IAM (AN APPROACH)
Identity and Access Management
Introduction
Agenda
• Terms and terminologies
• Current state
• How others are doing IAM
• How we might start doing IAM
• Identifying key success criteria
• Recommendation: IAM roadmap
• What the experts say
• Points for discussion
• Next steps
The schema is the last place I should be looking to start IDM.
Useful terms to know
Term – Description
SAML – Security Assertion Markup Language
SSO – Single Sign-on
AAF – Australian Access Federation
Shibboleth – Open source software package for web single sign-on across or within organizational boundaries
IAM – Identity and Access Management
RBAC – Role Based Access Control
PIV – Personal Identity Verification
LUID – Lifetime User ID
GUID – Global User ID
Current State
[Diagram: each system generates and maintains its own Person Profile and uses it directly; whether and how those profiles are matched in the Person Repository is undefined ("??? Match ???").]
How are others doing IAM?
Theme 1 – Multiple places of information
The identity information is standardised across all systems. The identity information is used to map an LUID to an individual within each system. Systems are fed the LUID.
Monache, University of Western Sydney
Theme 2 – One place for all information
All people that have any association with the university must have an ID first. All systems access profile details from this one source. All systems use a single ID.
Auckland University, University of Florida
What’s the difference between us and them?
[Diagram: three situations compared]
• Situation 2 – One place for all identity information – Auckland, UF: the Person Repository generates and maintains the LUID and the Person Profile; systems use them from that one place.
• Situation 1 – Multiple places of information – Monache, UWS: each system generates and maintains its own Person Profile; the Person Repository matches those profiles and issues the LUID.
• AUT (current state): each system generates, maintains and uses its own Person Profile; matching against the Person Repository is undefined ("??? Match ???").
Pros and Cons
                                      Theme 1   Theme 2
Impact on existing processes          High      Low
Impact on existing systems            Low       High
Requirement on new systems            Moderate  Low
Risk of duplicating people details    None      Low
Impact of duplicating people details  None      Low
Main advantages of Theme 2 over Theme 1:
• All profile details are sourced from one place
• Mapping does not need to occur
• Duplicate data is eliminated
• Managing the information is easier
• Less complicated business rules
Main advantages of Theme 1 over Theme 2:
• Low impact on current processes
• Faster rate of quick wins
• Theme 1 can be adapted over time to Theme 2
[Diagram: proposed Theme 1 architecture for AUT]
• Person Registry: Mappings Table, Profile Attributes, LUID, Standard ID Attributes, User Verification Process, Business Rules
• Primary Source Systems of People (Data Providers): CRM, ARION, HR, Other – feed the Person Registry through the ID Exchange Process and the Matching Process
• Secondary Systems using People (Data Users): Federation, IRIS, Epicor, Other – fed through the Attributes Exchange and Data Exchange
• Assurance Layer: Assurance Level, managed by the IAM Practice; the IAM Practice and the Information Policy enforce the standard
• Directory services: Authentication; where authentication is not available, a service to provide the LUID is available
Theme 1
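To make the Mappings Table, Matching Process and LUID service concrete, here is an added example of a minimal Person Registry for the Theme 1 design. It is illustrative code written for this page, not AUT's registry, xgab/xgap, or any vendor product. It assumes (none of this is from the slides) that the agreed standard attribute set is given_name, family_name and date_of_birth plus an optional strong identifier called passport_no, that assurance is an integer 1 to 3, and that LUIDs are "L" followed by a six-digit sequence. The point it shows that the diagram cannot: when a record from a source system could belong to more than one registered person, the registry must refuse to guess and hand the record to the verification process, because both a silent merge and a silent duplicate are worse than a queue.

```python
# Added example: a minimal Person Registry for the Theme 1 design
# (mappings table + matching process + LUID service). Not AUT code.
# Assumptions (not from the slides): standard attributes are
# given_name, family_name, date_of_birth, plus an optional strong
# identifier "passport_no"; assurance is an integer 1..3; LUIDs are
# "L" + a 6-digit sequence number.
import itertools
import unicodedata
from dataclasses import dataclass


class AmbiguousMatch(Exception):
    """The record could belong to more than one registered person.

    The registry refuses to guess: the record is queued for the user
    verification process instead of silently creating a duplicate
    or silently merging two people.
    """


@dataclass
class Person:
    luid: str
    attrs: dict
    assurance: int


class PersonRegistry:
    STRONG_ID = "passport_no"  # assumed strong, verified identifier

    def __init__(self):
        self.people = {}     # LUID -> Person
        self.mappings = {}   # (system, local_id) -> LUID  (the mappings table)
        self.pending = []    # records awaiting manual verification
        self._seq = itertools.count(1)

    @staticmethod
    def _norm(value):
        # Standardise free-text attributes before comparing them, so that
        # "KAHU" in the CRM and "Kahu" in HR are the same family name.
        return unicodedata.normalize("NFKC", value or "").casefold().strip()

    def _weak_key(self, attrs):
        return (self._norm(attrs.get("given_name")),
                self._norm(attrs.get("family_name")),
                attrs.get("date_of_birth"))

    def _match(self, attrs):
        """Matching process: LUIDs an incoming record could belong to."""
        sid = attrs.get(self.STRONG_ID)
        if sid:
            strong = [p.luid for p in self.people.values()
                      if p.attrs.get(self.STRONG_ID) == sid]
            if strong:
                return strong
        key = self._weak_key(attrs)
        candidates = []
        for p in self.people.values():
            if self._weak_key(p.attrs) != key:
                continue
            other = p.attrs.get(self.STRONG_ID)
            # Same name and birth date but a conflicting strong identifier
            # is a different person, not a match.
            if sid and other and other != sid:
                continue
            candidates.append(p.luid)
        return candidates

    @staticmethod
    def _absorb(person, attrs, assurance):
        # A source verified at least as well as the current record may
        # refresh the profile; a weaker source never overwrites it.
        if assurance >= person.assurance:
            person.attrs.update(attrs)
            person.assurance = assurance

    def ingest(self, system, local_id, attrs, assurance):
        """ID exchange process: map a source-system record to an LUID."""
        mapped = self.mappings.get((system, local_id))
        if mapped:
            self._absorb(self.people[mapped], attrs, assurance)
            return mapped
        candidates = self._match(attrs)
        if len(candidates) > 1:
            self.pending.append((system, local_id, attrs))
            raise AmbiguousMatch(f"{system}:{local_id} matches {candidates}")
        if candidates:
            luid = candidates[0]
            self._absorb(self.people[luid], attrs, assurance)
        else:
            luid = f"L{next(self._seq):06d}"
            self.people[luid] = Person(luid, dict(attrs), assurance)
        self.mappings[(system, local_id)] = luid
        return luid

    def luid_for(self, system, local_id):
        """The 'service to provide the LUID' for systems without authentication."""
        return self.mappings.get((system, local_id))

    def local_ids_for(self, luid):
        """All source-system identifiers mapped to one person."""
        return sorted(k for k, v in self.mappings.items() if v == luid)
```

The mappings table is what lets Theme 1 run with existing systems untouched: each system keeps its own local identifier and profile, and only the (system, local_id) to LUID pairing lives in the registry. The assurance comparison in `_absorb` is the hook for the Assurance Layer in the diagram; without it, a low-assurance CRM record could overwrite an HR-verified one.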
Why are we doing this?
Key Success Criteria
• Achieve cross-platform interoperability
• Gain efficiencies in on- and off-boarding processes
• Students to gain access to federated services
• Reduce risks around authenticating users
• Improve level of verification of users
• Achieve asynchronous access lists
• Improve system access management
Addressing Key Success Criteria
Goal 1 – Get our identity information correct and standardised across AUT
Goal 2 – Clean up our boarding processes
Goal 3 – Set up IDM Person Registry
Goal 4 – Set up Federation Services
Goal 5 – Deal with RBAC and access management
Goal 1 – Get our information correct and standardise it across AUT
• Step 1 – Define and AGREE to implement a standard set of attributes to identify a user.
• Step 2 – Determine gaps in information for all systems that use identities.
• Step 3 – Define and AGREE IAM Practice and levels of assurance.
• Step 4 – Define and AGREE to implement changes to processes and technologies to fill in the gaps in information and implement personal identity verification processes.
• Step 5 – Release the Standard and IAM Practice to the rest of AUT and use the Information Policy to enforce the standard.
Goal 2 – Clean up our boarding processes
Step 1 – Examine current process and systems dealing with people’s identities
Step 2 – Highlight weaknesses and changes that could be made to deal with these weaknesses.
Step 3 – Develop and AGREE to implement change to processes and systems.
Step 4 – Test the changes for holes
Goal 3 – Set up IDM Person Registry
Step 1 – Identify current gaps in xgab to function as the Person Registry.
Step 2 – Determine, prioritise and AGREE to implement changes to xgap if it is appropriate, otherwise look for an alternative solution.
Step 3 – Begin interfacing Primary Source Systems of People with the Person Registry.
Goal 4 – Set up Federation Services
Step 1 – Define and AGREE upon the schema.
Step 2 – Determine gaps in information currently held in source systems.
Step 3 – Identify source systems for information and work with IGG to source the info.
Step 4 – Implement Shibboleth.
Step 5 – Advertise new available services.
Comments from other experts
• The trap that many get into is that they try to plan the IdM schema before they know how the downstream components will be using the directories, which may have a direct impact on the schema attributes required in an IdM - Phillip Moore
• ..the directory schema is not the final bulls eye of the business but an evolution to data quality improvements and service management and service improvements.. Alan Lloyd
• ..single most common mistake people make is not putting the proper focus on strategy, architecture and integration planning mapped back to requirements.. - Mark Prince
• Make sure you have identified ALL the stakeholders, as nothing is more dangerous than a stakeholder scorned - Byron Tice
• ..have a good understanding of all the customer requirements... keep extending your schema over time – Behruz Rushenas
• Don't try to do application authorization at the macro level. Leave that to the applications.. - Byron Tice
The Experts and Acknowledgments
• Mark Prince – Senior Director, Cyber Security Practice – US Navy, 15 years' experience
• Behruz Rushenas – IAM specialist at Amgen Inc
• Graham Williamson – Consulting Director at Internet Commerce Australia – UWS – Monache
• Byron Tice – Senior Consultant at Controls Integrity and Computer & Network Security Consultant
• Alan Lloyd – Owner of convergence and governance platform software
• Brian Kreh – Identity Management Strategist
• Phillip Moore – Enterprise Architect
Points for Discussion
• What is the business reason for having an LUID?
• Business reason for having multiple login IDs
• Achieve Theme 2 first, then convert to Theme 1
• Running the IAM initiative as a structured project
• Password assertion versus identity assertion
• Convincing others that we need to do IAM
• Is single sign-on a priority?
• Data custodians versus owners?
Key Notes
• IAM is about quality of information
• IDs are not the key to IDM
• IDs must serve a purpose other than to be unique
Recommendation
Run initiative as a project to achieve the goals as set out in this presentation.
Identify a list of people systems owners who will become the steering committee.
Run a workshop for them to:
• Identify what they want to get out of IAM
• Identify what their key success criteria are
• Determine the benefits of IAM
• Determine usage scenarios with which we can test the outcomes
• Determine what will and will not work for them
• Determine what they are willing to do