IAM Program Plan - Harvard University


Identity and Access Management Program Plan
January 28, 2014

IAM Program Plan - Effective Date: January 28, 2014

Revisions
- Initial version (IAM Team). Document Section (Sec. #) and (Pg. #): (blank). Description of Revision: (blank).

IAM Program Plan - January 28, 2014 - Page 2 of 43

Table of Contents
Revisions Table ... 2
1.0 Program Plan Objectives ... 4
1.1 Document Purpose ... 4
2.0 Program Overview ... 4
2.1 What is Identity and Access Management? ... 4
2.2 Why is Identity and Access Management a Strategic Initiative? ... 5
2.3 What are the Tenets of a Successful Identity and Access Management Program? ... 5
2.4 What is the Vision of the Identity and Access Management Program for Harvard? ... 7
2.5 What External Factors Influence the Success of the Identity and Access Management Program? ... 9
2.6 What Organizational Structure is required to Support the Program? ... 9
2.7 What is the Governance Structure for the Identity and Access Management Program? ... 11
3.0 Program Approach ... 13
3.1 Program Implementation Framework ... 13
4.0 Program Implementation and Delivery ... 16
4.1 Simplify the User Experience ... 16
4.2 Enable Research and Collaboration ... 25
4.3 Protect University Resources ... 31
4.4 Facilitate Technology Innovation ... 35
5.0 Program Communication ... 39
6.0 Benefits to the University ... 40
7.0 Appendix ... 41
Appendix A - Glossary ... 41
Appendix B - IAM Program Accomplishments to Date ... 43
Appendix C - IAM Program Timeline ... 43

1.0 Program Plan Objectives

1.1 Document Purpose
The purpose of this plan is to provide a comprehensive overview of all facets of the Identity and Access Management (IAM) Program with a three-year horizon. This plan provides an executive-level overview of the IAM Program, inclusive of the program goals, program structure, planning approach and overall implementation roadmap.
The IAM Program Team will review this plan on a quarterly basis. The status of the projects described by this document will be presented to Senior Leadership and Program Stakeholders by means of an Executive Dashboard on a monthly basis.

2.0 Program Overview

2.1 What is Identity and Access Management?
Identity and Access Management is a set of business processes and supporting technologies that enable the creation, maintenance, and use of a digital identity. As such, the impact of Identity and Access Management on Harvard's user community, application portfolio, and information resources is extensive. The IAM Program and Services are responsible for the management of faculty, administration, and student information, for access to Harvard applications and information, and for the distribution of such information externally. For a list of terms that are helpful for understanding the Program Plan, please refer to Appendix A.

2.2 Why is Identity and Access Management a Strategic Initiative?
The first impression of IT held by any Harvard student, faculty member, researcher, or administrative staff member is formed from their experience at the login screen. Today, the implementation of Identity and Access Management at Harvard is maddeningly redundant and complex. The impact of such distributed complexity includes:
- Lost User Productivity - Reduced productivity results as users wait for their new accounts to be created. Delays in the ability of a user to access resources result when manual, paper-based workflows and approvals cannot be streamlined or easily orchestrated. There can be a lengthy wait time for users to get access to the resources they need and have the right to access.
- Poor User Experience - The issuance and management of multiple user accounts and passwords to support access to different applications and resources across the University results in user confusion and frustration.
- Limited Information Sharing Across Applications - The applications are unable to share information that they could share, such as contact information, files and common data for calendaring and other common functions.
- Unnecessary Administrative Overhead - The high volume of calls to the IT help desk to address basic account or application management functions, like password management, creates an unnecessary burden on support staff.
- Reduced Security Stature - The inability to streamline the de-provisioning of users or to manage user access privileges to applications and resources exposes the University to the risk of unauthorized access and audit compliance issues.
The reach of these problems and their associated impact is vast, such that School IT leadership across the University has become united in its concern.
Because IAM affects all of the University's people, resources and systems, the reputation of Harvard University IT is stigmatized as a direct result of the limitations of the current IAM solution set.

