Dell ONE Identity Manager: Why, What and When By Tom Golson, TAMU IT Security
Key Concepts
● Subject: A physical person
● Identity: The set of information that pertains to a Subject. This information is used to uniquely identify the Subject and communicate with the Subject. It may also include memberships, roles and eligibility.
● Credential: A unique identifier and associated authentication material used by a Subject in the authentication process
● Credential Binding: Verifying that the Subject is in control of the Subject’s Credentials
● Provisioning: The process of creating, modifying, disabling or deleting a user account based on the presence of, or changes to, an Identity
What is Identity Management?
Identity and Access Management is the
● Policies,
● Processes, and
● Technologies
put in place for the purpose of establishing Subject digital identities and controlling access to digital resources.
Which means
● Stakeholders, service owners and data owners
● Meeting to discuss how they need access to data and what rules exist around releasing data
● To form a framework for collecting data about people
● And reflecting that data into directories and databases
Today ...
After 16 years, why change?
● Current data store is very good. Better than the rest, I would say.
● But value is in services, and services require a level of development and management resources that TAMU IT can’t afford to devote.
● Dell ONE, we believe, is the best option out there.
So what’s changing?
● Dell ONE Identity Manager is many products
● We bought:
○ The core, Identity Manager
○ Password Manager
○ Data Governance (probably not what you think)
○ Cloud Access Manager
● Identity Manager and Password Manager change how we store person data and manage credentials (all internal)
The value add
● The person repository is a relational database with relatively fine-grained access controls
● College/Division provisioning can be delegated, and the lifecycle of an account in your directory can be separated from the lifecycle of the Identity overall
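To make the Key Concepts definition of Provisioning and the delegated-lifecycle point above concrete, here is an added example that is not code from these slides or from Dell ONE Identity Manager. It is a small reconciler: given an identity feed and the accounts in one delegated directory, it emits the create / modify / disable / delete actions needed, so that an account in a College directory can be disabled when the Subject loses eligibility there while the overall Identity stays active. The field names (uin, eligible_for), the sample feed and the 30-day disable-before-delete grace period are assumptions made for the example.

```python
"""Added example, not code from the slides or from Dell ONE Identity Manager.
A provisioning reconciler: compare an identity feed against the accounts in
one delegated directory and emit create / modify / disable / delete actions.
Field names, the eligibility set and the 30-day grace period are assumptions."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

GRACE = timedelta(days=30)   # assumed policy: delete only after 30 days disabled


@dataclass(frozen=True)
class Identity:
    uin: str                 # unique identifier for the Subject (assumed name)
    active: bool             # overall Identity lifecycle
    name: str
    email: str
    eligible_for: frozenset  # directories this Subject may hold an account in


@dataclass(frozen=True)
class Account:
    uin: str
    name: str
    email: str
    disabled_on: Optional[date] = None


def reconcile(identities, accounts, directory, today):
    """Return (action, uin, detail) tuples that bring `accounts` (uin -> Account)
    for `directory` in line with `identities` (uin -> Identity)."""
    actions = []
    for uin in sorted(set(identities) | set(accounts)):
        ident = identities.get(uin)
        acct = accounts.get(uin)
        # An account belongs in this directory only while the overall Identity
        # is active AND the Subject is eligible for this particular directory.
        eligible = ident is not None and ident.active and directory in ident.eligible_for
        if eligible and acct is None:
            actions.append(("create", uin, {"name": ident.name, "email": ident.email}))
        elif eligible:
            changes = {k: getattr(ident, k) for k in ("name", "email")
                       if getattr(ident, k) != getattr(acct, k)}
            if acct.disabled_on is not None:
                changes["disabled_on"] = None        # re-enable, never re-create
            if changes:
                actions.append(("modify", uin, changes))
        elif acct is not None and acct.disabled_on is None:
            actions.append(("disable", uin, {"disabled_on": today}))
        elif acct is not None and today - acct.disabled_on >= GRACE:
            actions.append(("delete", uin, {}))
    return actions


def apply(accounts, actions):
    """Apply reconciler output to the account store; returns a new dict."""
    out = dict(accounts)
    for action, uin, detail in actions:
        if action == "create":
            out[uin] = Account(uin=uin, **detail)
        elif action in ("modify", "disable"):
            out[uin] = replace(out[uin], **detail)
        elif action == "delete":
            del out[uin]
    return out


# Constructed sample feed: four Subjects and one delegated directory ("engr").
TODAY = date(2016, 8, 31)
IDENTITIES = {
    "1001": Identity("1001", True,  "Ann Adams", "ann@example.edu", frozenset({"engr", "library"})),
    "1002": Identity("1002", True,  "Bob Brown", "bob@example.edu", frozenset({"library"})),  # left engr, still active overall
    "1003": Identity("1003", False, "Cy Cole",   "cy@example.edu",  frozenset({"engr"})),     # Identity disabled overall
    "1004": Identity("1004", True,  "Dee Diaz",  "dee@example.edu", frozenset({"engr"})),     # new hire
}
ENGR_ACCOUNTS = {
    "1001": Account("1001", "Ann Adams", "ann.old@example.edu"),
    "1002": Account("1002", "Bob Brown", "bob@example.edu"),
    "1003": Account("1003", "Cy Cole",   "cy@example.edu", disabled_on=date(2016, 7, 1)),
    "1005": Account("1005", "Orphan",    "orphan@example.edu"),   # no Identity in the feed
}


def run_engr():
    """Reconcile the engr directory, apply the actions, then reconcile again.
    The second pass must be empty: a correct reconciler is idempotent."""
    first = reconcile(IDENTITIES, ENGR_ACCOUNTS, "engr", TODAY)
    after = apply(ENGR_ACCOUNTS, first)
    second = reconcile(IDENTITIES, after, "engr", TODAY)
    return first, second


if __name__ == "__main__":
    for action in run_engr()[0]:
        print(action)
```

The point to take from the sample: 1002 is disabled in engr even though the Identity is still active (directory lifecycle separated from Identity lifecycle), 1003 is deleted only because it was already disabled past the grace period, and the orphan 1005 with no Identity in the feed is disabled rather than silently kept. Running the reconciler a second time after applying its actions produces nothing, which is the check you want before letting any delegated provisioning job run unattended.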
But wait, that’s not all
• Data Governance -- Once a delegation relationship is set up, this functionality allows Colleges/Divisions to set up request-approval-attestation flows for things like shared drives and security groups
• Cloud Access Manager -- A captive portal (like SSO) that can leverage Shib to send equivalent login messages to non-Shib applications (think SharePoint)
The goal
• The current Identity Management System (IdMS) consumes nearly 40 separate sources of data
• Phase 1 has begun, with the goal of replacing the current ingest process and populating downstream TAMU IT targets by the end of August 2016
• Phase 2 will be access delegation (Fall/Winter 2016)
Questions?
The goals are ambitious, but the team has a deep understanding of the current data and processes. I’m optimistic …. Questions?