Information Resources and Communications University of California, Office of the President Information Technology Services The California State University.

Presentation transcript:

Information Resources and Communications University of California, Office of the President Information Technology Services The California State University Office of the Chancellor
Identity Management Issues for Multi-Campus Institutions - University of California -
David Walker, Jacqueline Craig
Office of the President, University of California
© Copyright Regents of the University of California
Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors.

The University of California
● Ten campuses, three national labs, five medical centers
● Most operational responsibilities on campuses
  – Payroll, Student Information, etc.
  – Each campus does its own identity management
● A few services are central
  – Employee self-service and benefits central
  – Most licensed library materials
  – Multi-campus collaborations

Identity Management at UC
● Separate identity management at each campus
● In general, authentication is per-service
● Campuses are starting to develop common authentication
  – UCB: Kerberos
  – UCI: Kerberos
  – UCLA: Home grown
  – UCSD: Home grown
  – All four have home-grown identity management

What is the problem?
● How can services of one UC campus be accessed by users of another UC campus?
● Moving toward a new business environment
  – UC employee self-service and benefits
  – access to any UC campus library system
  – Inter-campus access to course management systems
  – collaboration within the Academic Senate
  – administrative applications

Federations
● Federations authenticate locally, share identity information globally
  – Sharing is controlled by policy
  – Good fit for UC
● Other Structures
  – Public Key Infrastructure (PKI)
    ● We tried it.
  – Active Directory and LDAP-based structures
  – UC is not hierarchical; one size doesn’t fit all

What are we building?
● Trustworthy exchange of identity attributes
● Trustworthy identity attributes
● Create a trust environment
  – Services trust campuses to provide correct identity information
  – Campuses trust services not to misuse information they receive
  – Participants trust campuses not to reveal information inappropriately and applications not to misuse that information

InCommon
● Defines technology for trustworthy exchange of identity attributes.
● Defines common identity attributes
● Emphasis is on broad membership.
  – Specific agreements (e.g., requirements for identity management) are pairwise.

UCTrust
● Establishes global requirements to facilitate system-wide agreements.
● Creates trust in identity attributes through policy.
  – Policy controls the release of information
  – Technology enforces that policy
  – Technology ensures secure transit of identity attributes
● Extends InCommon

UCTrust
● Pilot project with three campuses
  – UC San Diego
  – UC Los Angeles
  – UC Irvine
● UCOP applications
  – Your Benefits Online
  – California Digital Library

InCommon Requirements
● InCommon criteria
  – IdM systems “fall under the purview of organization’s executive management”
  – Appropriate risk management practices for issuing end-user credentials
  – Must be documented
● UCTrust requires greater assurance in identity management practices for conformance with existing UC policies

UCTrust Requirements
● Campuses must provide authoritative and accurate attribute assertions
● Campuses must have practices that meet minimum standards
  – establishing electronic credentials and
  – maintaining individual identity information
● Providers receiving individual identity attributes must ensure their protection and respect privacy constraints defined by the campus

Governance
● UCTrust Task Force
  – Composed of campus Identity Providers, Service Providers, UCTrust Administration, UCOP
  – Manages operational policies and procedures
  – Oversight and conflict resolution provided by UC’s Information Technology Leadership Council, the group of UC’s CIOs.

Administration
● UCTrust Federation Administration
  – Provides operational coordination, when needed
  – Maintains documentation repository
  – Not a major resource drain; technology and end-user support is with the Identity and Service Providers.

Identity Provider Responsibilities
● Identification, registration, and authentication processes
  – Accuracy and timeliness of identity information; tools to update
  – Availability of access to enterprise directory, authentication, etc.
  – Audit logs to enable investigation
  – Support for end-users, service providers and UCTrust Administration
● Dissemination of policy and best practices

Service Provider Responsibilities
● Secure operation of services
  – Awareness of Identity Provider service levels
  – Audit logs to enable investigations
  – Compliance with Identity Provider standards and best practices
  – Support for end-users, identity providers, and UCTrust administration

Community Member Responsibilities
● Community members are the individuals who have officially established an affiliation with a campus
● Community members are responsible for
  – assurance that their credentials are not given to others
  – compliance with Identity Provider standards and best practices

Current State of UCTrust
● Vetting with various UC constituencies
  – Campus CIOs
  – Controllers
  – Vice Chancellors of Administration
  – Academic Senate IT Committee
● External review for Your Benefits Online
● We expect official creation by campus CIOs in late May

Interesting Issues – Risk Analysis
Potential Risks
  – Identification: Is correct identification supplied when individual is hired?
  – Registration: Can someone else’s credential be provided during registration? Can an unauthorized individual obtain a credential? What about legacy information on individuals?
  – Authentication: Can exchange of user name and password be intercepted or passwords be guessed? What about unattended sessions?

