EDUCAUSE Security Presentation
Chad Rabideau
Senior Consultant Identity Management
AegisUSA
Agenda
- Overview of Security & Identity and Access Management (IAM)
- Essential Functions of IAM
- Identity in Higher Education
- Stages of Implementing IAM solutions
Company Overview
- Over 30 Customers in Higher Ed in last 24 months
- Architecture, Design, Development and Deployment of IAM systems
- RFP development
- 50% Higher Ed, 50% in Defense, Healthcare, and Manufacturing
Overview: Security & Identity Management
The Perfect Storm
Convergence in Higher Education
Essential Functions of Identity and Access Management
- Provision access - Establish, change, and remove user accounts and privileges
- Authenticate - Confirm that users are who they claim to be
- Authorize - Allow access to services based on business rules for group affiliations and roles
- Protect Privacy and Comply with Regulations
Identity Addresses Top Priorities in Education
IAM Can Improve Security, Reduce Costs, and Protect Privacy, the Top Three Business Priorities in Education
- Security breaches/business disruptions
- Operating costs/budgets
- Data protection and privacy
Top ten business trends in 2004 according to a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003
Why Identity Is So Important in Education
- More stringent regulations
- Complex identity requirements & rapidly changing user roles
- Enormous scale
- 85% have experienced security breaches in the last 12 months
- Managing access to licensed digital content
- Federation to support collaborative research
Higher Education Faces More Regulations [1]
- External regulations requiring greater protection of personal information, e.g. Gramm-Leach-Bliley Act, Student and Exchange Visitor Information System, HIPAA, and FERPA
- New legislation regarding copyright protection
- Threats of lawsuits over intellectual property abuse or identity theft
[1] Zastrocky, Yanosky, and Harris, Higher Education Faces More Regulations, Gartner, Research Note, December 23, 2003.
Identity Requirements in Edu are Complex
- Many roles with different access requirements
- Users often have multiple roles
- Frequently changing roles
- Multi-campus environment
- Legacy of multiple fragmented identity databases
Rapidly Changing User Identities
- Faculty member leaves
- Student graduates or drops out
- Research contracts expire
- Non-digital resources retrieved and/or canceled
- User info entered via student admissions, faculty hiring, etc.
- Accounts provisioned to enterprise systems, applications, directories
- Non-digital resources assigned and/or initiated
- Faculty job/role/status changes
- Student classes change at end of term
- Password changes and resets
- Profile or contact information changes
- Additional requests for account access or non-digital resources
Security Incidents on the Rise
More Than 85% Have Experienced IT Security Incidents in the Past 12 Months*
- Unauthorized access to sensitive institutional data
- Threats or abusive behavior
- Altered/vandalized Web site
- Research database hacked
* Based on a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003
Stages of Implementing Identity and Access Management
Stage 1 Every Application for Itself
Many Institutions Still Function Without a Centralized Directory Service, Despite the Inefficiencies
- Authentication and logging functionality only
- Every application for itself in performing these functions
- Multiple user names and passwords must be remembered by users
Stage 2 Central Authentication Services
Enables Web Initial Sign-On for Participating Applications
- Applications have access to centralized authentication services
- Support for single sign-on
- Web Initial Sign-On (Web ISO)
- The beginnings of Federated Identity to simplify collaboration
Stage 3 Complete Identity Management
- Workflow task automation
- Roles and rules-based authorization
- System-wide auditing and reporting
- Password self-administration
- Federation of identity information
Components of Complete Identity Management*
* Based primarily on data from a presentation delivered by Keith Hazelton, University of Wisconsin-Madison, Identity Management CAMP, Nov. 15, 2004
Benefits of Complete Identity Management Layer
- Enhanced Security and Privacy
- Improved scalability and reduced cost/complexity
- Improved user experience
- Lower systems integration costs
- Real World SOA
Summary
A Strategy for Success
- Adopt A Strategic Roadmap... Know where you are going
- Align with Business Strategy and Existing Infrastructure
- Know where you are
- Use best of breed technology
- Leverage and Extend
- Execute consistently over time
- Phased successes
- Complete, integrated, centralized solution
- Centralized authentication, authorization and auditing
- Integrated components
- Modular and scalable
- Start small with specific components and extend to a full solution
- Integrate-able
- Open standards-based interfaces allow investment protection