Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity and Access Management (IAM) What’s in it for Me? NC State University - Computer Security Day October 26, 2009 Mark Scheible Manager, Identity.

Published byShonda Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "Identity and Access Management (IAM) What’s in it for Me? NC State University - Computer Security Day October 26, 2009 Mark Scheible Manager, Identity."— Presentation transcript:

1 Identity and Access Management (IAM) What’s in it for Me? NC State University - Computer Security Day October 26, 2009 Mark Scheible Manager, Identity & Access Management Security & Compliance Office of Information Technology mark_scheible@ncsu.edu http://oit.ncsu.edu/iam

2 Identity and Access Management is … What? “Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – Educause IdM Working Group Major Operational areas of interest include: Credentialing - the issuing of a “username and password” for authentication purposes Identity Vetting & Proofing - making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and insuring a credential is issued to the appropriate person Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”) Authentication Services – used to authenticate someone (think “login”) Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are, or their membership in a group

3 Identity and Access Management at NC State University … The IAM Initiative is a campus-wide collaborative effort to improve the overall infrastructure used to authenticate users and provide access (authorization) to campus resources. It involves the secure storage and access of student, faculty, staff, affiliate and guest identity data and the use of federated identities for access to both internal and external resources. The IAM Objectives (from the IAM Charter) are: Create and implement a cohesive Identity and Access Management Roadmap Provide leadership in the definition, protection and use of identity data for Students, Employees, Affiliates and Guests of the University Simplify and enhance the campus authentication infrastructure Enable secure, reliable access to campus resources and services for the NC State community that is easily maintained through the use of roles and group membership Implement an Enterprise Directory Service for campus to provide a single, secure location for commonly accessed authoritative user and resource data Enable and support the use of federated identity management for campus Reduce overall administrative costs and ensure effectiveness and adaptability of IAM services

4 IAM and Admissions at NC State … (in the near future)

5 A New Student Identity and Identity-Proofing … Jennifer, whose mother is an NC State alumna, applies through the NC State Admissions portal (wolfPAW) and is issued a wolfPAW ID and password. After going through the admissions process, she is accepted to the university and receives her UnityID (a non name-based combination of letters and numbers) and password online. She signs up for an Orientation session and arrives on campus with her parents during the summer. When she goes to get her Student ID (All Campus Card), she’s asked to show a government-issued photo ID and produces her NC drivers license. The person at the desk checks her ID and matches the name to her student record. She then has her picture taken (which is uploaded to her student record) and is asked to change her Unity account password and fill in her UIA questions.

6 A New Student Identity and Identity-Proofing … continued Jennifer asks why she needs to do this and is told that for the security of her student records and future transactions, this is the point at which the university is sure that she is the only person that has access to her account. When Jennifer completes this task, the time and date of the password change is recorded and a “level of assurance” field is updated in her student record. When Jennifer completes this update, the application “asks” whether she wants to create a “parent” account to have access to her student financial record (to pay bills), her class schedule and/or her grades. Jennifer decides to create an account for her mother to access all of the above options and enters her mother’s email address. She decides to wait on creating an account for her father (he’s a Carolina alum) until she thinks about whether or not to give him access to her grades, and exits the application.

7 IAM and Account Provisioning (near future?) … Patrick has just been offered a position by the university and after accepting the offer his HR record is updated to show his affiliation with the university is no longer “applicant”, but “staff” with an effective start date. The account credential he has been using to access the NC State job site consists of his personal email address (patrick82@yoohoo.com) and a password. He receives an email at this address with his new UnityID and directions on how to access the NCSU initial password page to pick a password and select his challenge/response (UIA) questions.patrick82@yoohoo.com

8 IAM and Account Provisioning (near future?) … continued On the effective date of his employment a process is “triggered” to move his login account from the NC State “Guest Authentication System” to the university authentication system which contains active students, employees and “tightly affiliated” community members (e.g. Federally paid employees, research assistants, contractors, visiting scholars, etc.). At the same time, a “university email account” is created for him and selected directory information (Name, department and phone number) is referenced from the campus Enterprise Directory Service that contains all his identity information. Predefined distribution lists are also populated with Patrick’s name and email address. When Patrick shows up the next morning, he logs in to his desktop device using his new UnityID and recently changed password and has access to email and all the campus applications he needs on his first day.

