An IAM Framework for Australian and New Zealand Higher Education and Research May 2009
An Identity and Access Management
Framework for Australian and New
Zealand Higher Education and
Research
Rodney McDuff and Patricia McMillan
The University of Queensland
EDUCAUSE AUSTRALASIA, PERTH, 6 MAY 2009
CONTENTS
Background
What are we doing?
An introduction to the IAM framework
How you can participate
Wiki, discussion list, blog
SOME THOUGHTS ON IDENTITY
BACKGROUND
An initiative of the CAUDIT Standing
Committee on Technical Standards
Grew out of the MAPS Project
(Middleware Action Plan & Strategy)
WHY IDENTITY AND ACCESS MANAGEMENT?
IAM ranks among the most important
issues facing CIOs and IT Directors on
CAUDIT and EDUCAUSE annual
surveys.
WHAT ARE WE BUILDING?
An online compendium of IAM resources
A wiki designed to grow through community
contributions
Information providing the benefit of the
community's prior experiences
A common language and shared vision
A framework for prioritising actions
WHAT THE COMPENDIUM CONTAINS
Business case for IAM
Glossary
Framework for the spectrum of IAM
processes
Advice – evaluating technologies;
federating with other organisations
A set of resources
SOME THOUGHTS ON IDENTITY
The real meditation is the meditation
on one’s identity. You try it. You try
finding out why you’re you and not
somebody else. And who in the blazes
are you anyhow?
• Ezra Pound, US poet, 1885-1972
What is the Identity and Access Management Lifecycle?
• A sequence of orchestrated business
processes
– Performed by many actors
– Governed by some set of policies
– Implemented using some array of
technologies
• All so that an individual can gain authorized
access to some set of resources
What is the Identity and Access Management Lifecycle?
• Prior to this point:
– Many processes have been performed by many actors
– Most individuals and relying parties are not familiar with these actors
or their roles
– Some of these actors may not understand their own roles
– And how they fit into the bigger IAM picture.
• Need a way to allow interested parties to understand the bigger picture
• Need an IAM framework to illuminate:
– Relationships across the spectrum of business processes
– Governing policies
– Technologies
– Actors and their roles
• Need a maturity model to:
– define what improved IAM means for your organisation
– prioritise actions.
AN INTRODUCTION TO THE FRAMEWORK
• The CTSC IAM framework is based on a logical timeline of
significant processes in the life-cycle of an IAM event
• 6 classes of IAM processes
• To help classify and simplify IAM ideas and concepts
Governance and Policy
• IAM Governance is the management, control, and orchestration of
IAM business processes guided by
– The policies & business requirements of the organisation.
– The policies & business requirements of Trust Federations.
– Local, national and (possibly) international legislation.
• Answers such questions as:
– How are the enterprise's IAM business requirements to be achieved?
– How may the enterprise's policies constrain or shape this achievement?
– Who within the enterprise is responsible for the various IAM processes and
sub-processes?
– When are these processes enacted?
• IAM Governance also needs to benchmark itself
– so that it may evolve and mature to meet the IAM requirements of the
enterprise.
• IAM Governance is the most important of the six classes.
– Unfortunately it is usually the most neglected.
Identification and Credentialing
• The “digital identity” of an entity is at the crux of IAM.
– It is also a complex entity in itself.
• A “digital identity”* consists of a set of claims made by one “digital
subject” about itself or another “digital subject”.
• A “digital subject” is a person or thing represented or existing in the
digital realm which is being described or dealt with.
• A “subject” is the central substance or core of a thing as opposed to
its attributes.
• It is this “subject” that needs to be identified.
• Once identified:
– Sets of claims and attributes can be accrued and pinned to it.
– Credentials can be issued to it
– Proving the binding between the “subject” and its “digital identity” to some
level of assurance.
*Kim Cameron's Laws of Identity <http://www.identityblog.com/?p=354>
Attribute Aggregation
• As soon as a subject is identified it can start to accrue
attributes.
– Usually the subject's personal details come first:
– first-name, surname, gender, …
– Enterprise attributes soon follow.
• Attributes are stored in an information store called a System of
Record (SOR)
– An enterprise may have several SORs.
– HR, SIS, Library, PABX, …
– Digital Identity is inevitably scattered across a number of
SORs.
• To combat this, a system such as a metadirectory or virtual
directory can be deployed to construct a consolidated view
of the shattered digital identities.
Authentication and Assertions
• Authentication is the act of proving possession and control of the
authentication credentials
– Used to assure the identity of an end entity to a relying party.
– Also binds the subject to its digital identity for the duration of the
transaction.
• Authentication is based on the familiar three-factor metaphor:
– Something you know -- a secret, such as a password or PIN.
– Something you have -- such as a physical token.
– Something you are -- a biometric evaluation.
• Many authN technologies
– Each has pros & cons in protecting against attacks.
– The enterprise must choose appropriate technologies based on:
– Risk assessment of erroneous access to a particular resource.
– Ease of use of the technology to individuals.
• When a subject authenticates, an assertion is normally constructed.
– May range from a simple “OK” response …
– To a digitally signed SAML assertion.
Transport
• Once an assertion has been constructed it must be transported to the
relying party so it can consume it.
– Possibly to make an informed authorisation decision
• However it is quite possible that during its transport:
– Assertion may be tampered with.
– Its content revealed to unauthorised parties.
• Relying parties need to understand the LoA provided by the transport
mechanism
– Understand the risks associated with consuming the assertion.
• In some cases this transport is trivial and the LoA may be high.
– Eg. Assertion generator and consumer on same server.
• In other cases it may not be so high
– Eg. Transport of assertion over network.
– RP may need to consider the assertion's security, confidentiality,
and integrity.
Relying Parties and Resources
• Once an assertion has been transported to a relying
party, it must process it according to:
– The information contained within (or implied by) the
assertion based on a shared semantic understanding
of the attributes and claims within.
– The ability to verify the truth of the assertion based on
the understanding of the IAM business
processes, policies and technologies that led to its
construction and their LoA which manifests
trustworthiness.
– Its own business plan, processes, risk analysis and
requirements as well as its obligation, if any, to other
parties such as actors in the IAM process.
• Relying parties shoulder most of the risk burden in IAM
transactions.
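How a relying party might apply the checks described on the Authentication and Assertions, Transport and Relying Parties slides, as an added example that is not part of the CAUDIT deck: a small JSON structure stands in for the SAML assertion and an HMAC-SHA256 tag under a key shared by the assertion generator and the relying party stands in for the XML digital signature (both are assumptions made so the example runs on the Python standard library alone); the key, host names and attribute values are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the assertion generator (IdP) and the relying
# party. It stands in for the IdP's signing key; a real SAML deployment would
# use a key pair and an XML digital signature instead (assumption).
DEMO_KEY = b"constructed-demo-key-do-not-use"


def canonical(assertion):
    """Deterministic serialisation so generator and consumer tag/verify the same bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(key, issuer, subject, audience, attributes, loa, now=None, lifetime=300):
    """Assertion generator side: build the assertion after authentication and tag it."""
    now = int(time.time() if now is None else now)
    assertion = {
        "issuer": issuer,              # who is vouching for the subject
        "subject": subject,            # the identified digital subject
        "audience": audience,          # the relying party this is intended for
        "issue_instant": now,
        "not_on_or_after": now + lifetime,
        "loa": loa,                    # level of assurance of the authentication
        "attributes": attributes,      # claims accrued to the subject
    }
    tag = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "sig": tag}


def tampered_copy(token, attribute, value):
    """Model an in-transit modification: change one attribute, leave the tag untouched."""
    clone = json.loads(json.dumps(token))
    clone["assertion"]["attributes"][attribute] = value
    return clone


def verify_assertion(key, token, expected_audience, required_loa, now=None):
    """Relying party side. Returns (accepted, reason). Checks run in the order a
    consumer should apply them: integrity first, then audience, the validity
    window, and finally whether the LoA meets the resource's risk assessment."""
    now = time.time() if now is None else now
    assertion = token.get("assertion")
    if not isinstance(assertion, dict):
        return False, "malformed token"
    expected = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check itself does not leak timing.
    if not hmac.compare_digest(expected, str(token.get("sig", ""))):
        return False, "signature mismatch"
    if assertion.get("audience") != expected_audience:
        return False, "audience mismatch"
    if now >= assertion.get("not_on_or_after", 0):
        return False, "assertion expired"
    if now < assertion.get("issue_instant", 0):
        return False, "assertion not yet valid"
    loa = assertion.get("loa", 0)
    if loa < required_loa:
        return False, f"loa {loa} below required {required_loa}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample exchange: IdP issues, RP consumes, then a tampered copy.
    token = issue_assertion(DEMO_KEY, "idp.example.edu", "jdoe", "sp.example.edu",
                            {"affiliation": "staff"}, loa=2)
    print(verify_assertion(DEMO_KEY, token, "sp.example.edu", required_loa=2))
    forged = tampered_copy(token, "affiliation", "admin")
    print(verify_assertion(DEMO_KEY, forged, "sp.example.edu", required_loa=2))
```

The audience and validity-window checks are what stop an assertion issued for one relying party, or captured earlier, from being consumed elsewhere even when its tag is intact.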
Identity and Access Management Compendium
• Organised into 6 volumes in line with the 6 classes
• Each volume explains how that aspect of IAM fits into the
framework
• Addresses issues such as
– Policy considerations
– Risk assessment, risk management and LoAs
– Relevant standards
– Evaluating technology solutions
– Maturity model
– Federating with other organisations
– Communication and education
– Resources for further information
WHAT YOU CAN CONTRIBUTE
Case studies on IAM within your organisation,
whether these deal with business, process,
policy, or technology aspects;
Policy considerations and risk management
related to IAM;
Good IAM processes and practices extending
to all parts of an enterprise;
How to evaluate technology solutions;
Pointers to useful resources on IAM;
Comments and feedback as sections are
added.
HOW TO CONTRIBUTE
https://wiki.caudit.edu.au/confluence/dashboard.action
Email patricia.mcmillan@uq.edu.au to
be added to the mailing list and wiki.
Regular blog entries will pose issues
and questions to keep the discussion
going.
SOME THOUGHTS ON IDENTITY
Americans may have no identity, but
they do have wonderful teeth.
• Jean Baudrillard, French semiologist
CAUDIT IAM Framework_v1.1

  • 1. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 An Identity and Access Management Framework for Australian and New Zealand Higher Education and Research Rodney McDuff and Patricia McMillan The University of Queensland EDUCAUSE AUSTRALASIA, PERTH, 6 MAY 2009
  • 2. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 CONTENTS Background What are we doing? An introduction to the IAM framework How you can participate Wiki, discussion list, blog
  • 3. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 SOME THOUGHTS ON IDENTITY
  • 4. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 BACKGROUND An initiative of the CAUDIT Standing Committee on Technical Standards Grew out of the MAPS Project (Middleware Action Plan & Strategy)
  • 5. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 WHY IDENTITY AND ACCESS MANAGEMENT? IAM ranks among the most important issues facing CIOs and IT Directors on CAUDIT and EDUCAUSE annual surveys.
  • 6. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 WHAT ARE WE BUILDING? An online compendium of IAM resources A wiki designed to grow through community contributions Information providing the benefit of the community's prior experiences A common language and shared vision A framework for prioritising actions
  • 7. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 WHAT THE COMPENDIUM CONTAINS Business case for IAM Glossary Framework for the spectrum of IAM processes Advice – evaluating technologies; federating with other organisations A set of resources
  • 8. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 SOME THOUGHTS ON IDENTITY The real meditation is the meditation on one’s identity. You try it. You try finding out why you’re you and not somebody else. And who in the blazes are you anyhow? • Ezra Pound, US poet, 1885-1972
  • 9. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 Identity and Access Management Lifecycle is? • A sequence of orchestrated business processes – Performed by many actors – Governed by some set of policies – Implemented using some array of technologies • All so that an individual can gain authorized access to some set of resources
  • 10. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 Identity and Access Management Lifecycle is? • Prior to this point…. – Many processes have been performed by many actors – Most individuals and relying parties are not familiar with these actors or their roles – Some of these actors may not understand their own roles – And how they fit into the bigger IAM picture. • Need a way to allow interested parties to understand the bigger picture • Need an IAM framework to illuminate: – Relationships across the spectrum of business processes – Governing policies, – Technologies – Actors and their roles • Need a maturity model to: – define what improved IAM means for your organisation – prioritise actions.
  • 11. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 AN INTRODUCTION TO THE FRAMEWORK • The CTSC IAM framework is based on a logical timeline of significant processes in the life-cycle of an IAM event • 6 classes of IAM processes • To help classify and simplify IAM ideas and concepts
  • 12. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 Governance and Policy • IAM Governance is the management, control, and orchestration of IAM business processes guided by – The policies & business requirements of the organisation. – The policies & business requirements of Trust Federations. – Local, national and (possibly) international legislation. • Answers such questions as: – How are the enterprise's IAM business requirements to be achieved? – How may the enterprise's policies constrain or shape this achievement? – Who within the enterprise is responsible for the various IAM processes and sub-processes? – When are these processes enacted? • IAM Governance also needs to benchmark itself – so that it may evolve and mature to meet the IAM requirements of the enterprise. • IAM Governance is the most important of the six classes. – Unfortunately its usually the most neglected.
  • 13. An IAM Framework for Australian and New Zealand Higher Education and Research May 2009 Identification and Credentialing • The “digital identity” of an entity is at the crux of IAM. – Its is also a complex entity in itself. • A “digital identity”* consists a set of claims made by one “digital subject” about itself or another “digital subject“ • A “digital subject” is a person or thing represented or existing in the digital realm which is being described or dealt with". • A “subject” is the central substance or core of a thing as opposed to its attributes. • It is this “subject” that needs to be identified. • Once identified: – Sets of claims and attributes can be accrued and pinned to it. – Credentials can be issued to it – To proving the binding “subject” and its “digital identity” to some level of assurance. *Kim Cameron's Laws of Identity <http://www.identityblog.com/?p=354>
• 14. Attribute Aggregation
• As soon as a subject is identified it can start to accrue attributes.
  – Usually the subject's personal details come first: first name, surname, gender, …
  – Enterprise attributes soon follow.
• Attributes are stored in an information store called a System of Record (SOR).
  – An enterprise may have several SORs: HR, SIS, Library, PABX, …
  – A digital identity is inevitably scattered across a number of SORs.
• To combat this, a metadirectory or virtual directory can be deployed to construct a consolidated view of the fragmented digital identities.
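An added example (not from the framework or the presentation) of the consolidated view a metadirectory or virtual directory builds over several SORs: three constructed SORs (HR, SIS, Library) keyed by a hypothetical enterprise subject identifier, a hypothetical per-attribute precedence policy, detection of attributes on which the SORs disagree, and an orphan check for subjects that no identity-authoritative SOR vouches for.

```python
# Constructed sample Systems of Record (SORs), each keyed by a hypothetical
# enterprise subject identifier. The same person (s1234567) appears in all
# three, with an inconsistency in the given name between HR and SIS.
HR = {"s1234567": {"given_name": "Alex", "surname": "Ng", "role": "staff",
                   "department": "Library"}}
SIS = {"s1234567": {"given_name": "Alexander", "surname": "Ng", "role": "student",
                    "program": "MIT"},
       "s7654321": {"given_name": "Sam", "surname": "Lee", "role": "student"}}
LIBRARY = {"s1234567": {"barcode": "LIB-0001"},
           "s9999999": {"barcode": "LIB-0002"}}   # no HR or SIS record at all
SORS = {"HR": HR, "SIS": SIS, "LIBRARY": LIBRARY}

# Hypothetical precedence policy: for each attribute, which SORs are
# authoritative, most authoritative first. Only HR and SIS can vouch for
# a subject's existence; a Library-only record is treated as an orphan.
AUTHORITY = {"given_name": ["HR", "SIS"], "surname": ["HR", "SIS"],
             "department": ["HR"], "program": ["SIS"], "barcode": ["LIBRARY"]}
IDENTITY_SOURCES = ("HR", "SIS")

def consolidate(subject_id):
    """Build the consolidated view of one digital identity across all SORs."""
    present = {name: sor[subject_id] for name, sor in SORS.items() if subject_id in sor}
    view = {"subject": subject_id, "sources": sorted(present), "conflicts": [],
            # role is multi-valued: a person may be both staff and student
            "affiliations": sorted({r["role"] for r in present.values() if "role" in r}),
            "orphan": not any(name in present for name in IDENTITY_SOURCES)}
    for attr, order in AUTHORITY.items():
        # candidate values in precedence order; dict keeps insertion order
        values = {n: present[n][attr] for n in order if n in present and attr in present[n]}
        if not values:
            continue
        view[attr] = next(iter(values.values()))       # most authoritative wins
        if len(set(values.values())) > 1:              # SORs disagree: flag it
            view["conflicts"].append((attr, values))
    return view

def consolidate_all():
    """Consolidated views for every subject known to any SOR."""
    ids = sorted(set().union(*(sor.keys() for sor in SORS.values())))
    return {sid: consolidate(sid) for sid in ids}
```

The conflict and orphan flags are the parts worth acting on: a conflict means two SORs disagree about the same person, and an orphan is an account with no authoritative identity behind it.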
• 15. Authentication and Assertions
• Authentication is the act of proving possession and control of the authentication credentials.
  – Used to assure the identity of an end entity to a relying party.
  – Also binds the subject to its digital identity for the duration of the transaction.
• Authentication is based on the familiar 3-factor metaphor:
  – Something you know -- a secret, such as a password or PIN.
  – Something you have -- such as a physical token.
  – Something you are -- a biometric evaluation.
• Many authN technologies
  – Each has pros and cons in protecting against attacks.
  – The enterprise must choose appropriate technologies based on:
    – A risk assessment of erroneous access to a particular resource.
    – Ease of use of the technology for individuals.
• When a subject authenticates, an assertion is normally constructed.
  – May range from a simple “OK” response, …
  – To a digitally signed SAML assertion.
• 16. Transport
• Once an assertion has been constructed it must be transported to the relying party so it can consume it.
  – Possibly to make an informed authorisation decision.
• However, it is quite possible that during its transport:
  – The assertion may be tampered with.
  – Its content may be revealed to unauthorised parties.
• Relying parties need to understand the LoA (level of assurance) provided by the transport mechanism.
  – Understand the risks associated with consuming the assertion.
• In some cases this transport is trivial and the LoA may be high.
  – E.g. assertion generator and consumer on the same server.
• In other cases it may not be so high.
  – E.g. transport of the assertion over a network.
  – The RP may need to consider the assertion's security, confidentiality, and integrity.
• 17. Relying Parties and Resources
• Once an assertion has been transported to a relying party it must process it according to:
  – The information contained within (or implied by) the assertion, based on a shared semantic understanding of the attributes and claims within.
  – The ability to verify the truth of the assertion, based on the understanding of the IAM business processes, policies and technologies that led to its construction and their LoA, which manifests trustworthiness.
  – Its own business plan, processes, risk analysis and requirements, as well as its obligation, if any, to other parties such as actors in the IAM process.
• Relying parties shoulder most of the risk burden in IAM transactions.
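An added example (not part of the CTSC framework or the presentation) of the checks a relying party can make on a received assertion, covering the transport risks on the previous slide (tampering, validity) and the relying-party processing on this one. It uses an HMAC-signed JSON assertion as a simplified stand-in for a digitally signed SAML assertion; the shared key, issuer name, audience, resource names and per-resource minimum LoA values are all constructed for the demonstration.

```python
import hashlib, hmac, json

# Constructed for the demonstration: the key shared by the assertion generator
# and relying party, the issuers this relying party trusts, and the minimum LoA
# its risk assessment requires for each resource.
SHARED_KEY = b"constructed-demo-key"
TRUSTED_ISSUERS = {"idp.example.edu"}
RESOURCE_MIN_LOA = {"library-catalogue": 1, "hr-payroll": 3}

def canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":"))

def sign_assertion(claims, key=SHARED_KEY):
    """Assertion generator: canonical JSON body plus an HMAC-SHA256 tag."""
    body = canonical(claims)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_assertion(token, resource, audience, now, key=SHARED_KEY):
    """Relying party: returns (accepted, subject or rejection reason)."""
    body, sep, tag = token.rpartition(".")  # hex tag never contains '.'
    if not sep:
        return False, "malformed assertion"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):       # integrity (transport)
        return False, "integrity check failed: assertion altered in transport"
    claims = json.loads(body)
    if claims.get("issuer") not in TRUSTED_ISSUERS:  # trust in the generator
        return False, "untrusted issuer"
    if not claims.get("not_before", 0) <= now < claims.get("not_on_or_after", 0):
        return False, "assertion outside its validity window"
    if claims.get("audience") != audience:           # meant for this RP?
        return False, "assertion not addressed to this relying party"
    if claims.get("loa", 0) < RESOURCE_MIN_LOA.get(resource, 99):  # RP risk policy
        return False, "LoA %s below minimum for %s" % (claims.get("loa"), resource)
    return True, claims["subject"]

def tamper_with_loa(token, new_loa):
    """Simulate in-transit modification: rewrite the LoA but keep the old tag."""
    body, _, tag = token.rpartition(".")
    claims = dict(json.loads(body), loa=new_loa)
    return canonical(claims) + "." + tag

# Constructed sample assertion issued after a one-factor (password) login.
NOW = 1_700_000_000
SAMPLE = sign_assertion({"issuer": "idp.example.edu", "subject": "s1234567",
                         "audience": "sp.example.edu", "loa": 2,
                         "not_before": NOW - 60, "not_on_or_after": NOW + 300})
```

The same assertion is accepted for the low-risk resource and rejected for the high-risk one, and raising the LoA in transit is caught by the integrity check before any claim is read.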
• 18. Identity and Access Management Compendium
• Organised into 6 volumes, in line with the 6 classes
• Each volume explains how this aspect of IAM fits into the framework
• Addresses issues such as:
  – Policy considerations
  – Risk assessment, risk management and LoAs
  – Relevant standards
  – Evaluating technology solutions
  – Maturity model
  – Federating with other organisations
  – Communication and education
  – Resources for further information
• 19. WHAT YOU CAN CONTRIBUTE
• Case studies on IAM within your organisation, whether these deal with business, process, policy, or technology aspects
• Policy considerations and risk management related to IAM
• Good IAM processes and practices extending to all parts of an enterprise
• How to evaluate technology solutions
• Pointers to useful resources on IAM
• Comments and feedback as sections are added
• 20. HOW TO CONTRIBUTE
• https://wiki.caudit.edu.au/confluence/dashboard.action
• Email patricia.mcmillan@uq.edu.au to be added to the mailing list and wiki.
• Regular blog entries will pose issues and questions to keep the discussion going.
• 21. SOME THOUGHTS ON IDENTITY
Americans may have no identity, but they do have wonderful teeth.
– Jean Baudrillard, French semiologist