Building an IAM Program at Portland State University
Polling URL: ...
PRESENTED BY: Ryan Bass, Associate CIO, Portland State University; Jessica Coltrin, Associate Director, Portland State University
© 2018 Internet2
Asking Questions
You can ask questions via the polling URL above, and you can also upvote your favorite questions.
Building an Identity and Access Management (IAM) Program at Portland State University (PSU)
Agenda
About PSU
IAM Maturity
The Beginning of IAM at Portland State
IAM 2.0
2019 and beyond: Future Plans
Audience poll: who is in the room?
● CIOs
● Other leadership not focused on IAM
● IAM leadership
● IAM developer/administrator
● Other
About Portland State University
IAM Maturity
Gartner ITScore for IAM Maturity
Poll:...
The Beginning of IAM at Portland State
PSU Gartner ITScore for IAM in 2000
The Beginning
Gartner ITScore for IAM in 2010
2012
● The lingering Sun Identity Manager project team meetings become “IAM Operations” and are recognized as a long-term IT coordination group. Membership includes IAM, the Windows Server Team (Active Directory), the Unix Team (LDAP & CAS), Banner ERP, and the Helpdesk.
● “Affiliate” account process created: ERP-integrated and paperless.
● New Architecture and Integration Team with an IAM focus is created.
● Provisioning landscape: Sun Identity Manager, plus the in-house “Ragve” custom provisioning engine for the LMS, etc.
● SailPoint IdentityIQ is selected to replace Sun Identity Manager.
PSU Gartner ITScore for IAM in 2013
Changing Landscape in 2013
● Oracle support for Sun Identity Manager is ending soon.
● Project to migrate to SailPoint IdentityIQ is underway.
● PSU Single Sign-On adoption has grown rapidly; SSO added to Banner ERP self-service.
● Staff turnover creates an opportunity for rebuilding the IAM team.
Launching IAM 2.0 @ PSU in 2014
Large queue of lingering work to do:
● Complete migration from Sun Identity Manager to SailPoint IdentityIQ
● Take on operational responsibilities for the custom provisioning tool
● Federated login with Shibboleth and InCommon
● Multi-factor authentication
● Service account management
● Privileged account management
The Architecture and Integration team becomes 100% IAM-focused and is renamed the Identity and Access Management team. New leadership is hired.
Identity and Access Management 2.0 @ PSU
Creating a Vision
First, look at what the rest of Higher Education is doing:
● Experience with the Kuali community and Kuali Identity Management
● Awareness of InCommon and earlier phases of what became TIER (OSIdm4HE, CIFER)
● Research with Gartner & Educause
● Attended the Internet2 Technology Exchange
Also look at prior work at PSU:
● Some foundational work in architecture and integration; SailPoint chosen
● PSU had already joined InCommon but wasn’t using it yet
● We had Active Directory, LDAP, and Google in place with Sun IDM
● We had a custom system (ragve) built for D2L provisioning and other one-off provisioning
And institutional priorities and goals:
● First area of focus was finishing the SailPoint project
● Simplify the user experience and the support experience
● Applications coming on board requesting SSO via SAML2
Vision for IAM (architecture diagram)
● Account creation sources: Banner, Destiny, etc.
● SailPoint IIQ for identity store & provisioning, feeding AD, LDAP, and D2L, etc.
● ragve for custom apps SailPoint wouldn’t support
● Single Sign-On: CAS & Shibboleth, used by most PSU applications
● Odin Account Manager for all account/access management: password management, service account management, privileged account management, access requests
Strategy/Priorities
1) Manage Identities 2) Access Management 3) IAM Improvements
Developer-Focused Implementation Methodology
… with the addition of:
● Strategic/Operational Fixes over Project Work
● Small Iterations over Large Features
Projects Completed To Date
1) Manage Identities
● OAM 2.0 (SailPoint project)
● Definitions, individual & service
● Service accounts
● Support/re-architect ragve
2) Access Management
● Access management strategy
● Automated offboarding
3) IAM Improvements
● Shibboleth IdP
● Implement MFA
● MFA for ACH & SSO
● Limited-lifetime accounts
● SailPoint 7 upgrade
Lessons Learned
● It takes time to build experienced resources, and it hurts when you lose them.
● Defining and establishing common meanings for terms like “service account” is important, and it takes more time than expected.
● Tie access to roles; we use the same account for a user with student and employee roles.
● Limit vendor solutions to what they do well. Write custom code instead of trying to modify vendor code.
● IAM Operations always takes up more time than you think it will.
Milestones
2014
● Team reformed as a software development team that also handles operations
● Introduced JIRA/Confluence to document and collaborate
● Established versioned releases & standard processes for the development life cycle
● Established an IAM governance model, formalizing IAM-Ops and a security rep
● Integration with Enterprise Application governance & the high-level IT Advisory Committee
2015
● OAM 2.0 with SailPoint
● Added additional staff
2016
● Shibboleth, Duo, OAM Admin
● Documented IAM architecture
PSU Gartner ITScore for IAM in 2016
Current Architecture (architecture diagram)
● Banner is the system of record (SOR) for all accounts (entry via application or HR)
● SailPoint IIQ for identity store & provisioning, feeding AD, LDAP, and D2L, Pebblepad, etc.
● ragve for custom apps SailPoint wouldn’t support
● Single Sign-On: Shibboleth IdP 3 and CAS, with Duo for MFA, used by most PSU applications
● Odin Account Manager (custom Django web app) for all account/access management: password management, service account management, high account management, access requests
● OAM Admin (custom Django web app) for backend administration
Projects In Progress
1) Access Management
● OAM Access Requests (OAR)
● Proxy management in OAM
● Research access improvements
2) Manage Identities
● Affiliate accounts rewrite
● Privileged accounts
3) IAM Improvements
● Lenel provisioning in ragve
Lessons Learned
● Switched focus to access management.
● Improvement projects like affiliate accounts always seem to take the back seat.
● The organization has to be ready to embrace certain changes.
● Vendor APIs are often not as ready or complete as you need.
● Custom user-facing web apps shield complexity and allow components to be replaced without impacting the user experience.
PSU Gartner ITScore for IAM in 2018
We’re now almost to Level 4.
Still more work to do on EA architecture alignment.
2019 and beyond: Future Plans
Future Projects
IAM Improvements
● Incorporate TIER
● Identity First design
● Application PIN recovery
● AWS/Azure accounts in OAM
● Orphan management
● Search/match in OAM
● Temp/guest accounts in OAM
Core Identity and Access Management features are in place; the remaining work is improving and streamlining IAM.
Incorporate TIER
Investigate the TIER deliverables and incorporate them into our IAM program where appropriate.
● Move Shibboleth to the provided Docker containers
● Implement Grouper with the provided Docker containers
● Investigate COmanage/midPoint as the identity store for low-assurance accounts
● Investigate the Shibboleth UI
● Look into the Banner/Ethos working group to streamline Banner integrations
● Follow the ID Match initiative as it evolves
Identity First
Concept: The first time we collect identity information from a user, it should come through creating a record in the identity system. The identity system becomes the System of Record (SOR) for identity.
Principles
● Track users from their first touch point at the university through their last interaction.
● Different levels of assurance, different levels of access throughout the identity lifecycle.
● Visibility & automation around provisioning/deprovisioning of accounts & access.
● Flexibility, modularity, and shared ownership.
● Accounts are provisioned on an as-needed basis to additional systems.
Identity Creation (lifecycle diagram)
● Prospects: first touch via login (Single Sign-On)
● Applicants: Undergrad App (Banner), Talisma, Grad App (CollegeNet)
● Employees: New Employee (Banner)
● Non-Credit: Destiny
● Students: Registration (Banner)
● All paths lead to Create Account (OAM)
Levels of Assurance

| Level | Info collected | Validation | Uses |
| --- | --- | --- | --- |
| 1 - minimal | First, last, external email | Email exists | Prospects, temporary accounts, applicants, non-credit students |
| 2 - matched | Contact info, SSN requested, etc. | Search/match | Admitted students |
| 3 - verified* | n/a | ID document verification | Verified student, verified employee |

● Each level builds upon the previous level, adding more assurance that the identity is valid.
● * Verified requires examination of an identity document, e.g. a social security card, passport, or driver’s license.
● Note: We’ll be looking into the InCommon Identity Assurance levels to see where/how they fit.
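The ladder above has one property worth enforcing in code rather than in a table: a level only counts if every lower level's validation has also been completed, so an identity with an ID-document check but no search/match is still not "matched" or "verified". The following is an added example, not PSU code; the evidence names, use names, and the minimum-level policy are assumptions chosen to mirror the slide's table.

```python
"""Assurance-level evaluator modelled on the three-level table above.

Added example, not PSU's code. Evidence names, use names and the
MIN_LEVEL_FOR_USE policy are assumptions mirroring the slide's table.
"""
from dataclasses import dataclass, field

# Ordered ladder: each level requires the evidence of every lower level.
LEVEL_EVIDENCE = [
    (1, "email_verified"),        # 1 - minimal: external email exists
    (2, "search_match_passed"),   # 2 - matched: search/match against the SOR
    (3, "id_document_verified"),  # 3 - verified: identity document examined
]
EVIDENCE_ORDER = [name for _, name in LEVEL_EVIDENCE]

# Minimum level each use requires (assumed; mirrors the "Uses" column).
MIN_LEVEL_FOR_USE = {
    "prospect": 1, "temporary_account": 1, "applicant": 1, "noncredit_student": 1,
    "admitted_student": 2,
    "verified_student": 3, "verified_employee": 3,
}


@dataclass
class IdentityRecord:
    """Level-1 attributes plus the set of validations that have passed."""
    first: str
    last: str
    external_email: str
    evidence: set = field(default_factory=set)


def assurance_level(record):
    """Return the highest level whose evidence chain is unbroken from level 1.

    Evidence for a higher level without the lower levels does not count,
    which is what "each level builds upon the previous level" means here.
    """
    level = 0
    for lvl, name in LEVEL_EVIDENCE:
        if name not in record.evidence:
            break
        level = lvl
    return level


def record_evidence(record, name):
    """Add a validation result, refusing to skip rungs on the ladder."""
    if name not in EVIDENCE_ORDER:
        raise ValueError(f"unknown evidence: {name}")
    missing = [e for e in EVIDENCE_ORDER[: EVIDENCE_ORDER.index(name)]
               if e not in record.evidence]
    if missing:
        raise ValueError(f"cannot record {name} before {missing}")
    record.evidence.add(name)
    return assurance_level(record)


def permitted(record, use):
    """True if the record's current level meets the use's minimum level."""
    if use not in MIN_LEVEL_FOR_USE:
        raise KeyError(f"unknown use: {use}")
    return assurance_level(record) >= MIN_LEVEL_FOR_USE[use]


if __name__ == "__main__":
    # Constructed sample identity, not real data.
    rec = IdentityRecord("Ada", "Example", "ada@example.org")
    record_evidence(rec, "email_verified")
    print(assurance_level(rec), permitted(rec, "applicant"), permitted(rec, "admitted_student"))
```

The stand-alone run walks one constructed record up the ladder; out-of-order evidence (an ID-document check before search/match) is rejected by `record_evidence`, and a record that somehow carries only higher-level evidence still evaluates to level 0.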
PSU Gartner ITScore for IAM in 2020
Time for community collaboration
Building an IAM Program at Portland State University
PRESENTED BY: Jessica Coltrin, Associate Director, Portland State University; Ryan Bass, Associate CIO, Portland State University
Questions and Discussion