9 Enterprise Directory Services - huh?… A “single” directory of user identity data Populated by authoritative sources (Systems of Record) The data is consumed by applications and authorization services Data is as close to the source as possible – no “aged” data Eliminates the need for many extracts that need to be updated The data elements (attributes) contained in the Enterprise Directory Service are based what’s needed by the data consumers Common users of the data:  Campus “Find People” directory  Shibboleth Service Providers (SPs)  Departmental Applications

10 Group and Role Management … Sandra is a web developer for PAMS and is setting up a front end to a new application for the Physics Department. She has instructions to restrict the application to members of the department or students taking Physics classes. She installs the kit for Shibboleth on her web server and configures it to check authenticated employees for a department attribute of “physics” and also looks for “students” (a value in the affiliation attribute) with an entitlement attribute containing the value “member of PHYxxx”. If she gets a value match on either of these attributes the user is passed along to the application. Jim is working on the helpdesk and needs to lookup a user to check their account information. He accesses a web app that references his role attributes looking for “helpdesk”. After finding a match it automatically passes him through to the user lookup application.

11 Federated Identity Management (FIM) and Shibboleth … Mark brings up his browser and connects to the MyPack Portal. He’s redirected to the campus login page for Shibboleth and enters his UnityID and Password He then visits an external wiki where he collaborates with peers from other universities and is automatically logged into the site with his NC State credential. After reviewing some documents at the wiki site, he connects to his Google Apps account – again without needing to login – and updates a document with information from the wiki…

12 Review (Pop-Quiz to follow) …

13 Pop Quiz … 1. How many slides are in this presentation? 2. What does IAM stand for? 3. What critical connection does ID-Proofing provide? 4. Why should you care “who” is using your UnityID? 5. Where does the data in an Enterprise Directory come from? 6. What are the benefits of having an identity federation? 7. What does OIT stand for? 8. Name a key “affiliation group” that was mentioned in one of the slides

14 Your Turn … Questions?

Download ppt "Identity and Access Management (IAM) What’s in it for Me? NC State University - Computer Security Day October 26, 2009 Mark Scheible Manager, Identity."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)

- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
WEB CONNECT FOR EASYNVR : 2015. WEB CONNECT INCREASES YOUR PROFITABILITY BY REDUCING INSTALLATION LABOR COSTS WHILE SIMULTANEOUSLY CREATING NEW REVENUE.

WEB CONNECT FOR EASYNVR : WEB CONNECT INCREASES YOUR PROFITABILITY BY REDUCING INSTALLATION LABOR COSTS WHILE SIMULTANEOUSLY CREATING NEW REVENUE.
Managing Student Access. What will we cover Registration Options Student Uploads Login Options Alumni Access versus Student Access.

Managing Student Access. What will we cover Registration Options Student Uploads Login Options Alumni Access versus Student Access.
Credentialing, Levels of Assurance and Risk: What’s Good Enough Dr. Michael Conlon Director of Data Infrastructure University of Florida.

Credentialing, Levels of Assurance and Risk: What’s Good Enough Dr. Michael Conlon Director of Data Infrastructure University of Florida.
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.

Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
BENUE STATE UNIVERSITY, MAKURDI The Directorate of Information and Communication Technology (ICT), BSU Makurdi.

BENUE STATE UNIVERSITY, MAKURDI The Directorate of Information and Communication Technology (ICT), BSU Makurdi.
National Service Trust Automation Project Training Materials: Members and Alumni Corporation for National & Community Service (CNCS) National Service Trust.

National Service Trust Automation Project Training Materials: Members and Alumni Corporation for National & Community Service (CNCS) National Service Trust.
Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.

Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity.
RVCC FACULTY FERPA WORKSHOP OCTOBER 2011 DAN PALUBNIAK REGISTRAR

RVCC FACULTY FERPA WORKSHOP OCTOBER 2011 DAN PALUBNIAK REGISTRAR
UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.

UCB Enterprise Directory Services. Directory Services – Project History  Requirements defined  Project commission & goals articulated  Project teams.
Social Security Numbers. What is “Social Security”? Social Security (SS) is primarily a U.S. government fund that supports elderly and/or disabled citizens.

Social Security Numbers. What is “Social Security”? Social Security (SS) is primarily a U.S. government fund that supports elderly and/or disabled citizens.
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.

Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.
UNIVERSITY OF CALIFORNIA, RIVERSIDE COMPUTING AND COMMUNICATIONS “GETTING CONNECTED” Presented by: Computing and Communications Josee Larochelle September.

UNIVERSITY OF CALIFORNIA, RIVERSIDE COMPUTING AND COMMUNICATIONS “GETTING CONNECTED” Presented by: Computing and Communications Josee Larochelle September.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
On-Line Database Placement Application Tutorial. How to Change Your Information On York’s System.

On-Line Database Placement Application Tutorial. How to Change Your Information On York’s System.

Similar presentations

Ads by Google