Identity and Access Management Program

Identity and Access Management (IAM) is the security discipline that enables individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across heterogeneous technology environments and to meet increasingly rigorous compliance requirements. The goal of this program is to implement an IAM platform that addresses the needs of the University of Utah, Healthcare, and clinics for managing identity and access for internal and external users.


Program Goals & Objectives

  • Automate processes that enable positive identification and authorization for all access requests to business data and technology services.
  • Integrate, consolidate, and simplify the IAM infrastructure into one architectural framework.
  • Enable students, faculty, community partners, and the public to access information securely.

Program Scope

Justification

The IAM program addresses multiple key business needs and ensures compliance with regulatory requirements. This program is critical for the following reasons:

  • Reduced complexity in the provisioning/de-provisioning process
  • Strict ownership of data
  • One person, one identity
  • Administrative review and restructuring
  • Confirmed assurance levels
  • Federation
  • Compliance with the following regulations and standards:
    • Family Educational Rights and Privacy Act (FERPA)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Payment Card Industry Data Security Standard (PCI DSS)
    • InCommon
    • U.S. National Institute of Standards and Technology (NIST)
  • Risk reduction

Deliverables

The IAM program determines business requirements and defines a strategic roadmap that incorporates the following:

  • Identity lifecycle management – Includes management of identity creation, identity provisioning and de-provisioning, identity change processes, attribute maps, and authentication (e.g. password policies and synchronization) for risk-based critical applications, covering not only end-user accounts but also generic accounts and system/service accounts.
  • Role mining and role management – Adapt and deliver a framework for the management of groups of identities by roles, which are typically based on attributes or business rules.
  • Authentication – The process of verifying that a user (or system) is who they claim to be. This includes single sign-on, multi-factor authentication, Integrated Windows Authentication (IWA), password management, and identity proofing.
  • Federation – The use of trusted connections that allow authorized users, such as non-system affiliates, to access University resources, delivering a single sign-on experience for cloud-hosted applications, research collaboration, etc.
  • Authorization – The process of determining whether a user is permitted to access a particular resource. Includes role-based authorization, re-certification processes, and exception requests.
  • Access auditing and compliance control – Automated compliance processes for reviewing current user access, including the ability to revoke access that is no longer required.
  • Identity business intelligence – The ability to provide real-time and historical reports regarding identity-related data and activities. The goal is to provide answers to critical questions about access, improve the ability to respond to auditing inquiries, provide information regarding identity regulatory compliance, answer daily security operation questions, and provide other information regarding identities associated with the University.

High-Level Milestones

  • FY15
    • Start of program (July 2014)
    • Established governance committee (November 2014)
    • Established IAM program goals and objectives (February 2015)
    • Current state analysis (April 2015)
  • FY16
    • IAM platform (August 2015)
    • User data type and lifecycle rule definition (October 2015)
    • Termination business process definition (February 2016)
    • Access reviews for high risk apps (April 2016)
  • FY17
    • Onboarding apps for access reviews (July 2016)
    • Transition from legacy systems (November 2016)
    • Operational support (February 2017)
    • Operationalize identity governance tool (May 2017)
  • FY18
    • Dashboard KPIs and data mining services (August 2017)
    • Monitoring and alert services (November 2017)
    • Program review (March 2018)

Governance

The IAM Program Steering Committee governs the program.

The committee fulfills the following responsibilities:

  • Participate in program decision-making, including the review and approval of program changes
  • Review progress and provide guidance to aid the program team in achieving objectives

Out of Scope

The IAM program will not include the following:

  • Changing the format of the University ID Number (uNID)
  • Reconciliation of duplicate accounts

Program Sponsors

  • University Information Technology (UIT)
  • Information Technology Services (ITS)

Program Lead

Subhasish Mitra
Associate Director - IAM, Information Security Office
801-213-3309

Last Updated: 8/16/16