2.3 What are the Tenets of a Successful Identity and Access Management Program?
The IAM Program originated from the need to eliminate perceived complexities surrounding identities. Above all, the IAM Program activities and deliverables will focus on achieving this fundamental objective. Additionally, the IAM Program is designed to improve the core competencies of the University, particularly in the realms of research and learning. The founding IAM Program guiding tenets are described below:

Tenet #1 - Identity and Access Management Impacts Everyone and Everything
If implemented correctly, Identity and Access Management should be simple and intuitive to an end user. Nevertheless, its importance should not be underrated. IAM is a core technical service that exists to ensure that only verified people access online resources and knowledge assets of the University, via managed permissions. Without IAM, the people at the University could not easily access, provide access to, or share information.
In the ideal state, IAM enables new applications and services to be brought up quickly, provides necessary user information to the applications so they can properly function, and allows users to partake in the new service with minimal effort. The identity stores central to IAM hold critical information about the identities and attributes of the University's internal and external user community. In addition to enabling account creation and application access decisions, this identity asset can be data mined by the University and leveraged to enable efforts that range from supporting business intelligence initiatives to mitigating information security risks to streamlining alumni fundraising by providing a continuous identity for a user despite affiliation changes.

Tenet #2 - Identity and Access Management Simplifies the User Experience
Identity and Access Management will reduce complexity for end users, application owners, and people administrators. IAM will streamline identity and account creation for end users through the elimination of paper-based, manual processes.
It will enable the end user to have insight into and control over their accounts through self-service account management, placing the control of basic requests, like user name creation, password changes and access requests, into the hands of the user and off the shoulders of a help desk.
IAM will allow a user to select the credential of their choice for access needs and will reduce the burden of remembering credentials that span the systems they use to work, study, or collaborate. IAM will enable productivity by means of quick provisioning, granting users access to protected systems, resources, and physical locations with little to no intervention by administrative staff.

Tenet #3 - Identity and Access Management Enables Research and Collaboration
Identity and Access Management will facilitate collaboration. It will break down the barriers to access for the end users and open up the ability to share information and work safely together across School and institutional boundaries. IAM will demand the implementation of standards, and will leverage these standards to federate decision making with external systems. Through the use of authentication standards set forth by InCommon, IAM lays the groundwork to carefully share identity information about users that enables access to resources that can't currently be viewed through any other means. It will provide the University with a competitive advantage over institutions that can't offer the same level of ease and expediency, enticing students and faculty to come to or stay at the University to study and perform research.

Tenet #4 - Identity and Access Management Protects University Resources
Identity and Access Management is a vital information safeguard. It exists to protect sensitive data and information from the ever-evolving landscape of security threats.
Properly implemented, IAM solutions help enable proactive security risk identification and mitigation, allowing the University to identify policy violations or remove inappropriate access privileges without having to waste time and effort searching across disparate systems. IAM will allow the University to easily assert that proper controls and measures are in place that meet audit and regulatory requirements.

Tenet #5 - Identity and Access Management Facilitates Technology Innovation
Identity and Access Management increases the agility of application development and deployment; it eliminates the need for application developers to reinvent and duplicate potentially vulnerable authentication systems. IAM also eliminates the need for application owners to manage such duplicate systems. IAM helps weather the storm of disruptive innovation; it positions the University to quickly and securely implement or integrate with cloud platforms and services.
IAM enables key technology initiatives; it is a key precursor to the successful implementation of new University initiatives. The Student Information System, the next generation Unified Communications System and the Learning Management Ecosystem rely on sound IAM process reengineering, design, and implementation to extend improved services to the end-user community.

