Date posted: 01-Jul-2015
FAS Stakeholders: IAM is Working for You!
Jane Hill, Director, IAM Product Management
Slide 2: What is Identity & Access Management?
Identity and access management (IAM) technologies and services enable the right individuals to access the right resources at the right times for the right reasons.
We all use IAM solutions many times a day:
• Logging in to websites, servers, and other resources
• Accessing research materials at Harvard and beyond
• Checking a colleague’s calendar for a meeting
• Adding, removing, or changing employee records
At Harvard, the IAM program exists to streamline these interactions and make it easier for you to do your day-to-day tasks.
Slide 3: What is Identity & Access Management?
Our vision: Provide users, application owners, and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing.
Objectives
• Simplify User Experience: Simplify and improve access to applications and information inside and outside of the University
• Enable Research & Collaboration: Make it easier for faculty, staff, and students to research and collaborate within the University and with other institutions
• Protect University Resources: Improve the security posture of the University via a standard approach
• Facilitate Technology Innovation: Establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies
Guiding Principles
• Harvard Community needs will drive our technology
• Tactical project planning will remain aligned with the program’s strategic objectives
• Solution design should allow other Schools to use foundational services to communicate with the IAM system in a consistent, federated fashion
• Communication and socialization are critical to our success
Key Performance Indicators
• Monthly number of help desk requests relating to account management
• Monthly number of registered production applications using IAM systems
• Monthly number of user logins and access requests through IAM systems
• Monthly number of production systems to which IAM provisions
Slide 4: A New Provisioning System: SailPoint IdentityIQ
Provisioning and deprovisioning are key to the IAM program:
• Add new users quickly and accurately
• Reduce manual processes and delays by issuing access through a central identity store
• Make role changes simpler and easier
• Streamline the revocation of access when necessary
The IAM program is now transitioning to the use of SailPoint IdentityIQ to manage provisioning and deprovisioning.
Slide 5: FAS IAM Details
• Thousands of accounts are claimed every year
• Passwords are synched to multiple systems:
  – Active Directories (used for email)
  – LDAP (used for file sharing and application access management)
  – Google (@college, @g)
  – Home directories and Kerberos
• Sponsored accounts are processed by the Service Desk
• Self-service password resets using Oracle Waveset
• Automatic disabling of accounts (different rules for different types of accounts)
Slide 6: The Wishlist
• Improve the user experience
  – Claiming should be easy to use, and work on mobile devices
  – Self-service password reset without security questions
• Simplify onboarding for all types of users
• Enable early access when appropriate
• Put sponsored account processes online (!)
• Enable sponsored account managers to extend or end-date accounts directly
Slide 7: Connect with Harvard (Claim an Account)
Ready
• Data are in the Identity Management System:
  – Name
  – Date of birth
  – Role
  – Onboarding email (used when applying, or supplied by the onboarding admin)
Set
• HR, Registrar, or department admin directs the new user to the account claiming application
Connect
• New user enters name, DOB, and HUID for basic validation
• Email is sent to the onboarding email address
• Use the temporary password you receive in the email to log in
• Choose a username
• Set a permanent password
• Provide recovery information
• Set security questions
• Connected!
Slide 8: Types of Sponsored Accounts
• Affiliate Accounts (People)
• Service Accounts (Course, Group, Department, Application)
• Kiosk, Machine and other Special Accounts
Slide 9: Sponsored Account Process: Affiliate Process
Request (the sponsored requester…)
• Submits data about the new user: name, DOB, last 4 digits of SSN, email, reason, etc.
• System sends an email
Validate (the end user…)
• Receives the email and navigates to the account claiming application
• Logs in with email as login name and the temporary password
Create (the end user…)
• Picks a user name
• Sets a password
• Sets recovery info
• Sets security questions
• Account is created in the sponsor’s department
• Notification email is sent to the sponsored requester
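The Ready/Set/Connect flow on slide 7 and the Request/Validate/Create flow on slide 9, modelled as an added Python example. This is not FAS, HUIT or SailPoint code: the identity record is staged first, the emailed temporary password is kept only as a PBKDF2 hash, is single-use and expires, name/DOB/HUID are checked before the account is created, and repeated failures lock the claim until the requester re-issues it. The class and field names, the 24-hour lifetime, the five-failure lock-out, the 12-character password minimum and the PBKDF2 work factor are all assumptions made for the example; the sample identity in the usage below is constructed.

```python
"""Account-claim flow with a single-use, expiring temporary password (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

PBKDF2_ITERATIONS = 200_000               # assumed work factor
TEMP_PASSWORD_TTL = timedelta(hours=24)   # assumed lifetime of the emailed password
MAX_VALIDATE_FAILURES = 5                 # assumed lock-out threshold
MIN_PASSWORD_LEN = 12                     # assumed permanent-password policy


def _hash(secret: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256: neither temporary nor permanent passwords are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def _norm(value: str) -> bytes:
    """Case- and whitespace-insensitive form for comparing name/DOB input."""
    return " ".join(value.split()).casefold().encode()


@dataclass
class PendingIdentity:
    """'Ready' state: identity data present, account not yet claimed."""
    huid: str
    name: str
    dob: str                   # ISO date string, e.g. "1990-05-17"
    onboarding_email: str
    requester: str             # sponsored requester, or the HR/Registrar feed
    temp_salt: bytes
    temp_hash: bytes
    issued_at: datetime
    failures: int = 0
    claimed: bool = False


@dataclass
class Account:
    """'Connected' state: username chosen, permanent password and recovery info set."""
    huid: str
    username: str
    salt: bytes
    password_hash: bytes
    recovery_email: str
    security_answers: Dict[str, bytes] = field(default_factory=dict)  # hashed answers


class ClaimService:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.pending: Dict[str, PendingIdentity] = {}
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[dict] = []   # stands in for the mail system

    # Request: sponsor (or onboarding feed) stages identity data; email carries the secret.
    def request_account(self, requester: str, huid: str, name: str, dob: str,
                        onboarding_email: str) -> None:
        temp_password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.pending[huid] = PendingIdentity(huid, name, dob, onboarding_email, requester,
                                             salt, _hash(temp_password, salt), self.clock())
        self.outbox.append({"to": onboarding_email, "huid": huid, "temp_password": temp_password})

    # Validate: HUID + name + DOB plus the emailed temporary password, with lock-out and expiry.
    def validate(self, huid: str, name: str, dob: str, temp_password: str) -> bool:
        p = self.pending.get(huid)
        if p is None or p.claimed or p.failures >= MAX_VALIDATE_FAILURES:
            return False
        if self.clock() - p.issued_at > TEMP_PASSWORD_TTL:
            return False                      # expired: the requester must re-issue
        name_ok = hmac.compare_digest(_norm(name), _norm(p.name))
        dob_ok = hmac.compare_digest(_norm(dob), _norm(p.dob))
        pw_ok = hmac.compare_digest(_hash(temp_password, p.temp_salt), p.temp_hash)
        ok = name_ok and dob_ok and pw_ok     # all three evaluated, then combined
        if not ok:
            p.failures += 1
        return ok

    # Create/Connect: choose username, set permanent password, recovery info, security answers.
    def claim(self, huid: str, name: str, dob: str, temp_password: str, username: str,
              new_password: str, recovery_email: str,
              security_answers: Dict[str, str]) -> Optional[str]:
        if not self.validate(huid, name, dob, temp_password):
            return None
        if username in self.accounts or len(new_password) < MIN_PASSWORD_LEN:
            return None
        p = self.pending[huid]
        salt = secrets.token_bytes(16)
        hashed_answers = {q: _hash(_norm(a).decode(), salt) for q, a in security_answers.items()}
        self.accounts[username] = Account(huid, username, salt, _hash(new_password, salt),
                                          recovery_email, hashed_answers)
        p.claimed = True                      # temporary password is spent from here on
        self.outbox.append({"to": p.requester, "huid": huid, "event": "account created"})
        return username


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    svc = ClaimService()
    svc.request_account("sponsor@example.edu", "12345678", "Ada Lovelace", "1990-05-17",
                        "ada@example.org")
    temp = svc.outbox[-1]["temp_password"]
    print(svc.claim("12345678", "Ada Lovelace", "1990-05-17", temp, "alovelace",
                    "correct horse battery", "ada.recovery@example.org", {"pet": "Rex"}))
```

The second `claim` with the same temporary password fails because the pending record is marked claimed, and a wrong password is counted against the lock-out threshold; the only place the clear-text temporary password appears is the outgoing email record.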
Slide 10: Manage Accounts You Own
Your Accounts
• View a list of the accounts you manage
• View the resources assigned to your users
Manage Access
• End-date or renew accounts for your users
• Request access to specific resources or deprovisioning (Future: 2015)
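The end-date/renew self-service on slide 10 together with the "automatic disabling of accounts (different rules for different types of accounts)" point on slide 5, as an added Python example that is not FAS or SailPoint code. The three account types come from slide 8; the grace periods, maximum renewal lengths, the nightly sweep, and the rule that only the recorded sponsor may end-date or renew are assumptions made for the example, and the sample accounts are constructed.

```python
"""End-dating, renewal and automatic disabling by account type (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Tuple


class AccountType(Enum):
    AFFILIATE = "affiliate"  # people
    SERVICE = "service"      # course, group, department, application
    KIOSK = "kiosk"          # kiosk, machine and other special accounts


@dataclass(frozen=True)
class Policy:
    grace: timedelta         # how long after the end date the account keeps working
    max_renewal: timedelta   # longest extension a sponsor may grant in one step


# Assumed policy table: each account type disables on its own schedule.
POLICY: Dict[AccountType, Policy] = {
    AccountType.AFFILIATE: Policy(grace=timedelta(days=14), max_renewal=timedelta(days=365)),
    AccountType.SERVICE:   Policy(grace=timedelta(days=0),  max_renewal=timedelta(days=365)),
    AccountType.KIOSK:     Policy(grace=timedelta(days=0),  max_renewal=timedelta(days=90)),
}


@dataclass
class Account:
    username: str
    kind: AccountType
    sponsor: str                # the only party allowed to end-date or renew it
    end_date: date
    enabled: bool = True
    resources: List[str] = field(default_factory=list)   # what IAM has provisioned


def status(acct: Account, today: date) -> str:
    """'active' up to the end date, 'grace' inside the type's grace window, else 'expired'."""
    if today <= acct.end_date:
        return "active"
    if today <= acct.end_date + POLICY[acct.kind].grace:
        return "grace"
    return "expired"


def sweep(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Nightly job: warn sponsors of accounts in grace, disable and deprovision expired ones.
    Returns (username, action) pairs so each run can be audited."""
    actions: List[Tuple[str, str]] = []
    for acct in accounts:
        st = status(acct, today)
        if st == "grace" and acct.enabled:
            actions.append((acct.username, "warn-sponsor"))
        elif st == "expired" and acct.enabled:
            acct.enabled = False
            actions.append((acct.username, "disable"))
            for resource in acct.resources:           # revoke everything IAM provisioned
                actions.append((acct.username, f"revoke:{resource}"))
            acct.resources = []
    return actions


def renew(acct: Account, sponsor: str, new_end: date, today: date) -> bool:
    """Sponsor self-service: extend an account, bounded by the type's maximum renewal."""
    if sponsor != acct.sponsor or new_end <= today:
        return False
    if new_end - today > POLICY[acct.kind].max_renewal:
        return False
    acct.end_date = new_end
    acct.enabled = True     # a renewed account comes back; resources must be re-requested
    return True


def set_end_date(acct: Account, sponsor: str, new_end: date, today: date) -> bool:
    """Sponsor self-service: shorten an account; a date already past disables it now."""
    if sponsor != acct.sponsor:
        return False
    acct.end_date = new_end
    if status(acct, today) == "expired":
        acct.enabled = False
        acct.resources = []
    return True


if __name__ == "__main__":
    # Constructed sample accounts for a stand-alone run.
    today = date(2015, 7, 1)
    accounts = [
        Account("jdoe", AccountType.AFFILIATE, "sponsor1", date(2015, 6, 25), resources=["wiki"]),
        Account("course101", AccountType.SERVICE, "sponsor1", date(2015, 6, 30),
                resources=["shared-drive", "mailbox"]),
        Account("kiosk-lib", AccountType.KIOSK, "sponsor2", date(2015, 8, 1)),
    ]
    for entry in sweep(accounts, today):
        print(entry)
```

Because `sweep` only acts on accounts that are still enabled, running it twice on the same day is harmless, and the returned action list is the audit record of what was disabled and which resources were revoked.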
Slide 11: The Sponsored Account Process is Evolving
Roadmap:
• Initial (2015): Helpdesk enters sponsored accounts
• Wider release (2015): Enable sponsored requester self-service
• Future (TBD): Self-registered guests (replace XID)
1. Focus first on getting SailPoint up and running, plus managing sponsored accounts
2. Then, enable distributed data entry by faculty and staff using web tools
3. Replace XID (self-registered guest) with the new tool
Slide 12: Opportunity: Simplify by Consolidating Processes
Identity sources being consolidated:
• MIDAS “POI”: Consultant, Contractor, Vendor, Security
• FAS “Sponsored Account”: Collaborator
• FAS-specific access for POIs
• Early access for pending employees
• Misc. identities & accounts from Schools
New! Sponsored Identity:
• Same account creation process
• Single username
• HUID (card in some cases)
• Single UUID
Slide 13: Sponsored Accounts: Before and After
Goal: clearer sponsorship information for audit, end-user self-service, and hands-on management by sponsors to set up and remove access
FAS Today
• Paper form & fax/mail
• HUIT Service Desk enters the account
• Sponsor gets the password and conveys it to the end user
FAS+ in the Future
• Online process open to eligible sponsors
• End users set up accounts via email and web tool
• Password remains private; account self-service reduces helpdesk load
Slide 14: In Summary …
Key concepts: simplify the user experience, improve security, and reduce overhead.
• All members of the Harvard Community are affected by identity and access management, starting from the first login screen
• IAM exists to make onboarding, day-to-day use, role changes, and access to resources easier for everyone at Harvard
• Our efforts will improve productivity and make day-to-day life simpler for faculty, staff, students, researchers, people administrators, application owners, and more
• And when IAM services are done right, you don’t even notice the effects: things just work
Thank you!