Identity and Access Management

PROGRAM PLAN
Created January 2014 | Revised June 2014
TABLE OF CONTENTS
1.0 Program Plan Objectives..........................................3

1.1 Document Purpose...................................................3

2.0 Program Overview.....................................................3

2.1 What is Identity and Access Management?............3

2.2 Why is Identity and Access Management

a Strategic Initiative?................................................3

2.3 What are the Tenets of a Successful

IAM Program?............................................................4

2.4 What is the Vision of the

IAM Program for Harvard?.......................................5

2.5 What External Factors Influence Our Success?.....6

2.6 What Organizational Structure is Required?..........7

2.7 Governance Structure..............................................7

3.0 Program Approach....................................................10

3.1 Program Implementation Framework.....................10

4.0 Program Implementation and Delivery...................12

4.1 Simplify the User Experience...................................12

4.2 Enable Research and Collaboration.........................20

4.3 Protect University Resources..................................24

4.4 Facilitate Technology Innovation.............................27

5.0 Program Communication.........................................30

6.0 Benefits to the University.........................................31

7.0 Appendices................................................................32

Appendix A: Glossary................................................32

Appendix B: IAM Program

Accomplishments to Date........................................33

Appendix C: IAM Program Timeline.........................33

 Identity and Access Management
PROGRAM PLAN

1.0 PROGRAM PLAN OBJECTIVE

1.1 Document Purpose

The purpose of this plan is to provide a comprehensive overview of all facets of the Identity and Access Management
(IAM) program within a three-year horizon.
This plan will provide executive-level overview of the IAM program inclusive of the program goals, program structure,
planning approach, and overall implementation roadmap.
The IAM program team will review this plan on a quarterly basis. The status of the projects described by this document will
be presented on a monthly basis, by means of an executive dashboard, to senior leadership and program stakeholders.

2.0 PROGRAM OVERVIEW

2.1 What is Identity and Access Management?

Identity and Access Management refers to a set of business processes and supporting technologies that enable the
creation, maintenance, and use of a digital identity. As such, the impact of Identity and Access Management to Harvard’s
user community, application portfolio, and information resources is extensive. The IAM program and its related
services are responsible for the management of faculty, administration, and student information; access to Harvard
applications and information; and the distribution of such information externally. For a list of terms that may be helpful in
understanding this program plan, please refer to Appendix A.

2.2 Why is Identity and Access Management a Strategic Initiative?

The first impression that any student, faculty member, researcher, or administrative staff member has of IT at Harvard
is formed from his or her initial experience at the login screen. Today, the implementation of identity and access
management at Harvard is maddeningly redundant and complex. The impact of such distributed complexity includes:
• Lost User Productivity: New users lose productivity and time as they wait for accounts to be created. Delays
in users’ ability to access resources often result when manual, paper-based workflows and approvals cannot be
streamlined or easily orchestrated. There can often be lengthy wait times for users to gain access to resources they
need, and have the right, to access.

Harvard University Information Technology | June 2014 3 of 33

 • Poor User Experience: Issuing and managing multiple user accounts and passwords to support access to different
applications and resources across the University results in user confusion and frustration.
• Limited Information Sharing Across Applications: Applications are unable to share information that should be
shared, such as contact information, files, and common data for calendars and other frequently used functions.
• Unnecessary Administrative Overhead: The high volume of calls to the IT help desk to address basic account or
application management functions, such as password management, creates an unnecessary burden on support staff.
• Reduced Security Stature: The inability to streamline the deprovisioning of users or manage user access privileges
to applications and resources exposes the University to the risk of unauthorized access and audit compliance issues

The reach of these problems and their associated impact is vast ­— such that, universally, all School IT leadership
has become united in their concern. Because IAM affects all of the University’s people, resources, and systems, the
reputation of Harvard University Information Technology is stigmatized as a direct result of the limitations of the current
IAM solution set.

2.3 What are the Tenets of a Successful IAM Program?

The IAM program originated from the need to eliminate perceived complexities surrounding identity. Above all, the
IAM program’s activities and deliverables will focus on achieving this fundamental objective. Additionally, the program
is designed to improve core competencies of the University, particularly in the realms of research and learning. The
founding IAM program guiding tenets are described below.

Tenet #1: Identity and Access Management Impacts

Everyone and Everything
If implemented correctly,
If implemented correctly, identity and access management should
identity and access
be simple and intuitive to an end user. Nevertheless, its importance
should not be underrated. IAM is a core technical service that management should be simple
exists to ensure that only verified people access online resources and intuitive to an end user.
and knowledge assets of the University via managed permissions. Nevertheless, its importance as
Without IAM, people at the University cannot easily access, provide
a core technical service should
access to, or share information.
not be underrated.
In an ideal state, IAM enables new applications and services to
be brought up quickly, provides necessary user information to
applications so that they can properly function, and allows users
to partake in new services with minimal effort. The identity stores
central to IAM hold critical information about the identities and attributes of the University’s internal and external
user communities. In addition to enabling account creation and application access decisions, these identity assets
can be data-mined by the University and leveraged to enable efforts that range from supporting business intelligence
initiatives, to mitigating information security risks, to streamlining alumni fundraising via continuous user identity
despite affiliation changes.

