Identity and Access Management: Concepts and Models
1
Identity and Access Management: Concepts and
Models
  • Presentation available at
    http://arch.doit.wisc.edu/keith/midnet/idmIntro-050609-01.ppt
  • Keith Hazelton, hazelton@doit.wisc.edu
  • Sr. IT Architect, University of Wisconsin-Madison
  • Internet2 MACE
  • MIDnet Spring Conference, June 9, 2005

2
Topics
  • What is Identity and Access Management (IAM)?
  • The IAM Stone Age
  • A better vision for IAM
  • An aside on the value of affiliation / group /
    privilege management services
  • Basic IAM functions mapped to NMI/MACE components
  • Demands on IT and how IAM services help

3

Identity and Access Management (IAM) defined
  • What is Identity Management?
  • "Identity management is the set of business
    processes, and a supporting infrastructure, for
    the creation, maintenance, and use of digital
    identities." (The Burton Group, a research firm
    specializing in IT infrastructure for the
    enterprise)
  • Identity Management in this sense is often called
    Identity and Access Management (IAM)
  • What problems do Identity and Access Management
    solve?

4
IAM is
  • Hi! I'm Lisa. (Identity)
  • ... and here's my NetID / password to prove it.
    (Authentication)
  • I want to open the Portal to check my email.
    (Authorization: allowing Lisa to use the
    services for which she's authorized)
  • And I want to change my grade in last semester's
    Physics course.
    (Authorization: preventing her from doing
    things she's not supposed to do)

5
IAM is also
  • New hire, Assistant Professor Alice
  • Department wants to give her an email account
    before her appointment begins so they can get her
    off to a running start
  • How does she get into our system and get set up
    with the accounts and services appropriate to
    faculty?

6
What questions are common to these scenarios?
  • Are the people using these services who they
    claim to be?
  • Are they a member of our campus community?
  • Have they been given permission?
  • Is their privacy being protected?

7
As for Lisa
  • Sez who?
  • What Lisa's username and password are?
  • What she should be able to do?
  • What she should be prevented from doing?
  • Scaling to the other 40,000 just like her on
    campus

8
As for Professor Alice
  • What accounts and services should faculty members
    be given?
  • At what point in the hiring process should these
    be activated?
  • Methods need to scale to 20,000 faculty and staff

9
The IAM Stone Age
  • List of functions:
  • AuthN: Authenticate principals (people, servers)
    seeking access to a service or resource
  • Log: Track access to services/resources

10
The IAM Stone Age
  • Every application for itself in performing these
    functions
  • User list + credentials: if you're on the list,
    you're in (AuthN is authorization (AuthZ))
  • As Hobbes might say: Stone Age IAM is "nasty,
    brutish & short on features"

11
Vision of a better way to do IAM
  • IAM as a middleware layer at the service of any
    number of applications
  • Requires an expanded set of basic functions
  • Reflect: Track changes to institutional data from
    changes in Systems of Record (SoR) & other IdM
    components
  • Join: Establish & maintain person identity across
    SoRs

12
Your Digital Identity and The Join
  • The collection of bits of identity information
    about you in all the relevant IT systems at your
    institution
  • For any given person in your community, do you
    know which entries in each system's data store
    carry bits of their identity?
  • If more than one system can create a person
    record, you have identity fragmentation

13
The pivotal concept of IAM The Join
  • Identity fragmentation cure 1: The Join
  • Use business logic to
  • Establish which records correspond to the same
    person
  • Maintain that identity join in the face of
    changes to data in collected systems
  • Once cross-system identity is forged, assign a
    unique person identifier (often a registry ID)

14
Identity Information Access
  • Some direct from the Enterprise Directory via
    reflection from SoR
  • Other bits need to be made reachable by
    identifier crosswalks

15
Identity Information Reachability
  • In System B, to get info from System D:
  • Look up the Sys D ID in the identifier crosswalk
  • Use whatever means Sys D provides to access the info
  • For new apps, leverage the join by carrying the
    Registry ID as a foreign key, even if the app is
    not in the crosswalk
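
The join (slides 12-13) and the identifier crosswalk (slides 14-15) in working code, as an added example that is not part of the presentation. It assumes three constructed Systems of Record (HR, student, library), a national-ID field as the strong identifier and name plus date of birth as the weaker fallback; every record, field name and local identifier below is invented.

```python
"""Identity join across Systems of Record (SoR): one opaque registry ID per person,
plus the identifier crosswalk that the join produces as a by-product.

Added example, not code from the presentation. The SoR records, field names and
matching rules are constructed for illustration.
"""
import itertools

# Constructed sample SoR data. Alice and Lisa appear in several systems under different
# local identifiers; a second Lisa Smith (different birth date) must NOT be joined.
HR = {
    "E1001": {"last": "Chen", "first": "Alice", "dob": "1978-03-14", "natl_id": "123-45-6789"},
    "E1002": {"last": "Smith", "first": "Lisa", "dob": "1986-11-02", "natl_id": "987-65-4321"},
}
STUDENT = {
    "S77001": {"last": "Smith", "first": "Lisa", "dob": "1986-11-02", "natl_id": None},
    "S77002": {"last": "Chen", "first": "Alice", "dob": "1978-03-14", "natl_id": "123456789"},
    "S77003": {"last": "Smith", "first": "Lisa", "dob": "1990-01-01", "natl_id": None},
}
LIBRARY = {
    "L-5": {"last": "Smyth", "first": "Lisa", "dob": "1986-11-02", "natl_id": None},  # misspelled
}


def _digits(s):
    """Normalize a national ID so '123-45-6789' and '123456789' compare equal."""
    return "".join(ch for ch in (s or "") if ch.isdigit()) or None


def _name_dob_key(rec):
    return (rec["last"].strip().lower(), rec["first"].strip().lower(), rec["dob"])


class Registry:
    """Person registry: one opaque registry ID per joined identity plus a crosswalk."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.persons = {}       # registry_id -> {"ids": {system: local_id}, "rule": how joined}
        self.by_natl = {}       # normalized national id -> registry_id (strong match)
        self.by_name_dob = {}   # (last, first, dob) -> registry_id (weaker match, flagged)
        self.crosswalk = {}     # (system, local_id) -> registry_id

    def _match(self, rec):
        """Business logic of the join: strongest identifier first, then name + DOB."""
        nid = _digits(rec.get("natl_id"))
        if nid and nid in self.by_natl:
            return self.by_natl[nid], "natl_id"
        key = _name_dob_key(rec)
        if key in self.by_name_dob:
            return self.by_name_dob[key], "name+dob (review)"
        return None, None

    def _index(self, rid, system, local_id, rec):
        self.persons[rid]["ids"][system] = local_id   # one local id per system is kept
        nid = _digits(rec.get("natl_id"))
        if nid:
            self.by_natl[nid] = rid
        self.by_name_dob[_name_dob_key(rec)] = rid
        self.crosswalk[(system, local_id)] = rid

    def ingest(self, system, local_id, rec):
        """Join one SoR record: attach to an existing person or mint a new registry ID."""
        rid, rule = self._match(rec)
        if rid is None:
            rid, rule = f"R{next(self._seq):06d}", "new"   # opaque; never derived from PII
            self.persons[rid] = {"ids": {}, "rule": rule}
        else:
            self.persons[rid]["rule"] = rule
        self._index(rid, system, local_id, rec)
        return rid

    def update(self, system, local_id, rec):
        """Maintain the join when a SoR record changes; merge two identities if it links them."""
        current = self.crosswalk[(system, local_id)]
        other, rule = self._match(rec)
        if other is not None and other != current:
            keep, drop = sorted([current, other])   # keep the older registry ID
            self.persons[keep]["ids"].update(self.persons.pop(drop)["ids"])
            self.persons[keep]["rule"] = f"merged via {rule}"
            for idx in (self.crosswalk, self.by_natl, self.by_name_dob):
                for k in list(idx):
                    if idx[k] == drop:
                        idx[k] = keep
            current = keep
        self._index(current, system, local_id, rec)
        return current

    def lookup(self, from_system, local_id, to_system):
        """Identifier crosswalk: given System B's ID, find the same person's ID in System D."""
        rid = self.crosswalk.get((from_system, local_id))
        return None if rid is None else self.persons[rid]["ids"].get(to_system)


def build_registry():
    reg = Registry()
    for system, records in (("hr", HR), ("student", STUDENT), ("library", LIBRARY)):
        for local_id, rec in records.items():
            reg.ingest(system, local_id, rec)
    return reg
```

The weaker rule is recorded on the person entry so the join can be reviewed later; the registry ID is a sequence number rather than anything taken from a SoR, so a new application can carry it as a foreign key without exposing a national ID; and update() covers the maintenance case the slide calls out, where a corrected record reveals that two registry entries were the same person all along.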

16
Identity Information Reachability
  • Key to reachability is less about technology,
    more about shared practice across system owners

17
Identity Fragmentation Cure 2
  • When you can't integrate, federate
  • Federated Identity Management means
  • Relying on the Identity Management infrastructure
    of one or more institutions or units
  • To authenticate and pass authorization-related
    information to service providers or resource
    hosting institutions or enterprises
  • Via institution-to-provider agreements
  • Facilitated by common membership in a federation
    (like InCommon)

18
Vision of a better way to do IAM
  • More in the expanded set of basic functions:
  • Credential: Issue digital credentials to people
    in the community
  • Mng. Affil.: Manage affiliation and group
    information
  • Mng. Priv.: Manage privileges and permissions at
    the system and resource level
  • Provision: Push IAM info out to systems and
    services as required
  • Deliver: Make access control / authorization
    information available to services and resources
    at run time
  • AuthZ: Make the allow/deny decision independently
    of AuthN

19
Policy issues re: credential function (NetID)
  • When to assign, activate (as early as possible)
  • Who gets them? Applicants? Prospects?
  • Guest NetIDs (temporary, identity-less)
  • Reassignment (never except)
  • Who can handle them? Argument for WebISO.

20
A closer look at managing affiliations, groups
and privileges
  • How does this help the harried IT staff?

21
Authorization, the early years
  • IAM value is realized only when access to services
    & information is enabled
  • Authorization support is the keystone
  • Crude beginnings: If you can log in, you get it
    all
  • Call to serve non-traditional audiences breaks
    this model
  • Applicants
  • Collaborative program students

22
Authorization, the early years
  • First refinement on "log in, get it all":
  • Add service flags to the enterprise directory as
    additional identity information
  • Lisa: Eligible for email
  • Fred: Eligible for student health services
  • Sam: Enrolled in Molecular Biology 432
  • The horrendous scaling problem: one flag per
    person per service

23
Authorization, the early years
  • Bringing in groups to deal with the scaling
    problem
  • Here groups are being used to carry affiliations
    or roles

24
  • (Figure, thanks to jbarkley@nist.gov)

25-27
  • (Figure-only slides, no transcript)

28
Groups and affiliation management software?
  • Middleware Architecture Committee for Education
    (MACE) in Internet2 sponsoring the Grouper
    project
  • Infrastructure at University of Chicago
  • User interface at Bristol University in UK
  • Support from NSF Middleware Initiative (NMI)
  • http://middleware.internet2.edu/dir/groups

29
Role- and Privilege-based AuthZ
  • Privileges are what you can do
  • Roles are who you are, which can be used for
    policy-based privileges
  • Both are viable and complementary for authorization

30
Roles (cf. isMemberOf)
  • Inter-realm: specific privileges vary in
    different contexts
  • e.g. an Instructor can submit grades at one
    site, read only at another
  • Eligibility (can have) instead of authorization
    (can do)
  • e.g. Faculty/Staff/Students get free email
    from a specific provider

31
Privileges (cf. eduPersonEntitlement)
  • Permissions should be the same across service
    providers
  • Service providers do not need to know the rules
    behind authorization
  • e.g. Building access regardless of why: has an
    office in the building, taking a class in the
    building, authorized by the building manager
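
The progression from "log in, get it all" through service flags to groups (slides 21-23), and the split between roles (isMemberOf) and privileges (eduPersonEntitlement) on slides 29-31, as an added example that is not from the presentation. The principals, group names, entitlement URNs, service flags and per-site policies are constructed; only the two attribute names are real eduPerson attributes. The decide() function also shows slide 18's point that the allow/deny decision is made independently of authentication.

```python
"""Authorization from delivered identity attributes: roles (isMemberOf) interpreted per
service, privileges (eduPersonEntitlement) honoured the same way by every service.

Added example, not code from the presentation. Principals, groups, entitlement URNs,
service flags and site policies are constructed for illustration.
"""

# Constructed attributes, as the Deliver function hands them to a service at run time.
IDENTITY = {
    "lisa": {"isMemberOf": {"student", "course:physics101:member"},
             "eduPersonEntitlement": set()},
    "alice": {"isMemberOf": {"faculty", "course:physics101:instructor"},
              "eduPersonEntitlement": {"urn:mace:uni.example:building:chem-hall:enter"}},
    "bob": {"isMemberOf": {"contractor"},
            "eduPersonEntitlement": {"urn:mace:uni.example:building:chem-hall:enter"}},
}

# Constructed per-person service flags, the first refinement on "log in, get it all".
SERVICE_FLAGS = {"lisa": {"email"}, "fred": {"health"}, "sam": {"molbio432"}}

# Roles say who you are; what a role may do differs per site, so each service keeps its
# own mapping (the instructor submits grades in the gradebook, reads only in the archive).
SITE_POLICY = {
    "gradebook": {"course:physics101:instructor": {"grades:read", "grades:submit"},
                  "course:physics101:member": {"grades:read-own"}},
    "archive": {"course:physics101:instructor": {"grades:read"}},
}

# Privileges say what you can do; one entitlement means one permission at every service,
# and the service never learns whether it came from an office, a class or the manager.
ENTITLEMENT_PERMS = {
    "urn:mace:uni.example:building:chem-hall:enter": "door:chem-hall:enter",
}


def stone_age_decide(user_list, principal, action):
    """Stone Age IAM: being on the application's own user list is the whole decision."""
    return principal in user_list


def flag_decide(flags, principal, action):
    """Service flags: one entry per person per service, which is what fails to scale."""
    return action in flags.get(principal, set())


def permissions(site, attrs):
    """Permission set a service derives from one principal's released attributes."""
    perms = set()
    for group in attrs.get("isMemberOf", ()):                 # role-based, site-specific
        perms |= SITE_POLICY.get(site, {}).get(group, set())
    for ent in attrs.get("eduPersonEntitlement", ()):          # privilege-based, uniform
        if ent in ENTITLEMENT_PERMS:
            perms.add(ENTITLEMENT_PERMS[ent])
    return perms


def decide(site, principal, action, identity=IDENTITY):
    """AuthZ independent of AuthN: an authenticated principal with no attributes gets nothing."""
    attrs = identity.get(principal)
    return attrs is not None and action in permissions(site, attrs)
```

With the Stone Age rule Lisa can change her own grade simply because she can log in; with the attribute-based rule the gradebook grants grades:submit only to the instructor group, the archive grants the same group read access only, and the door controller, which has no role policy at all, still honours the building entitlement for Alice and Bob without knowing why either of them holds it.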

32
Privilege Management Feature Summary
33
Privilege Management software?
  • Project Signet of Internet2 MACE
  • Development based at Stanford
  • Support from NSF Middleware Initiative
  • http://middleware.internet2.edu/signet

34
Basic IAM functions mapped to the NMI / MACE
components
  • (Diagram: Systems of Record (Student, HR, Other),
    Registry, Enterprise Directory (LDAP); functions
    Join, Reflect, Credential)

35
A successful enterprise directory attracts data
  • People start to see the value in reflecting data
    there
  • App owners start asking to put person-level
    specifics there:
  • Service config
  • Customization
  • Personalization
  • What about non-person data?
  • Why do we never see data warehouse and
    directory in the same book or white paper?

36
Basic IAM functions mapped to the NMI / MACE
components
  • (Diagram: Systems of Record, Enterprise Directory,
    Apps / Resources; functions AuthN, Log, Reflect,
    Provision, Join, Credential, AuthZ, Mng. Affil.,
    Mng. Priv., Deliver; NMI/MACE components WebISO,
    Grouper, Signet, Shibboleth)

37
Provisioning
  • (Same diagram as slide 36, shown again under the
    heading Provisioning)

38
Two modes of app/IAM integration
  • Domesticated applications
  • Provide them the full set of IdM functions
  • Applications with attitude (their own IdM comes in the box)
  • Meet them more than halfway by provisioning

39
Provisioning
  • Getting identity information where it needs to be
  • For Apps with Attitude, this often means
    exporting reformatted information to them in a
    form they understand
  • Using either App-provided APIs or tricks to write
    to their internal store
  • Change happens, so this is an ongoing process

40
Provisioning Service Pluses
  • Provisioning decisions governed by runtime
    configuration, not buried in code somewhere
  • Single engine for all consumers has obvious
    economy
  • Config is basis for healing consumers with broken
    reflection
  • Config could be the basis of change management:
    compare the as-is provisioning rule to a what-if rule
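
The provisioning service of slides 38-40 (rules held in runtime configuration, one engine for every consumer, healing a consumer whose reflection has drifted, and an as-is versus what-if comparison) as an added example that is not from the presentation. The directory entries, the two consumer applications, the rule format and the snapshot of what the consumers currently hold are all constructed; the what-if rule set is the Professor Alice case from slide 5, an email account activated at the pre-hire point.

```python
"""Rule-driven provisioning: desired state per consumer app is computed from directory
data and a declarative rule set, then diffed against what the app currently holds.

Added example, not code from the presentation. Directory entries, consumer apps, the
rule format and the apps' current state are constructed for illustration.
"""
import copy

# Constructed enterprise-directory entries (what Join and Reflect produced).
DIRECTORY = {
    "alice": {"affiliation": {"faculty"}, "dept": "physics", "status": "pre-hire"},
    "lisa": {"affiliation": {"student"}, "dept": "physics", "status": "active"},
    "fred": {"affiliation": {"staff"}, "dept": "health", "status": "terminated"},
}

# Rules live in configuration, not code: each consumer lists the conditions under which a
# person gets an account there and which attributes to push, reformatted for that app.
RULES_AS_IS = {
    "email": {"when": {"affiliation": {"faculty", "staff", "student"}, "status": {"active"}},
              "attrs": ["dept"]},
    "hr-portal": {"when": {"affiliation": {"faculty", "staff"}, "status": {"active"}},
                  "attrs": []},
}
# What-if: activate email at the pre-hire point so a new professor gets a running start.
RULES_WHAT_IF = copy.deepcopy(RULES_AS_IS)
RULES_WHAT_IF["email"]["when"]["status"] = {"active", "pre-hire"}

# Constructed snapshot of what the consumers hold today: an "app with attitude" whose
# reflection has drifted (fred was never deprovisioned, lisa's department is stale).
CURRENT_STATE = {
    "email": {"lisa": {"dept": "chemistry"}, "fred": {"dept": "health"}},
    "hr-portal": {},
}


def _matches(entry, when):
    """A condition matches when every listed attribute shares a value with the wanted set."""
    for attr, wanted in when.items():
        value = entry.get(attr)
        values = value if isinstance(value, set) else {value}
        if not values & wanted:
            return False
    return True


def desired_state(rules, directory=DIRECTORY):
    """Single engine for all consumers: app -> {user: attributes to push}."""
    return {
        app: {uid: {a: entry[a] for a in rule["attrs"]}
              for uid, entry in directory.items() if _matches(entry, rule["when"])}
        for app, rule in rules.items()
    }


def plan(desired, current):
    """Diff desired against current: the work list that heals a consumer's broken reflection."""
    actions = []
    for app in sorted(set(desired) | set(current)):
        want, have = desired.get(app, {}), current.get(app, {})
        for uid in sorted(set(want) | set(have)):
            if uid in want and uid not in have:
                actions.append(("create", app, uid, want[uid]))
            elif uid in have and uid not in want:
                actions.append(("delete", app, uid, None))
            elif want[uid] != have[uid]:
                actions.append(("update", app, uid, want[uid]))
    return actions


def what_if(rules_a, rules_b, directory=DIRECTORY):
    """Change management: who gains or loses access if rule set A is replaced by rule set B."""
    return plan(desired_state(rules_b, directory), desired_state(rules_a, directory))
```

Each action in the plan would be carried out through the consumer's own API or, failing that, by writing to its internal store; because the engine works from a diff, re-running it after a failed push heals the consumer instead of duplicating accounts, and the terminated employee who still holds an email account is exactly the drift a deprovisioning diff is meant to catch.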

41
Same IAM functions, different packaging
  • Your IAM infrastructure (existing or planned) may
    have different boxes & lines
  • But somewhere, somehow this set of IdM functions
    is getting done
  • Gives us all a way to compare our solutions by
    looking at various packagings of the IdM functions

42
IAM functions

43
IAM functions big pictures
  • (Figure only, no transcript)

44
IAM functions big pictures
  • (Diagram of the basic functions: Credential, Join,
    Reflect, Manage Grps, Manage Privs,
    Provide/provision, Provide/run-time, AuthZ, Log,
    with AuthN shown in parentheses)

45
Alternative packaging of basic IAM functions
  • Single System of Record as Enterprise Directory
  • (Diagram: Student-HR Info System, Registry, LDAP;
    functions "Join", Reflect, Credential)

46
Single SoR as Enterprise Directory
  • Who owns the system?
  • Do they see themselves as running shared
    infrastructure?
  • Will any external populations ever become
    internal?
  • What if the hospital negotiates a deal?
  • Stress-test alternative packaging by thinking
    through the list of basic IdM functions

47
Alternative packaging of basic IAM
  • (Diagram: Systems of Record, Enterprise Directory,
    Apps / Resources; functions AuthN, Log, Reflect,
    Provision, Join, Credential, AuthZ, Mng. Affil.,
    Deliver; components Kerberos, LDAP, Directory
    Plug-ins)

48
What is IT being asked to do?
  • Automatic creation and deletion of computer
    accounts
  • Personnel records access for legal compliance
  • One stop for university services (portal)
    integrated with course management systems

49
What else is IT being asked to do?
  • Student record access for life
  • Submission and/or maintenance of information
    online
  • Privacy protection

50
More on the To Do list
  • Stay in compliance with a growing list of policy
    mandates
  • Increase the level of security protections in the
    face of a steady stream of new threats

51
More on the To Do list
  • Serve new populations (alumni, applicants, ...)
  • More requests for new services and new
    combinations of services
  • Increased interest in eBusiness
  • There is an Identity Management aspect to each
    and every one of these items

52
How full IAM layer helps
  • Improves scalability: IAM process automation
  • Reduces complexity of the IT ecosystem
  • Complexity as friction (wasted resources)
  • Improved user experience
  • Functional specialization: app developers can
    concentrate on app-specific functionality

53
Q & A

54
Appendix: IAM and the rise of policy concerns
  • New systems and applications have come in two
    primary ways:
  • 1) A campus unit approaches a central IT group to
    build a new application
  • 2) Some Request for Proposal (RFP) process leads to
    a new system

55
1) A campus unit approaches a central IT group to
build a new application
  • If the IT group encountered policy issues
  • It had no standard place to turn for answers
  • Technologists either made policy decisions
  • Or they referred the issue back to the requestor
  • Or, sometimes, the project stalled

56
2) RFP process leads to purchase of a new system
  • If the new system affected business process
    and/or policies
  • The campus struggled to create a forum to address
    the issues
  • Or the effect was not noticed until after go-live
  • Or implementors did their best to work around the
    problems
  • Or, sometimes, the project stalled

57
Responding to requests: A new approach at
UW-Madison
  • Campus leaders are defining new ways of
    channeling and responding to requests
  • Groups like the AuthNZ Coordinating Team (ACT)
    anticipate policy issues and sort through the
    concerns
  • They route findings and recommendations to the
    CIO office
  • The CIO Office takes the issue to an appropriate
    campus body

58

59
Responding to requests: A new approach
  • The Identity Management Leadership Group (IMLG)
    provides leadership on IdM issues when responding
    to:
  • Submission and/or maintenance of information
    online
  • Privacy protection
  • Increased compliance demands
  • Increased security threats

60
Why a new group?
  • Technology is now more robust and services are
    considered foundational to the institution
  • Broader scope, e.g., new populations
  • New policy issues and more of them
  • Need for flexibility and quick turn-around time

61
One key resource to help you start building the
IAM infrastructure
  • Enterprise Directory Implementation Roadmap
  • http://www.nmi-edit.org/roadmap/directories.html
  • Parallel project planning paths
  • Technology/Architecture
  • Policy/Management
