Identity And Access Management - Harvard University


Identity and Access Management
PROGRAM PLAN
Created January 2014, Revised June 2014

TABLE OF CONTENTS

1.0 Program Plan Objectives ... 3
1.1 Document Purpose ... 3
2.0 Program Overview ... 3
2.1 What is Identity and Access Management? ... 3
2.2 Why is Identity and Access Management a Strategic Initiative? ... 3
2.3 What are the Tenets of a Successful IAM Program? ... 4
2.4 What is the Vision of the IAM Program for Harvard? ... 5
2.5 What External Factors Influence Our Success? ... 6
2.6 What Organizational Structure is Required? ... 7
2.7 Governance Structure ... 7
3.0 Program Approach ... 10
3.1 Program Implementation Framework ... 10
4.0 Program Implementation and Delivery ... 12
4.1 Simplify the User Experience ... 12
4.2 Enable Research and Collaboration ... 20
4.3 Protect University Resources ... 24
4.4 Facilitate Technology Innovation ... 27
5.0 Program Communication ... 30
6.0 Benefits to the University ... 31
7.0 Appendices ... 32
Appendix A: Glossary ... 32
Appendix B: IAM Program Accomplishments to Date ... 33
Appendix C: IAM Program Timeline ... 33

1.0 PROGRAM PLAN OBJECTIVE

1.1 Document Purpose

The purpose of this plan is to provide a comprehensive overview of all facets of the Identity and Access Management (IAM) program within a three-year horizon.

This plan will provide an executive-level overview of the IAM program inclusive of the program goals, program structure, planning approach, and overall implementation roadmap.

The IAM program team will review this plan on a quarterly basis. The status of the projects described by this document will be presented on a monthly basis, by means of an executive dashboard, to senior leadership and program stakeholders.

2.0 PROGRAM OVERVIEW

2.1 What is Identity and Access Management?

Identity and Access Management refers to a set of business processes and supporting technologies that enable the creation, maintenance, and use of a digital identity. As such, the impact of Identity and Access Management on Harvard's user community, application portfolio, and information resources is extensive. The IAM program and its related services are responsible for the management of faculty, administration, and student information; access to Harvard applications and information; and the distribution of such information externally. For a list of terms that may be helpful in understanding this program plan, please refer to Appendix A.

2.2 Why is Identity and Access Management a Strategic Initiative?

The first impression that any student, faculty member, researcher, or administrative staff member has of IT at Harvard is formed from his or her initial experience at the login screen. Today, the implementation of identity and access management at Harvard is maddeningly redundant and complex. The impact of such distributed complexity includes:

- Lost User Productivity: New users lose productivity and time as they wait for accounts to be created. Delays in users' ability to access resources often result when manual, paper-based workflows and approvals cannot be streamlined or easily orchestrated. There can often be lengthy wait times for users to gain access to resources they need, and have the right, to access.

[Harvard University Information Technology, June 2014, page 3 of 33]

- Poor User Experience: Issuing and managing multiple user accounts and passwords to support access to different applications and resources across the University results in user confusion and frustration.

- Limited Information Sharing Across Applications: Applications are unable to share information that should be shared, such as contact information, files, and common data for calendars and other frequently used functions.

- Unnecessary Administrative Overhead: The high volume of calls to the IT help desk to address basic account or application management functions, such as password management, creates an unnecessary burden on support staff.

- Reduced Security Stature: The inability to streamline the deprovisioning of users or manage user access privileges to applications and resources exposes the University to the risk of unauthorized access and audit compliance issues.

The reach of these problems and their associated impact is vast — such that, universally, all School IT leadership has become united in their concern. Because IAM affects all of the University's people, resources, and systems, the reputation of Harvard University Information Technology is stigmatized as a direct result of the limitations of the current IAM solution set.

2.3 What are the Tenets of a Successful IAM Program?

The IAM program originated from the need to eliminate perceived complexities surrounding identity. Above all, the IAM program's activities and deliverables will focus on achieving this fundamental objective. Additionally, the program is designed to improve core competencies of the University, particularly in the realms of research and learning. The founding IAM program guiding tenets are described below.

Tenet #1: Identity and Access Management Impacts Everyone and Everything

If implemented correctly, identity and access management should be simple and intuitive to an end user. Nevertheless, its importance should not be underrated. IAM is a core technical service that exists to ensure that only verified people access online resources and knowledge assets of the University via managed permissions. Without IAM, people at the University cannot easily access, provide access to, or share information.

In an ideal state, IAM enables new applications and services to be brought up quickly, provides necessary user information to applications so that they can properly function, and allows users to partake in new services with minimal effort. The identity stores central to IAM hold critical information about the identities and attributes of the University's internal and external user communities. In addition to enabling account creation and application access decisions, these identity assets can be data-mined by the University and leveraged to enable efforts that range from supporting business intelligence initiatives, to mitigating information security risks, to streamlining alumni fundraising via continuous user identity despite affiliation changes.