Tenet #2: Identity and Access Management Simplifies the User Experience
The Identity and Access Management program will reduce complexity for end users, application owners, and people
administrators. The IAM program will streamline identity and account creation for end users via eliminating paper-
based, manual processes. It will enable end users to have insight and control over their accounts through self-service
account management and placing the control of basic requests — such as username creation, password changes, and
access requests — into the hands of the user and off the shoulders of a help desk.
IAM services will allow users to select the credential of their choice for access needs, and will reduce the burden
of remembering credentials that span the systems they use to work, study, or collaborate. IAM efforts will enable
productivity by means of quick provisioning, granting user access to protected systems, resources, and physical
locations with little to no intervention by administrative staff.

4 of 33 Identity and Access Management Program Plan

Tenet #3: Identity and Access Management Enables Research and Collaboration
The Identity and Access Management program will facilitate collaboration. It will break down the barriers to access for
end users, opening the ability to share information and work safely together across School and institutional boundaries.
The IAM program will demand the implementation of standards and will leverage these standards to federate decision-
making with external systems.
Through the use of authentication standards set forth by InCommon, the IAM program will lay the groundwork to
carefully share identity information that enables access to resources that cannot currently be viewed via any other
means. It will provide the University with a competitive advantage over institutions that cannot offer the same level of
ease and expediency — enticing students and faculty to come to or stay at Harvard to study and perform research.

Tenet #4: Identity and Access Management Protects

University Resources
Good identity and access
Identity and access management is a vital information safeguard.
management practices help
It exists to protect sensitive data and information from the ever-
evolving landscape of security threats. Properly implemented, Harvard weather the storm of
IAM solutions help enable proactive security risk identification and disruptive innovation, including
mitigation, allowing the University to identify policy violations or
positioning the University to
remove inappropriate access privileges without having to waste time
and effort searching across disparate systems. IAM will allow the quickly and securely integrate
University to easily assert that proper controls and measures are in with or implement cloud
place, meeting audit and regulatory requirements.
platforms and services. IAM
Tenet #5: Identity and Access Management an important precursor to
Facilitates Technology Innovation successfully implementing new
Identity and access management increases the agility of application University initiatives.
development and deployment by eliminating the need for application
developers to reinvent and duplicate potentially vulnerable
authentication systems. IAM also removes the need for application
owners to manage such duplicate systems. IAM helps weather the storm of disruptive innovation, including positioning
the University to quickly and securely integrate with or implement cloud platforms and services.
IAM enables key technology initiatives, and is an important precursor to the successful implementation of new
University initiatives. The Student Information System, the next-generation Unified Communications System, and the
Learning Management Ecosystem at Harvard rely on sound IAM process re-engineering, design, and implementation
to extend improved services to the end-user community.

2.4 What is the Vision of the IAM Program for Harvard?

Simply stated, the vision of the IAM program is the following:

Provide users, application owners, and IT administrative staff with secure, easy access
to applications; solutions that require fewer login credentials; the ability to collaborate
across and beyond Harvard; and improved security and auditing.

The IAM program will be implemented to fulfill this vision in accordance with the tenets defined above. Additionally,
heightened emphasis will be placed upon a secondary set of guiding principles for the program:
• Harvard Community needs will drive how technology supports the Identity and Access Management program
• Tactical project planning will remain aligned with program strategic objectives
• Solution design will allow for other Schools to use foundational services to communicate with IAM systems in a
consistent, federated fashion
• Communication and socialization of the program are critical to its success

Harvard University Information Technology | June 2014 5 of 33

 Strategic objectives, guiding principles, and key performance indicators intended to guide the IAM program in achieving
our vision are outlined below.

Strategic Objectives Guiding Principles Key Performance Indicators

1. Simplify the User Experience: • Harvard Community needs will • The number of help desk
To simplify and improve user access drive how technology supports the requests that relate to account
to applications and information Identity and Access Management management per month
inside and outside of the University program • The number of registered
2. Enable Research and • Tactical project planning will production applications that use
Collaboration: Simplify the ability remain aligned with program IAM systems per month
for faculty, staff, and students to strategic objectives • The number of user logins and
perform research and collaboration • Solution design will allow for access requests via the IAM
within the University and with other Schools to use foundational system per month
colleagues from other institutions services to communicate with IAM • The number of production
3. Protect University Resources: systems in a consistent, federated systems to which the IAM system
Improve the security stature of fashion provisions per month
the University using a standard • Communication and socialization
approach of the program are critical to its
4. Facilitate Technology success
Innovation: Establish a strong
foundation for IAM to enable
user access regardless of new or
disruptive technologies

Table 2.4.1: Strategic Objectives, Guiding Principles, and Key Performance Indicators

2.5 What External Factors Influence Our Success?

The definition of a critical success factor is an external area of influence that has significant impact upon program scope
and delivery. In order for the Identity and Access Management program to meet its goals, the following critical success
factors must be closely managed:

Strategic Objectives Guiding Principles

Executive Sponsorship Engage proactively with key stakeholders to maintain program support and
make key decisions

Resource Planning Recruit qualified staff according to project timelines

Budget Planning Retain and maintain ability to spend at budgeted funding levels over the
course of FY14 - FY17

School Partnership and Form strong relationships with, and understanding of, users within the
Participation School communities

Transition Planning Garner support for cloud infrastructure and ITSM transition processes

Table 2.5.1: Critical Success Factors for the IAM Program

6 of 33 Identity and Access Management Program Plan

2.6 What Organizational Structure is Required?

IAM Organizational Overview

Under the direction of the IAM Program Director, the IAM program is organized into four distinct teams: Strategy and
Planning, Product, Technical, and Architecture. A summary of each team, its associated management, and its overall
functional responsibilities are listed below.

