IAM (AN APPROACH) Identity and Access Management

An approach to IAM - A strategy proposal and recommendation - ver 0.1


A recommendation on how to approach the task of implementing IDM and IAM in a government or educational institute. If you suffer the problem of having multiple systems recording the same people in various places, this recommendation takes a pragmatic approach to achieving IDM. The key is establishing quality of information!


Page 1

IAM (AN APPROACH)

Identity and Access Management

Page 2

Introduction

Page 3

Agenda

Terms and terminologies
Current State
How others are doing IAM
How we might start doing IAM
Identifying key success criteria
Recommendation: IAM Roadmap
What the experts say
Points for Discussion
Next steps

Page 4

The schema is the last place I should be looking to start IDM

Page 5

Useful terms to know

Term        Description
SAML        Security Assertion Markup Language
SSO         Single sign-on
AAF         Australian Access Federation
Shibboleth  Open source software package for web single sign-on across or within organisational boundaries
IAM         Identity and Access Management
RBAC        Role Based Access Control
PIV         Personal Identity Verification
LUID        Lifetime User ID
GUID        Global User ID

Page 6

Current State

(Diagram) Each system generates, maintains and uses its own Person Profile in place. Whether a Person Repository exists, and how records are matched between systems, is undefined (??? Match ???).

Page 7

How are others doing IAM?

Page 8

Theme 1 - Multiple places of information

The identity information is standardised across all systems. The identity information is used to map an LUID to an individual within each system. Systems are fed the LUID.

Monash, University of Western Sydney

Page 9

Theme 2 - One place for all information

All people that have any association with the university must have an ID first. All systems access profile details from this one source. All systems use a single ID.

University of Auckland, University of Florida

Page 10

What’s the difference between us and them?

Page 11

(Diagram, three panels)

Situation 2 - One place for all identity information - Auckland, UF: the Person Repository generates and maintains the Person Profile and the LUID; systems use them from that one place.

Situation 1 - Multiple places of information - Monash, UWS: each system generates and maintains its own Person Profile in place; a Person Repository holds the LUID and each system's profile is matched to it.

AUT (current): each system generates, maintains and uses its own Person Profile in place; a Person Repository and the matching between systems are undefined (??? Match ???).

Page 12

Pros and Cons

                                      Theme 1   Theme 2
Impact on existing processes          High      Low
Impact on existing systems            Low       High
Requirement on new systems            Moderate  Low
Risk of duplicating people details    None      Low
Impact of duplicating people details  None      Low

Main advantages of Theme 2 over Theme 1:
• All profile details are sourced from one place
• Mapping does not need to occur
• Duplicate data is eliminated
• Managing the information is easier
• Less complicated business rules

Main advantages of Theme 1 over Theme 2:
• Low impact on current processes
• Faster rate of quick wins
• Theme 1 can be adapted over time to Theme 2

Page 13

Theme 1 (architecture diagram)

Primary Source Systems of People (Data Providers): CRM, ARION, HR, Other. They feed the Person Registry through the Matching Process and the ID Exchange Process, subject to Business Rules.

Person Registry: LUID; Mappings Table; Standard ID Attributes; Profile Attributes; User Verification Process.

Assurance Layer: Assurance Level. IAM Practice manages; Information Policy enforces.

Secondary Systems using People (Data Users): Federation, IRIS, Epicor, Other. Served by the Attributes Exchange / Data Exchange, Directory services and Authentication. Where authentication is not available, a service to provide the LUID is available.
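The registry flow in the diagram above, and the matching and interfacing steps of Goal 3 later in the deck, as an added runnable example. This is illustrative code written for this page, not AUT's xgab/xgap registry or any vendor's product. The standard attribute set (family name, given name, date of birth), the two-level assurance scale, the provider names HR / CRM / ARION used as feeds, and all person records are assumptions constructed for the example.

```python
"""Added example: a minimal Theme 1 Person Registry.

Data providers feed records carrying their own local IDs; the registry matches
them on the agreed standard ID attributes, issues one opaque Lifetime User ID
(LUID) per person, keeps the mappings table, records an assurance level and
releases attributes to data users. Attribute set, assurance scale and system
names are assumptions for this example.
"""
from __future__ import annotations

import unicodedata
import uuid
from dataclasses import dataclass, field

# Standard ID attributes every data provider must supply (assumed set).
STANDARD_ID_ATTRIBUTES = ("family_name", "given_name", "date_of_birth")

# Assurance scale (assumed): how the registry came to believe who the person is.
ASSURANCE_SELF_ASSERTED = 1      # taken from a source system as supplied
ASSURANCE_DOCUMENT_VERIFIED = 2  # identity document sighted in person (PIV)


def normalise(value: str) -> str:
    """Fold case, accents and spacing so 'MÜLLER ' and 'muller' compare equal."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def match_key(record: dict) -> tuple:
    """Deterministic match key; refuses records missing a standard attribute."""
    missing = [a for a in STANDARD_ID_ATTRIBUTES if not record.get(a)]
    if missing:
        raise ValueError(f"record is missing standard attributes: {missing}")
    return tuple(normalise(record[a]) for a in STANDARD_ID_ATTRIBUTES)


@dataclass
class Person:
    luid: str
    attributes: dict
    assurance_level: int = ASSURANCE_SELF_ASSERTED
    local_ids: dict = field(default_factory=dict)   # system -> local id
    evidence: list = field(default_factory=list)    # verification records


class PersonRegistry:
    def __init__(self) -> None:
        self.persons: dict[str, Person] = {}
        self.mappings: dict[tuple[str, str], str] = {}  # (system, local id) -> LUID
        self._by_key: dict[tuple, str] = {}             # match key -> LUID
        self.review_queue: list[tuple] = []             # suspected duplicates

    def ingest(self, system: str, local_id: str, record: dict) -> str:
        """Matching + ID exchange: map a provider's local id to a LUID."""
        known = self.mappings.get((system, local_id))
        if known is not None:
            return known
        key = match_key(record)
        luid = self._by_key.get(key)
        if luid is None:
            luid = str(uuid.uuid4())  # opaque: carries no meaning and is never reused
            self.persons[luid] = Person(luid, {a: record[a] for a in STANDARD_ID_ATTRIBUTES})
            self._by_key[key] = luid
        person = self.persons[luid]
        if system in person.local_ids:
            # The provider already has another id for this person: a duplicate
            # entry. Link it to the same LUID but flag it instead of merging silently.
            self.review_queue.append((system, local_id, person.local_ids[system], luid))
        else:
            person.local_ids[system] = local_id
        self.mappings[(system, local_id)] = luid
        return luid

    def verify_in_person(self, luid: str, document_type: str, document_ref: str) -> int:
        """User verification process: raise assurance once a document is sighted."""
        person = self.persons[luid]
        person.evidence.append((document_type, document_ref))
        person.assurance_level = max(person.assurance_level, ASSURANCE_DOCUMENT_VERIFIED)
        return person.assurance_level

    def luid_for(self, system: str, local_id: str) -> str | None:
        return self.mappings.get((system, local_id))

    def local_id_for(self, luid: str, system: str) -> str | None:
        return self.persons[luid].local_ids.get(system)

    def release_attributes(self, luid: str, minimum_assurance: int) -> dict:
        """Attribute exchange: a data user states the assurance level it needs."""
        person = self.persons[luid]
        if person.assurance_level < minimum_assurance:
            raise PermissionError(f"{luid} is at assurance {person.assurance_level}, "
                                  f"consumer requires {minimum_assurance}")
        return dict(person.attributes, luid=luid, assurance_level=person.assurance_level)


def build_demo_registry() -> PersonRegistry:
    """Constructed sample feeds from three providers; not real people."""
    reg = PersonRegistry()
    reg.ingest("HR", "E1001", {"family_name": "Müller", "given_name": "Anna", "date_of_birth": "1990-04-02"})
    reg.ingest("CRM", "C-77", {"family_name": "MULLER ", "given_name": "anna", "date_of_birth": "1990-04-02"})
    reg.ingest("ARION", "S2023", {"family_name": "Ngata", "given_name": "Tame", "date_of_birth": "2001-11-30"})
    # A second HR row for Anna: linked to her LUID but queued for review.
    reg.ingest("HR", "E1042", {"family_name": "Muller", "given_name": "Anna", "date_of_birth": "1990-04-02"})
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    anna = reg.luid_for("HR", "E1001")
    reg.verify_in_person(anna, "passport", "sighted at service desk")
    print(reg.release_attributes(anna, ASSURANCE_DOCUMENT_VERIFIED))
    print("for review:", reg.review_queue)
```

Two design choices matter here. The LUID is a random opaque value rather than anything derived from the person's attributes, so it can stay fixed for life while names and documents change; and the matching process never merges or discards provider records on its own: a second local id for the same person is linked and put in a review queue, which is the "duplicate people details" risk from the pros-and-cons slide made visible instead of hidden. The assurance level is a property of the registry record, not of the consuming system, so a federation service that needs a sighted identity document simply asks for level 2 and is refused until verification has happened.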

Page 14

Why are we doing this?

Page 15

Key Success Criteria

• Achieve cross-platform interoperability
• Gain efficiencies in on- and off-boarding processes
• Students to gain access to federated services
• Reduce risks around authenticating users
• Improve level of verification of users
• Achieve asynchronous access lists
• Improve system access management

Page 16

Addressing Key Success Criteria

Goal 1 - Get our identity information correct and standardised across AUT
Goal 2 - Clean up our boarding processes
Goal 3 - Set up IDM Person Registry
Goal 4 - Set up Federation Services
Goal 5 - Deal with RBAC and Access Management

Page 17

Goal 1 - Get our information correct and standardised across AUT

• Step 1 – Define and AGREE to implement a standard set of attributes to identify a user.

• Step 2 – Determine gaps in information for all systems that use identities.

• Step 3 – Define and AGREE IAM Practice and levels of assurance.

• Step 4 – Define and AGREE to implement changes to processes and technologies to fill in the gaps in information and implement personal identity verification processes.

• Step 5 – Release the Standard and IAM Practice to the rest of AUT and use the Information Policy to enforce the standard.

Page 18

Goal 2 - Clean up our boarding processes

Step 1 – Examine current process and systems dealing with people’s identities

Step 2 – Highlight weaknesses and changes that could be made to deal with these weaknesses.

Step 3 – Develop and AGREE to implement change to processes and systems.

Step 4 – Test the changes for holes

Page 19

Goal 3 - Set up IDM Person Registry

Step 1 - Identify current gaps in xgab to function as the Person Registry.

Step 2 - Determine, prioritise and AGREE to implement changes to xgap if it is appropriate, otherwise look for an alternative solution.

Step 3 - Begin interfacing Primary Source Systems of People with the Person Registry.

Page 20

Goal 4 - Set up Federation Services

Step 1 - Define and AGREE upon the schema.

Step 2 - Determine gaps in information currently held in source systems.

Step 3 - Identify source systems for information and work with IGG to source the info.

Step 4 - Implement Shibboleth.

Step 5 - Advertise new available services.

Page 21

Comments from other experts

• The trap that many get into is that they try to plan the IdM schema before they know how the downstream components will be using the directories, which may have a direct impact on the schema attributes required in an IdM - Phillip Moore

• ..the directory schema is not the final bull's eye of the business but an evolution to data quality improvements and service management and service improvements.. - Alan Lloyd

• ..single most common mistake people make is not putting the proper focus on strategy, architecture and integration planning mapped back to requirements.. - Mark Prince

• Make sure you have identified ALL the stakeholders, as nothing is more dangerous than a stakeholder scorned - Byron Tice

• ..have a good understanding of all the customer requirements... keep extending your schema over the time - Behruz Rushenas

• Don't try to do application authorization at the macro level. Leave that to the applications.. - Byron Tice

Page 22

The Experts and Acknowledgements

• Mark Prince - Senior Director, Cyber Security Practice - US Navy, 15 years experience
• Behruz Rushenas - IAM specialist at Amgen Inc
• Graham Williamson - Consulting Director at Internet Commerce Australia - UWS - Monash
• Byron Tice - Senior Consultant at Controls Integrity and Computer & Network Security Consultant
• Alan Lloyd - Owner of convergence and governance platform software
• Brian Kreh - Identity Management Strategist
• Phillip Moore - Enterprise Architect

Page 23

Points for Discussion

What is the business reason for having an LUID?
Business reason for having multiple login IDs
Achieve Theme 2 first, then convert to Theme 1
Running the IAM initiative as a structured project
Password assertion versus identity assertion
Convincing others that we need to do IAM
Is single sign-on a priority?
Data custodians versus owners?

Page 24

Key Notes

IAM is about quality of information
IDs are not the key to IDM
IDs must serve a purpose other than to be unique

Page 25

Recommendation

Run the initiative as a project to achieve the goals as set out in this presentation.

Identify a list of people-system owners who will become the steering committee.

Run a workshop for them to:
Identify what they want to get out of IAM
Identify what their key success criteria are
Determine the benefits of IAM
Determine usage scenarios with which we can test the outcomes
Determine what will and will not work for them
Determine what they are willing to do

Page 26

Thanks

AUT University Michael Clarkson Senior Business Analyst [email protected] [email protected]