2.4 What is the Vision of the Identity and Access Management Program for Harvard?
Simply stated, the vision of the IAM Program is to:
“Provide secure access to applications that is easy for the user, application owner, and IT administrative staff with solutions that require fewer login credentials, enable collaboration across Harvard and beyond, and improve security and auditing.”
The IAM Program will be implemented to meet the vision in accordance with the previously defined tenets. Additionally, heightened emphasis will be placed upon an additional set of guiding principles for the program.
These include:
- Harvard Community needs will drive how the technology supports the Identity and Access Program
- Tactical project planning will remain aligned with the Program strategic objectives
- Solution design will allow for other Schools to use the foundational services to communicate with the IAM system in a consistent, federated fashion
- Communication and socialization of the program are critical to its success

IAM Program Vision
Provide secure access to applications that is easy for the user, application owner, and IT administrative staff with solutions that require fewer login credentials, enable collaboration across Harvard and beyond, and improve security and auditing.

Strategic Objectives
1. Simplify the User Experience - “To simplify and improve user access to applications and information inside and outside of the University.”
2. Enable Research and Collaboration - “Simplify the ability for faculty, staff, and students to perform research and collaboration within the University and with colleagues from other institutions.”
3. Protect University Resources - “Improve the security stature of the University with a standard approach.”
4. Facilitate Technology Innovation - “Establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies.”

Guiding Principles
- Harvard Community needs will drive the technology supporting the Identity and Access Management Program
- Tactical project planning will remain aligned with the Program strategic objectives
- Solution design should allow for other Schools to use the foundational services to communicate with the IAM system in a consistent, federated fashion
- Communication and socialization of the program are critical to its success

Key Performance Indicators
- The number of help desk requests that relate to account management per month.
- The number of registered production applications that use the IAM system per month.
- The number of user logins and access requests through the IAM system per month.
- The number of production systems that the IAM system provisions to per month.
Table 2.4.1 – IAM Program Vision table

2.5 What External Factors Influence the Success of the Identity and Access Management Program?
The definition of a critical success factor is an external area of influence that has significant impact upon program scope and delivery. In order for the Identity and Access Management Program to meet the program goals, the following critical success factors must be closely managed:
Critical Success Factor / Description
- Executive Sponsorship: Engage proactively with key stakeholders to maintain program support and make key decisions.
- Resource Planning: Recruit qualified staff according to project timelines.
- Budget Planning: Retain and maintain the ability to spend at budgeted funding levels over the course of FY14 - FY17.
- School Partnership and Participation: Form strong relationships with, and understanding of, the users within the School community.
- Transition Planning: Garner support for Cloud Infrastructure and ITSM Transition Processes.
Table 2.5.1 – Critical Success Factors for the IAM Program

2.6 What Organizational Structure is required to Support the Program?
IAM Organizational Overview
Under the direction of the IAM Program Director, the IAM Program is organized into four distinct teams: Strategy and Planning, Product, Technical, and Architecture. A summary of each team, its associated management and its overall functional responsibilities is listed below:

Strategy and Planning Team - (E. Bradshaw)
The IAM Strategy and Planning team is responsible for providing communication, strategic planning, and outreach across Schools, HUIT, and the IAM Program itself. Staff will be added to assist in the development of the focus areas listed below:
- Program Plan Creation
- Community Planning and Outreach
- Cloud Infrastructure Planning
- Communications
- IAM Human Resources
- IAM Finance

Product Team - (J. Hill)
The IAM Product team provides functional and product support, including business process evaluation, service definition, and the development of IAM as a series of supportable products. Staff will be added to assist in the development of the focus areas listed below:
- Business Analysis
- Service Definition
- Product Management
- Solution Support Services
- Quality Assurance

Technical Team - (M. Bjorkman)
The IAM Technical Team implements, tests, and releases the IAM solution set. Staff will be added to assist in the development of the focus areas listed below:
- Project Planning
- Identity Management
- Access Management
- Identity Repositories
- Practice Management
- Systems Integration

Architecture Team - (S. Bradner, M. Erdos)
The IAM Architecture Team provides subject matter expertise, best practices and patterns for implementation, technical problem resolution approaches, and strategic direction recommendations. Responsibilities include:
- IAM Policy Creation
- IAM Solution Architecture and Design
- University IAM Standards

