Identity and Access Management
June 9 – 10, 2016
Jared Galbraith and Andrew Hamilton

IAM
• Our need to store and access data is growing.
• Job performance and success depend on two questions: what is your identity, and how do you get the access you need?
• A successful community has a flexible, heterogeneous environment.

Current State of Provisioning

Challenges of Current State
• Complexity
• Multiple accounts and passwords
• In-house development
  o Primary user portal developer left
  o Maintenance of code has been minimal
• Manual provisioning
  o Spelling typos, dirty data
• Only daily syncs from Banner
• Long provisioning times

Self Service – User Portal
• Netid.unm.edu to claim account
  o User's choice
• Reset passwords
  o Rigid question/answer is hard to remember
  o Missing SMS verification, one-time password, etc.
• Initiates synchronize process
  o Communicates with PUB, which pushes the accounts and passwords to AD, LDAP et al.

Admin Portals
• Netid.unm.edu to admin account
  o User verification
• Reset passwords
  o High load on service desk
• LAMB
  o Guest account creation
  o Troubleshooting
  o Audits and logging
  o Unix groups, quota and home directory
• Others
  o Support Center/Accounts Office has to use other portals to look up information

Authorization
• Auto-populating groups based on Banner data
  o Correlations based on external factors should be considered
• Access requests
  o Workflow process to bridge the gap
• Manually configured exports
  o Applications use their own code and process for access
  o Groups create custom mechanisms

Current Authentication

Authentication – challenges
• Direct connections to directories
• No standard or control
• No administrator/developer guidance as to what technology to use
• Multiple authentication portals (CAS, AD FS, Shibboleth)
• Limited flexibility for new technologies (e.g. missing):
  o OpenID
  o OAuth 2.0
  o 802.1X
  o PKI

Future Directions
Exploring implementation of off-the-shelf products:
1. Reduced tools required by support staff
2. Closer integration with Banner
3. Unified access portal for authentication
4. Authorizations based on roles

Provisioning – goals
• On-demand provisioning
  o Automated and error free
• Just in time
  o React to changes in identity sources right away instead of daily reconciliation
• Reduce dependence on one person's knowledge
  o Reduction of in-house customized code/scripts
• Consume multiple identity sources
  o Better prepared for future enhancements
• Clean up directories / establish property ownership

Future State of Provisioning

Self-Service Enhancements
• User portal
  o Commercial off-the-shelf solution
  o Enhanced security features such as SMS, OTP
  o Integration with provisioning system
• Admin portal
  o More granular delegation options
  o Fewer places to look for information

Authorization extensibility
• User access request for resources
  o Web-based portal for delegation and registration
• Role-based modeling
  o Provision resources based on business function
• Workflow
  o Self-service registration with oversight and management approvals

Authorization Modeling
• Governance
  o Predictive modeling
  o Unstructured data mining
  o Proactive design

Authentication Goals
  o Reduce direct access to Directory Services (AD/LDAP)
  o Single authentication portal for authentication
  o Provide path to enable future authentication services
  o Increased community collaboration through user groups

Unified Experience

Questions?