Strategy and Planning Team (Erica Bradshaw)

The IAM Strategy and Planning Team is responsible for providing communication, strategic planning, and outreach
across Schools, HUIT, and the IAM program itself. Staff will be added to assist in the development of the focus areas
listed below:

• Program Plan Creation • Communications

• Community Planning and Outreach • IAM Human Resources
• Cloud Infrastructure Planning • IAM Finance

Product Team (Jane Hill)

The IAM Product Team provides functional and product support, including business process evaluation, service
definition, and the development of IAM as a series of supportable products. Staff will be added to assist in the
development of the focus areas listed below:

• Business Analysis • Solution Support Services

• Service Definition • Quality Assurance
• Product Management

Technical Team (Magnus Bjorkman)

The IAM Technical Team implements, tests, and releases the IAM solution set. Staff will be added to assist in the
development of the focus areas listed below:

• Project Planning • Identity Repositories

• Identity Management • Practice Management
• Access Management • Systems Integration

Architecture Team (Scott Bradner and Marlena Erdos)

The IAM Architecture Team provides subject-matter expertise, best practices and patterns for implementation,
technical problem resolution approaches, and strategic direction recommendations. Responsibilities include:

• IAM Policy Creation • University IAM Standards

• IAM Solution Architecture and Design

2.7 Governance Structure

The IAM program is split into three individual governing committees: the Executive Committee, the Lifecycle Advisory
Group, and the Technical Oversight Committee. The following is a description of the responsibilities and objectives for
each group.

Harvard University Information Technology | June 2014 7 of 33

 Executive Committee
The primary objective for the IAM program’s Executive Committee is to provide consistent, timely, and meaningful
oversight for the Identity and Access Management program. The Executive Committee will identify and champion
business process improvement, provide program oversight, and guide the strategy for implementation and rollout. The
committee will meet on a monthly basis.

Objectives Guiding Principles Standing Agenda

• Guide and approve suggested • Promote change and acknowledge • Approval of Prior Minutes
business process changes, and areas that need improvement • Co-Chairs’ Report
provide strategic direction for their across the University
• Program Report
introduction • Urge the crossing of silos where it
• Decisions
• Provide direction and approve will improve business processes
program policy • Policy
• Encourage broad communication
• Identify and assist in the resolution and support among stakeholders • Business Process
of obstacles to the program’s • Be transparent in our processes • Communications
strategic objectives and decisions • Areas for Assistance
• Provide direction for • Use criteria and metrics to • General Discussion Topics
communication initiatives to evaluate ideas and measure them
stakeholders against desired outcomes
• Determine prioritization of IAM • Accept uncertainty, ambiguity,
program projects and strategic and lack of absolutes when
approaches necessary
• Track the status of projects and
assist in the mitigation strategy for
identified risks
• Monitor ongoing impact, service
levels, and service improvements

Table 2.7.1: IAM Executive Committee

Identity Lifecycle Committee

The mission of the Identity Lifecycle Committee is to work toward improving the end-user experience at Harvard. This
will be accomplished by bringing the collective and varied expertise of a representative set of campus business process
owners to bear on topics related to the management of identity-related processes and services.

The primary objective of the group is to contribute meaningful recommendations on process improvement and service
offerings, as well as to serve as a catalyst for projects across the University that improve onboarding and the lifecycle of
user experience through better systems, processes, education, and raising awareness of process and policy.

The group will advise the product and practice management teams of the Identity and Access Management program,
including endorsing recommendations to the IAM Executive Committee. The committee will meet on a monthly basis.

8 of 33 Identity and Access Management Program Plan

 Objectives Guiding Principles Standing Agenda

• Participate in improving the end- • Commit to improving the user • Approval of Prior Minutes
user experience at Harvard experience • Chair’s Report
• Provide a catalyst for projects • Act in the interest of Harvard as a • Program Update
across the University that whole
• Requirements Discussion
measurably improve onboarding • Openly acknowledge problem areas
and other lifecycle processes • Working Group Updates
and promote change when needed
• Recommend IAM service • General Discussion Topics
• Work towards eliminating historical
enhancements and new offerings silos that may have previously
• Provide a forum for related policy hindered the improvement of
discussion processes and systems
• Provide input on IAM product • Encourage broad communication
strategy and offer direct support as a
• Serve as a sounding board for new stakeholder
ideas and approaches to providing • Operate with transparency in
identity and access management process and decision making
services • Use criteria and metrics to
• Help quantify the impact of evaluate ideas and measure them
proposed process changes and against desired outcomes
recommend implementation • Accept uncertainty, ambiguity,
approaches and the absence of absolutes
when necessary

Table 2.7.2: IAM Identity Lifecycle Committee

Technical Oversight Committee

The primary objective for the Technical Oversight Committee is to provide consistent, timely, and meaningful review
of proposals of architecture and standards for the IAM program. The committee will identify the need for technical
solutions, architecture, and standards. When those have been developed, they will provide feedback as well as
recommendation for adoption to the Executive Committee. It will meet on a monthly basis.

