Conference 2017
Identity Management and Service Integration in Higher Education
BCNet Identity Management Working Group
Speakers:
• Corey Scholefield | BCNet EduTrust, UVic
• Keir Novik | SFU
• Andy Zoltay | RRU
• Rahim Virani | KPU
• Sebastian Gonzalez | UBC
• Sabrina da Silva | BCIT
General Overview
[Diagram: User – Digital Identity – Applications & Hosted Services; Institute (Higher Ed.) and Other Organizations; Applications on premise and Applications off premise]
Identity & Access - Planning Context
[Diagram: Identity, Security, Privacy]
Identity and Access - Planning + Project Process
[Diagram: project phases Initiating, Planning, Executing, Monitoring, Closing; note: "Do IDAM consult here!"]
Services Integration Phases
• System Selection – RFP?
• System Integration – Business/Technical?
• Change Management – Outreach/Training?
• Go-Live
Identity and Access – Planning Alphabet
• autheNtication
• authoriZation
• accounts Provisioning
• accounts De-provisioning
* Thanks to Luca Filipozzi and Doug Gregg (UBC)
Identity and Access – Planning Alphabet
• autheNtication
  • Campus options vs. system capability
• authoriZation
  • Permissions assignment – roles / groups / local vs. centralized
• accounts Provisioning
  • Business process? Just-in-case vs. just-in-time?
• accounts De-provisioning
  • Disable / timeline / retention / ongoing access / grace period?
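To make the provisioning and de-provisioning choices on this slide concrete, here is an added Python sketch (not from the presentation or from any of the institutions named) that models just-in-case vs. just-in-time provisioning and a disable/retention timeline; the 30-day grace period and 365-day retention are assumed policy values, not figures from the deck.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Constructed policy values (assumptions, not taken from the presentation).
GRACE_DAYS = 30        # ongoing access after the affiliation ends, before disable
RETENTION_DAYS = 365   # disabled account and its data are kept this long


@dataclass(frozen=True)
class Person:
    affiliations: FrozenSet[str]          # currently active affiliations, e.g. {"student"}
    affiliation_end: Optional[date]       # date the last affiliation ended; None while active


def should_provision(person: Person, requested_login: bool, mode: str) -> bool:
    """Decide whether an account must exist right now.

    just-in-case: create the account as soon as any affiliation is granted.
    just-in-time: create it only when the person first tries to use a service.
    """
    if not person.affiliations:
        return False                      # never provision without an active affiliation
    if mode == "just-in-case":
        return True
    if mode == "just-in-time":
        return requested_login
    raise ValueError(f"unknown provisioning mode: {mode}")


def deprovision_timeline(affiliation_end: date,
                         grace_days: int = GRACE_DAYS,
                         retention_days: int = RETENTION_DAYS) -> dict:
    """Turn the slide's disable / retention / grace-period questions into dates."""
    disable_on = affiliation_end + timedelta(days=grace_days)
    delete_on = disable_on + timedelta(days=retention_days)
    return {"affiliation_end": affiliation_end,
            "disable_on": disable_on, "delete_on": delete_on}


def account_state(person: Person, today: date) -> str:
    """Lifecycle state for a person on a given day."""
    if person.affiliations:
        return "active"
    t = deprovision_timeline(person.affiliation_end)
    if today < t["disable_on"]:
        return "grace"        # ongoing access still allowed during the grace period
    if today < t["delete_on"]:
        return "disabled"     # login blocked, data retained for the retention window
    return "deleted"
```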
BC EduTrust Federated Services - Updates
• Goals – every BCNET member:
  • runs the eduroam WiFi service
  • runs a federated SSO Identity Provider (IdP) in the Canadian Access Federation
  • supports BCNET IT Shared Services adoption
BC EduTrust – CAF Community Group
BC EduTrust / CAF / BCcampus – Federated Wordpress
BC EduTrust – eduroam for @bc.net accounts on Azure AD
BC EduTrust – CAF Research & Scholarship Entity Category Support
https://www.canarie.ca/identity/support/research-and-scholarship-entity-category/
BC EduTrust – Education Planner (phase 3)
Royal Roads University
• Strategies
  • Consolidating identities into a single repository with multiple roles
  • Move towards central authentication
  • Streamlining account provisioning synchronization
• Challenges
  • Shibboleth is complicated and has a steep learning curve
  • Each service provider implementation has proven slightly different or non-standard
    • e.g. use of the “unspecified” NameID format
    • e.g. Shibboleth vs. ADFS
  • Shibboleth versioning differences have caused challenges
    • i.e. version 3 of the IdP and version 2 of the SP
Royal Roads University
• Newly on-boarded off-premise services:
  • WorldShare Management Services (library system)
  • WebSpace (WPCloud)
  • Lynda.com
  • HRSmart
IDAM - KPU strategies
§ User Experience (UX) driven
§ Minimize security footprint
§ IaaS and SaaS (“cloud-enabled”)
IDAM Struggles
§ Exceptions to calculated roles and definitions (vendors, visiting scholars, recruiters etc.)
§ Single identity, multiple role vs. multiple identity, multiple role service mapping
§ Creative account access workflows
§ Federated identity knowledge barrier to entry
§ Some applications just don’t support single/same sign-on
IDAM Accomplishments
§ Simple architecture: no heavy ETL or staging processes, and no data-processing overhead.
§ Future ready:
  § Directory consolidation
  § SSO onboarding
  § Banner XE
§ In process of onboarding the most popular candidates to SSO (Self-Service, Learning Management System, Navigation Portal, SharePoint, Office 365, etc.)*
Current State
[Diagram: Central Authentication System (CAS), Shibboleth (SAML) and Active Directory Federation Services (ADFS) in front of Office 365, UPASS, UPSwing, Regroup, WordPress and Kaltura]
Future State
[Diagram: Central Authentication System (CAS) – Self Service (OSS), Horizons CSM, Symplicity CSM, Moodle, OneCampus; Shibboleth (SAML) – UPASS, UPSwing, Regroup, Kaltura, WordPress; Active Directory Federation Services (ADFS) – Office 365, DirectAccess, SharePoint, FAST]
High Level Metrics - KPU
Total Applications                          60
Total Applications Off Premise              25%
Supporting SSO (Single and Same Sign-On)    50%
Single Sign-On Implemented                  10%
Same Sign-On Implemented                    80%
Simon Fraser University
• Strategies
  § Be principally a provider of cloud services
  § Use cloud services with maximum value while minimizing risk
  § Single sign-on through CAS
  § Federated identity through CAF
• Struggles
  § Preserving privacy
  § Value proposition of IDAM
• Accomplishments
  § Compute Canada ARC site at SFU
  § SFU Vault
UBC
• IAM as an integrator for ERP renewal (cloud landscape)
• IAM realignment
  • Office of the CIO under the CISO portfolio
• Transitioning from an Infrastructure Dept. with a Security component to a Security Discipline with Infrastructure Responsibilities.
• Heavy lifting into the cloud.
IAM as an integrator for ERP renewal (changing cloud landscape)
[Diagram: Data Governance, Enterprise Integration, IAM, Identity Hub]
IAM Realignment
[Diagram: Business Security Reference Model]
• Security Intelligence & Analytics
• Governance, Risk, Compliance (GRC)
• Advanced Security and Threat Research
• Domains: Infrastructure; Applications & Services; Data; People
• Foundational Security Management: Physical Asset Management; Risk & Compliance Management; Security Policy Management; Command & Control Management; Identity, Access & Entitlement Management; Data & Information Protection Management; Threat & Vulnerability Management; IT Service Management
• Security Services and Infrastructure: Security Info & Event Infrastructure; Identity, Access & Entitlement Infrastructure; Security Policy Infrastructure; Crypto, Key & Certificate Management; Service Management Infrastructure; Storage Security; Host & Endpoint Security; Application Security; Network Security; Physical Security
• Operational Context: Code; Policies; Events & Logs; Identity Attributes; Data Repository & Classification; Security Service Levels; Designs; Config Info & Registry; IT Security Knowledge
• Software, System & Service Assurance
Transitioning from an Infrastructure Dept. with a Security component to a Security Discipline with Infrastructure Responsibilities.
[Diagram: Drastically reduce attack surface; Strengthen controls; Increase analytics capabilities]
Payment Plan on “Technical Debt”
Heavy lifting into the cloud
Integration of Services and Applications
[Diagram: wireless, library, BCIT public website]
Integration of Services and Applications
• Strategies
  o Enhance user experience
  o Simplification and optimization of services
• Struggles
  o Preserving privacy
  o IDAM road map
• Accomplishments
  o Onboarding new services
  o Consolidating services
Questions