A new plan for identity and access management
By Emily Rushton
The University of Utah employs a lot of people – people who need access to hospital, campus, and research systems – but ensuring that employees have the correct access assigned to them is easier said than done.
That’s why Subhasish Mitra, senior program manager for the Information Security Office (ISO), is working hard to clarify that process. He’s leading the U’s Identity and Access Management (IAM) program, which will focus on the life cycle management of students, faculty, and staff at the University – including authentication, authorization, and privileged access across various University systems. It’s as complicated as it sounds.
“There is a whole lot of complexity in how we identify you,” said Mitra. “It’s all about knowing who gets what kind of access.”
Ideally, an abstract of a person’s data is pulled, and based on his or her relationship to the U, identity attributes and access will be added – things like UMail accounts, ability to register for classes, privileges to access certain hospital or research systems, and so on. And if a person’s relationship to the U is terminated at any point, it should be easy to quickly identify what access needs to be removed, and do so in a timely manner.
To implement a better, more robust IAM program, Mitra and his team have identified key issues to address in the program's current state. For example, basic account provisioning is executed by a system that is 10 years old. The system that the hospital uses is nearly as outdated.
“From a maturity standpoint, we do certain things really well, and we do certain things badly,” said Mitra.
The long-term goals of the new IAM program include: providing a common set of processes and tools that will facilitate end-to-end life cycle management of user access; creating termination checklists; enabling ISO to conduct formal, periodic user access reviews; centralizing the repositories of identity data to a single location; and defining the access roles of students, faculty, and staff.
“The goals are very straightforward,” said Mitra. “All the relationships that get formed with the institution – whether campus, hospital, or health sciences – should have streamlined, on-time access to the system. And if they depart, their access should be removed in a timely manner.”
The program is still in the early development phase, but with Mitra’s 10 years of IAM experience and support from both the hospital and campus, he’s confident that the program can succeed.
“Collaboration and execution of leadership commitment is key,” he said.