
IAM Committee

Meeting Notes

11/12/2018

Attending: Cam Beasley, CW Belcher, Tim Fackler, Ladd Hanson, Ed Horowitz, Trice Humpert, Alison Lee, Ty Lehman, Darin Mattke, Jason Mayhew, Luke McEnery, Mike McIntosh, Chris Owan, Shelley Powers, Dustin Slater.

Absent: Felipe Lee, Steve Rung, Charles Soto. Note: Hatty Bogucki, Cesar de La Garza, and Bernie Sanfeliz were unable to join the meeting remotely due to a problem with the conference bridge that will be addressed for the next meeting.

IAM Team Members Present: Emily Hurt, Marta Lang, Mario Leal, Reece Price, Autumn Shields

1. Introductions (Including phone attendees)

2. Leadership Change (Mario Leal)

ITS Applications has been merged with ITS Systems to form one department. Trice Humpert is leading the combined department. The department will have a new name, to be determined.

3. Multi-Factor Authentication Expansion Update (Mario Leal & Cam Beasley)

Mario: Expansion has been going well. Office 365 and Workday have been added. The team has seen an increase in usage as expected. In September 2017 we had 75,900 multi-factor authentication requests. In September 2018 we had 157,835 requests, more than double the number of requests. When UTLogin v2 rolls out we will be adding new features, including remembered devices.

Cam: Steady growth, with a good spread of students, staff and faculty using Duo. We have seen a good uptick in interest from groups that are using other tools.

Q: Any updates on getting YubiKeys at the campus computer store?

A: We are still working on this, and have been in talks with a vendor that has previous higher-ed experience and has worked with campus computer stores.

4. Project Updates:

a. UTLogin Stability Roadmap Progress (Marta Lang)

Reference: 2 handouts, the status for last month and the transition plan.

Status: The team has completed testing in the TEST environment. We are currently in the middle of testing in the QUAL environment and starting to build the STAGING and PROD environments. QUAL testing includes accessibility, security, and load/stress testing in addition to functional testing. We are assessing a finding from security testing and have a ticket open with the vendor, ForgeRock. We are still on track to complete the Verify QUAL stage in December.

Transition Plan: The team will begin contacting UTLogin v1 customers in December. Customers have been broken down into 5 different transition groups. Groups 1 through 4 are 12 weeks long, each with two 6-week transition windows. We will be asking customers to commit to a specific 6-week window. Each customer will have an individual action plan to outline what needs to be done, by whom, and when. Group 5 is for services that we know are more complicated and need more time, like UT Direct and UTWeb. The team will support transitions from WPA to SAML or a different method as long as it fits within the transition group time period.

The transition plan has a defined, written escalation process for customers that do not meet their transition schedule commitments.

Q: If WPA is still used, will they have to move again at some point?

A: Yes, at some point in the future the customer will have to move off of WPA, but we are not forcing that change for this transition.

Q: Is UT Direct going to transition off WPA?

A: Not sure at this time.

b. IAM Workday Readiness Coordination (Marta Lang)

The Workday cutover playbook is being executed. At this point we have processed everyone from the Workday full employee file and have pushed the data to downstream systems. We have run into some minor issues that will be addressed in upcoming releases.

c. Password Security Improvements (Autumn Shields)

The team rolled out new EID password rules in October. The next step in the process will be to get users who have not changed their passwords since 2015 to change them. The password change process will involve sending users a notification and several reminders before forcing them to change their passwords. The team expects to start the password change campaign in the Spring semester around April. We have started engaging the Service Desk in our planning effort since the password change campaign will impact their call volume. Soon we will also be engaging with the focus group members suggested by IAM Committee members to get their feedback on our plan, and any communications or help documentation that will be needed to support this effort. We expect the first focus group meeting around the first week of December so we will be reaching out to the suggested members of that group soon.

5. IAM Strategic Roadmap (CW Belcher)

Reference handout.

Proposed key directions for Authentication area are:

• Finish stabilization of UTLogin

• Support Expanded MFA use

• Adopt standards-based Web SSO

• Separate Guest (External) and Enterprise (Internal) Web SSO

Proposed key directions for Identity Governance and Administration area are:

• Finish password hash upgrade

• Drive value from authorization management tool – use known implementation patterns to streamline onboarding process and focus on integrations that deliver value more quickly with lower effort/risk/cost using in-house resources

• Modernize identity administration tools – improve end user experience and reduce technical debt

• Model major relationships with identity lifecycles – separate guests from members and affiliates

Q: If we did this approach, let's say people started using their personal email address as their guest ID to apply for a job or to apply to come to school here; when they became an employee or a student they would get an EID and follow that process?

A: Yes

Q: Eventually they would be dropped off the guest list. If they came back they would just have to re-establish; we would not keep them forever?

A: Yes

Q: If you went to school here in 1978 and got an EID when you were a student, you still have that EID when you come to apply for a job today?

A: In the new approach, what would happen is someone could apply as a guest and would not need to know their EID. During the hire process the business area would use an identity match process to locate the existing EID.

Q: So we would quit defining EIDs for people who had no affiliation other than that they applied to be a student or for a job twenty years ago?

A: Yes. The closer a person's affiliation to the university, the more likely we would be to retain some record of them. But if you have only been loosely affiliated as a guest, that record would eventually fade away.

Proposed key direction for Directory Services area is:

• Unify enterprise directory services platform

6. Other Initiatives/Updates

a. IAM Team Staffing (Mario Leal)

We are currently reviewing applications for Lead IT Manager and have an offer in process for the Software Engineer vacancy. Scott Doane, Senior Software Engineer, has resigned. We will be working to get that position posted and start recruiting.

b. Authentication Integrations (Emily Hurt)

The team has not received any new integration requests in the last month. We are still in the Workday maintenance blackout, so the team has been working on existing integration requests and getting them to the point that we are ready to make configuration changes. We will pick those back up once the Workday blackout has lifted.

i. Start (October 1): 19

ii. 0 New: ()

iii. 0 Reopened: ()

iv. 2 Completed: (FBS, MyUT)

v. 6 Cancelled: (JIRA Enterprise, EZProxy-Tarlton, Jenkins, AWS-Project 2021, Equifax ACA, GoSignMeUp)

vi. End (October 31): 11

c. SailPoint Integrations (Autumn Shields)

New SailPoint integrations have been paused while the SailPoint team has been focused on employee data integrations with Workday and UT System. Both the Workday integration and the UT System employee integration went live in the past week. We are now resuming the process for bringing on new integrations. We will be reaching out to resume work with our early adopters and will be in communication with groups that have reached out to request an integration or to find out more about SailPoint.

UTLogin Stability Roadmap

November IAM Committee Report

November 12, 2018 Page 1

UTLogin Stability Roadmap Status

EXECUTIVE SUMMARY

There were no service disruptions to report during the month of October. Efforts are focused on Action 2 of the UTLogin Stability Roadmap.

UTLOGIN ROADMAP STATUS

Action 1: Stabilize Current UTLogin Environment (Complete) - As of June 8, 2017, the IAM team disabled the self-service Realm Policy Agent and put the existing UTLogin environment in a “critical fix only” mode. Efforts will now focus on Action 2.

Action 2: Simplify & Standardize UTLogin Environment (In Progress) - The QUAL environment verifications are in progress, including accessibility, load/stress, and security testing. The configuration of the STAGING and PROD environments is in progress. Transition planning is underway. Customers will be contacted by January 2019 to plan and confirm a transition window. The project status chart reflects status against schedule and budget.

Action 3: Measure & Report Progress (Ongoing) - KPIs have been identified and are being published on a weekly basis (See: http://iamservices.utexas.edu/projects/utlogin-stability-report/). Monthly status updates will be provided outlining incidents, KPIs, and project status.

IAM Project - UTLogin Stability Roadmap (Schedule columns are dates; Budget columns are in hours)

| Project | Planned Start | Actual Start | Planned Finish | Projected Finish | Actual Finish | Status against Schedule | BUDGET (Budgeted Work) | ACTUAL (Actual Work) | ETC (Remaining Work) | EAC (ACT + ETC) | VAC (BUDGET - EAC) | Status against Budget |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Simplify and Standardize - Verify TEST Environment | 4/9/2018 | 4/9/2018 | 8/24/2018 | 10/12/2018 | 10/12/2018 | Complete | 1338 | 1518 | 0 | 1518 | -180 | Complete |
| Simplify and Standardize - Build QUAL Environment | 6/11/2018 | 6/11/2018 | 8/24/2018 | 10/12/2018 | 10/19/2018 | Complete | 376 | 389 | 0 | 389 | -13 | Complete |
| Simplify and Standardize - Verify QUAL Environment | 10/15/2018 | 10/15/2018 | 12/7/2018 | 12/7/2018 | | 0.0% | 560 | 168 | 392 | 560 | 0 | 0.0% |
| Simplify and Standardize - Build STAGING & PROD Environments | 9/24/2018 | 9/24/2018 | 12/21/2018 | 12/21/2018 | | 0.0% | 432 | 8 | 424 | 432 | 0 | 0.0% |
| Simplify and Standardize - Create and verify ID Store | 10/1/2018 | 10/1/2018 | 1/25/2019 | 1/25/2019 | | 0.0% | 456 | 135 | 337 | 472 | -16 | -3.5% |
| Deployment & Transition - Plan Transition to UTLogin v2 | 10/1/2018 | 10/1/2018 | 2/15/2019 | 2/15/2019 | | 0.0% | 650 | 121 | 529 | 650 | 0 | 0.0% |

Status Against Schedule legend: task complete, or ahead, or on schedule; task more than 10% but less than 20% behind schedule; task greater than 20% behind schedule.

Status Against Budget legend: task complete, or below, or on budget; task over budget by less than 20%; task over budget by greater than 20%.


UTLOGIN AVAILABILITY

This graph represents UTLogin’s overall availability since July 12, 2018 along with UTLogin’s published SLO of 99.42%. This data shows that since UTLogin was put into critical/fix only mode on June 8, 2017, the number of service disruptions has decreased. There were no service disruptions to report during the month of October. A full list of ITS incidents can be found at: https://wikis.utexas.edu/display/itsincidents/ITS+Incident+Reports. Historical data and other Key Performance Indicators (KPIs) which reflect the stability of UTLogin are published every Friday. The weekly report is viewable here: https://iamservices.utexas.edu/projects/utlogin-stability-report/.

UTLOGIN V2 TRANSITION PLAN

10/19/2018 1

EXECUTIVE SUMMARY

UTLogin system components will be upgraded to current and well-supported versions as part of the UTLogin Stability Project. When the Production release of UTLogin v2 occurs in Spring 2019, current UTLogin v1 customers will begin transitioning their applications and systems to UTLogin v2. At the end of the transition, UTLogin v1 will be retired.

TRANSITION SCOPE AND SCHEDULE

The primary focus of this effort is to move all systems, applications, and integrations from UTLogin v1 to v2 with minimal impact to users and customers. This effort will involve:

• 46 customer groups (grouped by school/department/unit) with a total of 816 WPA/SAML integrations

• Five (5) transition groups with an average of 163 integrations per group. Customers will be grouped by college, department, and/or school. Transition Group 5 contains customers and applications with complex dependencies and/or high-risk integrations that require deeper planning and simultaneous transition. As a result, this group is structured differently and runs concurrently with the other transition groups.

• Each transition group will last 12 weeks and will consist of two 6-week transition windows

• Customer transition will last 17 months (February 2019 – June 2020)

If customers want to convert an integration from one authentication type to another (i.e., WPA to SAML), the project team will work with customers to determine if the request is feasible within the planned transition window. If it’s not, then the customer will transition with the current configurations and schedule the conversion at a later date.

CUSTOMER TRANSITION SUPPORT

The UTLogin team will provide resources to support each customer migration, including policy conversion and setup, debugging, testing, and support. Customers will be asked to commit resources and availability during their transition window. The following tools will help manage the customer transition:

• Action Plans – The project team will work with each customer to identify the tasks needed to transition a customer's integration(s) from v1 to v2 using action plan templates, including resources and timeframes. Each action plan will be customized as needed, but is expected to last six (6) weeks.

• Customer Support documentation – The project team will create and publish customer support documentation within ServiceNow (e.g., system requirements, installation instructions, testing checklists, FAQs).

• Escalation Process – Each action plan will include three checkpoints, which the project team will use to monitor a customer’s progress. The team will send reminder communications as each checkpoint/deadline approaches. If a customer fails to meet a checkpoint, the UTLogin Transition Manager will activate the escalation process:

Transition timeline (figure, February 2019 – June 2020):

• Transition Group 1: Feb 2019 – May 2019

• Transition Group 2: May 2019 – Sep 2019

• Transition Group 3: Sep 2019 – Dec 2019

• Transition Group 4: Jan 2020 – Apr 2020

• Transition Group 5: May 2019 – Jan 2020 (runs concurrently with the other groups)

• Contingency: Apr 2020 – Jun 2020


1. 1st Escalation – Notify the customer and their IT Manager and ask customer to complete tasks immediately. The project team will work with the customer to adjust the timelines within the customer action plan, but will keep the original completion date within the transition window.

2. 2nd Escalation – If checkpoint tasks are not completed within 1 week after the 1st escalation - notify customer, IT Manager, department Tech Dean or director, ITS Systems/Applications Director, and ISO. The project team will also work with the customer and their IT manager to adjust the timeline of the customer action plan.

3. 3rd Escalation – If checkpoint tasks are not completed within 1 week after the 2nd escalation - Notify customer, IT Manager, department Tech Dean or director, ITS Systems/Applications Director, ISO, and CIO. The project team will schedule a meeting with the customer to create an updated customer action plan that must be reviewed and approved by above listed leadership.

4. If no progress has been made within two weeks after the 3rd escalation, UTLogin access will be blocked for the customer’s applications and systems.

• Exception Process – If a customer wants to change their assigned transition group or window, they can submit an exception request using the existing ISO Exception Process. ISO and the UTLogin team will evaluate the exception request. Customers can only be granted one exception during the project. Any additional exception requests will require review and approval by the ITS Systems/Applications Director, ISO, and the CIO.

REPORTING

The UTLogin monthly status report will provide status updates on the customer transition progress. These updates will include a graph displaying the progress of successful migrations and highlight at risk customers.

RISKS

• Unexpected issues with converting existing integrations to the upgraded version of UTLogin.

• Internal resource constraints, competing priorities, and new integration requests may limit the availability of UTLogin technical resources for troubleshooting during customer transition.

• The current supported WPA version (5.5) requires Apache 2.4. The upgrade from Apache 2.2 to 2.4 can be complex and could cause delays.

• Issues requiring vendor assistance and escalation (i.e., engaging ForgeRock) could impact the transition timeline.

• Managing a large number of communications and transition schedules will be a logistical challenge and could lead to customer frustration.

• Issues during transition cutovers could potentially create outages for individual customers.

• Customer resource constraints may delay or extend planned transition windows.

PASSWORD SECURITY IMPROVEMENT PROJECT

11/12/2018 1

EXECUTIVE SUMMARY

The Password Security Improvement project includes the implementation of new person EID password rules, the retirement of legacy password hashes, and the transition to newer, more secure hashes. Changes to the person EID password rules were rolled out in October 2018. The next step in the password hash retirement effort is an EID password change campaign. All EID holders who have not changed their passwords since November 2015 will be required to do so in phases grouped by affiliation. This password change effort is required to enable the upgrade to more secure password hash technology.

SCOPE AND SCHEDULE

The IAM team will apply a password change process to all EID holders who have not changed their passwords since November 2015. Over the course of three weeks, impacted EID holders will receive multiple notifications, including an initial notification, two reminders, and a final notice to alert the EID holder that they must change their password before they are able to log in again. The EID holder will be able to change their password at any time during the password change process. Once their password has been changed, the EID holder will stop receiving notifications.

In order to apply the password change process, EID holders will be grouped into eight (8) groups: ITS staff, current staff, current faculty, current students, official visitor, retiree, other affiliate class, and guest class. The password change process will be executed daily, in a rolling fashion to minimize the impact to Service Desk resources. The size of the daily group will vary based on the population. If unexpected issues arise, the IAM team will adjust the number of EID holders impacted daily.

The schedule is being finalized with input from Service Desk staff, stakeholders, and the focus group. The project team expects that the password change process could start in late spring and finish in the fall of 2019.

CUSTOMER SUPPORT

The following tools will be used to help facilitate the password change process:

• Focus group – the IAM team will work with a group of stakeholders, Service Desk staff, and other IT support staff to understand the best timing, support needs, and communications for each group.

• Communications – the password change process will include notifications that alert EID holders to change their passwords. Based on focus group feedback, additional communications may be developed to notify EID holders before the password change process.

• Customer Support documentation – The project team will create and publish customer support documentation within ServiceNow.

RISKS

• The volume of EID holder support requests exceeds the Service Desk’s capacity, impacting the transition timeline.

• EID holders are confused by the password change request or are wary of the messaging (e.g. phishing concerns), which would impact the volume of requests to the Service Desk.

• Unexpected technical issues occur within or during the password change process.

• Password hash security is exploited and password change processes have to be accelerated.

• Internal resource constraints and competing priorities could impact the timeline.

IAM ROADMAP RENEWAL 2018

IAM Committee 11/12/2018

IAM Roadmap Planning Timeline

• May: Brainstorm problems & needs

• June: Review problems & needs

• July: Review objectives & prioritize

• August: Review proposed initiatives; estimate value v. effort

• September-November: Draft & review roadmap

• December: Finalize updated roadmap

• Quarterly: Check progress and adjust roadmap

Key Roadmap Directions

• Authentication

• Identity Governance & Administration (IGA)

• Directory Services


Authentication Key Directions

• Finish stabilization of UTLogin

• Support expanded MFA use

• Adopt standards-based Web SSO

• Separate Guest & Enterprise Web SSO


Authentication: Finish Stabilization of UTLogin

• Deploy UTLogin v2 to Production

• Migrate UTLogin v1 customers to v2

• Retire UTLogin v1


Authentication: Support Expanded MFA Use

• Deploy MFA enhancements (e.g., 30-day sessions) to UTLogin

• Implement requirement for MFA for Web SSO for all current students, faculty & staff


Authentication: Adopt Standards-Based Web SSO

• Transition UTLogin WPA users to SAML or OAuth/OIDC

• Implement proxy solution if needed


Authentication: Separate Guest & Enterprise Web SSO

• Deploy Guest Authentication, including BYOId

– Early adopters → Basic svc → Enhanced svc

– Migrate Guest-focused applications to Guest AuthN

• Leverage ADFS + Shib for Enterprise AuthN

– Build on current cloud-resilient ADFS solution

– Migrate Member/Affiliate applications to Enterprise AuthN

Identity Governance & Administration Key Directions

• Finish password hash upgrade

• Drive value from authorization mgmt tool

• Modernize identity administration tools

• Model major relationships with identity lifecycles – separate Guests from Mem/Aff


Identity Governance & Administration: Finish Password Hash Upgrade

• Complete password change campaign

• Switch UTLogin, Shib, TED & FI/ST mainframe authentication to new hash

• Retire old hashes and purge hash history


Identity Governance & Administration: Drive Value from Authorization Mgmt Tool

• Use known implementation patterns to streamline onboarding process

– Prioritize use cases that match implementation patterns

– Defer use cases that require heavy customization

• Train and leverage in-house resources, use consultants only sparingly

Identity Governance & Administration: Drive Value from Authorization Mgmt Tool

Use 4-stage model to realize value from onboarding efforts more quickly:

Adapted from Gartner IGA Best Practices research note G00316251

• Monitoring

– Correlate accounts (Who has access to what?)

– Find and remediate orphan accounts

– Tie account lifecycles to identity lifecycles

• Administration

– Clean up accumulated access

– Define resource roles (groups of entitlements)

– Support access requests for entitlements

• Governance

– Support access requests with approval workflows

– Define people roles

– Support access review campaigns (formalize access cleanup)

– Support separation of duties controls

• Provisioning

– Replace manual fulfillment with automated fulfillment

The stages run from Lower Risk & Complexity / Faster Value (Monitoring) to Higher Risk & Complexity / Slower Value (Provisioning).

Identity Governance & Administration: Drive Value from Authorization Mgmt Tool

Use 2-layer role management framework to maintain loose coupling between people roles and resource roles:

Adapted from Gartner IGA Best Practices research note G00293794

• People Layer – People roles are organized by relationship, CSU, authority level, job function, project, etc.

• Resource Layer – Resource roles are collections of entitlements/authorizations that make it easier to assign them

• Can have “bands” within the people roles and resource roles to support hierarchies and inheritance
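The 2-layer framework above, worked through as an added Python example (not code from the roadmap or from any IGA product): people roles and resource roles are kept as separate band hierarchies that meet only in a binding table, a person's effective entitlements are resolved through both layers with inheritance, and the monitoring-stage question "who has access to what?" is answered from the same model. The role and entitlement names in `build_sample` are constructed sample data, not UT's actual roles.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass
class RoleNode:
    name: str
    parent: Optional[str] = None                 # the band this role inherits from
    entitlements: FrozenSet[str] = frozenset()   # populated in the resource layer only


class TwoLayerRoleModel:
    def __init__(self) -> None:
        self.people: Dict[str, RoleNode] = {}        # people layer
        self.resources: Dict[str, RoleNode] = {}     # resource layer
        self.bindings: Dict[str, Set[str]] = {}      # people role -> resource roles (the only join)
        self.assignments: Dict[str, Set[str]] = {}   # person -> people roles

    def add_people_role(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.people:
            raise KeyError(f"unknown people band {parent!r}")
        self.people[name] = RoleNode(name, parent)

    def add_resource_role(self, name: str, entitlements: Iterable[str],
                          parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.resources:
            raise KeyError(f"unknown resource band {parent!r}")
        self.resources[name] = RoleNode(name, parent, frozenset(entitlements))

    def bind(self, people_role: str, resource_role: str) -> None:
        if people_role not in self.people or resource_role not in self.resources:
            raise KeyError("binding refers to an undefined role")
        self.bindings.setdefault(people_role, set()).add(resource_role)

    def assign(self, person: str, people_role: str) -> None:
        if people_role not in self.people:
            raise KeyError(f"unknown people role {people_role!r}")
        self.assignments.setdefault(person, set()).add(people_role)

    @staticmethod
    def _band_chain(layer: Dict[str, RoleNode], name: Optional[str]) -> List[str]:
        # Walk a role up through its ancestor bands; refuse cyclic hierarchies.
        chain: List[str] = []
        while name is not None:
            if name in chain:
                raise ValueError(f"cycle in band hierarchy at {name!r}")
            chain.append(name)
            name = layer[name].parent
        return chain

    def entitlements_for(self, person: str) -> FrozenSet[str]:
        # person -> people roles (+ bands) -> bound resource roles (+ bands) -> entitlements
        ents: Set[str] = set()
        for people_role in self.assignments.get(person, set()):
            for people_band in self._band_chain(self.people, people_role):
                for resource_role in self.bindings.get(people_band, set()):
                    for resource_band in self._band_chain(self.resources, resource_role):
                        ents |= self.resources[resource_band].entitlements
        return frozenset(ents)

    def who_has(self, entitlement: str) -> Set[str]:
        # The monitoring-stage question from the 4-stage model: who has access to what?
        return {p for p in self.assignments if entitlement in self.entitlements_for(p)}


def build_sample() -> TwoLayerRoleModel:
    # Constructed sample data; role and entitlement names are hypothetical.
    m = TwoLayerRoleModel()
    m.add_people_role("member")                        # top band of the people layer
    m.add_people_role("staff", parent="member")
    m.add_people_role("staff:its", parent="staff")
    m.add_people_role("guest")                         # no bindings -> no entitlements
    m.add_resource_role("wiki-read", {"wiki:read"})
    m.add_resource_role("wiki-edit", {"wiki:edit"}, parent="wiki-read")
    m.add_resource_role("vpn", {"vpn:connect"})
    m.bind("member", "wiki-read")                      # every member can read the wiki
    m.bind("staff", "vpn")
    m.bind("staff:its", "wiki-edit")
    m.assign("alice", "staff:its")
    m.assign("bob", "staff")
    m.assign("carol", "guest")
    return m
```

Because the layers meet only in `bindings`, redefining a resource role (say, adding an entitlement to `vpn`) changes what staff can do without touching a single person assignment, which is the loose coupling the slide is after.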

Identity Governance & Administration: Modernize Identity Administration Tools

• Improve password management user experience

• Enable applications to subscribe to notifications of identity data changes

• Reduce technical debt:

– Replace aging custom identity data provisioning interfaces

– Deploy enterprise identifier management micro-service

– Implement modern identity registry (internal & external identities)

Identity Governance & Administration: Model Relationships with Identity Lifecycles

• Define identity perimeters for Guest and Member/Affiliate relationships

• Model relationships as roles controlled by identity lifecycles:

– Authoritative source (employee, student, etc.)

– Sponsorship & expiration (sponsored affiliates)

– Self-registration (guests)

Adapted from Gartner IGA Best Practices research note G00271345

Identity Governance & Administration: Model Relationships with Identity Lifecycles

Figure (identity lifecycle states by relationship):

• Guests – External Identity Registry, Guest Authentication / BYOId; entry via Self-registration; states: Creation, Active, Skeleton, Oblivion

• Members/Affiliates – Internal Identity Registry, UT EID Authentication; entry via Authoritative system or sponsorship; states: Creation, Active, Grace, Limbo

Directory Services Key Directions

• Unify enterprise directory services platform


Directory Services: Unify Enterprise Directory Services Platform

• Design unified service that addresses use cases of Austin AD and TED and leverages cloud for resilience

• Deploy unified enterprise directory service

• Transition from existing directory services


Next Steps

• Review key directions with stakeholders

• Establish priorities

• Define deliverables for next 2 quarters
