Who are you? The evolution of identity management at WashU

Submitted by Rob Schmidt, WashU IT Systems Engineer IV


What makes you, you?  Your “identity” can be many things: your social security number (can I say that anymore?), your work email address, your phone number, even your WashU employee ID.  As systems have proliferated over the past 30 years, each system has created its own unique identifier for a user.  Since we log in with that unique “user” name to change information in a system, we also have to have a password.  Next thing you know, you have a list of usernames and passwords for many, many systems.

Hence, the idea of identity management (IdM).  In 2008, a small group of IS&T staff (Jim Johnson, Jason Clevenger, Ken Trammel, and myself) went to an Educause conference, “Bridging Security and Identity Management”, to better understand how other universities were managing the challenge of the many usernames and passwords required to access university systems.  What we learned was that creating one identity to rule them all (spoiler: “WUSTL Key”) to access major university systems was a primary goal for many universities.

Prior to that conference, our university had already been working on identity-related projects.  In 2006, we started replacing SSNs with a different identifier in student systems.

In 2009, the employee ID was replaced with the WUSTL Key for the HRMS login.  With the implementation of WUSTL Key for HRMS, followed shortly thereafter by other major university systems, we now had a common authentication (AuthN) mechanism.  At that time, the product market for Identity and Access Management (IaM) products to manage the “entitlements” or “authorizations” (what you can do in a system) in one place had not yet matured.

Ten years later, these concepts have matured considerably.  Not only are universities implementing a common place to provide IdM, and system entitlements (IaM), but they are also providing Identity Governance and Administration (IGA).  With entitlements for major systems in one place, they can establish profiles across systems, associate risk levels with profiles, and more easily control and monitor the provisioning and deprovisioning of those entitlements.

But, there’s no magic bullet to achieve IGA.  You need a good base to provide these capabilities.  To begin this journey, we implemented the IdM 2.0 project.

On April 21st of this year (over Easter weekend), the IdM team completed the cutover to the Saviynt Security Manager solution.  It was the best kind of implementation: quiet on the surface, with people working together to ensure its success.

The WashU IT Identity Management team managed the IdM 2.0 implementation cutover on Easter weekend.

We now have the Saviynt software integrated with our IdM processes for Active Directory, Office 365, Box, and Duo (WashU 2FA) and managing 279,584 identities and WUSTL Keys.

In addition, we’ve automated the provisioning and deprovisioning of 313 roles that grant access to Active Directory groups.  With this base, our Identity Management (IdM) team has transformed (it was a silent transformation 😉) into the Identity Governance and Administration (IGA) team.
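To make the role-based provisioning and deprovisioning described above concrete, here is an added illustration (not WashU’s or Saviynt’s code) of the reconciliation logic at the heart of it: each identity’s Active Directory group membership is derived from its roles, compared with what the directory currently holds, and turned into add, remove, or review actions.  The role names, group names, and WUSTL Keys are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample role-to-group mapping; not WashU's actual roles or groups.
ROLE_TO_GROUPS = {
    "hr-analyst": {"AD-HRMS-ReadOnly", "AD-Box-HR"},
    "it-sysadmin": {"AD-ServerAdmins", "AD-Duo-Admins"},
    "staff": {"AD-O365-Licensed"},
}


@dataclass(frozen=True)
class Action:
    kind: str   # "add" (provision), "remove" (deprovision), or "review"
    key: str    # WUSTL Key of the identity
    group: str  # Active Directory group affected


def desired_groups(roles):
    """Entitlements an identity should hold, derived only from its roles."""
    groups = set()
    for role in roles:
        groups |= ROLE_TO_GROUPS.get(role, set())
    return groups


def reconcile(identities, current_membership):
    """identities: {wustl_key: set(roles)} from the authoritative source.
    current_membership: {wustl_key: set(groups)} as observed in the directory.
    Returns the actions that bring the directory in line with the roles:
    provision missing groups, deprovision groups no role grants, and flag
    groups held by identities the authoritative source no longer knows."""
    actions = []
    for key, roles in identities.items():
        want = desired_groups(roles)
        have = current_membership.get(key, set())
        actions += [Action("add", key, g) for g in sorted(want - have)]
        actions += [Action("remove", key, g) for g in sorted(have - want)]
    # Orphaned identities: present in the directory but absent from the source of
    # truth. These are flagged for review rather than silently left in place.
    for key in sorted(set(current_membership) - set(identities)):
        actions += [Action("review", key, g) for g in sorted(current_membership[key])]
    return actions
```

Running `reconcile` on a nightly feed of identities and a directory membership snapshot yields exactly the changes (and the exceptions needing a human) that an IGA process would log and act on.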

The FY20 / FY21 goals for the IGA team include:

  • Real-time API integration with Workday on new hires.
  • Modification of data integration points with other systems.  Example: overnight processes that ingest data from HRMS about employees and their job changes.

After that, we’ll begin the process of transferring management of each system’s authorization entitlements to Saviynt.  Stay tuned for more.