Building an IAM Program at Portland State University. Polling URL:...


1 Building an IAM Program at Portland State University
Polling URL:...
PRESENTED BY: Ryan Bass, Associate CIO, Portland State University; Jessica Coltrin, Associate Director, Portland State University
2018 Internet2

2 Asking Questions
You have the option to ask questions via the URL above; you can also upvote your favorite questions.

3 Building an Identity and Access Management (IAM) Program at Portland State University (PSU)
Agenda
- About PSU
- IAM Maturity
- The Beginning of IAM at Portland State
- IAM and beyond: Future Plans


5 Audience (poll)
- CIOs
- Other leadership not focused on IAM?
- IAM leadership
- IAM developer/administrator
- Other

6 About Portland State University


8 IAM Maturity

9 Gartner ITScore for IAM Maturity
Poll:...


12 The Beginning of IAM at Portland State

13 PSU Gartner ITScore for IAM in 2000

14 The Beginning

15 Gartner ITScore for IAM in 2010

16 2012
- The lingering Sun Identity Manager project team meetings become IAM Operations and are recognized as a long-term IT coordination group. Membership includes IAM, Windows Server Team (Active Directory), Unix Team (LDAP & CAS), Banner ERP, and Helpdesk.
- Affiliate account process created - ERP integrated and paperless.
- New Architecture and Integration Team with an IAM focus is created.
- Diagram labels: Sun Identity Manager; in-house Ragve custom provisioning engine for LMS, etc.
- Sailpoint Identity IQ is selected to replace Sun Identity Manager.


18 PSU Gartner ITScore for IAM in 2013

19 Changing Landscape in 2013
- Oracle support for Sun Identity Manager is ending soon
- Project to migrate to SailPoint Identity IQ is underway
- PSU Single Sign-On adoption has grown rapidly - added to Banner ERP self-service
- Staff turnover creates opportunity for rebuilding IAM team

20 Launching IAM PSU in 2014
Large queue of lingering work to do:
- Complete migration from Sun Identity Manager to Sailpoint Identity IQ
- Take on operational responsibilities for custom provisioning tool
- Federated login with Shibboleth and InCommon
- Multi Factor Authentication
- Service account management
- Privileged account management
Architecture and Integration team becomes 100% IAM focused, and is renamed to the Identity and Access Management team. Hired new leadership.

21 Identity and Access Management PSU

22 Creating a Vision
First, look at what the rest of Higher Education is doing:
- Experience with the Kuali community and Kuali Identity Management
- Awareness of InCommon and earlier phases of what became TIER (OSIdm4HE, CIFER)
- Research with Gartner & Educause
- Attended Internet2 Technology Exchange
Also look at prior work at PSU:
- Some foundational work in architecture and integration; Sailpoint chosen
- PSU had already joined InCommon but wasn't using it yet
- We had Active Directory, LDAP, and Google in place with SunIDM
- We had a custom system (ragve) built for D2L provisioning and other one-off provisioning
And institutional priorities and goals:
- First area of focus was finishing the Sailpoint project
- Simplify the user experience and the support experience
- Applications coming on board requesting SSO via SAML2

23 Vision for IAM (architecture diagram labels)
- Odin Account Manager for all account/access mgmt: Create Account (Banner, Destiny, etc.), Single Sign-On (CAS & Shibboleth), password management, service account management, privileged account management, access requests
- LDAP
- Sailpoint IIQ for identity store & provisioning
- AD
- Most PSU Applications
- Google
- ragve for custom apps Sailpoint wouldn't support (D2L, etc.)

24 Strategy/Priorities
1) Manage Identities
2) Access Management
3) IAM Improvements

25 Developer-Focused Implementation Methodology
With the addition of:
- Strategic Operational Fixes over Project Work
- Small Iterations over Large Features

26 Projects Completed To Date
1) Manage Identities
- OAM 2.0 (Sailpoint project)
- Definitions, Individual & Service
- Service Accounts
- Support/Re-architect ragve
2) Access Management and 3) IAM Improvements (items as listed on the slide)
- Access Management Strategy
- Automated Offboarding
- Shibboleth IdP
- Implement MFA
- MFA for ACH & SSO
- Limited Lifetime Accounts
- Sailpoint 7 Upgrade
Lessons Learned
- It takes time to build experienced resources. And it hurts when you lose them.
- Defining & establishing common meanings for terms like "service account" is important, and it takes more time than expected.
- Tie access to roles; we use the same account for a user with student and employee roles.
- Limit vendor solutions to what they do well. Write custom code instead of trying to modify vendor code.
- IAM Operations always takes up more time than you think it will.

27 Milestones
- Team reformed as a software development team that also handles operations
- Introduced JIRA/Confluence to document and collaborate
- Establishment of versioned releases & standard processes for development life cycle
- Establishment of IAM governance model, formalizing IAM-Ops, security rep
- Integration with Enterprise Application governance & high level IT Advisory Committee
- OAM 2.0 with Sailpoint
- Added Additional Staff
- Shibboleth, Duo, OAM Admin
- Documented IAM Architecture

28 PSU Gartner ITScore for IAM in 2016

29 Current Architecture (diagram labels)
- Banner: SOR for all accounts (entry via application or HR)
- Odin Account Manager for all account/access mgmt: Single Sign-On (CAS & Shibboleth), password management, service account management, high account management, access requests (custom Django web app)
- Shibboleth IdP 3
- LDAP
- AD
- OAM Admin for backend administration (custom Django web app)
- Sailpoint IIQ for identity store & provisioning
- Duo
- Most PSU Applications
- Google
- ragve for custom apps Sailpoint wouldn't support (D2L, Pebblepad, etc.)

30 Projects In Progress
1) Access Management
- OAM Access Requests (OAR)
- Proxy Management in OAM
- Research Access Improvements
2) Manage Identities
- Affiliate Accounts Rewrite
- Privileged Accounts
3) IAM Improvements
- Lenel Provisioning in Ragve
Lessons Learned
- Switched focus to Access Management
- Improvement projects like Affiliate Accounts always seem to take the backseat
- The organization has to be ready to embrace certain changes
- Vendor APIs are often not as ready or complete as you need
- Custom user-facing webapps shield complexity and allow for replacing components without impacting the user experience


32 PSU Gartner ITScore for IAM in 2018
We're now almost to Level 4. Still more work to do on EA architecture alignment.

33 2019 and beyond: Future Plans

34 Future Projects
IAM Improvements: core Identity and Access Management features are in; remaining work is improving and streamlining IAM.
- Incorporate TIER
- Identity First Design
- Application PIN Recovery
- AWS/Azure Accounts in OAM
- Orphan Management
- Search/Match in OAM
- Temp/Guest Accounts in OAM

35 Incorporate TIER
Investigate the TIER deliverables and incorporate them into our IAM Program where appropriate.
- Move Shibboleth to provided Docker containers
- Implement Grouper with provided Docker containers
- Investigate COmanage/MidPoint for identity store for low assurance accounts
- Investigate Shibboleth UI
- Look into Banner/Ethos working group to streamline Banner integrations
- Follow id match initiative as it evolves

36 Identity First
Concept: The first time we collect identity information from a user, it should come through creating a record in the identity system. The identity system becomes the System of Record (SOR) for identity.
Principles
- Track users from their first touch point at the university through their last interaction.
- Different levels of assurance, different levels of access throughout the identity lifecycle.
- Visibility & automation around provisioning/deprovisioning of accounts & access.
- Flexibility, modularity, and shared ownership.
- Accounts are provisioned on an as-needed basis to additional systems.

37 Identity Creation (diagram labels)
Create Account (OAM) -> Login (Single Sign-On)
Entry systems and the populations they bring in:
- Talisma: Prospects
- Grad App (CollegeNet), Undergrad App (Banner): Applicants
- Registration (Banner): Students
- Destiny: Non-Credit
- New Employee (Banner): Employees

38 Levels of Assurance
Level | Info Collected | Validation | Uses
1 - minimal | First, Last | External exists | Prospects, temporary accounts, applicants, non-credit students
2 - matched | Contact info, SSN requested, etc. | Search/match | Admitted students
3 - verified* | n/a | Id document verification | Verified student, verified employee
Each level builds upon the previous level, adding more assurance that the identity is valid.
* Verified requires examination of an identity document, e.g. social security card, passport, driver's license.
Note: We'll be looking into InCommon Identity Assurance Levels to see where/how they fit.
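The "each level builds upon the previous level" rule is the part of this table that an identity system has to enforce in code: evidence for a higher level must not count if a lower level's evidence is missing, and a use permitted at one level should be available to any higher-assurance identity. The following is an added example written for this page, not PSU's Odin Account Manager code. The evidence field names (external_email, contact_info, search_match_passed, id_document_verified), the lower-case use names, and the choice to let higher levels inherit lower levels' uses are all this example's assumptions; the three levels and the "Uses" column are taken from the slide.

```python
"""Assurance-level derivation modelled on the three PSU levels.

Example code added to this page; field names and policy helpers are
assumptions, not PSU's implementation.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Uses permitted at each level, from the slide's "Uses" column (lower-cased).
USES_BY_LEVEL = {
    1: {"prospect", "temporary account", "applicant", "non-credit student"},
    2: {"admitted student"},
    3: {"verified student", "verified employee"},
}


@dataclass
class IdentityRecord:
    first: str
    last: str
    # Level 1 validation: an external address exists (assumed field name).
    external_email: Optional[str] = None
    # Level 2 info collected and validation (assumed field names).
    contact_info: bool = False
    search_match_passed: bool = False
    # Level 3 validation: an identity document was examined (assumed field).
    id_document_verified: bool = False


def assurance_level(rec: IdentityRecord) -> int:
    """Return 0 (no assurance) to 3.

    Each level requires every lower level, so the checks short-circuit:
    a record with a verified ID document but no search/match stays at level 1.
    """
    if not (rec.first and rec.last and rec.external_email):
        return 0
    if not (rec.contact_info and rec.search_match_passed):
        return 1
    if not rec.id_document_verified:
        return 2
    return 3


def permitted_uses(level: int) -> Set[str]:
    """Uses available at `level`, including those of every lower level
    (assumption: higher assurance covers lower-assurance uses)."""
    allowed: Set[str] = set()
    for lvl, uses in USES_BY_LEVEL.items():
        if lvl <= level:
            allowed |= uses
    return allowed


def authorize(rec: IdentityRecord, use: str) -> bool:
    """True if the record's derived level permits `use`."""
    return use in permitted_uses(assurance_level(rec))


if __name__ == "__main__":
    # Constructed sample records, not real people.
    prospect = IdentityRecord("Ada", "Lovelace", external_email="ada@example.org")
    skipped = IdentityRecord("Ada", "Lovelace", external_email="ada@example.org",
                             id_document_verified=True)  # level 3 evidence only
    verified = IdentityRecord("Ada", "Lovelace", external_email="ada@example.org",
                              contact_info=True, search_match_passed=True,
                              id_document_verified=True)
    for name, rec in [("prospect", prospect), ("skipped", skipped), ("verified", verified)]:
        print(name, assurance_level(rec), sorted(permitted_uses(assurance_level(rec))))
```

Deriving the level from evidence at request time, rather than storing a level attribute that was set once, keeps the "builds upon" property honest: if a search/match result is later invalidated, the derived level drops and every use that depended on it drops with it.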

39 PSU Gartner ITScore for IAM in 2020
Time for community collaboration


41 Questions and Discussion
Building an IAM Program at Portland State University
PRESENTED BY: Jessica Coltrin, Associate Director, Portland State University; Ryan Bass, Associate CIO, Portland State University
2018 Internet2