2. What is Identity & Access Management?
Identity and access management (IAM) technologies and services
enable the right individuals to access the right resources at the
right times for the right reasons.
We all use IAM solutions many times a day:
• Logging in to websites, servers, and other resources
• Accessing research materials at Harvard and beyond
• Checking a colleague’s calendar for a meeting
• Adding, removing, or changing employee records
At Harvard, the IAM program exists to streamline these interactions
and make it easier for you to do your day-to-day tasks.
3. What is Identity & Access Management?
Our vision: Provide users, application owners, and IT administrative
staff with secure, easy access to applications; solutions that require
fewer login credentials; the ability to collaborate across and
beyond Harvard; and improved security and auditing.
Objectives
• Simplify User Experience: simplify and improve access to applications and information inside and outside of the University
• Enable Research & Collaboration: make it easier for faculty, staff, and students to research and collaborate within the University and with other institutions
• Protect University Resources: improve the security stature of the University via a standard approach
• Facilitate Technology Innovation: establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies
Guiding Principles
• Harvard Community needs will drive our technology
• Tactical project planning will remain aligned with the program’s strategic objectives
• Solution design should allow for other Schools to use foundational services to communicate with the IAM system in a consistent, federated fashion
• Communication and socialization are critical to our success
Key Performance Indicators
• Monthly number of help desk requests relating to account management
• Monthly number of registered production applications using IAM systems
• Monthly number of user logins and access requests through IAM systems
• Monthly number of production systems to which IAM provisions
4. A New Provisioning System: SailPoint IdentityIQ
Provisioning and deprovisioning are key to the IAM program:
• Add new users quickly and accurately
• Reduce manual processes and delays by issuing access through a
central identity store
• Make role changes simpler and easier
• Streamline the revocation of access when necessary
The IAM program is now transitioning to the use of SailPoint IdentityIQ
to manage provisioning and deprovisioning.
5. FAS IAM Details
• Thousands of accounts are claimed every year
• Passwords are synched to multiple systems:
– Active Directories (used for email)
– LDAP (used for file sharing and application access management)
– Google (@college, @g)
– Home directories and Kerberos
• Sponsored accounts processed by Service Desk
• Self-service password resets using Oracle Waveset
• Automatic disabling of accounts (different rules for different types of accounts)
6. The Wishlist
• Improve the user experience
– Claiming should be easy to use, and work on mobile devices
– Self-service password reset without security questions
• Simplify onboarding for all types of users
• Enable early access when appropriate
• Put sponsored account processes online (!)
• Enable sponsored account managers to extend or end-date accounts directly
7. Connect with Harvard (Claim an Account)
Ready
• Data are in the Identity Management System:
– Name
– Date of birth
– Role
– Onboarding email (used when applying, or supplied by onboarding admin)
Set
• HR, Registrar, or department admin directs new user to the account claiming application
Connect
• New user enters name, DOB, HUID for basic validation
• Email sent to the onboarding email
• Use the temporary password you receive in email to login
• Choose username
• Set permanent password
• Provide recovery information
• Set security questions
• Connected!
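The Connect stage above, modelled end to end as an added illustration (not Harvard's or SailPoint's code): the three-field validation against the identity store, a temporary password that reaches only the onboarding email, and the permanent credentials set on first login. The identity records, the 24-hour temporary-password lifetime, and the single-use rule are assumptions introduced here, not details from the slides.

```python
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass

# Constructed sample of the Identity Management System (the HUID, name and email are made up).
IDMS = {"10000001": {"name": "Alex Doe", "dob": "1990-04-02", "role": "Staff",
                     "onboarding_email": "alex.doe@example.org"}}
TEMP_TTL = 24 * 3600  # assumed lifetime of the temporary password; the slides state none

@dataclass
class Claim:
    huid: str
    temp_hash: bytes
    salt: bytes
    expires: float
    used: bool = False

pending: dict = {}   # huid -> Claim awaiting first login
accounts: dict = {}  # username -> permanent account record
outbox: list = []    # (recipient, temporary password): stand-in for email delivery

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def start_claim(name, dob, huid, now=None):
    """Connect step 1: basic validation against IdMS, then mail a temporary password."""
    rec = IDMS.get(huid)
    if rec is None or rec["name"] != name or rec["dob"] != dob:
        return False  # one answer for every mismatch, so the form does not reveal which field was wrong
    now = time.time() if now is None else now
    temp, salt = secrets.token_urlsafe(12), os.urandom(16)
    pending[huid] = Claim(huid, _hash(temp, salt), salt, now + TEMP_TTL)
    outbox.append((rec["onboarding_email"], temp))  # only the onboarding address ever sees it
    return True

def finish_claim(huid, temp, username, password, recovery, questions, now=None):
    """Connect steps 2-6: log in with the temporary password, then set the permanent credentials."""
    c = pending.get(huid)
    now = time.time() if now is None else now
    if c is None or c.used or now > c.expires:
        return None  # nothing pending, already claimed, or temporary password expired
    if not hmac.compare_digest(_hash(temp, c.salt), c.temp_hash):
        return None
    if username in accounts or len(password) < 12 or len(questions) < 2:
        return None  # username taken, password too short, or too few security questions
    c.used = True  # the temporary password is single-use
    salt = os.urandom(16)
    accounts[username] = {"huid": huid, "pw_hash": _hash(password, salt), "salt": salt,
                          "recovery": recovery, "questions": questions}
    return username
```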
8. Types of Sponsored Accounts
• Affiliate Accounts (People)
• Service Accounts (Course, Group, Department, Application)
• Kiosk, Machine and other Special Accounts
9. Sponsored Account Process: Affiliate Process
Request (the sponsored requester…)
• Submits data about the new user: name, DOB, last 4 digits of SSN, email, reason, etc.
• System sends an email
Validate (the end user…)
• Receives email and navigates to the account claiming application
• Logs in with email as login name and temporary password
• Picks a user name
• Sets password
• Sets recovery info
• Sets security questions
Create
• Account is created in sponsor’s department
• Notification email sent to sponsored requester
10. Manage Accounts You Own
Your Accounts
• View a list of the accounts you manage
• View the resources assigned to your users
• End-date or renew accounts for your users
Manage Access
• Request access to specific resources or deprovisioning (Future — 2015)
11. The Sponsored Account Process is Evolving
• Initial, 2015: Helpdesk enters sponsored accounts
• Wider release, 2015: Enable sponsored requester self-service
• Future, TBD: Self-registered guests (replace XID)
1. Focus first on getting SailPoint up and running, plus managing sponsored accounts
2. Then, enable distributed data entry by faculty and staff using web tools
3. Replace XID (self-registered guest) with new tool
12. Opportunity: Simplify by Consolidating Processes
Today’s separate sources:
• MIDAS “POI”: Consultant, Contractor, Vendor, Security
• FAS “Sponsored Account”: Collaborator, FAS-specific access for POIs, Early access for pending employees
• Misc. identities & accounts from Schools
Consolidated into a single Sponsored Identity:
• Same account creation process
• Single username
• HUID (card in some cases)
• Single UUID
Clearer sponsorship information for audit, end-user self-service, hands-on management by sponsors to set up and remove access
13. Sponsored Accounts: Before and After
FAS Today
• Paper form & fax/mail
• HUIT Service Desk enters
• Sponsor gets the password and conveys it to the end user
FAS+ in the Future
• Online process open to eligible sponsors
• End users set up accounts via email and web tool
• Password remains private; account self-service reduces helpdesk load
Key concepts: Simplify user experience, improve security, and reduce overhead.
14. In Summary …
• All members of the Harvard Community are affected by identity and
access management — from the first login screen
• IAM exists to make onboarding, day-to-day use, role changes, and
access to resources easier for everyone at Harvard
• Our efforts will improve productivity and make day-to-day life
simpler for faculty, staff, students, researchers, people
administrators, application owners, and more
• And when IAM services are done right, you don’t even notice the
effects — things just work