1. A CASE OF IDENTITY
Building Solutions to Assist
2. WHAT IS IDENTITY & ACCESS MANAGEMENT?
Identity and access management (IAM) technologies and services enable the right individuals to access the right resources at the right times for the right reasons.
We all use IAM solutions many times a day:
• Logging in to websites, servers, and other resources
• Accessing research materials at Harvard and beyond
• Checking a colleague’s calendar for a meeting
• Adding, removing, or changing employee records
At Harvard, the IAM Program exists to streamline these interactions and make it easier for you to do your day-to-day tasks.
3. WHAT IS IDENTITY & ACCESS MANAGEMENT?
Objectives
• Simplify User Experience: simplify and improve access to applications and information inside and outside of the University
• Enable Research & Collaboration: make it easier for faculty, staff, and students to research and collaborate within the University and with other institutions
• Protect University Resources: improve the security posture of the University with a standard approach
• Facilitate Technology Innovation: establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies
Guiding Principles
• Harvard Community needs will drive our technology
• Tactical project planning will remain aligned with the Program strategic objectives
• Solution design should allow other Schools to use the foundation to communicate with the IAM system in a consistent, federated fashion
• Communication and socialization are critical to our success
Key Performance Indicators
• Monthly number of help desk requests relating to account management
• Monthly number of registered production applications using IAM systems
• Monthly number of user logins and access requests through IAM systems
• Monthly number of production systems to which IAM provisions
Our vision: Provide users, application owners, and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing.
4. ABOUT THE IDENTITY LIFECYCLE
• Provisioning
• Authentication
• Permissions
• Self-Service
• Deprovisioning
• Authorization
Cases: Alumni, HKS, HMS
5. Harvard Medical School: Improved User Provisioning
Erica Bradshaw, Director, Identity and Access Management Strategy and Planning, HUIT
Tyson Kamikawa, Director, Shared Platforms and IT Effectiveness, HMS
6. HMS: IMPROVED USER PROVISIONING
Current State
Sources feeding the Apps Server: MADRIS, HSPH, XML, Guest, Test
• Difficult to change
• Potential duplication of HU efforts
• Aging guest account process
• Account EOL not managed well
7. HMS: IMPROVED USER PROVISIONING
Future State
Sources: MADRIS, HSPH, XML, Guest, Test
• Leverage HU platform
• Reduce complexity & effort
• Robust toolset
• Improved business process
• Long-term redundancy reduction
8. Harvard Kennedy School: Federated Authentication
Gretchen Grozier, IAM Community Program Manager, HUIT
Steve Duncan, Director of Information Technology, HKS
Paul Hermany, Information Developer, HKS
9. HKS: FEDERATED AUTHENTICATION
Authentication Design in 2008
• Standardized on Active Directory
• Focused on HKS faculty, staff, and students
- Manual process put in place to provision “sponsored accounts” for HKS affiliates
• Single sign-on a key requirement
• Kept it simple:
- Selected products and solutions built to work with AD
- Minimized the amount of custom code needed for authentication and authorization
10. Pressures on the System
• Increased collaboration between Schools means more and more accounts provisioned each year
- Jointly-listed courses
- Cross-registration
- Research collaboration
• More reliance on timely access to digital classroom materials
- HKS has gone digital for all course materials
- Significant growth in the number of digital cases
• HKS goal to actively engage alumni
• Higher user expectations
• Security concerns
11. User Frustrations
• Additional usernames and passwords
• Time delay in provisioning accounts
• Complicated process for requesting accounts
Staff Frustrations
• IT Help Desk overrun each semester with calls from non-HKS students who have forgotten passwords or are otherwise confused
• IT operations staff burdened with process of deprovisioning accounts
12. Advantages of Federation
• Better user experience
- Users use an account they already know
- No delays in provisioning
• Lower HKS IT support costs
- No need to provision/deprovision accounts or maintain passwords
• Active Directory Federation Services works well with HKS key technologies
• Attributes can be delivered for authorization decisions
14. Harvard Alumni Association: A Seamless Transition
Jane Hill, Director, IAM Product Management, HUIT
Julie Broad, Director, Alumni Affairs & Development Technology
15. HAA: A SEAMLESS TRANSITION
Diverse Alumni Populations from Multiple Sources
More than 380,000 alumni
• Executive Education Programs: one semester or 9+ weeks of program work
• Degree Recipients
16. Harvard Alumni Association Supports
Online Directory, Tools, Donate, Event Hub, Events, Clubs, Online Career Advising Services, Networking
17. Process Challenges and Cranky Users
Register
• New admits are in the system right away
• Regular updates flow from Registrar
• But as graduation approaches, we ask students to register (huh?) so we can issue them a new, separate account
Credential
• Challenging to know if user registering is who they say they are
• Lack of a process for HUID/PIN to be reset after graduation frustrates recent grads
Support
• Some schools have their own separate credentials and services
• Multiple Helpdesks add to user confusion
18. IAM Objectives Support Alumni Engagement
Improve End User Experience
• Eliminate the need to register with HAA
• Allow student accounts to work forever
• Use standard processes for password reset, account management
• Enable separate help desk and tailor process designs for alumni
Expand Access to Resources
• Standard Harvard credentials make it simpler for application owners to extend access to HAA-approved resources
• Provide information on what resources are available
• Standard credential model provides opportunities to offer services to new groups of people in future (donors, parents, etc.)
Balance Convenience and Security
• Improve self-service password reset by enabling option to specify both phone and email recovery information
• Tailor onboarding and proofing to HAA populations
• Provide standard protocols for easier integration of new applications
19. HOW DOES THIS BENEFIT ME?
End Users
Experience Today:
• Different user names and credentials to access Harvard and non-Harvard apps and data
• Creating and managing user accounts is manual and paper-based
• No access to external sites, or forced to register for accounts
• Access to services and resources interrupted when users change, add, or leave roles
Future Goals:
• Access information and perform research across schools (and with other institutions) using a single credential
• Manage own accounts and sponsor others through a centralized web application
• Use internal Harvard credentials to access common external sites
• Use the same set of credentials despite changes in status, roles, or affiliations
Application Owners
Experience Today:
• Tough to integrate access management, meaning long implementation timelines and higher costs
• Forced to grant application access to users with the same rights on a one-by-one basis
Future Goals:
• Easily integrate Harvard users with internal and external applications via an application portal
• Control user access in groups, not individuals
People Administrators
Experience Today:
• Must create sponsored guest identities manually, resulting in delays and loss of productivity
• Can’t streamline deprovisioning of users’ access privileges across multiple systems
Future Goals:
• Sponsors can create and manage external parties’ identity and access
• Automated provisioning reduces the burden on people administrators of disparate systems and improves Harvard’s security posture
20. (Didn’t pick up a chart? Raise your hand, we’ll get you one.)
21. IAM: IN SUMMARY
• Identity begins at the first login screen
• IAM exists to make onboarding, day-to-day use, role changes and access to resources easier for everyone in the Harvard Community
• Our efforts will improve productivity and make day-to-day life simpler for faculty, staff, students, researchers, people administrators, application owners, and more
• And when IAM services are done right, you don’t even notice the effects: things just work
22. Take the mystery out of identity.
Learn more about our program at iam.harvard.edu