2.7 What is the Governance Structure for the Identity and Access Management Program?
The IAM Program is split into three individual governing committees: the IAM Executive Committee, Lifecycle Advisory Group, and Technical Oversight Committee. The following is a description of the responsibilities and objectives for each group:

IAM Executive Committee
The primary objective for the IAM Program Executive Committee is to provide consistent, timely and meaningful oversight for the Identity and Access Management Program. The IAM Program Executive Committee will identify and champion business process improvement, provide program oversight, and guide the strategy for the implementation and roll out. The Committee will meet on a monthly basis.
Objectives
- Guide and approve suggested business process changes and provide strategic direction for their introduction
- Provide direction and approve program policy
- Identify and assist in the resolution of obstacles to the program strategic objectives
- Provide direction for communications to stakeholders
- Determine prioritization of IAM Program projects and strategic approaches
- Track status of projects and assist in the mitigation strategy for identified risks
- Monitor ongoing impact, service levels, and service improvements
Guiding Principles
- Promote change and acknowledge areas that need improvement across the University
- Urge the crossing of silos where it would improve business processes
- Encourage broad communication and support among stakeholders
- Be transparent in our processes and decisions
- Use criteria and metrics to evaluate ideas and measure them against desired outcomes
- Accept uncertainty, ambiguity, and lack of absolutes when necessary
Standing Agenda
- Approval of Prior Minutes
- Co-Chairs Report
- Program Report
- Decisions: Policy, Business Process, Communications
- Areas for Assistance
- General Discussion Topics
Table 2.7.1 – IAM Executive Committee table

IAM Identity Lifecycle Committee
The mission of the IAM Identity Lifecycle Committee is to work towards improving the end-user experience at Harvard. This will be accomplished by bringing the collective and varied expertise of a representative set of campus business process owners to bear on topics related to the management of identity related processes and services.
The primary objective of the group is to contribute meaningful recommendations on process improvement and service offerings, and to serve as a catalyst for projects across the University that will improve onboarding and the lifecycle of user experience through better systems, processes, education and raising awareness of process and policy.
The group will advise the product and practice management team of the Identity and Access Management Program, including endorsing recommendations to the IAM Executive Committee. The Committee will meet on a monthly basis.
Objectives
- Participate in improving the end-user experience at Harvard
- Provide a catalyst for projects across the University that will measurably improve onboarding and other lifecycle processes
- Recommend IAM service enhancements and new offerings
- Provide forum for related policy discussion
- Provide input on the IAM product strategy
- Serve as a sounding board for new ideas and approaches to providing identity and access management services
- Assist with quantifying the impact of proposed process changes and recommending implementation approach
Guiding Principles
- Commit to improving the user experience
- Act in the interest of Harvard as a whole
- Openly acknowledge problem areas and promote change when needed
- Work towards eliminating the historical silos that may have previously hindered the improvement of processes and systems
- Encourage broad communication and offer direct support as a stakeholder
- Operate with transparency around process and decision making
- Use criteria and metrics to evaluate ideas and measure them against desired outcomes
- Accept uncertainty, ambiguity, and absence of absolutes when necessary
Standing Agenda
- Approval of Prior Minutes
- Chairs Report
- Program Update
- Requirements Discussion
- Working Group Updates
- General Discussion Topics
Table 2.7.2 – IAM Identity Lifecycle Committee table

IAM Technical Oversight Committee
The primary objective for the IAM Technical Oversight Committee is to provide consistent, timely and meaningful review of proposals of architecture and standards for the Identity and Access Management Program. The IAM Technical Oversight Committee will identify the need for technical solutions, architecture, and standards. When those have been developed, it will provide feedback as well as a recommendation for adoption to the IAM Executive Committee. The Committee will meet on a monthly basis.
Objectives
- Guide and approve recommendations to the IAM Executive Committee for architectures and standards
- Identify the need for technical solutions, architectures and standards
- Recommend the set of resources outside the IAM Program Team to be involved in drafting architectures and standards
- Coordinate around technical change management to ensure change will be included in local planning
Guiding Principles
- Promote change and acknowledge areas that need improvement to improve the University
- Urge the crossing of silos where it would improve business processes
- Encourage broad communication and support among stakeholders
- Be transparent in our processes and decisions
- Use criteria and metrics to evaluate ideas and measure them against desired outcomes
- Accept uncertainty, ambiguity, and lack of absolutes when necessary
Standing Agenda
- Approval of Prior Minutes
- Chairs Report
- Architecture
- Standards
- Working Group Updates
- Proposal Review and Recommendations to Approve
- General Discussion Topics
Table 2.7.3 – IAM Technical Oversight Committee table

