinued at termination

• What happens when a terminated employee is also a student?

• What happens when a terminated employee is an alumnus?

Page 16

Email Security

• Need to comply with CASL!
• Barriers to SPF/DKIM adoption:
  – Email forwarding
  – Email forgery
  – Mailservices creation mechanism
• Email in the Cloud
  – OK for students
  – Not for employees
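
Why forwarding is listed as a barrier to SPF adoption, shown with a simplified SPF evaluator. This is an added example and not from the slides: the DNS records are an inline constructed table, and the domains and addresses are documentation values (example.* names, RFC 5737 ranges), so nothing here describes the university's actual mail infrastructure. The same message passes SPF when its origin relay delivers it directly and fails when a forwarding mailbox re-sends it with the original envelope sender.

```python
"""Simplified SPF (RFC 7208) evaluation: direct delivery vs. forwarded delivery.

Added example, not from the CTSC slides. Supports only the ip4, include and
all mechanisms, which is enough to show the forwarding problem. SPF_RECORDS
stands in for DNS TXT lookups and is entirely constructed.
"""
import ipaddress

# Constructed stand-in for DNS: domain -> published SPF record.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(client_ip: str, mail_from_domain: str, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for one SMTP connection."""
    if depth > 10:                       # RFC 7208 caps DNS-lookup mechanisms at 10; stop include loops
        return "permerror"
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if evaluate_spf(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # mechanism not modelled here
    return "neutral"                     # record ended without a matching mechanism


def direct_delivery() -> str:
    # example.org's own relay (inside its ip4 range) connects to the campus MX.
    return evaluate_spf("198.51.100.10", "example.org")


def forwarded_delivery() -> str:
    # A mailbox on forwarder.example receives the message and forwards it to campus.
    # MAIL FROM is still example.org, but the connecting IP now belongs to the
    # forwarder, which example.org's record never authorized.
    return evaluate_spf("203.0.113.5", "example.org")


if __name__ == "__main__":
    print("direct:   ", direct_delivery())
    print("forwarded:", forwarded_delivery())
```

The failing case is exactly why a campus that publishes a strict `-all` record, or that checks SPF on inbound mail, has to account for forwarders: SPF binds the envelope sender to the connecting IP, and forwarding changes the IP without changing the envelope sender. DKIM does not have this problem when the forwarder leaves the signed headers and body untouched, because the signature is over the message rather than the connection.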

Page 17

SSO and the Cloud

• CAS adoption often requires custom development

• SAML is a well-established standard in the enterprise space

• E.g. Google Apps, Concur

Page 18

Microsoft

• CLAIMS-based authentication – SAML

• Necessary for MS Azure

Page 19

Canadian Access Federation (CAF)

• Shibboleth is standard in Higher Ed
• Based on SAML
• Identified as a priority for CUCCIO security group

Page 20

Student/3rd Party Development

• Opendata is here
• What about PII?
• Password sharing is bad
• Need to manage owners’ consent

Page 21

ARCHITECTURE & DIRECTIONS

Page 22

Implications

• Three security domains:
  – Learner
  – Employee
  – External

• Userid is not enough in a federated world
  – “userid@domain” is convention
  – Similar to email address
  – Confusion?

Page 23

Possible Direction

• [email protected]
  – Employee collection
  – Email hosted on campus (CONNECT)

• [email protected]
  – Learner collection
  – Email could be hosted off-campus
  – Alumni email for life

• [email protected]
  – External collection
  – OpenID? Self-registration?

Page 24

Edge cases in this model

• Applicants for academic admissions
  – “external” until matriculation

• Retirees
  – Email often cut off
  – Access to Pension info?
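
The three-collection model from the preceding slides, with the edge cases listed here, as an added example that is not from the deck. The collection domain names were not readable in the source, so employee.example.edu, learner.example.edu and external.example.edu are constructed placeholders; treating retirees as external is an assumption, since the slide leaves that case as an open question. The example also covers the termination scenario raised under Risk Areas: an employee whose appointment has ended but who is still a student keeps only the learner identity.

```python
"""Mapping a person's affiliations to security domains and federated identifiers.

Added example, not from the CTSC slides. Collection domains are constructed
placeholders. Rules encoded: employees -> employee collection; students and
alumni -> learner collection (alumni email for life); applicants are external
until matriculation; retirees and guests -> external (retirees: assumption).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

COLLECTION_DOMAIN = {                 # constructed placeholders, not real domains
    "employee": "employee.example.edu",
    "learner": "learner.example.edu",
    "external": "external.example.edu",
}


@dataclass(frozen=True)
class Affiliation:
    kind: str                         # employee, student, alumnus, applicant, retiree, guest
    start: date
    end: Optional[date] = None        # None = open-ended
    matriculated: Optional[date] = None   # applicants only


def is_active(aff: Affiliation, today: date) -> bool:
    return aff.start <= today and (aff.end is None or today <= aff.end)


def collections_for(affiliations: List[Affiliation], today: date) -> Set[str]:
    """The collections a person belongs to today; a person may be in several."""
    result: Set[str] = set()
    for a in affiliations:
        if not is_active(a, today):
            continue
        if a.kind == "employee":
            result.add("employee")
        elif a.kind in ("student", "alumnus"):
            result.add("learner")     # alumni keep their learner identity for life
        elif a.kind == "applicant":
            # External until matriculation, then learner.
            matriculated = a.matriculated is not None and a.matriculated <= today
            result.add("learner" if matriculated else "external")
        else:
            result.add("external")    # retirees, guests (retiree placement is an assumption)
    return result


def federated_ids(userid: str, affiliations: List[Affiliation], today: date) -> Dict[str, str]:
    """One userid@domain identifier per collection the person is currently in."""
    return {c: f"{userid}@{COLLECTION_DOMAIN[c]}" for c in collections_for(affiliations, today)}


def parse_federated_id(identifier: str) -> Tuple[str, str]:
    """Split userid@domain and resolve the domain to a collection.

    The string looks like an email address but is an identity scope, so only
    the known collection domains are accepted; anything else is rejected
    rather than guessed at.
    """
    userid, sep, domain = identifier.rpartition("@")
    if not sep or not userid:
        raise ValueError("expected userid@domain")
    for collection, known in COLLECTION_DOMAIN.items():
        if domain == known:
            return userid, collection
    raise ValueError(f"unknown identity domain: {domain}")


def is_known_identity(identifier: str) -> bool:
    try:
        parse_federated_id(identifier)
        return True
    except ValueError:
        return False


# Constructed sample: an employee terminated on 31 Jan 2014 who is also a student.
TODAY = date(2014, 2, 15)
TERMINATED_STUDENT = [
    Affiliation("employee", date(2010, 1, 1), date(2014, 1, 31)),
    Affiliation("student", date(2013, 9, 1)),
]
APPLICANT = [Affiliation("applicant", date(2014, 1, 10), matriculated=date(2014, 9, 1))]

if __name__ == "__main__":
    print(federated_ids("jdoe", TERMINATED_STUDENT, TODAY))
    print(collections_for(APPLICANT, TODAY), collections_for(APPLICANT, date(2014, 10, 1)))
```

Keeping the collection in the identifier's domain rather than in a flag on a single userid is what lets the employee identity be disabled at termination while the learner identity, and any email or access tied to it, continues unaffected.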

Page 25

SAML adoption

• CAS currently does “SAML-lite”
• Need to plan for full SAML support
  – If not CAS, then big change!
• On-line Expense project is first priority
• Need to consider timing:
  – CAF initiatives
  – Email in the cloud
  – Other strategic initiatives

Page 26

Authorization Management

• SAML-based SSO is not enough
• Think “facebook” trust model
• OAuth 2.0 protocol underneath

Page 27

NEXT STEPS

Page 28

First-half 2014

• Formalize functional requirements for Identity and Access Management

• Prioritize the following:
  – Replace Oracle Waveset
  – SSO with SAML support
  – Building OAuth capability

• Determine multi-factor authentication strategy