Interesting Issues – Recommended Practices
● Multifactor authentication
  – If asking for multiple pieces of information, only one should be a password; others should be well-known to the end-user.
● Synchronization with repositories of record
  – Payroll
  – Student Information System

Interesting Issues – Liability
● Intra-institutional liability and trust
  – Not legal liability
  – UC is legally a single entity
● Who is liable when something goes wrong?
  – E.g., whose budget is impacted?
● Retirement fund represents a large sum of money, even for only one retiree.

Interesting Issues - Dual Campus Authorities
● Two identity authorities for different, but overlapping, subcommunities
● Resulted in better alignment of campus IT organizations

Interesting Issues – Log Retention
● Logs are required for forensic purposes
  – So, keep them as long as practical.
● Logs contain private information.
  – So, don’t keep them.
● Three to six months seems about right.

Identity Management in the CSU
Mark Crase, Sr. Director Technology Infrastructure Services, CSU Office of the Chancellor
Copyright 2005 Mark Crase. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Secure Identity Management Infrastructure
● SIMI
  – A system-wide technology and policy infrastructure that will enable CSU campuses to manage identity information and assure efficient and secure transactions that fully respect individual privacy.

SIMI Goals
● SIMI will improve the secure integration of information technology services across the CSU, to support and enhance learning and improve administrative efficiency.
● SIMI will create the foundation that will enable secure transactions amongst key educational, business and government partners, while protecting personal privacy.

The Identity Management Collaborative: A SIMI Pilot Project
● Collaboration between Cal Poly San Luis Obispo, CSU Stanislaus and the Office of the Chancellor with funding from Internet2/NSF through EDUCAUSE
● Goals:
  – Provide robust Identity Management services by leveraging talent and other resources at one campus to serve the needs of a second campus
  – Strengthen the operations at the provider campus
  – Improve services at the client campus
  – Provide test-bed to address issues related to the system-wide SIMI Project

IdMC: Objectives
● Create an inter-campus service/support model
  – Develop needs assessment tools to determine programmatic needs and resources required to meet them
  – Develop service proposal templates
  – Develop performance metrics
  – Conduct performance assessments
● Document and disseminate lessons learned within the CSU and out to the greater education community

IdMC: Progress-to-date
● Stanislaus Requirements defined
  – Enterprise directory
  – Authentication for PeopleSoft Access
  – Authentication for Blackboard Access
● SOW Completed
  – Project Description, Deliverables, Timelines and Milestones
● MOUs Completed
  – Campus-specific roles & responsibilities codified

IdMC: Progress-to-date (cont.)
● Stanislaus directory configured at Cal Poly
● Secure path established between campuses
● Stanislaus test data sent to Cal Poly
● Directory populated
● Issues remaining:
  – Determining what data to make viewable
  – Establishing password change procedures
  – Directory-enabling access to PeopleSoft

IdMC: Benefits
● Stanislaus:
  – Gain a Directory and Basic Authentication Service
  – Learning experience for staff re: Id Management
  – Gain working knowledge of implementing an Enterprise Directory
● San Luis Obispo:
  – Improved campus buy-in regarding middleware
  – Input from other middleware team regarding Cal Poly’s implementation
  – Collaboration process

IdMC: Challenges
● Stanislaus
  – Staff buy-in
  – Selling the concept of remote directory services
  – Ensuring secure, reliable access
  – Staff resources
● San Luis Obispo
  – Prioritizing resources for the project

Lessons Learned So Far…
● Synchronizing activities at two campuses is not trivial
● External forces are also at play
  – Oracle Portal Grant
● Receiving help from a provider campus does not negate the need to do significant preparation at client campus

Questions?