Anjanesh Babu has led the development and implementation of a unified identity and access management (IAM) strategy within the University of Oxford’s Gardens and Museums (GLAM). He says the research and development has occasionally been painful, but the results are worth it – especially so when the technology is invisible to users.
With multiple digital projects in flight and a cloud-only approach, looking after identity and access management requirements across a hybrid platform is far from straightforward.
We want all our users to gain frictionless access to secure resources hosted on various platforms. The users may be accessing diverse applications like infrastructure access tooling, password managers, digital collections management systems (CMS) or digital asset management systems (AMS). These services straddle all locations – from being on-premises, to cloud-hosted, to vendor-managed software as a service (SaaS).
This creates a big challenge, especially as the university’s staff can be using public networks. We must be able to allow people to assume digital identities easily and have a reliable mechanism to manage the user journey. So, I started looking into ways to develop a centralised identity and access management infrastructure within GLAM, drawing on the university’s main user directory as the single source of truth but creating our own layer that would effectively proxy requests across from the web app to the university’s Azure tenancy while applying conditional logic when required.
For the last four years we’ve been on a journey to implement our own strategy and we’ve learned something with every step. For example:
You need to allocate budget and time to innovation and test-bedding potential solutions
Now is a good time to be starting out. COVID-19 has disrupted so much, but it has created opportunities for anyone working on an identity and access management strategy.
With people learning and carrying out research in their own homes it is more important than ever for education organisations to recognise and grant access to individuals around the world. These issues are high on senior management agendas and more resources may be available to develop identity and access management processes.
Development budgets may stretch further than you think. When we started our journey, we conducted pilots with several public cloud-based platforms, including our eventual choice, AWS. All the platforms were happy to provide some funding as we worked out which was the best fit for us. It’s worth reaching out to your cloud service provider’s account manager for onboarding and pre-sales advice.
You should always know where to find the ‘undo’ button
From the start we wanted multifactor authentication (MFA) for extra security, and initially in 2018 we procured Duo, which worked seamlessly as a drop-in MFA service with eduroam and other authentication sources at the time. However, we are led by central university strategy and the university had adopted Microsoft 365. This was a major turning point for us because every 365 user gets an Azure identity and I realised this offers us an effective way to manage identity securely within GLAM, so we experimented with our own tenancy.
The university centrally manages the core directory and the main Azure/Office 365 tenancy, and we can easily invite staff into our divisional Azure Active Directory for our own authentication services. Using this system, identity management between GLAM and the rest of the University of Oxford is seamless and secure, and our Azure Active Directory runs at far lower cost than an on-premises equivalent.
I settled on a standards-based SAML approach to support login across various applications. The first successful solution integration using this approach was integrating our AWS Console login with Azure Active Directory – this was completed in June 2019 and the outcome would set the scene for the rest of our journey.
It’s always worth keeping an eye on emerging solutions and talking to existing and potential new suppliers, here and overseas. Select platforms that meet your needs, make sure you’re not overly reliant on a particular supplier or platform, and make sure you can pivot easily if you find something that suits your needs better.
Simple logic makes identity management more efficient
As important as identity checks are, it’s always smart to focus your efforts where the risk is greatest. Our system applies logic to decide if we can simply trust a person’s accredited ID or we should explore a bit deeper. For example, a recognised user ID being presented from a verified IP address (eg the VPN range) in the UK during a normal working day may not pose much risk, while others may need several additional checks to be carried out.
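The risk-tiered logic described above, written out as an added illustration (not GLAM's own code or policy). The VPN range, the UK working-day window and the three-way allow / step-up / deny outcome are constructed assumptions; the point is that a recognised user on a trusted network in normal hours carries no risk signals, while each missing assurance adds a signal that calls for extra checks.

```python
"""Risk-tiered login decision: zero signals -> allow, unknown user -> deny,
anything else -> require step-up checks (MFA) before access is granted.

Added example, not the university's code. All network ranges, time windows
and decision names below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for a "verified" source range such as a VPN pool.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]
WORKING_HOURS = range(8, 18)   # 08:00 to 17:59 (assumed working day)
WORKING_DAYS = range(0, 5)     # Monday to Friday
HOME_COUNTRY = "GB"


@dataclass(frozen=True)
class LoginContext:
    """Everything the decision looks at for one authentication attempt."""
    user_id: str
    known_user: bool      # does the ID resolve in the central directory?
    source_ip: str
    country: str          # ISO country code derived from the source address
    when: datetime


def risk_signals(ctx: LoginContext) -> list:
    """Return the assurance gaps present in this request (empty = low risk)."""
    signals = []
    if not ctx.known_user:
        signals.append("unknown-user")
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        signals.append("untrusted-network")
    if ctx.country != HOME_COUNTRY:
        signals.append("outside-uk")
    if ctx.when.weekday() not in WORKING_DAYS or ctx.when.hour not in WORKING_HOURS:
        signals.append("out-of-hours")
    return signals


def access_decision(ctx: LoginContext) -> dict:
    """Map the signals to a decision the login flow can act on."""
    signals = risk_signals(ctx)
    if "unknown-user" in signals:
        decision = "deny"        # nothing to step up: the ID is not ours
    elif not signals:
        decision = "allow"       # trusted ID, trusted network, normal hours
    else:
        decision = "step-up"     # recognised user, but require MFA / extra checks
    return {"user": ctx.user_id, "decision": decision, "signals": signals}


def evaluate_login(user_id, known_user, source_ip, country, when_iso):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    ctx = LoginContext(user_id, known_user, source_ip, country,
                       datetime.fromisoformat(when_iso))
    return access_decision(ctx)


if __name__ == "__main__":
    # Constructed sample requests: an in-hours VPN login and a weekend login from abroad.
    print(evaluate_login("abcd1234", True, "10.20.5.9", "GB", "2021-04-27T10:30:00+00:00"))
    print(evaluate_login("abcd1234", True, "203.0.113.7", "US", "2021-04-24T23:00:00+00:00"))
```

The signals are returned alongside the decision so that the step-up path can log why it was triggered; in practice that list is what you would feed into an audit trail when tuning which combinations really warrant additional checks.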
Identity and access management processes must be sustainable
Most organisations have their own particular issues. For example, at GLAM we have difficulties around consistency – our users’ identities don’t follow a single format. We deal with this by using email addresses at the application level, meaning they are one step removed from the actual user directory so we can transform the outgoing attribute to suit the application on the fly.
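An added example of the decoupling described above (not GLAM's code): the application-level identity is a normalised e-mail address, and each relying application receives its own attribute shape derived from that on the fly. The directory records, the two application profiles and the attribute names are constructed assumptions; the fallback to the principal name when no mail attribute is set is the kind of inconsistency the text mentions.

```python
"""Transform a directory record into the attribute set a given application expects.

Added example, not the university's code. Directory records, application
profiles and attribute names are constructed for illustration.
"""

# Constructed directory records; one user has no mail attribute set.
DIRECTORY = {
    "abcd1234": {"mail": "Jane.Smith@example.ac.uk",
                 "upn": "abcd1234@example.ac.uk", "displayName": "Jane Smith"},
    "efgh5678": {"mail": None,
                 "upn": "efgh5678@example.ac.uk", "displayName": "Sam Jones"},
}

# Constructed profiles: which derived field becomes the subject identifier,
# and how outgoing attribute names map onto derived fields.
APP_PROFILES = {
    "collections-cms": {"name_id": "mail",
                        "attributes": {"email": "mail", "name": "displayName"}},
    "asset-manager":   {"name_id": "local-part",
                        "attributes": {"uid": "local-part", "mail": "mail"}},
}


def canonical_email(record: dict) -> str:
    """The stable application-level identity: the mail attribute, or the
    principal name when mail is missing, lowercased so case differences
    never create a second account for the same person."""
    value = record.get("mail") or record.get("upn")
    if not value:
        raise ValueError("record has neither mail nor upn")
    return value.strip().lower()


def derive_fields(record: dict) -> dict:
    """Directory record plus the derived fields applications may be mapped onto."""
    email = canonical_email(record)
    derived = dict(record)
    derived["mail"] = email
    derived["local-part"] = email.split("@", 1)[0]
    return derived


def build_assertion(user_id: str, app: str) -> dict:
    """Produce the subject identifier and attributes for one application."""
    profile = APP_PROFILES[app]
    derived = derive_fields(DIRECTORY[user_id])
    attributes = {}
    for out_name, source in profile["attributes"].items():
        if derived.get(source):          # never emit an empty attribute
            attributes[out_name] = derived[source]
    return {"NameID": derived[profile["name_id"]], "attributes": attributes}


if __name__ == "__main__":
    for user in DIRECTORY:
        for app in APP_PROFILES:
            print(user, app, build_assertion(user, app))
```

Because every application profile reads from the derived fields rather than the raw directory record, adding a new application or changing what an existing one expects is a profile edit, not a directory change.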
Sustainability also extends to skills – we provide context-specific technical walkthroughs in addition to the standard Azure training. It will be an ongoing requirement to keep existing staff up to date and to get new joiners up to speed so our access management continues to work well.
Our implementation has gone really well, even though it has sometimes been tricky. Could we have done it faster? With hindsight – probably. But every step has taught us something and underlined how valuable it is to take careful, reversible steps and develop a firm handle on fundamental technologies like Active Directory, even if everything is being handled securely in the cloud. This allows you to stay in control.
Don’t miss Anjanesh's session on shaping an identity and access management strategy on day one of Networkshop49. Networkshop49 is an online event running from 27–29 April 2021 and is free for Jisc member organisations.