Objectives Guiding Principles Standing Agenda

• Guide and approve • Promote change and acknowledge • Approval of Prior Minutes
recommendations to the IAM areas that need improvement to • Chair’s Report
Executive Committee for improve the University
• Architecture
architectures and standards • Urge the crossing of silos where it
• Standards
• Identify the need for technical will improve business processes
solutions, architectures, and • Working Group Updates
• Encourage broad communication
standards and support among stakeholders • Proposal Review and
• Recommend a set of resources Recommendations to Approve
• Be transparent in our processes
outside the IAM program and decisions • General Discussion Topics
Team to be involved in drafting
• Use criteria and metrics to
architectures and standards
evaluate ideas and measure them
• Coordinate around technical against desired outcomes
change management to ensure
• Accept uncertainty, ambiguity,
that change will be included in
and the lack of absolutes when
local planning
necessary

Table 2.7.3: IAM Technical Oversight Committee

Harvard University Information Technology | June 2014 9 of 33

 3.0 PROGRAM APPROACH

3.1 Program Implementation Framework

“Top-Down” Planning
In order for the IAM program to successfully meet its objectives, the team will follow a “top-down” delivery approach. This
program plan will serve as the governing document, and all activities will be planned and managed in accordance with it. All
releases will tie back to program strategic objectives, and each objective will be measurable. The development and delivery
of IAM functionality will be iterative, following Agile processes, and based on evolving user requirements and stories. The
scope of releases will be adjusted based upon changes in requirements and the evolving status of critical success factors.

Project Tracks
The IAM program will be broken down into 11 project tracks and tracked on a per-project basis. A project manager will be
assigned to each track and will be responsible for both developing a project plan to govern work activities and reporting
weekly status. The 11 projects are identified and summarized below.

Project Description

SailPoint Introduce improved user processes for account management. Replace an outdated
solution with a new, feature-rich solution that can be expanded for local use by interested
Schools across the University.

Federation Enable Harvard users, users at Harvard-affiliated institutions, and non-Harvard users
to collaborate and easily gain access to applications and resources both internal and
external to the University.

Directory Services Reduce the number of systems of record for user information while also expanding the
data model and user attributes stored within the central IAM identity repository. This will
allow for quick, consistent, and appropriate access across LDAP and Active Directory (AD)
as well as web authentication protocols.

App Portal Enable the Harvard application owner community to learn about and easily integrate
applications and software services with central IAM services.

One-Way Federation A series of authentication releases and School onboarding efforts to provide Harvard
users with the flexibility to access applications using the credential of their choice.

Identity and Access Deliver visibility into IAM program metrics, new-user certification processes, and audit
Governance reporting. The project will evolve to encompass business intelligence and identity
analytics to support risk management and strategic decision making.

Authentication Provide users with a simplified login experience, as well as enhanced security for
Enhancements sensitive data and applications.

Authorization Provide application owners and administrators with the ability to manage user access
Enhancements rights via groups, as well as the ability to manage authorization rules for access to an
application or software service.

External Directories Securely expose user identity information inside and outside of the University.

Expanded Provisioning Enable identity creation, authentication, and account provisioning for non-person objects.

Cloud Migrations Provide cloud reference architecture for Harvard application deployments, including
migrating IAM services from on-premise hosting to Amazon Web Services.
Table 3.1.1: Project Tracks

10 of 33 Identity and Access Management Program Plan

Pilot Implementations
One of the core beliefs of the IAM program is to experiment and continuously refine our solutions based on lessons
learned. A key manner in which the program will demonstrate this commitment to responsible experimentation is
through controlled pilots both within the team and with willing participants. Quickly developing and testing functionality
with real users and applications is a way to improve our solutions prior to production deployment.
These pilots demonstrate the value of our services early in the delivery lifecycle and mitigate the risk of failing to meet
user requirements.
The table below represents pilot implementations that are currently under consideration by the IAM program. Many of
the pilots will require significant participation with interested Schools.

Proposed Pilot Description Proposed Date

One-Way Federation Collaborate with Harvard Business School to enable Anytime

one-way federation with the HBS authentication system

Local Provisioning Assist Harvard Medical School with SailPoint onboarding: October 2014
• Pilot functionality in IAM stage environment

Local Provisioning Assist Harvard Kennedy School with onboarding to December 2014
SailPoint:
• Pilot functionality in IAM stage environment

Inter-School Collaboration Explore cross-registration between Tufts Fletcher July 2015

School and MIT with Harvard Kennedy School through
InCommon federation

Self-Registered Guests Explore cross-registration mechanisms with Harvard July 2015

Graduate Schools:
• Implement a new model for handling prospective
and registered students from other schools
• Merge XID functionality into SailPoint

Group Management Explore use of a group management system for access July 2015
to IAM’s own administrative applications (such as
SailPoint or App Portal)

Social Identities for Wireless Allow use of social media identities (such as Facebook) August 2015
Access for access to the Harvard wireless network

Multifactor Authentication Explore the use of multifactor authentication with December 2015
University Health Services

Research Computing Explore opportunities to replace homegrown identity December 2015

Collaboration systems with IAM services

Bring Your Own Identity Explore the use of social identities for authentication December 2016
with the Harvard School of Education and School of
Public Health for their Executive Education Program

Identity and Access Work with the Harvard Security Office to use identity December 2016
Governance analytics for risk assessment
Table 3.1.2: Proposed Pilots

Harvard University Information Technology | June 2014 11 of 33

 4.0 PROGRAM IMPLEMENTATION AND DELIVERY

As previously mentioned, the IAM program will implement deliverables in accordance with four strategic objectives:
• Simplify the User Experience
• Enable Research and Collaboration
• Protect University Resources
• Facilitate Technology Innovation

For each objective, the benefits of IAM improvements are identified and categorized by the following three user types:
• End Users: A term used to generalize and reference multiple user types, such as Harvard users (i.e. staff, students,
or faculty), sponsored guests, Harvard application users, or users external to the University (such as faculty from
other institutions).
• Application Owners: Individuals responsible for deciding the business needs of their applications with respect
to IAM. These members work with the IAM group to determine how best to integrate their applications with IAM
services in order to meet business needs, as well as directing the configuration of their applications.
• People Administrators: Individuals who assign roles, group memberships, and/or other attributes to a user.

