2.1. The Change Itself
• What Are the Critical Components?
• Thoughtful Consolidation
• Policy and Process
• Governance and Stakeholder Involvement
• Technology
Taken together, accommodating these Drivers for Change requires:
- Changing existing common practice to accommodate these trends and migrate toward a model that is more consistent with an evolving federated world.
- Adopting an IT governance approach that centralizes policy and management responsibilities for authentication and other identity services that underlie campus-wide and high LoA services.
- Understanding the need for broad ownership of authentication-related business processes.
This approach does not preclude organizational units from managing independent services for specific portions of the community.
You might have a campus-wide or more modest scope in mind for your authentication project. Whatever the focus, we encourage you to read this section: even internal IT projects can begin to lay the groundwork for this approach.
What Are the Critical Components?
- Thoughtful Consolidation. Longer-term trends point towards increased centralization of authentication as the most capable, cost-effective, and risk-averse solution. Note that centralization is a continuum:
  - differentiated approaches for services managed at department levels may be particularly attractive when an institution maintains different levels of assurance (LoAs) for specific campus populations or for specific types of services, such as accommodating the increased requirements of a health care center.
  - federating technologies can also provide sites with the ability to meet many of their goals without requiring a complete centralization of identity management and authentication. However, introducing unnecessary internal federations can require substantial resources to integrate a large number of applications and limit an organization's choice of applications due to the current lack of federation support by the commercial software sector.
- Policy and Process. Any institution-wide approach to authentication services and identity management must include policies and processes consistent with the community's needs and values. Policy states the “what” or “why”; it articulates the long-term institutional position, identifies mandates, scope, roles and responsibilities and requires a shared vision of the:
  - legal and regulatory landscape.
  - business drivers of the institution.
  - values and ethics of the institution, as they apply to the online services that the institution intends to offer.
- Governance and Stakeholder Involvement. Planning and policy development can be done using a broad committee structure or, in a smaller stakeholder community, by having lunch with key people. Educating the campus stakeholders takes a lot of effort, and yet can save time and reduce risk in the future when important and critical decisions need to be made. The method is up to you to consider, but the goal is the same. An ongoing managed function:
  - enables effective, transparent, and accountable process and policy development, including decisions on issues of value, risk, related processes, implementation implications, and subsequent tradeoffs.
  - comprises an educated forum of technologists, functional leaders, and policy makers.
  - recognizes the role of IT as fundamental to the success of the academic institution.
  - articulates the guiding principles for the information technology enterprise.
- Technology. In general, because of the variability of institutional goals, drivers, skill sets, and resources across the community, there isn't one technology that addresses all needs of all institutions. Therefore, this Authentication Roadmap does not attempt to make a definitive statement about which technology (or technologies) to adopt.
Business process is the "how". It can refer to, for example, the way it is verified that a physical person is truly represented by the electronic person recorded in the Human Resources system, or to internal IT processes for supporting the infrastructure (security procedures, for example).
