PowerPoint - Technology Days

Identity and Access Management
June 9 – 10, 2016
Jared Galbraith and Andrew Hamilton
IAM
Our need to store and access data is growing.
Job performance and success depend on two questions: who are you (identity), and how do you get the access you need?
A successful community has a flexible, heterogeneous environment.
Current State of Provisioning
Challenges of Current State
• Complexity
  • Multiple accounts and passwords
• In-house development
  • Primary user portal developer left
  • Maintenance of code has been minimal
• Manual provisioning
  • Spelling typos, dirty data
• Only daily syncs from Banner
  • Long provisioning times
Self Service – User Portal
Netid.unm.edu to claim account
• User's choice
Reset passwords
• Rigid question/answer is hard to remember
• Missing SMS verification, one-time password, etc.
Initiates synchronization process
• Communicates with PUB, which pushes the accounts and passwords to AD, LDAP, et al.
Admin Portals
Netid.unm.edu to administer accounts
• User verification
Reset passwords
• High load on service desk
LAMB
• Guest account creation
• Troubleshooting
• Audits and logging
• Unix groups, quota and home directory
Others
• Support Center/Accounts Office has to use other portals to look up information
Authorization
Auto-populating groups based on Banner data.
• Correlations based on external factors (data outside Banner) should be considered
Access Requests
• Workflow process to bridge the gap
Manually configured exports
• Applications use their own code and process for access.
• Groups create custom mechanisms.
Current Authentication
Authentication - challenges
Direct connections to directories
No standard or control
No administrator/developer guidance as to what technology to use
Multiple authentication portals (CAS, AD FS, Shibboleth)
Limited flexibility for new technologies, e.g. no support for:
• OpenID
• OAuth 2.0
• 802.1X
• PKI
Future Directions
Exploring implementation of off-the-shelf products
1. Reduced tools required by support staff
2. Closer Integration with Banner
3. Unified Access portal for Authentication
4. Authorizations based on roles
Provisioning – goals
On-demand provisioning
o Automated and error-free
Just-in-time
o React to changes in identity sources right away instead of waiting for daily reconciliation.
Reduce dependence on one person's knowledge
o Reduction of in-house customized code/scripts
Consume multiple identity sources
o Better prepared for future enhancements
Clean up directories / establish property ownership
Future State of Provisioning
Self-Service Enhancements
User portal
o Commercial off-the-shelf solution
o Enhanced security features such as SMS verification and one-time passwords (OTP)
o Integration with provisioning system
Admin Portal
o More granular delegation options
o Fewer places to look for information
Authorization extensibility
User access request for resources
o Web based portal for delegation and registration
Role based modeling
o Provision resources based on business function
Workflow
o Self-service registration with oversight and management approvals
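As an added illustration (not part of the original slides, and not UNM's code), the following Python sketch shows what the provisioning and role-based authorization goals above look like when written down: identity-source records are normalized before use (the "dirty data" problem), directory groups are derived from business roles instead of being assigned by hand, the difference against the current directory is computed so a run can be repeated safely and stale memberships are removed, and a single identity change can be processed just-in-time instead of waiting for a daily reconciliation. The feed fields, group names and directory snapshot are all constructed for the example; they are not the Banner schema or real group names.

```python
"""Role-based group provisioning with idempotent reconciliation (illustrative)."""

# Constructed sample feed from an identity source. Hypothetical field names;
# note the stray whitespace and mixed case a real export tends to contain.
IDENTITY_FEED = [
    {"netid": "jdoe ", "affiliations": ["Student"], "department": "CS", "status": "Active"},
    {"netid": "ASMITH", "affiliations": ["Employee", "Faculty"], "department": "CS", "status": "Active"},
    {"netid": "bold", "affiliations": ["Employee"], "department": "HR", "status": "Terminated"},
]

# Role model: business function -> directory groups (hypothetical names).
ROLE_GROUPS = {
    "Student": {"all-students", "lms-users"},
    "Employee": {"all-employees", "hr-self-service"},
    "Faculty": {"all-faculty", "grade-submit"},
}
DEPARTMENT_GROUP_PREFIX = "dept-"

# Constructed snapshot of what the directory currently holds, including an
# account that no longer appears in the feed at all ("orphan").
CURRENT_DIRECTORY = {
    "jdoe": {"all-students"},
    "bold": {"all-employees", "dept-hr"},
    "orphan": {"lms-users"},
}


def normalize_netid(raw: str) -> str:
    """Canonical form for the key we join on; avoids duplicate accounts from typos."""
    return raw.strip().lower()


def derive_groups(record: dict) -> set[str]:
    """Groups a person should hold, computed from roles, not entered by hand."""
    if record["status"] != "Active":
        return set()  # inactive identities are entitled to nothing
    groups: set[str] = set()
    for affiliation in record["affiliations"]:
        groups |= ROLE_GROUPS.get(affiliation, set())
    groups.add(DEPARTMENT_GROUP_PREFIX + record["department"].lower())
    return groups


def desired_state(feed: list[dict]) -> dict[str, set[str]]:
    """Full desired membership map, netid -> groups."""
    return {normalize_netid(r["netid"]): derive_groups(r) for r in feed}


def reconcile(desired: dict[str, set[str]], current: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return the (action, netid, group) steps that move current to desired.

    Accounts in the directory but absent from desired are treated as having no
    entitlements, so stale memberships are removed rather than left behind.
    """
    actions = []
    for netid in sorted(set(desired) | set(current)):
        want = desired.get(netid, set())
        have = current.get(netid, set())
        actions += [("add", netid, g) for g in sorted(want - have)]
        actions += [("remove", netid, g) for g in sorted(have - want)]
    return actions


def apply_actions(current: dict[str, set[str]], actions: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    """Apply a plan to a copy of the directory snapshot and return the result."""
    updated = {netid: set(groups) for netid, groups in current.items()}
    for action, netid, group in actions:
        if action == "add":
            updated.setdefault(netid, set()).add(group)
        else:
            updated.get(netid, set()).discard(group)
    return {netid: groups for netid, groups in updated.items() if groups}


def on_identity_event(record: dict, current: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Just-in-time path: one changed record is reconciled without a full nightly run."""
    netid = normalize_netid(record["netid"])
    return reconcile({netid: derive_groups(record)}, {netid: current.get(netid, set())})


if __name__ == "__main__":
    plan = reconcile(desired_state(IDENTITY_FEED), CURRENT_DIRECTORY)
    for step in plan:
        print(step)
```

Running the reconciliation twice produces an empty plan the second time, which is the property that lets the same job run on every source change rather than once a day: there is no separate "sync" logic to keep in one person's head, only the role model and the diff.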
Authorization Modeling
Governance
o Predictive Modeling
o Unstructured data mining
o Proactive Design
Authentication Goals
o Reduce direct application access to Directory Services (AD/LDAP)
o Single portal for authentication
o Provide a path to enable future authentication services
o Increased community collaboration through user groups
Unified Experience
Questions?