To date, the IAM program team has had a series of successful implementations that have delivered proven value to the
Harvard Community. For a list of IAM program accomplishments, please refer to Appendix B.
The following sections identify the program’s remaining deliverables. These are organized by strategic objective and
aligned to both the user benefit and the program projects. For a visual representation of the IAM program timeline,
please refer to Appendix C.

4.1 Simplify the User Experience

Strategic Objective Reference

To simplify and improve user access to applications and information inside and
outside of the University.

Overview
The most significant stakeholder group affected by the IAM program is the user community. Since this community
includes faculty, researchers, administrative staff, students, contractors, guests, and affiliates, updates to a wide array
of applications and infrastructure components are required to improve the Harvard user experience.

12 of 33 Identity and Access Management Program Plan

Key Benefits: End Users
The following table summarizes the key benefits of IAM program deliverables for end users across the University with
regard to simplifying user experience.

Key Benefit Description

1. Simplify Account Management I. Users will have a single application in SailPoint for requesting and receiving
access to an increasing number of target systems and applications over time.
II. Users will be able to change their passwords on multiple key target
systems (such as PIN, Exchange, and Google Apps) with a single operation
via SailPoint.

2. Allow Choice of Credentials I. Users will be able to have a single preferred login name and password
for access to an increasing number of applications, both internal and
external to the University (such as PeopleSoft — an internal system — and
HathiTrust, an external one).
II. Users will have a say in their login names, including the option of using a
social login.

3. Reduce Number of User Logins I. Users will have fewer instances of being asked to log in each time when
accessing multiple applications.
II. Users at participating Schools will be able to use the same login for
their desktop, web-based IAM services, and an increasing number of
applications and systems.

4. Expand Access to Resources I. Users will be able to see at a glance, via a SailPoint resource catalog, the
applications to which they have access and the applications for which they
can request access.
II. Users will be able to find contact and calendar information (such as free/
busy details) for users across all participating Harvard Schools.
III. Users will have access to an increasing number of external resources via
InCommon and IAM relationships with external communities.
IV. Users will be able to access PIN-authenticated central applications
using local school credentials instead of HUID.

5. Increase Self Service I. Users will be able to make account management updates and request
access to resources directly through SailPoint rather than by a request to
the help desk.

6. Simplify Role Transitions I. Users who have transitioned from one role (such as contractor) to
another (such as employee) within a School will keep their key accounts
(such as PIN and Exchange) and access to resources without the need for
a complex migration process.
II. Users who transition from one School to another will have a smoother
transition process.
Table 4.1.1: Simplify the User Experience — Key Benefits for End Users

Harvard University Information Technology | June 2014 13 of 33

 Key Benefits: Application Owners
The following table summarizes the key benefits to application owners of IAM program deliverables, simplifying the user
experience for IAM services across the University.

Key Benefit Description

1. Simplify Application Setup I. Application Owners will use an online portal to will lead them through
integrating their application with IAM Services. This integration covers:
A. Guidance on which IAM Services best fit their needs
B. Simplified application registration and management with IAM
C. Code libraries that reduce development costs and time
D. Guidance on application configuration
II. IAM will provide “turnkey” environments for testing the application with
IAM Services.
III. IAM will provide reference implementations to aid speed of
development and deployment.
IV. IAM will support the evolving set of standard industry protocols related
to user authentication and access, thus simplifying integration of third
party applications and cloud services with IAM.

2. Simplify Application I. An Application Owner can easily use an enhanced IAM authorization
Administration service to manage coarse-grained access control to their application.
II. An application will be able to access an enhanced set of attributes about
a user for each access control decision:
A. “Higher level” attributes that better fit typical access use cases will allow
for simpler access rules
B. Group membership info, as attribute, also promote simpler access rules
C. A consistent core set of identifiers and attributes will be available for
each and every user no matter what the user’s role, again enabling simpler
access rules for many applications
D. Easier access to identifiers and attributes, with less development work.
III. An Application Owner can easily manage groups that can be used for
controlling access to the application.
Table 4.1.2: Simplify the User Experience — Key Benefits for Application Owners

14 of 33 Identity and Access Management Program Plan

Key Benefits: People Administrators
The following table summarizes the key benefits of IAM program deliverables for administrators of identities with regard
to simplifying the user experience for IAM services across Harvard.

Key Benefit Description

1. Simplify Account Management I. Provide a simplified means of sponsoring an external person into a role at
Harvard:
a. A single, consistent, online process for creation of the sponsored
identity and role
II. Simplify the management of sponsored persons (such as types of non-
employee, non-student users, or contractors):
a. Sponsors will be able to see in SailPoint the list of people they have
sponsored — including each person’s role(s) and start/end dates for
these role(s) — as well as extend access online
b. Sponsors will be able to manage each sponsored person’s access to
systems and applications through SailPoint
III. Provide an enhanced online means of discovering if a “new” user
actually has an existing identity at the University. This results in fewer
duplicate identities and accounts, as well as allowing end users to keep
their existing credentials.
IV. Enable bulk requests for account creation.

2. Reduce Number of User I. Enable person administrators to use a single tool to do more of the work
Management Toolsets required to give users needed access. This tool will also allow person
administrators insight into which users have access to which resources.

