By Apryl Motley, CAE – InCommon Communications Lead
There was no shortage of discussion about various aspects of trust and identity during the 2023 Internet2 Community Exchange (CommEX 23) held in Atlanta, May 8– 12, 2023. Identity and access management (IAM) community members in attendance took full advantage of the opportunity to ask questions, share strategies, and gain insights. Here are four that caught our attention.
1. “Never waste a good crisis,” observed Mandi Witkovsky, director of identity & access management at Purdue University, as she recounted her institution’s identity modernization story. Witkovsky was joined by Justin Commons, Purdue’s manager of identity engineering, in a discussion moderated by Charise Arrowood, executive director of business development at InCommon Catalyst Unicon, as they walked attendees through their identity modernization timeline (pictured below).
Confronted with the multiple challenges of a decades old environment, loss of institutional knowledge, multiple IT reorganizations, and a changing workforce, gaining “street cred” with stakeholders and getting buy-in from leadership were key to a successful IAM modernization. (Download the slides from their session, “IAM Modernization, Hear About Success.”)
2. Build trust. “How can federation members trust each other?” Mike Tartarkovsky, CIO of the National Institute of Allergy and Infectious Diseases at the National Institutes of Health (NIH), posed this question to attendees in light of the ongoing war in cyberspace and the growing threat to research and development as malicious actors seek to disrupt and steal valuable research data.
According to Tartarkovsky, the research and education community’s participation in cybersecurity incident response exercises is key to building trust and protecting valuable research: “Science needs better credentials. Your researchers and students need more robust credentials to use tools at the NIH and at other research organizations. However, credentials aren’t enough. You need to participate in the incident response exercises.” (Learn more about plans for InCommon’s Second Annual Cybersecurity Exercise.)
Tartarkovksy’s co-presenter Jeff Erickson, director of Identity and Access Management Services at NIH, echoed his call for better credentials and provided an update about ongoing efforts to encourage use of federated credentials. For example, In 2021, the electronic Research Administration (eRA) system became the first NIH system to require MFA (with no/low identity assurance) and the first to accept federated MFA or Login.gov.
Today, due in large part to a joint effort led by InCommon and NIH, 350 institutions have implemented MFA using the REFEDS MFA profile for access to eRA. However, Erickson cautioned that there’s still more work to be done. “Encourage federated credential use in your community,” he said. “Don’t wait. Lead now.”
To learn more, check out the slides from “CIO Perspectives on Federated Cybersecurity for NIH Research: A Panel Discussion.”
3. Focus on the future. CommEX 23 provided a welcome opportunity for kicking off the InCommon Steering Committee’s strategic planning project (InCommon Futures2), which will establish a shared strategic direction for the community and Internet2’s Trust and Identity Division for the next five years.
“The time is right to do the next InCommon Futures Report,” Kevin Morooney, Internet2’s vice president of trust and identity and NET+ Programs, told attendees. During his presentation, Morooney offered additional context for the timing of the project, noting the myriad ways the landscape for identity and access management in research and higher education has changed since the last report in 2009.
Morooney’s co-presenter, Marc Wallman, current chair of the InCommon Steering Committee and vice president, Information Technology Division, North Dakota State University, shared his perspective on how he hopes InCommon Futures2 will benefit the community. “Some of what I want for the community is greater participation in InCommon Federation (institutions and vendors), greater uptake of Internet2 Trust and Identity tools, and a lower bar for install and operations of Internet2 Trust and Identity tools,” Wallman said. He also encouraged “participation at some level in the Futures2 process.” (Stay tuned for more information about how you can get involved!)
Want to know more about InCommon Futures2? It was also the topic for our May IAM Online webinar; watch the recording.
4. Plan, prioritize, and play to your strengths. A small group of past participants in InCommon’s Collaboration Success Program were on hand at CommEX to serve as panelists for the “Which Solution? Addressing HE Use Cases” panel moderated by CSP Community Liaison Laura Paglione. CSP alumni from the University of Maryland Baltimore County (UMBC), Northwestern University, and University of Illinois Urbana-Champaign offered their take on scoping and prioritizing IAM projects.
“Better project management and governance are key to scoping and starting on the right foot,” according to UI’s Keith Wessel. “Don’t jump to conclusions and try to make a product fit because it’s a known product.”
“Don’t let perfect be the enemy of the good,” added Wessel’s UI colleague, Beth Vanichtheeranont. “Scoping down to get something started is OK. In addition, advocate for the time to determine the problem and what you want to do about it.”
“Every identity team has strengths and weaknesses,” offered UMBC’s Paul Riddle. “Play to your strengths when evaluating products and services.”
Northwestern’s Phil Tracy concurs. “Make sure you understand where the funding will come from and who you can
hire,” he said. “Know thyself.”
Interested in more content from the 2023 Internet2 Community Exchange? Visit the event website.