Tenet #2: Identity and Access Management Simplifies the User Experience

The Identity and Access Management program will reduce complexity for end users, application owners, and people administrators. The IAM program will streamline identity and account creation for end users by eliminating paper-based, manual processes. It will enable end users to have insight and control over their accounts through self-service account management and placing the control of basic requests — such as username creation, password changes, and access requests — into the hands of the user and off the shoulders of a help desk.

IAM services will allow users to select the credential of their choice for access needs, and will reduce the burden of remembering credentials that span the systems they use to work, study, or collaborate. IAM efforts will enable productivity by means of quick provisioning, granting user access to protected systems, resources, and physical locations with little to no intervention by administrative staff.

Tenet #3: Identity and Access Management Enables Research and Collaboration

The Identity and Access Management program will facilitate collaboration. It will break down the barriers to access for end users, opening the ability to share information and work safely together across School and institutional boundaries. The IAM program will demand the implementation of standards and will leverage these standards to federate decision making with external systems.

Through the use of authentication standards set forth by InCommon, the IAM program will lay the groundwork to carefully share identity information that enables access to resources that cannot currently be viewed via any other means. It will provide the University with a competitive advantage over institutions that cannot offer the same level of ease and expediency — enticing students and faculty to come to or stay at Harvard to study and perform research.

Tenet #4: Identity and Access Management Protects University Resources

Identity and access management is a vital information safeguard. It exists to protect sensitive data and information from the ever-evolving landscape of security threats. Properly implemented, IAM solutions help enable proactive security risk identification and mitigation, allowing the University to identify policy violations or remove inappropriate access privileges without having to waste time and effort searching across disparate systems. IAM will allow the University to easily assert that proper controls and measures are in place, meeting audit and regulatory requirements.

Tenet #5: Identity and Access Management Facilitates Technology Innovation

Identity and access management increases the agility of application development and deployment by eliminating the need for application developers to reinvent and duplicate potentially vulnerable authentication systems. IAM also removes the need for application owners to manage such duplicate systems. IAM helps weather the storm of disruptive innovation, including positioning the University to quickly and securely integrate with or implement cloud platforms and services.

IAM enables key technology initiatives, and is an important precursor to the successful implementation of new University initiatives. The Student Information System, the next-generation Unified Communications System, and the Learning Management Ecosystem at Harvard rely on sound IAM process re-engineering, design, and implementation to extend improved services to the end-user community.

2.4 What is the Vision of the IAM Program for Harvard?

Simply stated, the vision of the IAM program is the following:

    Provide users, application owners, and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing.

The IAM program will be implemented to fulfill this vision in accordance with the tenets defined above. Additionally, heightened emphasis will be placed upon a secondary set of guiding principles for the program:

- Harvard Community needs will drive how technology supports the Identity and Access Management program
- Tactical project planning will remain aligned with program strategic objectives
- Solution design will allow for other Schools to use foundational services to communicate with IAM systems in a consistent, federated fashion
- Communication and socialization of the program are critical to its success

Strategic objectives, guiding principles, and key performance indicators intended to guide the IAM program in achieving our vision are outlined below.

Strategic Objectives
1. Simplify the User Experience: To simplify and improve user access to applications and information inside and outside of the University
2. Enable Research and Collaboration: Simplify the ability for faculty, staff, and students to perform research and collaboration within the University and with colleagues from other institutions
3. Protect University Resources: Improve the security stature of the University using a standard approach
4. Facilitate Technology Innovation: Establish a strong foundation for IAM to enable user access regardless of new or disruptive technologies

Guiding Principles
- Harvard Community needs will drive how technology supports the Identity and Access Management program
- Tactical project planning will remain aligned with program strategic objectives
- Solution design will allow for other Schools to use foundational services to communicate with IAM systems in a consistent, federated fashion
- Communication and socialization of the program are critical to its success

Key Performance Indicators
- The number of help desk requests that relate to account management per month
- The number of registered production applications that use IAM systems per month
- The number of user logins and access requests via the IAM system per month
- The number of production systems to which the IAM system provisions per month

Table 2.4.1: Strategic Objectives, Guiding Principles, and Key Performance Indicators

2.5 What External Factors Influence Our Success?

The definition of a critical success factor is an external area of influence that has significant impact upon program scope and delivery. In order for the Identity and Access Management program to meet its goals, the following critical success factors must be closely managed:

- Executive Sponsorship: Engage proactively with key stakeholders to maintain program support and make key decisions
- Resource Planning: Recruit qualified staff according to project timelines
- Budget Planning: Retain and maintain ability to spend at budgeted funding levels over the course of FY14 - FY17
- School Partnership and Participation: Form strong relationships with, and understanding of, users within the School communities
- Transition Planning: Garner support for cloud infrastructure and ITSM transition processes

Table 2.5.1: Critical Success Factors for the IAM Program

2.6 What Organizational Structure is Required?

IAM Organizational Overview

Under the direction of the IAM Program Director, the IAM program is organized into four distinct teams: Strategy and Planning, Product, Technical, and Architecture. A summary of each team, its associated management, and its overall functional responsibilities is listed below.

