CAMP: Bridging Security and Identity Management

Detailed Program Information

Registration Desk

Session Details

Thursday, February 14, 2008
7:30 a.m. - 5:00 p.m.
Palm Ballroom Foyer

Breakfast

Session Details

Thursday, February 14, 2008
7:30 a.m. - 8:30 a.m.
Break Station East

Authorization Strategies Panel: Leading an Effort to Define Roles

Session Details

Thursday, February 14, 2008
8:30 a.m. - 10:00 a.m.
Palm F

Session Type: Management Track

Speaker(s)

  • Deborah M. Meder, Assistant Controller, The Pennsylvania State University
  • Renee Shuey, Principal Lead of Identity and Access Management Initiative, The Pennsylvania State University
  • Joel L. Weidner, Director, Info Systems, The Pennsylvania State University

Abstract

A step up from using groups, role-based access control enables privileges to be assigned to institutional roles assigned to individuals. Even though this is the brass ring of access control, leading an initiative to define the policy and process guiding this infrastructure is daunting. Questions arise, such as who should be represented in the roles system? You may find you have more than one organizational chart, so which one do you use? Who should decide the roles structure and make the policy decisions? For which resources will you be assigning privileges? And will you list all the roles and their access rights or have the supervisors/area managers assign rights given a set of boundaries? The outcome of the former could be a list of exceptions, and the outcome of the latter could be a pattern that leads to a set of defaults, clustering around the distinct roles. But there is no one way. This panel will explore this complex issue and provide a number of perspectives on how to plan for such an effort.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/AuthorizationStrategiesPa/46296

Authorization Strategies Panel: Provisioning, Deprovisioning, and Related Methodologies

Session Details

Thursday, February 14, 2008
8:30 a.m. - 10:00 a.m.
Palm A/D

Session Type: Technical Track

Speaker(s)

Abstract

Provisioning access is an IAM function, and deprovisioning that access is a security objective. How might these combined objectives be met with common process, and what sorts of access should be managed by it? Data, applications, networked services, and physical facilities all have particular provisioning and deprovisioning needs. Campus cards, for instance, mitigate risk only when the access information associated with them is current. When a card's rights get out of sync with its bearer's status, the card itself becomes a risk. Addressing this issue, given all the authorization and access points, can be a challenge unless they are tied into the enterprise identity management system.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/AuthorizationStrategiesPa/46240

Break

Session Details

Thursday, February 14, 2008
10:00 a.m. - 10:15 a.m.
Break Station East

Appropriate Access: Privacy Requirements, Regulation, and Working with Auditors

Session Details

Thursday, February 14, 2008
10:15 a.m. - 11:30 a.m.
Palm F

Session Type: Management Track

Speaker(s)

  • Karl Heins, Chief Information Security Officer, University of California, Santa Barbara
  • David H. Walker, Campus IT Architect, University of California, Davis

Abstract

Personal privacy is about protecting individuals and giving them control over their personal information. Institutional privacy is about protecting proprietary information. In either case, privacy requirements must reflect campus values and also meet the institution's legal and regulatory obligations. The requirements must be reflected in the identity management system: its flexibility, how it is used to support access to resources, and who makes the decisions about that access. IAM can provide for the externalization and consolidation of roles that can be used to determine permissions and access without that function being built into each resource. This session will discuss these topics from the auditor, identity management architect, and security staff perspectives and offer a case study on how one campus has addressed these issues.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/AppropriateAccessPrivacyR/46241

Appropriate Access: Levels of Assurance

Session Details

Thursday, February 14, 2008
10:15 a.m. - 11:30 a.m.
Palm A/D

Session Type: Technical Track

Speaker(s)

  • Stefan Wahe, IT Security Officer, University of Wisconsin-Madison
  • David L. Wasley, Retired, University of California Office of the President

Abstract

A level of assurance (LoA) refers to the degree of certainty that (1) a resource owner has that a person's physical self has been adequately verified before credentials are issued by a registration authority, and (2) a user indeed owns the credentials they are subsequently presenting to access the resource. The requirements for the level of certainty at both ends of that set of transactions should be driven by a risk assessment based on the value of the resources being protected. This session will describe the concept of LoA, discuss its importance, outline its technical components, and discuss the proposition that roles of the identity management and security staff are critical for a successful implementation of LoA.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/AppropriateAccessLevelsof/46242

