Iam update 2014.10.16

Date post: 01-Jul-2015
Upload: kevindonovan
Page 1: Iam update   2014.10.16

FAS Stakeholders: IAM is Working for You!

Jane Hill, Director, IAM Product Management

Page 2: Iam update   2014.10.16

What is Identity & Access Management?

Identity and access management (IAM) technologies and services enable the right individuals to access the right resources at the right times for the right reasons.

We all use IAM solutions many times a day:

• Logging in to websites, servers, and other resources
• Accessing research materials at Harvard and beyond
• Checking a colleague’s calendar for a meeting
• Adding, removing, or changing employee records

At Harvard, the IAM program exists to streamline these interactions and make it easier for you to do your day-to-day tasks.

Page 3: Iam update   2014.10.16

What is Identity & Access Management?

Our vision: Provide users, application owners, and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing.

Objectives

• Simplify User Experience: Simplify and improve access to applications and information inside and outside of the University
• Enable Research & Collaboration: Make it easier for faculty, staff, and students to research and collaborate within the University and with other institutions
• Protect University Resources: Improve the security stature of the University via a standard approach
• Facilitate Technology Innovation: Establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies

Guiding Principles

• Harvard Community needs will drive our technology
• Tactical project planning will remain aligned with the program’s strategic objectives
• Solution design should allow for other Schools to use foundational services to communicate with the IAM system in a consistent, federated fashion
• Communication and socialization are critical to our success

Key Performance Indicators

• Monthly number of help desk requests relating to account management
• Monthly number of registered production applications using IAM systems
• Monthly number of user logins and access requests through IAM systems
• Monthly number of production systems to which IAM provisions

Page 4: Iam update   2014.10.16

A New Provisioning System: SailPoint IdentityIQ

Provisioning and deprovisioning are key to the IAM program:

• Add new users quickly and accurately
• Reduce manual processes and delays by issuing access through a central identity store
• Make role changes simpler and easier
• Streamline the revocation of access when necessary

The IAM program is now transitioning to the use of SailPoint IdentityIQ to manage provisioning and deprovisioning.

Page 5: Iam update   2014.10.16

FAS IAM Details

• Thousands of accounts are claimed every year
• Passwords are synched to multiple systems:
  – Active Directories (used for email)
  – LDAP (used for file sharing, and application access management)
  – Google (@college, @g)
  – Home directories and Kerberos
• Sponsored accounts processed by Service Desk
• Self-service password resets using Oracle Waveset
• Automatic disabling of accounts (different rules for different types of accounts)

Page 6: Iam update   2014.10.16

The Wishlist

• Improve the user experience
  – Claiming should be easy to use, and work on mobile devices
  – Self-service password reset without security questions
• Simplify onboarding for all types of users
• Enable early access when appropriate
• Put sponsored account processes online (!)
• Enable sponsored account managers to extend or end-date accounts directly

Page 7: Iam update   2014.10.16

Connect with Harvard (Claim an Account)

Ready

• Data are in the Identity Management System
  – Name
  – Date of birth
  – Role
  – Onboarding email (used when applying, or supplied by onboarding admin)

Set

• HR, Registrar, or department admin directs new user to the account claiming application

Connect

• New user enters name, DOB, HUID for basic validation
• Email sent to the onboarding email
• Use the temporary password you receive in email to login
• Choose username
• Set permanent password
• Provide recovery information
• Set security questions
• Connected!

Page 8: Iam update   2014.10.16

Types of Sponsored Accounts

• Affiliate Accounts (People)
• Service Accounts (Course, Group, Department, Application)
• Kiosk, Machine and other Special Accounts

Page 9: Iam update   2014.10.16

Sponsored Account Process: Affiliate Process

Request: The sponsored requester…

• Submits data about the new user: name, DOB, last 4 digits of SSN, email, reason, etc.
• System sends an email

Validate: The end user…

• Receives email and navigates to the account claiming application
• Logs in with email as login name and temporary password

Create: The end user…

• Picks a user name
• Sets password
• Sets recovery info
• Sets security questions
• Account is created in sponsor’s department
• Notification email sent to sponsored requester

Page 10: Iam update   2014.10.16

Manage Accounts You Own

Your Accounts

• View a list of the accounts you manage
• View the resources assigned to your users

Manage Access

• End-date or renew accounts for your users
• Request access to specific resources or deprovisioning (Future — 2015)

Page 11: Iam update   2014.10.16

The Sponsored Account Process is Evolving

• Initial (2015): Helpdesk Enters Sponsored Accounts
• Wider Release (2015): Enable Sponsored Requester Self-Service
• Future (TBD): Self-Registered Guests (Replace XID)

1. Focus first on getting SailPoint up and running, plus managing sponsored accounts

2. Then, enable distributed data entry by faculty and staff using web tools

3. Replace XID (self-registered guest) with new tool

Page 12: Iam update   2014.10.16

Opportunity: Simplify by Consolidating Processes

MIDAS “POI”:

• Consultant
• Contractor
• Vendor
• Security

FAS “Sponsored Account”:

• Collaborator
• FAS-Specific Access for POIs
• Early Access for Pending Employees

Sponsored Identity:

• Same Account Creation Process
• Single Username
• HUID (card in some cases)
• Single UUID

Misc. Identities & Accounts from Schools

New!

Clearer sponsorship information for audit, end-user self-service, hands-on management by sponsors to set up and remove access

Page 13: Iam update   2014.10.16

Sponsored Accounts: Before and After

FAS Today

• Paper Form & Fax/Mail
• HUIT Service Desk Enters
• Sponsor gets the password and conveys it to the end user

FAS+ in the Future

• Online process open to eligible sponsors
• End users set up accounts via email and web tool
• Password remains private; account self-service reduces helpdesk load

Key concepts: Simplify user experience, improve security, and reduce overhead.

Page 14: Iam update   2014.10.16

In Summary …

• All members of the Harvard Community are affected by identity and access management — from the first login screen
• IAM exists to make onboarding, day-to-day use, role changes, and access to resources easier for everyone at Harvard
• Our efforts will improve productivity and make day-to-day life simpler for faculty, staff, students, researchers, people administrators, application owners, and more
• And when IAM services are done right, you don’t even notice the effects — things just work

Page 15: Iam update   2014.10.16

Thank you!

