Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat...


Transcript of Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat...

Page 1: Policy and Technology in Enterprise Directory and Authentication Services No Room to Swing a Cat Michael Gettes, MACE, Duke University Keith Hazelton,

Policy and Technology in Enterprise Directory and Authentication Services

No Room to Swing a Cat

Michael Gettes, MACE, Duke University
Keith Hazelton, MACE, University of Wisconsin - Madison
Carrie Regenstein, University of Wisconsin - Madison
Ann West, NMI-EDIT Outreach, EDUCAUSE/Internet2


SERC, June 7, 2004

A Word from the sponsors: What is NSF interested in?

NSF Middleware Initiative (NMI): analogous to building the NSFnet

– Scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments

– Research and education communities can effectively collaborate using advanced communications tools

– Internet users around the world can benefit.


What is NMI-EDIT?

NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT)

– Internet2, EDUCAUSE, and SURA

– Project Goals:

Create a common, persistent and robust core middleware infrastructure for the R&E community

Provide tools and services in support of inter-institutional and inter-realm collaborations

Focus on intra- and inter-institutional identity and access management and related services


Range of Motion: Cat Swinging

– Definition of key terms

– Context

– Strategies for success

– Moving it forward


Today’s goal: Focus on people, service and functionality!

To support the synergistic relationship among technologists, policy folks, and administrators as an ongoing modus operandi (m.o.)

A perspective or methods of managing, deploying and maintaining future infrastructures, IT and more.


Key terms

– Enterprise Directory

– Authentication

– Authorization

Taken together these constitute an “Identity Management System” (IdM)


“Identity Management System”

Suite of campus-wide security, access, and information services

– Integrates data sources and manages information about people and their contact locations

– Establishes electronic identity of users

– Issues identity credentials

– Uses administrative data and management tools to assign affiliation attributes

– …and gives permission to use services based on those attributes


Key terms: Enterprise Directory Services

Enterprise Directory Services - where electronic identifiers are reconciled and institutional identity is established and maintained for all entities of interest

–Very quick lookup function

–Machine address, voice mail box, email box location, address, campus identifiers


More key terms

Authentication (AuthN)

– Process of proving your identity by “presenting” an identity credential

– In IT systems, often done by a login process

Authorization (AuthZ)

– Process of determining if policy permits a requested action to proceed, using attribute & group information

– Often associated with an authenticated identity, but not always and not necessarily


Context


Context: What’s the problem?

– Accommodate increased demand for integration across traditional data sources

– Deliver services to new populations

– Resolve tension between appropriate privacy and security regulations


Context: Viewing angles

User view

– One stop

– Presentation similarities

– Accurate data

Developer view

– One source

– Ease of development


Context: What happens?

Traditional data sources integration

–Updating information

–How soon can we serve new staff, students?

–Adding individuals to identity management system


Context: What happens?

New constituencies

– Beyond faculty, staff, and students

– Alumni, retirees, new kinds of learners

– A portal for parents

Challenge to “the join”

– Can’t ask for the key linking attributes like DoB

– Students vouch for them? Separate DB??


Strategies for Success


Strategies for Success

Know your environment

Establish core principles

Oversight

Real Life

Topics to consider


Strategies: Know your environment! Guiding questions

Is campus governance centralized or distributed?

How has central administration demonstrated commitment to policy leadership?

What partnerships are in place to support policy development among, e.g., IT, Legal, internal audit, police, Student Affairs?


Strategies: Know your environment! Guiding questions (continued)

Are there best practices already defined for your campus? Processes to create best practices?

Are there existing policies that just need to be interpreted to cover the e-World?

What resources are available to support policy development and implementation?


Strategies: Core principles

Guiding philosophy of new infrastructure

– Defined before design and implementation phases

– Criticality of service: 24x7 operations. Must all apps be directory enabled?

– Rooted in a view of data as a strategic resource

– Enterprise directory: link to all people of interest ..and all the needed identity information


Strategies: Core principles

Sample core principles

– Data infrastructure serves more than one institutional application

– Data is protected and requires permission for its use unless declared “public” by the data custodians or owners

– Access to private directory data must be granted for each application and be approved by the data custodians.

– Applications using that data should meet the security and data definition guidelines put forth by the technical service administrators.

– Data will be made available for all valid administrative and educational purposes
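As an added example that is not part of the slides, the attribute-release check below turns the AuthN/AuthZ distinction from the key-terms slide and the sample core principles above into working code: attributes are private unless the custodians declare them public, each application only receives the private attributes its custodian-approved grant covers, and an unauthenticated lookup is still authorized for public data (authorization without authentication). The attribute names, application ids, the directoryOptOut flag and the sample entry are all constructed assumptions, not from any campus deployment.

```python
"""Attribute-release check for an enterprise directory: data is private
unless the custodians declare it public, and each application's use of
private attributes needs a custodian-approved grant. Attribute names,
application ids, the opt-out flag and the sample entry are constructed."""
from dataclasses import dataclass

# Attributes the data custodians have declared public (constructed).
PUBLIC_ATTRIBUTES = {"cn", "mail", "telephoneNumber"}

# Per-application grants approved by the custodians (constructed).
APP_GRANTS = {
    "white-pages": set(),  # public data only, no grant needed
    "library-portal": {"uid", "eduPersonAffiliation"},
    "payroll": {"uid", "employeeNumber", "dateOfBirth"},
}


@dataclass(frozen=True)
class Decision:
    released: dict        # attribute -> value the application may see
    denied: frozenset     # requested attributes withheld by policy


def release(app_id, requested, entry, authenticated):
    """Decide which requested attributes of `entry` go to `app_id`.

    This is AuthZ in the slides' sense: a policy decision over attributes,
    separate from AuthN. An unauthenticated lookup is still authorized for
    public data; private attributes need both a login and a custodian
    grant. A person who opted out of the listing (hypothetical
    directoryOptOut flag) has public attributes withheld from
    unauthenticated lookups, while authenticated applications keep access.
    """
    allowed = set()
    if authenticated or not entry.get("directoryOptOut", False):
        allowed |= PUBLIC_ATTRIBUTES
    if authenticated:
        allowed |= APP_GRANTS.get(app_id, set())
    released = {a: entry[a] for a in requested if a in allowed and a in entry}
    denied = frozenset(a for a in requested if a not in allowed)
    return Decision(released, denied)


SAMPLE_ENTRY = {  # constructed entry for a student who opted out of the listing
    "uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
    "eduPersonAffiliation": "student", "dateOfBirth": "1990-01-01",
    "directoryOptOut": True,
}
```

An attribute that is allowed but absent from the entry is neither released nor reported as denied, so callers can tell a policy refusal from missing data.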


Strategies: Oversight

Oversight and ownership

– Data and technical service may be different

– Application and infrastructure may be different

– Create, read, update, and delete (CRUD)

– On-going legal, source system, and policy changes: requires business functions to be involved; requires changes in the infrastructure


Strategies: Oversight

Sample Oversight functions:

– Access and use of the data and compliance with University policy

– Access and use of service for performance and security implications

– Dissemination of directory maintenance information and changes

– Documentation of applications and attribute use

– Review of changes in requirements, procedures, and applications using the directory once per year


Strategies: People Issues

Whom did you include? Whom did you forget? In what order did you include them?

What did you hope for or expect each one to bring to the table?

Where are the more difficult interactions/relationships?


Strategies: Real life

Cultural / technical assumptions vs. reality

– “Public directories will be mined by spammers.” Honeypot: “Does it really happen?” Nope! (How we show data matters)

– Centralization vs. flexibility: distributed management tools. Be careful what you ask for

– Most anything can be done -- cost??


Strategies: Topics - 1

When should a policy be developed vs. a technical fix?

What are some strategies for creating policies on-the-fly? When should this be done?

How does a technical person know when a policy decision needs to be made?


Strategies: Topics - 2

How might we modify services to encourage high-level customers/stakeholders to work more effectively on policy issues?


Strategies: Topics - 3

What should we do with special cases or exceptions?

– Title entries in white pages: Chancellor, Provost, VP, EVP, etc.

–Vanity netIDs?

–Nicknames?

–Privacy opt-in, opt-out?


Moving it Forward


Forward: Applying what we learned?

Consider the problem, scope, and alternatives

–Big P Policies

–Little p policies


Forward: Compliance with Federal regulations - Due Diligence and the central IT organization

Big P policies

– FERPA FERPA FERPA

– USA Patriot Act: Policy supports compliance; Practice includes guidelines for operational staff

– HIPAA: Defining Health Care Components (HCCs) on campus. How can a central IT organization support compliance?


Forward: Compliance with State regulations - Due Diligence and the central IT organization

Big P policies

–Electronic Records Management

–Education and communication

Example:

http://archives.library.wisc.edu/rm/rechome.htm


Forward: Core principles

Big P policies

–Data and service as strategic resources

–Data and service ownership and stewardship

–Use of infrastructure

–Attribute privacy


Forward: Local considerations

Little p policies

– Relate to environment, role, and culture

NetID

– Assignment, self-selection, activation, password management

Physical access security (devices)

– Assignment, activation, and implementation

Others?


Resources

– www.nmi-edit.org/roadmap

– middleware.internet2.edu

– www.cit.cornell.edu/oit/PolicyOffice.html

– EDUCAUSE/Cornell Institute for Computer Policy and Law: www.educause.edu/icpl/
