Slide 1: The Challenges of Creating an Identity Management Infrastructure for the University of California
David Walker, Karl Heins
Office of the President, University of California
Slide 2: Overview
- The Environment
- UCTrust
- Stakeholders and Changing Roles
Slide 3: The University of California
- Ten campuses, three national labs, five medical centers
- Most operational responsibilities are on the campuses (payroll, student information, etc.)
- Each campus does its own identity management
- A few services are central: employee self-service and benefits, most licensed library materials, multi-campus collaborations
Slide 4: A (Secure) Online Environment
- Academic: library, course management, federal agencies
- Administrative: travel, employee training
- Personal: employee benefits
Slide 5: At Your Service Online (AYSO)
- UC's centrally operated employee self-service application for managing tax withholding, retirement benefits, etc.
- Potentially handles hundreds of thousands of dollars of employees' funds.
- Requires: a high level of identity assurance; help desk coordination; coordinated log management for investigations; legal and fiduciary compliance.
Slide 6: What is the problem?
- Identity is application-centric.
- Access is not removed in a timely way when people leave the organization.
- It is difficult to terminate an individual's access to all systems when needed.
- The security of ID and password controls varies from application to application.
- Users must maintain multiple passwords.
- Each application must design, build, and maintain its own identity management infrastructure.
Slide 7: What Do We Need?
- Trustworthy exchange of identity attributes
- Trustworthy identity attributes
- In general, a trust environment:
  - Service Providers trust Identity Providers to provide correct identity information
  - Identity Providers trust Service Providers not to misuse the information they receive
  - Community members trust Identity Providers not to reveal information inappropriately, and Service Providers not to misuse that information
Slide 8: UCTrust
- Establishes global requirements to facilitate system-wide agreements.
- Creates trust in identity attributes through policy:
  - Policy controls the creation and release of information
  - Technology enforces that policy
  - Technology ensures secure transit of identity attributes
- Extends InCommon with multiple levels of assurance
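The trust relationships on the two slides above (policy decides which attributes an Identity Provider releases to which Service Provider; technology enforces that policy, protects the assertion in transit, and lets a high-value service such as AYSO demand a higher assurance level) can be made concrete with a small model. This is an added example, not code from the presentation or from UCTrust's actual implementation. The IdP name, SP names, attribute names, assurance level names, the sample directory and the signing key are all constructed; an HMAC over the assertion body with a per-IdP shared key stands in for the public-key signatures a real federation would use.

```python
"""Toy federation model: policy decides what an IdP releases to which SP;
technology (signatures, audience and expiry checks, assurance levels) enforces it.
Constructed example, not UCTrust's code. HMAC with a per-IdP shared key stands
in for the public-key signatures a real federation would use."""
import hashlib
import hmac
import json

# Assumed assurance level names, ordered weakest to strongest.
ASSURANCE_RANK = {"low": 1, "medium": 2, "high": 3}
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


class IdentityProvider:
    def __init__(self, name, signing_key, release_policy, directory):
        self.name = name
        self.key = signing_key
        self.release_policy = release_policy  # sp_id -> set of releasable attribute names
        self.directory = directory            # user -> {"assurance": ..., "attributes": {...}}

    def issue_assertion(self, user, sp_id, now):
        """Release only the attributes policy allows for this SP, then sign the body."""
        allowed = self.release_policy.get(sp_id)
        if allowed is None:
            raise PermissionError(f"no release policy for {sp_id}")
        record = self.directory[user]
        payload = {
            "issuer": self.name,
            "audience": sp_id,
            "subject": user,
            "assurance": record["assurance"],
            "attributes": {k: v for k, v in record["attributes"].items() if k in allowed},
            "issued_at": now,
            "expires_at": now + ASSERTION_LIFETIME,
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}


class ServiceProvider:
    def __init__(self, sp_id, trusted_idps, required_assurance):
        self.sp_id = sp_id
        self.trusted_idps = trusted_idps  # issuer name -> verification key
        self.required_assurance = required_assurance

    def accept(self, assertion, now):
        """Return (True, attributes) if the assertion passes every check, else (False, reason)."""
        try:
            payload = json.loads(assertion["body"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed assertion"
        key = self.trusted_idps.get(payload.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return False, "bad signature"
        if payload.get("audience") != self.sp_id:
            return False, "wrong audience"
        if now >= payload.get("expires_at", 0):
            return False, "expired"
        if ASSURANCE_RANK.get(payload.get("assurance"), 0) < ASSURANCE_RANK[self.required_assurance]:
            return False, "insufficient assurance"
        return True, payload["attributes"]


def build_demo():
    """Constructed campus IdP, a high-assurance SP (AYSO) and a low-assurance SP (library)."""
    key = b"constructed-demo-key"
    idp = IdentityProvider(
        "campus-idp", key,
        release_policy={"ayso": {"eppn", "employee_id"}, "library": {"eppn", "affiliation"}},
        directory={
            "alice": {"assurance": "high", "attributes": {"eppn": "alice@example.edu", "employee_id": "E-0001", "affiliation": "staff"}},
            "bob": {"assurance": "low", "attributes": {"eppn": "bob@example.edu", "employee_id": "E-0002", "affiliation": "student"}},
        },
    )
    ayso = ServiceProvider("ayso", {"campus-idp": key}, required_assurance="high")
    library = ServiceProvider("library", {"campus-idp": key}, required_assurance="low")
    return idp, ayso, library


def run_scenarios(now=1_000_000):
    idp, ayso, library = build_demo()
    results = {}
    results["alice_ayso"] = ayso.accept(idp.issue_assertion("alice", "ayso", now), now)
    results["bob_ayso"] = ayso.accept(idp.issue_assertion("bob", "ayso", now), now)
    results["bob_library"] = library.accept(idp.issue_assertion("bob", "library", now), now)
    # An assertion minted for the library presented to AYSO: the audience check rejects it.
    results["replay_to_ayso"] = ayso.accept(idp.issue_assertion("alice", "library", now), now)
    # Editing the body (here, the assurance level) after issuance breaks the signature.
    tampered = idp.issue_assertion("bob", "ayso", now)
    tampered["body"] = tampered["body"].replace('"assurance":"low"', '"assurance":"high"')
    results["tampered"] = ayso.accept(tampered, now)
    # A stale assertion is rejected once its lifetime has elapsed.
    results["stale"] = ayso.accept(idp.issue_assertion("alice", "ayso", now), now + ASSERTION_LIFETIME)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The release policy is the "policy controls the creation and release of information" part: the library SP never sees an employee ID even though the directory holds one. The signature, audience, expiry and assurance checks are the "technology enforces that policy" part, and the per-SP required assurance level is how a service like AYSO asks for more than a library catalogue needs.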
Slide 9: UCTrust Requirements
- Identity Providers must provide authoritative and accurate attribute assertions.
- Identity Providers must have practices that meet minimum standards for establishing electronic credentials and maintaining individual identity information.
- Service Providers receiving individual identity attributes must ensure their protection and respect the privacy constraints defined by the campus.
Slide 10: Governance
- IT Leadership Council (ITLC): the body of campus CIOs; provides oversight and conflict resolution
- UCTrust Work Group: composed of campus Identity Providers, Service Providers, UCTrust Administration, and UCOP; manages operational policies and procedures
Slide 11: Many Stakeholders
- Application Owners
- Identity Providers
- CIOs
- Academic Senate
- Vice Chancellors of Administration
- Controllers
- Legal Counsel
Consensus requires policy, implementation standards, and creative politics.
Slide 12: Changing Roles and Responsibilities
- Service Providers are dependent on Identity Providers.
- Identity Providers are dependent on Service Providers to protect personal information.
- Service Providers and Identity Providers are co-dependent for availability, user assistance, problem resolution, security investigation, etc.
- End users have a greater role in the protection of their credentials.
Slide 13: Role of Audit
- Participate in project development, i.e. make sure proper controls are established.
- Because ID management is a better system, advocate for the change to others.
- Periodic review and validation to provide independent assurance to Identity and Service Providers.
Slide 14: Influence to Adopt UCTrust
- Trust in the people who manage the new ID system
- Agreement from outside experts that this change is the proper course
- Passion from UCTrust to deliver
- Logical reasons for the change