3. Simplify administration of I. Provide a group service that can be used for both mailing lists and access
groups of users control.
II. Allow for a given change to affect a set of users rather than forcing
separate operations and multiple administrative updates for each user.

Table 4.1.3: Simplify the User Experience — Key Benefits for People Administrators

Harvard University Information Technology | June 2014 15 of 33

 Deliverables
The following set of tables identify the key deliverables for the IAM program, organized by project.

SailPoint: Deliverables
Users
Deliverable Description Benefit Delivery
Impacted

Waveset Support the transition of student users Expand Access FAS, GSD, March 2014
Update to the @g Google domain, including to Resources HDS,
FERPA status to support implementation GSE, SPH,
of online directories. Central

Readiness Implement an internal, provisioning Simplify Account No user April 2014

readiness release to transition from Management impact
original outdated solution to SailPoint:
• Implement connectors for
provisioning
• Expand data model

Foundation Implement the first production release Simplify Account FAS, GSD, July 2014
of SailPoint: Management HDS,
• Implement self-service for account GSE, SPH,
claiming and password management Central
• Begin migration of provisioning to
new platform
• Update the IAM Service Definition

HUIT Expansion Expand SailPoint functionality: Simplify Account FAS, GSD, October 2014
• Complete migration of provisioning Management HDS,
Reduce GSE, SPH,
• Implement self-service creation
Number of User Central
of sponsored accounts to replace
paper-based requests Management
• Update the IAM Service Definition Toolsets

Decommission Decommission Oracle Waveset Solution: Simplify Account No user November 2014
Waveset • Milestone representing a “like Management impact
for like” replacement of Waveset
functionality in SailPoint

Role Transition Expand user populations within SailPoint: Simplify Role External January 2015
• Introduce capability for better sign- Transitions community
on experience for externally cross- Harvard
registered students Community
• Introduce new POI user types

Expand Onboard SEAS, HKS, and HMS to central Simplify Account SEAS, HKS, January 2015
Provisioning account management and provisioning Management HMS
Targets solution:
• User account management
• Sponsored account creation
• Provisioning from central solution to
local systems and data stores
Table 4.1.4: Simplify the User Experience — SailPoint Deliverables

16 of 33 Identity and Access Management Program Plan

Directory Services: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

UUID Provide programmatic interfaces to Simplify Account Harvard July 2014

Enhancement Schools to allow Schools, applications, Management Community
or organizations to find user UUIDs using Simplify
a variety of criteria. Application
Administration

AD Prepare the University and the FAS Simplify Account FAS October 2014
Consolidation Active Directory (AD) domains for Management
Preparation consolidation: Simplify
• Application remediation Application
• Desktop changes Administration
• User name collision remediation Expand Access
to Resources

Consolidated Consolidate the HU and AUTH LDAPs Simplify Harvard February 2015
LDAP to simplify the process for application Application Community
owners to make authentication and Administration
authorization decisions:
• Enable cloud applications to query
IAM services for attributes

LDAP Expand attributes to provide clearer Simplify Harvard July 2015

Functional role and affiliation information, and Application Community
Enhancement incorporate standard attributes to Administration
support participation in internal and
external federations.

AD Migration Move resources from FAS AD to Simplify Account FAS September

University AD in conjunction with Unified Management 2016
Communications and Desktop teams: Simplify
• Move devices and computers, Application
including field visit Administration
• Move applications Expand Access
• Move accounts to Resources

Decommission Decommission FAS AD environment. Simplify Account FAS September

FAS AD Management 2016
Simplify
Application
Administration
Table 4.1.5: Simplify the User Experience — Delivery Services Deliverables

Harvard University Information Technology | June 2014 17 of 33

 App Portal: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Application Implement a new Application Portal to Simplify Harvard July 2014

Registration streamline application integration with Application Community
IAM services. Setup
Reduce
Complexity of
IAM Integration

IAM Reference Expand the App Portal to include Simplify Harvard February 2015
Implementation reference implementations inclusive of Application Community
pre-developed code. Setup

Developer Update the App Portal to provide Simplify Harvard July 2015
Sandbox “turnkey” environments for testing Application Community
Release applications with IAM services. Setup
Reduce Security
Development
Burden
Table 4.1.6: Simplify the User Experience — App Portal Deliverables

Authentication Enhancements: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Decommission Decommission the PIN3 application Simplify GSE, FAS, April 2015
PIN3 and migrate all current PIN3 Application Central
user communities to the central Administration
authentication solution.

CAS Bridge Enhance the Central Authentication Simplify Harvard April 2015
System (CAS) to support additional Application Community
protocols: Setup
• Allow participation from federated Expand Access
organizations to Resources

PIN UI Improve the PIN application user Allow Choice of Harvard July 2015
Improvements interface to be in line with Harvard UI Credentials Community
guidelines: Reduce Number
• Implement improved user of User Logins
functionality in a federated
environment, including “Remember
Me” functionality for users.

Table 4.1.7: Simplify the User Experience — Authentication Enhancements Deliverables

18 of 33 Identity and Access Management Program Plan

Authorization Enhancements: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

SIS Data Model Release IAM services for SIS Simplify SIS November 2014
Release implementation: Application
• Expand central identity store to Administration
include new user types Expand Access
to Resources

SIS Wave 2 Perform application and data changes in Simplify SIS March 2015
concert with a wider release of the SIS Application
initiative. Administration
Expand Access
to Resources

Table 4.1.8: Simplify the User Experience — Authorization Enhancements Deliverables

External Directories: Deliverables

Deliverable Description Benefit Users Delivery

Impacted

Connections Replace the IBM Connections product Meet License Harvard May 2014
Update with a homegrown product. Requirement Community

Expose LDAP Expose enhanced LDAP directory data Simplify Harvard September
Directory Data through alternative protocols to fit the Application Community 2015
needs of applications, such as attributes Administration
through SAML, AD, and CAS.

