UC Davis Information & Educational Technology

UC Davis Identity Management Architecture Overview

Sponsor: Peter M. Siegel, Vice Provost for Information and Educational Technology

Status: An Identity Management Architecture Advisory Workgroup was established on October 2, 2007. The workgroup chair is Debbie Lauriano, Director, Application Development, IET. See the Identity Management Charge Letter (pdf) for more information.

Background

UC Davis has a wide range of IT systems providing services to students, faculty, staff and various campus affiliates. In the absence of an integrated identity management infrastructure, administration of these systems is decentralized, data about the same people is duplicated across multiple systems, and every system that holds its own copy of personal identity data is a separate place where that data can be exposed or fall out of date.

In May 2006, a workgroup was formed to guide the Burton Group, a research and advisory consulting service, as it prepared an identity management architecture and migration strategy for UC Davis. The workgroup report was released in November 2006 (http://security.ucdavis.edu/secureucd/id_mgmnt_report.pdf).

Key Components

The 212-page workgroup report provides detailed recommendations and strategies. Based on the strategy set forth in the report, and in consultation with the campus community, Information and Educational Technology (IET) proposes to initiate a multi-phased project to establish an integrated identity management system for UC Davis. This system will facilitate access to critical institutional data while protecting restricted information from unauthorized access. The key themes are:

  • Improved data integration -- A key goal of the recommended system would be to consolidate and/or synchronize information about people from Banner, PPS and other critical data resources, so that one authoritative record per person feeds the rest of the campus systems.
  • Account creation and management -- The recommended system would automate new account creation; base access to systems and applications on the person's role, responsibilities and related attributes; and enable managers, supervisors or another designated person or group to approve, deny or modify privileges.
  • Federated authentication -- The system would let individuals log on to a wide range of systems and applications using the same authentication credentials (e.g., login ID and password), and would let the campus accept credentials issued by other institutions.
  • Two-factor authentication -- The proposed system would require a second factor beyond the password for critical online applications and electronic resources, so that a stolen password alone is not enough to reach them.

Benefits of a UC Davis Identity Management System

  • Business systems can tap into a single data source.
  • The amount of data duplicated across multiple systems could be reduced.
  • Security risks are lessened: fewer copies of personal identity data means fewer systems to protect, and two-factor authentication adds a layer of security to critical applications and resources.
  • Accounts can be centrally created and deleted.
  • Access to systems and applications can be granted or denied based on the person's role, responsibilities and related attributes when the account is created. Similarly, access to all systems and applications will be revoked in one step when the individual's account is deleted, rather than system by system.
  • Manual data management processes are minimized.
  • Access to resources may be granted to individuals from other campuses through federated authentication.
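The account-management theme and the benefits above describe one lifecycle: a person's roles are held in a single store, entitlements are derived from those roles (some only after an approver confirms them), and deleting the person revokes access everywhere at once. The following toy model is an added example written for this page, not code from UC Davis or the Burton Group report; the role names, entitlement names and approval policy are assumptions for illustration, and real target systems would be driven through provisioning connectors rather than in-memory sets.

```python
from dataclasses import dataclass, field

# Assumed policy for illustration: which entitlements each campus role
# derives, and which of those need an approver's explicit confirmation first.
ROLE_ENTITLEMENTS = {
    "student": {"email", "lms"},
    "staff":   {"email", "hr_portal"},
    "faculty": {"email", "lms", "grade_entry"},
}
REQUIRES_APPROVAL = {"grade_entry", "hr_portal"}


@dataclass
class Person:
    person_id: str
    roles: set
    approved: set = field(default_factory=set)  # entitlements an approver confirmed
    active: bool = True


class IdentityStore:
    """Single authoritative record per person. Downstream systems are told
    who is provisioned; they never keep their own copy of the person."""

    def __init__(self):
        self.people = {}        # person_id -> Person
        self.provisioned = {}   # entitlement (target system) -> set of person_ids
        for ents in ROLE_ENTITLEMENTS.values():
            for ent in ents:
                self.provisioned.setdefault(ent, set())

    def effective_entitlements(self, person):
        """Entitlements derived from the person's current roles only. An
        approval that outlives the role that justified it grants nothing."""
        if not person.active:
            return set()
        derived = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in person.roles))
        return {e for e in derived if e not in REQUIRES_APPROVAL or e in person.approved}

    def sync(self):
        """Recompute every target system's membership from the store. Anything
        not derivable now is revoked, so no orphaned access survives a change."""
        for ent in self.provisioned:
            self.provisioned[ent] = {
                p.person_id for p in self.people.values()
                if ent in self.effective_entitlements(p)
            }

    def create(self, person_id, roles):          # joiner
        self.people[person_id] = Person(person_id, set(roles))
        self.sync()

    def approve(self, person_id, entitlement):   # manager or designee approval
        self.people[person_id].approved.add(entitlement)
        self.sync()

    def change_roles(self, person_id, roles):    # mover
        self.people[person_id].roles = set(roles)
        self.sync()

    def delete(self, person_id):                 # leaver
        # Deactivate rather than erase so audit history survives; sync then
        # removes the person from every connected system in one step.
        self.people[person_id].active = False
        self.sync()

    def has_access(self, person_id, entitlement):
        return person_id in self.provisioned.get(entitlement, set())


if __name__ == "__main__":
    store = IdentityStore()
    store.create("p1", ["faculty"])          # email and lms granted; grade_entry waits
    store.approve("p1", "grade_entry")       # approver confirms the sensitive entitlement
    store.change_roles("p1", ["staff"])      # grade_entry and lms revoked automatically
    store.delete("p1")                       # every remaining entitlement revoked
    print({ent: sorted(ids) for ent, ids in store.provisioned.items()})
```

The point to notice is that `sync` never adds or removes a single entitlement by hand: it recomputes every system's membership from the store, so a role change or deletion in the central record is the only action needed to close access everywhere, and an approval cannot survive the role that justified it.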

Timeline and Cost

  • The implementation of an identity management infrastructure represents a commitment of time and resources from IET and campus constituents over about 3–3½ years.
  • Costs of hardware, software and external services are estimated at $2.6M. Estimated internal resource costs are approximately $0.5M. Funding to implement the identity management architecture has not yet been determined.

Points for Consideration

  • Support for the development of an integrated identity management system for UC Davis
  • Acknowledgement of the value of the campus benefits afforded by an integrated identity management system for UC Davis
  • The Technology Infrastructure Forum reviewed the proposed identity management architecture and indicated that implementation of the architecture is the most important information technology project for UC Davis.
  • Comments may be sent to Bob Ono at raono@ucdavis.edu.

See http://security.ucdavis.edu/id_mgmnt.cfm for more information.
