Identity and Access Management (IAM) Project

The Identity and Access Management (IAM) project is a multi-year initiative to replace and modernize Tufts’ IAM infrastructure. The main goals include:

  • Provide greater flexibility for administrative and business processes including security/access management and communications.
  • Reduce onboarding and account administration challenges.
  • Increase personal agency around identity data and updates.
  • Design a sustainable solution.

IAM Modernization Updates

(July 2024 Updates)

Discovery Work

We are currently evaluating and implementing solutions to replace outdated or nonexistent technologies for our provisioning, registry, and entitlement management processes.

  • Provisioning: Automating the process of creating, modifying, and deactivating user accounts and access rights.
  • Registry: Maintaining a centralized and accurate record of all identities within the organization.
  • Entitlement Management: Ensuring users have appropriate access to resources based on their roles and affiliations.

Grouper – implementation

This is an open-source solution built by and for higher education institutions. This tool allows us to pull data from many disparate sources and create roles and groupings to which we can assign access and privileges.

We are currently implementing Grouper into our production environment. This will serve as a central engine for providing access to services by creating groupings of individuals to provision discrete privileges.

COmanage

COmanage is another open-source solution built initially to manage federated research access (identities from many different institutions). It has many capabilities in terms of its ability to function as a registry. This would replace our existing Person Registry and potentially our provisioning engines, ATAMS and Populator.

We have been working on a proof-of-concept of COmanage this spring and will be finishing that work mid-summer. Some of the activities included creating plug-ins to provision to LDAP, Grouper, and Active Directory; consuming identity data from the upstream systems SIS, HR, and FIS; creating and managing identity data; and enrolling “guest” or sponsored affiliate accounts.

Cirrus

Cirrus Identity has a suite of products initially developed at Univ of California Berkeley. The solutions deal with making authentication a more seamless process for end-users: using external logins (Facebook, LinkedIn, Google) and providing a proxy for institutions that have multiple authentication services (CAS, Shibboleth, Entra, etc.).

One concept the IAM team is testing is the idea of identity management as the system of record for core identity data. Typically, all identities originate from either HR, FIS, or SIS. However, a person’s identity data (first name, last name, preferred names, email) is not HR- or SIS-specific; it is related to the person, not the persona. We are looking at ways for IAM to be the central storage of core identity data that is then decorated with HR-related or SIS-related information (manager, title, school, program).

We are looking to use Cirrus’ external login capabilities for people to create an initial identity record with the identity registry. Think job applicants or student applicants. If the person is hired or admitted, the identity data would be augmented with the appropriate data from HR, SIS, etc.
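As an added example (not Tufts’ code or any vendor’s) of the core-identity-plus-persona model this section describes: a self-asserted record is created first, as from an external login, then decorated by HR and SIS personas, and group membership is derived only from affiliations that are still active. SOURCE_PRIORITY, the class names and every sample value are assumptions made for the illustration.

```python
"""Added illustration: a core identity record created first (e.g. from an
external login) and later decorated with HR/SIS personas. All values are constructed."""
from dataclasses import dataclass, field

# Precedence when several sources assert the same core attribute (assumption:
# self-asserted data never overrides an authoritative source).
SOURCE_PRIORITY = {"self": 0, "SIS": 1, "HR": 2}

@dataclass
class Persona:
    source: str          # "HR" or "SIS"
    affiliation: str     # e.g. "employee", "student"
    attrs: dict          # source-specific decoration: title, program, ...
    active: bool = True

@dataclass
class Identity:
    identity_id: str
    core: dict = field(default_factory=dict)        # attr -> value
    provenance: dict = field(default_factory=dict)  # attr -> asserting source
    personas: list = field(default_factory=list)

    def assert_core(self, source, **attrs):
        """Merge core attributes; a lower-priority source never overwrites a higher one."""
        for k, v in attrs.items():
            prev = self.provenance.get(k)
            if prev is None or SOURCE_PRIORITY[source] >= SOURCE_PRIORITY[prev]:
                self.core[k] = v
                self.provenance[k] = source

    def end_persona(self, source):
        """Affiliation ended upstream: persona stays for history but grants nothing."""
        for p in self.personas:
            if p.source == source:
                p.active = False

    def groups(self):
        """Entitlement groups derived only from active affiliations (Grouper-style)."""
        return sorted({p.affiliation + "s" for p in self.personas if p.active})

def demo():
    ident = Identity("ID-0001")  # constructed identifier
    ident.assert_core("self", given="Alex", family="Doe", email="alex@example.edu")
    ident.personas.append(Persona("HR", "employee", {"title": "Analyst"}))
    ident.assert_core("HR", family="Doe-Smith")   # HR is authoritative for the surname
    ident.assert_core("self", family="Doe")       # rejected: lower priority than HR
    ident.personas.append(Persona("SIS", "student", {"program": "MS"}))
    ident.end_persona("SIS")                      # graduation: student access revoked
    return ident
```

The provenance map is what makes later reconciliation auditable: every core attribute records which source last asserted it.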

midPoint

midPoint is a commercial product offered for free to higher education. Unicon offers a hosted version of the product. midPoint serves as a registry and provisioning engine.

We have signed the agreements for midPoint and are looking to start a POC later this summer.

SailPoint

SailPoint is a leading identity governance platform that helps organizations manage user access to systems and data, ensuring compliance and security through automated identity lifecycle management and access controls. It provides features like access certification, policy enforcement, and role management to streamline and secure identity governance processes.

We have engaged in numerous conversations and demos with SailPoint, culminating in a facilitator-led exploration of their offering, during which we examined use cases and scenarios that we provided.

Architectural Work

In addition to the pilots and proofs-of-concept, the team has engaged in multiple architectural discussions to design a future state for authentication, provisioning and entitlement management. Key recommendations from those sessions included:

  • Divesting certain services from LDAP (eList, Directory).
  • Migrating our existing LDAP to new, supported infrastructure.
  • Utilizing a central provisioning engine instead of daisy-chaining provisioning activities.
  • Exploring the use of Microsoft CAS hubs to streamline federated authentication management.
  • Considering identity as a system of record rather than merely a consumer of identity data.
  • Conducting a thorough assessment of entitlement management opportunities from all areas of the university.

(Last Updated April 2023)

What are we doing? 

The Identity and Access Management (IAM) project will replace the existing IAM systems for access and appropriately integrate the physical access control systems as an extension of identity. This will include both a new technical platform based on industry best practices and a set of capabilities that can be leveraged to work together with common security services, principles, and methods to enable a comprehensively more secure environment.  The new platform should facilitate a coordinated approach to overall access (building and applications) and simplify, yet enhance, the processes for identity creation and account provisioning, resulting in improved administration efficiencies, access control and risk management, and end-user productivity and experience. 

Why are we doing it now?

The current IAM environment at Tufts lacks the capabilities needed to support the timely provisioning of accounts to new users and the ability to grant access at a more granular level so that users receive only what they need.  The current IAM systems are regularly bypassed because they do not adequately support temporal access for short-term visitors and research collaborators, summer program attendees, as well as new program offerings from University College.  Because the system encompasses many fragmented, manual processes that are cumbersome and constraining, it requires an inordinate amount of staff time that both heightens the potential for mistakes and makes it difficult to provide efficient and timely service.  This environment also precludes us from meeting security requirements for granular access assignment and revocation, as well as disabling and deprovisioning accounts. Similarly, the current identity management system for physical/building access is manual, not integrated with enterprise systems, and requires significant human intervention for regular operation.

Taking an agile approach, we anticipate making incremental improvements over the next couple of years.

What is the impact on Tufts and the community? 

While most of the improvements will be “behind the scenes,” some of the customer-facing impacts will be:

  • Better responsiveness to requests for integrations and reporting.
  • Greater visibility for hiring managers into new hire onboarding progress.
  • Improved onboarding experience for incoming employees and students.