Identity Management Program Update

1
Identity Management Program Update

• Andrea Beesing
• CCD Meeting 3/10/04

2
Service categories for initiatives

• Provisioning
• Authentication
• Authorization/access management
• Directory services
• Identity Management policies and processes

3
Provisioning

• NetID life cycle roadmap
• Campus stakeholder group led by Butch Labrecque
• CCD members Rob Bandler, Craig Trowbridge
• Recommendations incorporated in Identity
  Management program plans for FY05 and beyond
• Range from
• short-term items such as re-establishing regular
  clean-up schedule to
• longer-term items such as creating specifications
  of administrative data needed to define a
  relationship profile

4
Provisioning

• RFP to identify tools to more efficiently
• assign Cornell digital identities
• grant and remove access to electronic resources
• Will engage campus community in requirements
  gathering in mid May timeframe
• Create a guest identity infrastructure for
  short-term access (high priority for FY05)

5
Authentication

• SideCar replacement prototype completed, full
  design in development for internal review
• Various updates, incremental improvements in
  authentication components
• Planned for FY05
• Retire Kerberos 4 in favor of K5 (FY05)
• Secure password enforcement for Kerberos (FY05)

6
Authentication

• More FY05 plans
• Investigate Kerberos authentication for Windows
  domains
• On-site distribution of Verisign server certs
• PKI test bed and pilot

7
Authorization/access management

• Implementation of authorization directory
• Phase I supporting PeopleSoft self-service
• Phase II converting permit database to authZ
  directory
• Phase III make public permits dynamic (groups)
• Phase IV add distributed capability for group
  (permit) creation and maintenance
• Retire permit server in favor of authZ directory
• Shibboleth test bed and pilot to position Cornell
  to take advantage of federated identity in higher
  education

8
Directory Services

• Architecture improvements
• White pages vs. authorization vs. email directory
• Better load balancing and redundancy
• Enhanced search capability
• vCard support
• Future of directory white pages
• Service ownership
• Data of record issues

9
Policies and processes

• Exit procedures for members of the community
• Assess and revise processes that allow manual
  edits of identity information
• Authentication/authorization policy
• Identity Management governance
• Advisory Group/SIG?
• Reporting to IT governance board

10
Further information

• Web sites
• Program http//www.cit.cornell.edu/services/ident
  ity/
• For developers http//aads.cit.cornell.edu/
• Specific requests/problems aadssupport_at_cornell.e
  du
• General questions/escalations amb3_at_cornell.edu