Catalyst to Catalyst (Dec. 2022): Ideas and Insights from InCommon Catalysts
By Apryl Motley - Technical Writer & Communications Lead, Internet2 Trust and Identity/NET+ Service
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we introduced a quarterly Q&A column, Catalyst to Catalyst, that we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address IAM pitfalls to avoid and strategies for staying on course with IAM projects. This is our last column for 2022.
What is one seemingly “far out” trend that you think it’s important for the research and education community to pay more attention to sooner rather than later?
The academic community is excellent at following trends and even creating new ones, thanks to many talented and committed individuals and their open collaboration. Sometimes, one can be overwhelmed by the sheer number of ideas and emerging trends. Experts on the Evolveum team are committed to keeping up with all IAM news and even contributing to pushing the boundaries further. That’s why we are enthusiastic to work together with academia and participate in the evolution of the IAM field as well as helping with the adoption of the state of the art.
One of the trends that we are focusing on now and that we plan to continue monitoring in the New Year is Identity Governance and Administration (IGA). IGA principles have existed for a long time, but they might seem highly advanced and too far to reach in practice. We don’t share this view. In our opinion, IGA is something that can be deployed very early in the IAM projects, and for sure, it should be kept in mind right from the design stage.
IGA will help to bring the complicated technical world of IAM closer to common users. Thanks to it, they will understand everything they can do by themselves within identity management, like managing access rights, requesting roles, or approving such requests. This will empower them to progress in their duties by themselves, which will significantly speed up processes within the organization, especially when you compare it with sending request tickets to an IT department. Moreover, it will save the effort of IT professionals, which can, for sure, be utilized elsewhere more efficiently.
For this reason, Evolveum chose this trend as the one we are following more closely for the upcoming year. We will happily share our results with the community, including additional IGA-related features you can look forward to seeing in new versions of midPoint.
—Igor Farinic, CEO, Evolveum
Significant changes in higher education and IT may require that IAM professionals and service providers radically rethink IAM priorities, services, and architectures. The pressures on higher education are multifarious, but key business drivers fostering change include new academic models (e.g., distance, non-degree, and certificate programs), higher expectations from user populations, shrinking budgets, and market competitiveness. These demands are reflected in a growing trend among executives to prioritize IAM’s potential to improve user experience and support digital transformation over the traditional priorities of cybersecurity and compliance. But beyond this, new academic, business, and user demands require us to rethink IAM architecture and reverse typical approaches that prioritize or start with traditional sources of authoritative identity information, such as student information system (SIS) and HR (i.e., internal IAM) and instead prioritize external IAM or client IAM services.
Typical (i.e., internal) IAM architectures, including InCommon’s Trusted Access Platform architecture and our own MTC IAM architecture, assume that the most critical identity information resides in enterprise resource planning (ERP) before being consumed by IAM tools and processes to create credentials, manage access, and support authentication and authorization. Research organizations, R1 universities, and in fact, most higher education institutions have long recognized that this model doesn’t adequately address the needs of many external, affiliate, or guest identities. The common approach, which prioritizes aggregating and standardizing identity data in the “registry,” largely ignores how identity data actually flows as well as the onboarding experience of our user populations. Today, most prospective students encounter and are entered into institutional applications using a social credential or an external identifier (e.g., personal email address). This is also true of potential employees, parents, alumni, etc. Our users begin as (and will eventually return to being) external identities. Then why don’t our architectures, technology, and processes prioritize services that support external users and manage external identity lifecycles?
—Scott Weyandt, Vice President of Information Security, Moran Technology
It’s time for the next level of integration between IAM systems and enterprise software.
Over the past several years, thanks in large part to the InCommon community’s efforts, we’ve seen software vendors consistently increase their compatibility with university IAM systems. Part of this is in response to the community’s demands, and part of it is because of the consistency that the community has created among its own implementations with initiatives such as InCommon Baseline Expectations.
However, most of the integration with university IAM systems is at the level of authentication, a few fundamental attributes, and very basic authorization and access control. We predict a rise in software companies that heavily lean into attributes and groups so that identity services are not just a means of accessing the application, but a way of providing a much richer set of permissions and experiences within the application itself.
If companies are willing to get really specialized, there’s power at this level of increased customization. The user would be able to leverage all kinds of applications and groups within the higher ed system to better control fine-grained permissions and policies in the software.
Of course, this requires a closer coupling and integration between the application and group attributes, which also emphasizes the need for more standards to help manage those attributing groups. This is relevant to both the R1 universities and smaller schools that may not have a dedicated IAM staff and need guidance on how to make it all work.
Ultimately, this trend of increased customization and specialization within software to support authorization should continue to grow for the benefit of the higher education community. It provides better security for institutions; it makes the software more efficient; and it allows for a richer, more robust application experience across campus for all.
—Scott Woods, CEO, West Arete
If there’s a question you would like for us to address in a future installment of Catalyst to Catalyst, contact InCommon Communications Lead Apryl Motley.