Connections Provide improved search capabilities Expand Access Harvard June 2016
User Interface and a new interface for application to Resources Community
Improvements owners to use in development efforts.

Yellow Pages Create a new web application providing Expand Access Harvard June 2017
Improvements an enhanced internal directory for to Resources Community
department information. Increase Self-
Service

Table 4.1.9: Simplify the User Experience — External Directories Deliverables

Expanded Provisioning: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Dionysus Release updated Dionysus application for Simplify Account FAS, GSD, May 2014
Update management of devices in University AD: Setup HDS,
• Updates to modern platform and GSE, SPH,
functional enhancements Central,
HKS, SEASE
• Simplify architecture
• Migrate to the cloud

Table 4.1.10: Simplify the User Experience — Expanding Provisioning Deliverables

Harvard University Information Technology | June 2014 19 of 33

 4.2 Enable Research and Collaboration

Strategic Objective Reference

Simplify the ability for faculty, staff, and students to perform research and collaboration
within the University and with colleagues from other institutions.

Overview
Harvard is a premier research institution — as such, making it simple to work within, across, and outside School
boundaries is fundamental to the mission of the University and essential to facilitating productivity for users who rely on
IAM services. IAM services will support inter-faculty initiatives for research and collaboration.

Key Benefits: End Users

The following table summarizes the key benefits of the IAM program for end users who participate in research and
collaboration across the University:

Key Benefit Description

1. Increase Self-Service I. Provide online, automated functionality for self-service creation of

sponsored guests.

2. Improve Collaboration Across I. Allow the use of local School credentials for access to data and
School and Institutional Boundaries applications across the University.
II. Allow the use of local School credentials for access to data and
applications at outside institutions.
III. Allow for external users to transition to a Harvard affiliation from other
higher education institutions without disrupting previous access privileges.

3. Expand Access to Resources I. Enable access to an expanded set of applications and resources available
through Harvard’s participation in InCommon (such as HathiTrust).
II. Provide the capability for users to share access to physical resources,
such as computing clusters or lab equipment, for teaching and research.
III. Provide the capability for users to access collaboration resources such
as email, online forums, and secure file transfer.

Table 4.2.1: Enable Research and Collaboration — Key Benefits for End Users

Key Benefits: People Administrators

The following table summarizes the key benefits of the IAM program for people administrators with regard to enabling
research and collaboration across the University.

Key Benefit Description

1. Reduce Manual Processes for I. Shift the manual creation of sponsored guests from administrators of
Guest Sponsorship identities to the end users initiating the request.
II. Allow sponsors to manage external users’ identity and access.

2. Simplify User Access I. Simplify the ability to revoke and request access for users.
Management

Table 4.2.2: Enable Research and Collaboration — Key Benefits for People Administrators

20 of 33 Identity and Access Management Program Plan

Key Benefits: Application Owners
The following table summarizes key research and collaboration benefits of the IAM program for application owners.

Key Benefit Description

1. Reduce Local Administrative I. Enable user provisioning to local applications for easier management of
Overhead access privileges for research resources.
II. Introduce ability to leverage groups to synchronize access and mailing
lists between applications.
III. Reduce the need to manage point-to-point relationships with other
application owners in order to implement access to protected resources.

2. Improve Security of Information I. Leverage emerging identity assurance attributes for increased
confidence in user identity.

3. Reduce Complexity of IAM I. Reduce the complexity of application integration with third-party
Integration providers by using standard InCommon identifiers and attributes.

4. Expand Access to Resources I. Facilitate the integration with a spectrum of research and collaboration
applications through membership in InCommon.

5. Incorporate Discoverability I. Incorporate researcher identifiers into directory services to enable global
tracking of authorship of published resources (such as ORCID).
Table 4.2.3: Enable Research and Collaboration — Key Benefits for Application Owners

Deliverables
The following set of tables identifies the key deliverables for the IAM program, organized by project.

SailPoint: Deliverables
Users
Deliverable Description Benefit Delivery
Impacted

Foundation Enable the HUIT help desk to use the Reduce Manual FAS, GSD, July 2014
new sponsored guest capabilities with Processes HDS,
existing Schools. for Guest GSE, SPH,
Sponsorship Central

HUIT Expansion Enable people administrators for FAS- and Reduce Manual FAS, GSD, October 2014
HUIT-supported Schools by expanding Processes HDS,
SailPoint IIQ functionality for sponsored for Guest GSE, SPH,
guest workflow from existing users: Sponsorship Central
• Self-service creation of sponsored
accounts replaces paper-based
• Batch processing for sponsored
accounts for the HUIT Help Desk
• Updated service definition

Onboard New Expand SailPoint functionality for Reduce Manual SEAS, HKS, January 2015
Schools sponsored guest workflow (such as new Processes HMS
people administrators): for Guest
• Sponsored account creation Sponsorship

FIM Replace the current FIM provisioning Reduce Local FAS, GSD, May 2016
Replacement process with Microsoft O365 with Administrative HDS,
for 0365 SailPoint provisioning. Overhead GSE, SPH,
• Deliver shared contacts and Simplify Central,
calendaring User Access SEAS, HKS
Management
Table 4.2.4: Enable Research and Collaboration — SailPoint Deliverables