Strategy and Planning Team (Erica Bradshaw)

The IAM Strategy and Planning Team is responsible for providing communication, strategic planning, and outreach across Schools, HUIT, and the IAM program itself. Staff will be added to assist in the development of the focus areas listed below:
- Program Plan Creation
- Communications
- Community Planning and Outreach
- IAM Human Resources
- Cloud Infrastructure Planning
- IAM Finance

Product Team (Jane Hill)

The IAM Product Team provides functional and product support, including business process evaluation, service definition, and the development of IAM as a series of supportable products. Staff will be added to assist in the development of the focus areas listed below:
- Business Analysis
- Solution Support Services
- Service Definition
- Quality Assurance
- Product Management

Technical Team (Magnus Bjorkman)

The IAM Technical Team implements, tests, and releases the IAM solution set. Staff will be added to assist in the development of the focus areas listed below:
- Project Planning
- Identity Repositories
- Identity Management
- Practice Management
- Access Management
- Systems Integration

Architecture Team (Scott Bradner and Marlena Erdos)

The IAM Architecture Team provides subject-matter expertise, best practices and patterns for implementation, technical problem resolution approaches, and strategic direction recommendations. Responsibilities include:
- IAM Policy Creation
- University IAM Standards
- IAM Solution Architecture and Design

2.7 Governance Structure

The IAM program is split into three individual governing committees: the Executive Committee, the Lifecycle Advisory Group, and the Technical Oversight Committee. The following is a description of the responsibilities and objectives for each group.

Executive Committee

The primary objective for the IAM program's Executive Committee is to provide consistent, timely, and meaningful oversight for the Identity and Access Management program. The Executive Committee will identify and champion business process improvement, provide program oversight, and guide the strategy for implementation and rollout. The committee will meet on a monthly basis.

Objectives
- Guide and approve suggested business process changes, and provide strategic direction for their introduction
- Provide direction and approve program policy
- Identify and assist in the resolution of obstacles to the program's strategic objectives
- Provide direction for communication initiatives to stakeholders
- Determine prioritization of IAM program projects and strategic approaches
- Track the status of projects and assist in the mitigation strategy for identified risks
- Monitor ongoing impact, service levels, and service improvements

Guiding Principles
- Promote change and acknowledge areas that need improvement across the University
- Urge the crossing of silos where it will improve business processes
- Encourage broad communication and support among stakeholders
- Be transparent in our processes and decisions
- Use criteria and metrics to evaluate ideas and measure them against desired outcomes
- Accept uncertainty, ambiguity, and lack of absolutes when necessary

Standing Agenda
- Approval of Prior Minutes
- Co-Chairs' Report
- Program Report
- Decisions
- Policy
- Business Process
- Communications
- Areas for Assistance
- General Discussion Topics

Table 2.7.1: IAM Executive Committee

Identity Lifecycle Committee

The mission of the Identity Lifecycle Committee is to work toward improving the end-user experience at Harvard. This will be accomplished by bringing the collective and varied expertise of a representative set of campus business process owners to bear on topics related to the management of identity-related processes and services.

The primary objective of the group is to contribute meaningful recommendations on process improvement and service offerings, as well as to serve as a catalyst for projects across the University that improve onboarding and the lifecycle of user experience through better systems, processes, education, and raising awareness of process and policy.

The group will advise the product and practice management teams of the Identity and Access Management program, including endorsing recommendations to the IAM Executive Committee. The committee will meet on a monthly basis.

Guiding Principles
- Commit to improving the user experience
- Act in the interest of Harvard as a whole
- Openly acknowledge problem areas and promote change when needed
- Work towards eliminating historical silos that may have previously hindered the improvement of processes and systems

Standing Agenda
- Approval of Prior Minutes
- Program Update
- Working Group Updates

Objectives
- Participate in improving the end user experience at Harvard
- Provide a catalyst for projects across the University that measurably improve onboarding and other lifecycle processes
- Recommend IAM service enhancements and new offerings
- Provide a forum for related policy discussion
- Provide input on IAM product strategy
- Serve as a sounding board for new ideas and approaches to providing identity and access m
