Executive Summary
• Develop your Plan for Change
• Implement Change
• Migrate to Production
• Have a Nice Trip
Several new business needs are pushing campuses to rethink their authentication and related identity management infrastructures. These include: increasing legislation addressing identity protection, and the negative publicity that accompanies an identity "spill" or breach; the need to provide login credentials to non-traditional groups of users, such as student applicants, alumni, contractors, and friends of the library, and related concerns about how those recipients manage their credentials and when the credentials should be revoked; and the work being done by the Federal government to streamline access to its applications, which will require participating institutions to meet minimum operational, process, and policy requirements.
Taken together, accommodating these drivers requires:
- Changing existing common practice to accommodate these trends and migrating toward a model that is more consistent with an evolving federated world.
- Adopting an IT governance approach that centralizes policy and management responsibilities for authentication and other identity services that underlie campus-wide and high-security services.
- Understanding the need for broad ownership of authentication-related business processes.
This approach does not preclude organizational units from managing independent services for specific portions of the community.
The first step is to develop a high-level plan that helps you move forward by identifying the functions, processes, policies, and technologies you need to implement to address your institution's specific drivers. Having this plan in hand allows you to address the identified gaps as opportunities arise, such as coupling a new Web Single Sign-on service with an upgraded portal, or establishing a higher level of assurance for higher-risk applications when implementing a new finance system.
To develop the plan:
1. Define your challenge for change, including the drivers that help determine where you need to go.
2. Understand your organization's service requirements and the accompanying framework for managing authentication on your campus.
3. Develop a set of guiding principles to inform decision making.
4. Inventory how your campus operates today.
5. Analyze your target online services, who is using them, and what the risk issues are, and develop a list of technical architecture, business process, and policy gaps that must be addressed to achieve items 1 and 2 above.
This section provides a process you can use when working with the constituencies across campus to ensure your policy, business process, and technologies are all in sync with each other. It is important to work on these concurrently to achieve the right balance, since they are so interdependent.
- Policy - Since the authentication service is so tightly bound to identity and access management, you should use your IT governance structure to develop the policy framework for the authentication project and incorporate it into your overall identity management and security policy framework. This should address identification, electronic credentials, registration, and service provider requirements.
- Business Processes - Key to business process change is the education of all the affected parties and an on-going review channel for reporting issues and problems with the new procedures. Managers and policy makers need to understand the basics of authentication technology and implementation decision points, and this process also ensures that a variety of viewpoints and sufficient data inform the decisions about authentication. Similar to the policy aspect, the business process effort should consider identification and registration, electronic credentials, account management, support, security and compliance, and staff training. The Federal E-Authentication Initiative's Password Credential Assessment Profile provides overall guidance on the operations, processes, and structures needed to adequately support your authentication system and related identity-management infrastructures.
- Technology - A critical goal of the design or architecture of your infrastructure is ensuring that it supports the business and policy requirements to a sufficient degree. If unacceptable gaps exist, the technology leaders must work with their policy and process colleagues to achieve consensus on how to proceed to address the gaps. The first steps are to identify existing constraints, map the business requirements to technology requirements, and finally decide on mechanisms and products. The last step in this stage of the process is to perform the initial system integration in a test environment and test the processes and technology infrastructure.
To migrate the new infrastructure to production, pick a staging strategy, which might include selecting relatively low-impact or low-risk services for initial integration in order to prove the functionality and, gradually, the scalability of the new system. Also consider integrating one or two on-campus systems with business owners who are strong partners with whom you can work through political and technical issues early on.
Lastly, the campus authentication requirements will very likely evolve as new end-user groups are identified and new technologies and services become available. As a result, decide how best to migrate the project governance team into an on-going function. Creating a new forum, or enhancing an existing one, where these new issues can be brought to the attention of stakeholders is critical to the ongoing maintenance of the authentication system, to the integrity of the integrated service, and to preserving the institution's risk tolerance level.
Have a Nice Trip
As with many journeys, the road traveled becomes almost as important as arriving at the destination. The authentication landscape is a dynamic environment. It's time to review and adjust your institution's Roadmap again to determine next steps in your authentication service. Over time there will be new emerging needs and technologies to consider, and you may have to make adjustments with your governance team on the order or priority of items in your Roadmap as you progress.