3.0 Program Approach

3.1 Program Implementation Framework
“Top-Down” Planning
In order for the IAM Program to successfully meet its objectives, the team will follow a “top-down” approach to delivery. The Program Plan will serve as the governing document for the team and all activities will be planned and managed in accordance with it. All releases within the team will tie back to the IAM Program's strategic objectives and each strategic objective will be measurable. The development and delivery of IAM functionality will be iterative in nature, following Agile processes, and be based on evolving user requirements and stories. The scope of releases will be adjusted based upon changing requirements and the evolving status of critical success factors.
Project Tracks
The IAM Program will be broken down into eleven project tracks and tracked on a per-project basis. A project manager will be assigned to each project track and will be responsible for developing a project plan to govern the work activities and for reporting weekly status. The eleven projects are identified and summarized below:

Project / Project Description
- SailPoint: The SailPoint Project introduces improved user processes for account management. The team will replace an outdated solution with a new, feature-rich solution that can be expanded for local use by interested Schools across the University.
- Federation: The Federation Project enables Harvard users, users at Harvard-affiliated institutions and non-Harvard users to collaborate and easily gain access to applications and resources, internal and external to the University.
- Directory Services: The Directory Services Project reduces the number of systems of record for user information, while expanding the data model and user attributes stored within the central IAM identity repository. This will allow quick, consistent and appropriate access across LDAP, Active Directory (AD) and web authentication protocols.
- App Portal: The App Portal Project enables the Harvard Application Owner community to learn about and easily integrate applications and software services with central IAM Services.
- One Way Federation: The One Way Federation Project consists of a series of authentication releases and School onboarding efforts that provide Harvard users with the flexibility to access applications with a credential of their choice.
- Identity and Access Governance: The Identity and Access Governance Project will deliver visibility into the IAM Program metrics, new user certification processes and audit reporting. It will evolve to encompass business intelligence and identity analytics to support risk management and strategic decision-making.
- Authentication Enhancements: The Authentication Enhancements Project provides users with a simplified login experience as well as enhanced security options for sensitive data and applications.
- Authorization Enhancements: The Authorization Enhancements Project provides application owners and administrators with the ability to manage users via groups for access as well as the ability to manage authorization rules for access to an application or software service.
- External Directories: The External Directories Project securely exposes user identity information inside and outside of the University.
- Expanded Provisioning: The Expanded Provisioning Project enables identity creation, authentication, and account provisioning for non-person objects.
- Cloud Migrations: The Cloud Migration Project provides the University with a cloud reference architecture for Harvard application deployments and includes the migration of IAM Services from on-premise hosting to Amazon Web Services.
Table 3.1.1 – Project Tracks table

Pilot Implementations
One of the core beliefs of the IAM Program is to experiment and continuously refine our solutions based on lessons learned. A key way that the IAM Program will demonstrate this commitment to responsible experimentation is through controlled pilots, within the team and with willing participants. Quickly developing functionality and testing the functionality with real users and applications is a way to improve our solutions prior to production deployment. These pilots demonstrate the value of our services early in the delivery lifecycle, and mitigate the risk of failing to meet our user requirements.
The table below represents the pilot implementations that are currently under consideration by the IAM Program. Many of the pilots will require significant participation from interested Schools:
Proposed Pilots / Description
- One Way Federation: Collaborate with Harvard Business School to enable one-way federation with the Harvard Business School authentication system.
- Local Provisioning: Assist Harvard Medical School with onboarding to SailPoint: Pilot
