Identity and Access Management Governance: Real-world practices that work in Higher Education
Roopa Chowbey, Manager, Identity Management
Agenda
- Background: the Identity and Access Management (IAM) program at George Washington University (GWU)
- Why do we need governance?
- Identity Governance Council (IGC) structure
- IGC charter
- IGC composition
- Sample agenda items
- Examples of IGC recommendations
- Success factors
Background: Identity Program at GWU
Timeline: 2011 IAM Phase 1; 2012 IAM Phase 2; 2014 IAM Phase 3; 2016 IAM Phase 4
IAM Phase 1: Establish digital identity infrastructure
- Provisioning to the legacy directory (Sun ONE/iPlanet)
- J2EE web applications for identity claiming
IAM Phase 2: ERP user account provisioning
- Provisioning to the current directory (Active Directory)
IAM Phase 3: Implement Shibboleth; SAML integration with InCommon service providers and other cloud applications
- Establish an Active Directory authentication service
IAM Phase 4: Web single sign-on and multi-factor authentication
- Access management using RBAC for all applications; RBAC authorization for ERP applications
Background: Target State of the Identity Program at GWU
- Cloud directory with an on-premise component
- Identity management: dynamic groups (RBAC/ABAC), self-managed groups, one GW identity store
- Mobile device management
- Access management using RBAC and a single SSO tool
- Configurable multi-factor authentication
- Privileged account management
- Role-based digital rights management
- Preventive threat analytics
Why do we need Identity Governance?
- Establish policies and processes that guide the IAM program
- Ensure that IAM policies and processes are aligned with business policies and processes
- Set priorities based on organizational needs around security, provisioning and access management
- Provide identity assurance
Identity Governance Council Structure at GWU
- Identity Governance Council (composition described on the next slide)
- Technology Working Group (composed of Division of IT members and IT directors from the schools)
- Policy Working Group (composed of Risk/Compliance, Division of IT members, HR, Dean of Students, Alumni Office, CFO office, Librarian)
- Active Directory Governance (most members of the Identity Governance Council)
IGC Charter
- Establish university-wide governance for Identity and Access Management
- Have a cross-institutional membership to help provide insight
- Assure that risk and compliance elements are balanced with the use of technology
IGC Composition
IT: IAM Program Owner (Chair); CIO and Deputy CIO; Information Security; IAM Service Manager; Directory Services
Front office: Registrar; Dean of Students; HR; Faculty Representative; Academic Technologies; Alumni Office
Back office: HRIS; General Counsel; University Risk and Compliance; CFO Office; External Relations
Working Groups Charter
Policy Working Group
- Help define the actual policies that govern access to resources, including networks and systems.
- Work closely with the other working groups to determine the standards that underpin each policy, and therefore help define the exceptions as well.
- Include governance of the systems of record for each stage of the identity life cycle, as well as the standards that systems within the university must adhere to regarding identity.
- The list of potential policy discussion topics is expected to be fluid; the expectation is that it becomes progressively shorter as recommendations are put forward to the council.
Technology Working Group
- Focus on the technology needed to support the recommendations of the other working groups and the governance established by the council as a whole.
- Align technology with the strategic technical architecture of the university and with the integrated nature of identity and its components.
Policy Working Group: sample agenda
- NetID policy (is a change required?): self-selected or assigned?
- Granularity of roles: review the role selection criteria regularly and define new roles if necessary
- Grace periods for access: define access requirements after the loss of a role
- Elevated security (multi-factor authentication): define which types of applications are automatically protected by MFA
- Birthright provisioning/access: define the RBAC requirements
Technology Working Group: sample agenda
- Roadmap for role-based access control, so that group management controls system access
- Roadmap for single sign-on
- Determine the systems of record for identities (for example, Ellucian's Banner for students and employees, Advance for alumni, and custom sources for summer residents, library patrons and so on)
- Define the identity lifecycle from inception to termination, including the question of when an entity becomes an identity that we track
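The policy and technology agenda items above (birthright RBAC access, grace periods after loss of a role, which applications MFA automatically covers, and which system of record asserts each affiliation) become concrete once they are written down as data that a provisioning job evaluates. The following is an added example, not code from the GWU program; the role names, system-of-record labels, applications, grace-period lengths and the sample identity record are all hypothetical and were constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Hypothetical governance decisions, expressed as data so the Policy Working
# Group can review or change them without touching the evaluation logic.

# Which system of record is authoritative for each affiliation (role).
SYSTEM_OF_RECORD = {
    "student": "banner",          # e.g. Ellucian Banner for students and employees
    "employee": "banner",
    "alumni": "advance",          # e.g. Advance for alumni
    "library_patron": "custom",   # custom source for library patrons
}

# Birthright entitlements granted automatically to every holder of a role.
BIRTHRIGHT = {
    "student": {"email", "lms", "wifi"},
    "employee": {"email", "erp", "wifi", "vpn"},
    "alumni": {"email"},
    "library_patron": {"library"},
}

# Grace period (days) during which access persists after the role is lost.
GRACE_DAYS = {"student": 180, "employee": 14, "alumni": 0, "library_patron": 0}

# Applications the MFA policy designates as automatically protected.
MFA_REQUIRED = {"erp", "vpn"}


@dataclass(frozen=True)
class Affiliation:
    role: str
    source: str                   # system of record that asserted the role
    ended: Optional[date] = None  # None means the role is still active


@dataclass
class Identity:
    netid: str
    affiliations: List[Affiliation] = field(default_factory=list)


def active_roles(identity: Identity, today: date) -> Set[str]:
    """Roles that still confer access on `today`.

    A role counts if it is active or still inside its grace window, and only
    if it was asserted by the authoritative system of record for that role;
    an affiliation from any other source is ignored rather than trusted.
    """
    roles: Set[str] = set()
    for a in identity.affiliations:
        if SYSTEM_OF_RECORD.get(a.role) != a.source:
            continue
        if a.ended is None or today <= a.ended + timedelta(days=GRACE_DAYS[a.role]):
            roles.add(a.role)
    return roles


def entitlements(identity: Identity, today: date) -> Set[str]:
    """Union of birthright entitlements across the roles active today."""
    apps: Set[str] = set()
    for role in active_roles(identity, today):
        apps |= BIRTHRIGHT[role]
    return apps


def requires_mfa(app: str) -> bool:
    """Whether the MFA policy automatically protects this application."""
    return app in MFA_REQUIRED


def provisioning_actions(identity: Identity, current: Set[str],
                         today: date) -> Tuple[Set[str], Set[str]]:
    """Diff desired state against what is currently provisioned.

    Returns (grant, revoke). Running this on a schedule is what makes
    birthright provisioning and grace-period deprovisioning automatic.
    """
    desired = entitlements(identity, today)
    return desired - current, current - desired


def sample_identity() -> Identity:
    """Constructed record: a current student who left a staff job on 2016-08-25
    and whose alumni status was asserted by a non-authoritative source."""
    return Identity("jdoe", [
        Affiliation("student", "banner"),
        Affiliation("employee", "banner", ended=date(2016, 8, 25)),
        Affiliation("alumni", "banner"),   # wrong source for alumni: ignored
    ])


if __name__ == "__main__":
    ident = sample_identity()
    for day in (date(2016, 9, 1), date(2016, 9, 20)):
        apps = entitlements(ident, day)
        print(day, sorted(apps), "MFA:", sorted(a for a in apps if requires_mfa(a)))
```

On 2016-09-01 the former employee is still inside the 14-day grace window, so ERP and VPN (both MFA-protected) remain; by 2016-09-20 only the student birthright set is left and the scheduled diff revokes the rest. The alumni affiliation never grants anything because it was not asserted by the system of record the council designated for alumni, which is the practical consequence of the "systems of record" decision.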
Examples of IGC recommendations
- Data classification (regulated, restricted or public)
- Information system access policies
- NetID policies
- User experience for MFA
- Identity roadmap planning
- Granularity of roles
IGC Success Factors
- Executive sponsorship
- Effective communication and awareness
- Business and stakeholder participation
- Participant interest and continued enthusiasm
Questions?