Managing electronic identities online--securely sorting names, privileges, and access rights--is a chronic challenge in information technology, especially as more services become electronic, systems grow more complex, and the need for privacy and security intensifies.
The default response is for each service to manage its own identities, but that's inefficient, breeds redundancy, and requires people who use many services to juggle many passwords. The better method, at large places like UC Davis where countless roles overlap, is to create an identity management system.
At UC Davis, work to install and use that system has begun. The Identity and Access Management (IAM) project, a joint undertaking of the UC Davis Health System and the main campus, has opened its Web site at iam.ucdavis.edu. The project promises to:
- improve online security
- simplify network and online service access
- enable granular authorization levels to applications, which lets users be assigned automatically to the proper level of access
- improve audit capabilities of users--in other words, auditors will be better able to tell how people are using the system
- improve privacy protections.
The co-chairs of the IAM project steering committee are Gary Jellis, manager of network operations for the Health System, and Robert Ono, IT security coordinator for UC Davis. Gaston De Ferrari of Information and Educational Technology is the project manager. Accomplishing the total project is likely to take five years, with improvements starting as soon as 2010.
Between them, the Davis campus and the Health System have more than 400 applications, plus more than 50 "authentication repositories" that store identity information about people who use a system. IAM could deliver significant savings in work and money--valuable qualities anytime, and especially useful during bad budget years.
How it works
IAM is not the same as single sign-on, where users only have to sign in once to gain access to several services. Identity management systems are more comprehensive; they create one place to store identification data, plus a standard process for recognizing and sorting identities, among other features. They can work with or without single sign-on.
Single sign-on is an important feature, however, and the Health System will install an "enterprise single sign-on" (ESSO) process for the many systems it uses, integrated with the IAM project. At the Health System, the average physician has 15 to 30 passwords, and the average staff member has six to nine, so adopting single sign-on should save users significant time. (The main campus already has a single sign-on system available for Web applications.)
With identity management, Ono said in an interview with the IT Times campus tech newsletter in fall 2008, "We're looking to help consolidate information about individuals' electronic identities--who they are, where they work, what roles and responsibilities they have."
"Identity management systems can help gather and place that information in one location," he said. "Applications can then query the central identity management system and determine what the individual, or account holder, can do within the constraints of that application."
At present, several systems manage identity information. "That adds security challenges, because it creates more identity-related systems to protect from unauthorized access," Ono said. But IAM would centralize that task, so people could work more easily across the campus network. A case study involving campus Transportation and Parking Services shows how the process works, before and after an IAM service is installed.
The change would also reduce the need to reconcile conflicting information manually--as happens, for instance, when people misspell names during data entry.
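The arrangement Ono describes, as an added illustration that is not UC Davis or IAM project code: one identity store holds who a person is and which roles they carry, each application queries that store and maps the roles onto its own access levels, and every decision is logged so an auditor can see how the system was used. The identifiers, role names, application names and access levels below are constructed for the example; removing a role in the store changes what every application grants without touching the applications themselves.

```python
"""Constructed model of a central identity store queried by applications.

Not UC Davis or IAM project code: identifiers, roles, application names and
access levels are made up to show the pattern, not any real system's policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Access levels an application may grant, ordered least to most privileged.
LEVEL_ORDER = ["none", "read", "submit", "approve", "admin"]


@dataclass
class Identity:
    """One record in the central identity store (constructed values)."""
    identifier: str                            # stable system-wide id; unlike a typed name it cannot be misspelled
    display_name: str
    roles: set = field(default_factory=set)    # assigned centrally, e.g. {"staff", "approver"}


class IdentityStore:
    """The single place identity data lives. Applications query it; they keep no copies."""

    def __init__(self):
        self._records = {}

    def register(self, identity):
        # A duplicate identifier is the kind of conflict per-application databases
        # accumulate silently; the central store refuses it up front.
        if identity.identifier in self._records:
            raise ValueError("duplicate identifier: " + identity.identifier)
        self._records[identity.identifier] = identity

    def roles_of(self, identifier):
        """Return a copy of the person's roles, or None for an unknown identity."""
        record = self._records.get(identifier)
        return set(record.roles) if record else None

    def revoke_role(self, identifier, role):
        """One change here is seen by every application on its next query."""
        self._records[identifier].roles.discard(role)


class Application:
    """An application that owns only its role-to-level policy, never the identities."""

    def __init__(self, name, store, policy):
        self.name = name
        self.store = store
        self.policy = policy      # role -> level, values drawn from LEVEL_ORDER
        self.audit_log = []       # (utc timestamp, identifier, level) for each decision

    def access_level(self, identifier):
        """Ask the store for roles, map them to this app's levels, record the decision."""
        roles = self.store.roles_of(identifier)
        if roles is None:
            level = "denied"                       # identity unknown to the central store
        else:
            granted = [self.policy[r] for r in roles if r in self.policy]
            # The most privileged level any of the person's roles earns in this app.
            level = max(granted, key=LEVEL_ORDER.index) if granted else "none"
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), identifier, level))
        return level


def build_demo():
    """Constructed store with two people and two applications sharing it."""
    store = IdentityStore()
    store.register(Identity("u1001", "A. Staffer", {"staff"}))
    store.register(Identity("u1002", "B. Approver", {"staff", "approver"}))
    expenses = Application("expense-reports", store, {"staff": "submit", "approver": "approve"})
    records = Application("clinical-records", store, {"clinician": "read"})
    return store, expenses, records


if __name__ == "__main__":
    store, expenses, records = build_demo()
    print(expenses.access_level("u1002"))   # approve
    store.revoke_role("u1002", "approver")
    print(expenses.access_level("u1002"))   # submit
    for entry in expenses.audit_log:
        print(entry)
```

The point of the split is that the expense application never learns a password or stores a name; it holds only a five-line policy, and the audit trail shows which identifier was granted which level and when.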
MyTravel will be the first
In phase 1, the IAM project group will integrate MyTravel, the travel and entertainment expense reporting system used by both UC Davis and the Health System, into the IAM service. Next to be integrated is Epic, the software used by the Health System to manage patient information. All this should be complete by spring 2010.
The Health System will install ESSO because rapid growth has caused a proliferation of new systems that are not designed to work over the Web, each with its own password database. The Sacramento campus awarded a purchase contract in early July.
The IAM group has begun to meet with various technical groups on the Davis campus, and will eventually schedule monthly meetings when individual departments can give the group feedback and information on specific departmental needs.
The IAM project builds on previous work to create an identity management architecture and migration strategy for UC Davis. More information about IAM will be posted in a report created for the 200-45 review process, which will be made available on the Administrative Computing Policy page. Please send questions or comments to De Ferrari at email@example.com.