Lunch

Session Details

Thursday, February 14, 2008
11:30 a.m. - 1:00 p.m.
Courtyard East

Protecting Data: Managing Risk of Exposure through Abatement

Session Details

Thursday, February 14, 2008
1:00 p.m. - 2:15 p.m.
Palm F

Session Type: Management Track

Speaker(s)

  • Robert J. Block, IT Security Analyst, University of Rochester
  • Kimberly Ritze, Director, Security & Policy, University of Rochester
  • Peter Spier, Security Project Manager/TEKsystems Consultant, University of Rochester

Abstract

How can you control access to social security numbers, personally identifiable information, and payment card industry data? Setting up a few architectural principles, solutions, and related policies and processes can go a long way towards ensuring appropriate distribution and use of these data. This session will provide examples in the administrative and teaching/learning areas of the institution, and explore related issues in the research area.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/ProtectingDataManagingRis/46316

Protecting Networked Assets: Logical- and Physical-based Access Control

Session Details

Thursday, February 14, 2008
1:00 p.m. - 2:15 p.m.
Palm A/D

Session Type: Technical Track

Speaker(s)

  • Steve Hanna, Distinguished Engineer, Juniper Networks, Inc.
  • Christopher Misra, Information Security Officer, University of Massachusetts Amherst

Abstract

How can IAM be helpful in managing network intrusion and access? A researcher wants to show a national grid-enabled resource to her class, but can’t access it because she’s in a classroom and, by policy, unable to get through the firewall. She then clicks on her research icon, authenticates and, because of her researcher status, accesses the research van that is enabled to use the appropriate ports. Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes? Focusing in on wireless access specifically, can IAM help correlate identity to an endpoint device by combining network registration and personal identification? This session will explore these questions and how one can identify the person behind the device or address.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/ProtectingNetworkedAssets/46243

Break

Session Details

Thursday, February 14, 2008
2:15 p.m. - 2:30 p.m.
Break Station East

Web Applications: Get a Grip on Privacy

Session Details

Thursday, February 14, 2008
2:30 p.m. - 3:45 p.m.
Palm F

Session Type: Management Track

Speaker(s)

  • Michael A. Corn, Chief Privacy and Security Officer, University of Illinois at Urbana-Champaign

Abstract

Many institutions have developed a privacy approach for their legacy and business systems. For third-party hosted applications, institutions may have a contract in place that specifies privacy requirements. What we don’t have a grip on are the web-based collaborative applications, such as wikis and blogs, where we neither have a comprehensive policy nor a contract to govern privacy or data use. What are the privacy pitfalls and requirements for each of these three categories? This session will explore case studies of various models in place across higher education.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/WebApplicationsGetaGripon/46244

Web Applications: Development Approaches

Session Details

Thursday, February 14, 2008
2:30 p.m. - 3:45 p.m.
Palm A/D

Session Type: Technical Track

Speaker(s)

  • Aaron Godert, Manager, Enterprise Integration, Cornell University

Abstract

IAM and security must be on the same page regarding web application development to facilitate proper access. What coding practices and assessment practices should web developers use? What tools are out there to help (OWASP)? Do we need cross-site scripting and pup code review to ensure proper leveraging of enterprise IAM or should web applications manage their own IAM/account data? This session will discuss strategies for how to include security and access requirements in the development process and code.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/WebApplicationsDevelopmen/46245

Break

Session Details

Thursday, February 14, 2008
3:45 p.m. - 4:00 p.m.
Break Station East

Security and IAM Panel: IT's Better When We Work Together

Session Details

Thursday, February 14, 2008
4:00 p.m. - 5:00 p.m.
Palm A/D

Speaker(s)

Abstract

Security staff want to keep the bad guys out and IAM folks want to let the good guys in. A hair is being split, to be sure, but it exposes a number of issues rooted in organizational politics and reporting structures. This panel session will explore how a number of institutions have encouraged their security and IAM staff to work together to achieve shared institutional goals.

Available Resources

More Information

For more information, see:

http://connect.educause.edu/Library/Abstract/SecurityandIAMPanelITsBet/46293


 
© Copyright 1999-2009 EDUCAUSE