Edited by Apryl Motley, CAE - InCommon Communications Lead
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address data and metadata, evaluating IAM solutions, and IAM resources. This is our first column for 2023.
Q: How can data and metadata drive IAM strategy, implementation, or compliance?
A: Aspects of IAM solution integration require planning and design so that you make the most out of your investment. Identity management involves the dissemination of identity data from authoritative “upstream” systems to dependent “downstream” systems, such as from human resources (HR) to workstation/desktop management. It pays off to place an early emphasis on establishing where identity data originates, where it is needed for information processing purposes and decision making, and ultimately where it needs to reside. This identity data could be robust, involving multiple attributes, such as name and date of birth, or it could translate into something lean, such as the simple construction of a user account identifier.
For data to flow between business systems, an IAM solution brokers the exchange of identity data attributes. This brokerage relationship is configured as attribute mappings. A mapping could be straightforward, one-to-one, involving identical attribute labels and a verbatim match of data values. And often a mapping could be far more complex, involving composition of multiple attribute values into one value, computation of new values based on the input of other values, or perhaps transformations of structure or encoding-set.
It’s prudent to plan from where each identity attribute mapping will fetch its dependencies. For example, let’s assume the HR record eventually will contain each employee’s email address, which is computed by a different system like Microsoft Office 365. For its part, Office 365 needs to know a number of attributes that are authoritatively defined in HR. This sort of interdependency is common, and successful system integration occurs with thoughtful design over the flow of each data attribute. By designing for data flow and attribute mapping, you’ll find smoother sailing in your IAM integration projects.
—Jim Lookabaugh, Customer Solutions Engineer, Provision IAM; email@example.com
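The mapping kinds described above (one-to-one, composition, computation, encoding transformation) and the interdependency problem (a downstream attribute that itself feeds another mapping) can be made concrete with a small attribute broker. This is an added example written for this column, not code from Provision IAM or from the author; the system names, attribute labels, mapping rules and the `@example.edu` domain are assumptions for illustration.

```python
"""Added example: a minimal attribute-mapping broker that moves identity data
from an authoritative upstream record (HR) to the attributes a downstream
system needs.  Every system, attribute name and rule here is an assumption."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from graphlib import TopologicalSorter
from typing import Callable


@dataclass
class Mapping:
    target: str                    # attribute produced for the downstream system
    sources: tuple[str, ...]       # attributes this rule depends on (upstream or computed)
    compute: Callable[..., str]    # receives the source values, in order


def ascii_fold(value: str) -> str:
    """Encoding transform: drop accents so 'Zoë Brontë' becomes 'Zoe Bronte'."""
    return unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()


def make_uid(given: str, family: str) -> str:
    """Computed value: first initial + family name, lowercased, ASCII letters/digits only."""
    return re.sub(r"[^a-z0-9]", "", ascii_fold(given[:1] + family).lower())


# One rule per downstream attribute; the comments name the mapping kind.
MAPPINGS = [
    Mapping("employeeId", ("hr_emp_id",), lambda v: v),                         # one-to-one
    Mapping("displayName", ("hr_given", "hr_family"), lambda g, f: f"{g} {f}"),  # composition
    Mapping("uid", ("hr_given", "hr_family"), make_uid),                         # computation
    Mapping("mail", ("uid",), lambda u: f"{u}@example.edu"),                     # depends on a computed attribute
    Mapping("department", ("hr_dept",), lambda d: d.strip().upper()),            # normalization
]


def apply_mappings(record: dict[str, str], mappings: list[Mapping]) -> dict[str, str]:
    """Run the rules in dependency order and return only the downstream attributes."""
    by_target = {m.target: m for m in mappings}
    # Graph: each target depends on its sources, so a rule never runs before
    # the attributes it reads exist (this is what lets 'mail' build on 'uid').
    order = TopologicalSorter({m.target: set(m.sources) for m in mappings}).static_order()
    values = dict(record)
    for name in order:
        if name not in by_target:
            continue  # an upstream attribute, nothing to compute
        rule = by_target[name]
        missing = [s for s in rule.sources if s not in values]
        if missing:
            raise KeyError(f"{rule.target}: upstream attribute(s) {missing} not available")
        values[rule.target] = rule.compute(*(values[s] for s in rule.sources))
    return {m.target: values[m.target] for m in mappings}


if __name__ == "__main__":
    # Constructed HR record, not real data.
    hr = {"hr_emp_id": "100042", "hr_given": "Zoë", "hr_family": "Brontë", "hr_dept": " physics "}
    for attr, value in apply_mappings(hr, MAPPINGS).items():
        print(f"{attr:12} = {value}")
```

The dependency graph is the part worth copying: declaring each rule's inputs up front is what turns "where does this attribute fetch its dependencies?" from a design-document question into something the broker checks on every run, and a missing upstream attribute fails loudly instead of silently producing an empty downstream value.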
Q: How can data and metadata drive IAM strategy, implementation, or compliance?
A: Data and especially its quality is absolutely crucial for any IAM system. IAM can, to some extent, help to improve data quality, thanks primarily to the unified view of the data and its ability to detect inconsistencies. This is a well-known truth and is widely accepted. Metadata, on the other hand, is mostly uncharted territory. Researchers in academia are accustomed to working with metadata in their research, which helps them to work efficiently, thanks to their provenance and other types of metadata.
Our team at Evolveum applied the same principle to identity governance and administration (IGA) to expand the possibilities of processing identity data, in order to manage accounts and access efficiently within the whole infrastructure. This led to the midPrivacy project, which was driven by improving personal privacy within midPoint. The result of this project was a generalized framework for processing identity metadata within standard IGA processes.
In the modern interconnected world, we have to work with multiple sources of identity, resulting in partially overlapping data sets. Metadata helps us to trace provenance and store other valuable attributes about the original data. All this extra information can be used later to automate identity governance processes. Moreover, metadata is especially useful for various policies and compliance in general. Knowing the origin of the data, how it can be processed, its assurance, or the sensitivity level gives you options to fully automate processes that were nearly impossible to automate before.
Likewise, it gives you absolute certainty about compliance because the fully-automated and monitored process eliminates possible human errors. Metadata-related capabilities can be combined with other features like auditing and reporting, giving you even more options and visibility. In summary, considering identity metadata as part of your IAM strategy enables you to surpass the current industry standard in your implementation.
—Igor Farinic, CEO, Evolveum; firstname.lastname@example.org
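To show what "identity metadata" buys you in practice, here is an added example (written for this column; it is not midPoint or Evolveum code) in which every attribute value carries provenance metadata: its origin system, when it was last observed there, an assurance level and a sensitivity level. The source systems, the numeric assurance scale, the sample records and the release policy are all assumptions.

```python
"""Added example: identity attribute values tagged with provenance metadata,
merged across overlapping sources and released to downstream targets only
where policy allows.  Source names, assurance levels, sample data and the
policy table are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Value:
    data: str
    origin: str          # authoritative system that produced the value
    observed: datetime   # when that system last confirmed it
    assurance: int       # higher = more trusted (assumed scale: 1 self-asserted .. 3 HR-verified)
    sensitivity: str     # "public", "internal" or "restricted"


# Constructed sample: one person as seen by HR, the student system and a self-service profile.
SOURCES = {
    "mail": [
        Value("j.doe@example.edu", "hr", datetime(2023, 1, 10), 3, "internal"),
        Value("jdoe@student.example.edu", "sis", datetime(2023, 2, 1), 2, "internal"),
    ],
    "phone": [
        Value("+1 555 0100", "self-service", datetime(2023, 2, 20), 1, "restricted"),
        Value("+1 555 0199", "hr", datetime(2022, 6, 1), 3, "restricted"),
    ],
    "displayName": [
        Value("Jane Doe", "hr", datetime(2023, 1, 10), 3, "public"),
        Value("Jane Doe", "sis", datetime(2023, 2, 1), 3, "public"),
    ],
}

# Assumed processing policy: which sensitivity levels each downstream target may receive.
POLICY = {
    "directory": {"public"},
    "ticketing": {"public", "internal"},
    "payroll": {"public", "internal", "restricted"},
}


def conflicts(sources: dict[str, list[Value]]) -> list[str]:
    """Inconsistency detection: attributes where the sources disagree on the value."""
    return sorted(a for a, vals in sources.items() if len({v.data for v in vals}) > 1)


def merge(candidates: list[Value]) -> Value:
    """Pick the highest-assurance value; on a tie, the most recently observed one."""
    return max(candidates, key=lambda v: (v.assurance, v.observed))


def resolve(sources: dict[str, list[Value]]) -> dict[str, Value]:
    """Unified view: one winning value per attribute, metadata preserved."""
    return {attr: merge(vals) for attr, vals in sources.items()}


def provision(resolved: dict[str, Value], target: str) -> dict[str, str]:
    """Release only attributes whose sensitivity the target is allowed to process."""
    allowed = POLICY[target]
    return {a: v.data for a, v in resolved.items() if v.sensitivity in allowed}


def provenance_report(resolved: dict[str, Value]) -> dict[str, str]:
    """Audit trail: which source won each attribute, and why."""
    return {a: f"{v.origin}@{v.observed:%Y-%m-%d} (assurance {v.assurance})"
            for a, v in resolved.items()}


if __name__ == "__main__":
    view = resolve(SOURCES)
    print("conflicting attributes:", conflicts(SOURCES))
    for target in POLICY:
        print(target, "->", provision(view, target))
    print(provenance_report(view))
```

Two behaviours are the point of the example. Assurance outranks recency, so the older HR phone number beats the newer self-asserted one, and the audit report records that decision rather than leaving it implicit in the merged record. Sensitivity metadata travels with the value, so the release decision for each downstream target is a policy lookup that can be automated and audited instead of a per-integration judgement call.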
Q: What’s a question everyone should ask themselves when evaluating an IAM solution/implementation, and why?
A: Here are some of the questions that Cirrus recommends, as we all asked these questions when we were in roles at higher ed institutions. Do the vendors understand the nuances of IAM needs specific to higher ed and research? Are they a trusted partner? How many similar solutions for our use case have they successfully implemented? Do they have reference customers with similar needs to your organization? Has there been any information about this vendor posted to community lists like the EDUCAUSE IAM list or the InCommon participants list?
Cirrus Identity has grown over time by earning the trust of our customers. We focus our cloud login solutions on challenges faced by higher ed and research. External users like applicants, parents, alumni, continuing ed students, research collaborators, suppliers, contractors, and retirees make identity management in higher ed and research much more complex. Many commercial solutions don’t adequately address these challenges or are cost prohibitive. Cirrus can help you consolidate your SSO, automate workflow, and provide seamless integrations that improve the user experience and reduce expenses.
—Dedra Chamberlin, CEO & Founder, Cirrus Identity; email@example.com
Q: What IAM resource do you find to be particularly valuable?
A: One of the most valuable advantages that an organization can invest in right now is well-curated group information data through technical resources like Grouper. An InCommon Trusted Access Platform software component, Grouper is strategically designed to streamline access within an organization. The magic of this software component lies within its ability to manage and delegate the definitions of groups and roles – not an otherwise easy feat for IT teams within higher ed.
Though many institutions wish they had better systems to work with, figuring out the right approach to group management is a worthy challenge, and the payoff is notable: operational efficiency, improved security, and compliance with policy – amongst other advantages. As we know, groups (vs. individuals) operate differently – they are not absolute. Most institutions have some form of group information available to them. However, what’s typically lacking is the quality of the group information, along with the appropriate level of integration with software applications. I believe there’s infinite room for improvement for the benefit of the organization.
Really good group definitions can also be tricky because the information represents knowledge throughout the institution, at all levels, about organization structure, affiliations, and authorizations. It’s incredibly vast in terms of what it represents, if managed appropriately, and if it’s well coordinated and supported with stakeholders throughout the university. But that vastness and depth is also what makes groups so valuable. And thanks to Baseline Expectations from the InCommon community, high trust and identity standards are expected of participants who utilize metadata through the InCommon Federation, but this also holds group management to a high standard as well.
The impact of high-quality group definitions is huge. If your institution can effectively govern rich, accurate, and accessible information through the groups you create, it enables an extreme level of efficiency and accuracy throughout the entire institution. With open-source Grouper, people can rely on their groups for valuable reporting and authorization, all while reducing a tremendous amount of duplicative work and mitigating the risk of inaccuracy. In turn, this creates a more synergistic and collaborative culture for everyone connecting in digital spaces across campus.
—Netta Caligari, Community Lead, West Arete; firstname.lastname@example.org
If there’s a question you would like for us to address in a future installment of Catalyst to Catalyst, contact InCommon Communications Lead Apryl Motley.