Harvard University Information Technology | June 2014 21 of 33

 Federation: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

InCommon Provide a means to federate with other Expand Access Harvard December 2013
Deployment external entities in a standardized to Resources Community (complete)
manner using InCommon. Improve External
Expose IAM user attributes to Collaboration Communities
other higher-education InCommon across School
communities. and Institutional
Boundaries

idP Expand the baseline idP with additional Expand Access Harvard November 2014
Functionality functionality needed by service to Resources Community
Expansion providers and other institutions: Improve External
• Additional user attributes Collaboration Communities
• Technical profiles and standard across School
attribute sets and Institutional
Boundaries

Automation of Improve the App Portal to allow self- Expand Access Harvard July 2015
Internal Partner service registration for internal partner to Resources Community
Configuration services: Simplified
• Certificates Application
• Metadata Setup
• InCommon federation registration

Automation Improve the App Portal to allow self- Expand Access Harvard January 2016
of External service registration for the sponsor of an to Resources Community
Partner external partner: Simplified External
Configuration • Certificates Application Communities
• Metadata Setup

Federation for Federate with the hospitals. Expand Access Hospitals June 2016
Hospitals Implement OWF or work with hospitals to Resources HMS
setting up their own IdP.

Enhanced idP Improve user privacy choices over the Expand Access Harvard June 2016
Functionality release of PII to external entities: to Resources Community
for Privacy • Targeted ID
• Attribute release policies
Table 4.2.5: Enable Research and Collaboration — Federation Deliverables

22 of 33 Identity and Access Management Program Plan

Directory Services: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

LDAP Attribute Implement Researcher ID (e.g., ORCID) Incorporate Harvard June 2016
Expansion and other attributes into the central Discoverability Community
identity repository in order to support Improve Library
the library. Security of
Information
Expanded
Access to
Resources

Table 4.2.6: Enable Research and Collaboration — Directory Services Deliverables

One-Way Federation: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

eCommons ID Implement one-way federation to Expand Access HMS, FAS, January 2014
enable users to authenticate using their to Resources Central (complete)
eCommons account or Central/FAS
account.

OWF Release of updates to the base code to Expand Access Harvard February 2015
Onboarding allow for other Schools and departments to Resources Community
to use one-way federation to integrate
their School base identities with the
central administrative applications
served by PIN.

Table 4.2.7: Enable Research and Collaboration — One-Way Federation Deliverables

Authentication Enhancements: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Multifactor Implement multifactor authentication for Reduce Risk Harvard January 2016
Authentication sensitive research equipment and data. of Identity Community
and Account
Compromise

Bring Your Own Allow external users to use their own Enable Choice of Executive January 2017
Identity existing identity (LinkedIn, Google, Identity Education
etc.) to access appropriate University External
resources. Communities

Table 4.2.8: Enable Research and Collaboration — Authentication Enhancements Deliverables

Harvard University Information Technology | June 2014 23 of 33

 Authorization Enhancements: Deliverables
Users
Deliverable Description Benefit Delivery
Impacted

Group Implement the ability to create user Reduce Local Harvard July 2015
Management groups for access and authorization Administrative Community
decisions for collaboration and research: Overhead
• Grouper implementation Simplified
Application
Administration

Table 4.2.9: Enable Research and Collaboration — Authorization Enhancements Deliverables

Expanded Provisioning: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

FIM Support Provide interim support for MS FIM Simplified No user November 2015
provisioning to O365. Application impact
Administration

Table 4.2.10: Enable Research and Collaboration — Expanded Provisioning Deliverables

4.3 Protect University Resources

Strategic Objective Reference

Improve the security stature of the University using a standard approach.

Overview
In order to ensure compliance with federal and state regulations as well as University policies, it is imperative that the
University has an effective, streamlined approach to managing access to user information and protected resources.
Through the implementation of central IAM services, the University will have the ability to centrally manage user access,
deprovision user access in a more efficient manner, and perform a continuous review of entitlements without having to
perform extensive application analyses.

Key Benefits: End Users

The following table summarizes the key IAM program security benefits for end users:

Key Benefit Description

1. Reduce Risk of Identity and I. Implement multifactor authentication to provide additional

Account Compromise authentication assurance.

2. Limit Unauthorized Access to I. Introduce alerting of unusual access patterns and other security events
User’s Data in order to limit unauthorized access to a user’s data.

3. Improve Privacy I. Ensure the privacy of sensitive identity information.

Table 4.3.1: Protect University Resources — Key Benefits for End Users

24 of 33 Identity and Access Management Program Plan

Key Benefits: Application Owners
The following table summarizes key IAM program security benefits for application owners:

Key Benefit Description

1. Reduce Security I. Provide lower application development environments (such as sandboxes)

Development Burden with IAM services that do not contain personally identifiable information.
II. Provide application owners with standard authentication libraries to
reduce the likelihood of errors resulting from duplicate development efforts.

2. Improve Visibility into I. Provide access reports and key performance metrics for IAM services.
Application Access II. Provide guidance and libraries for access audit and logging messages.
III. Introduce the capability to track user activities within applications.

3. Improve Security Posture of IAM I. Replace end-of-life infrastructure that is no longer vendor-supported and
Services hence cannot receive security updates.
II. Implement InCommon security best practices for identity management.
Table 4.3.2: Protect University Resources — Key Benefits for Application Owners

Key Benefits: People Administrators

The following table summarizes key IAM program security benefits for people administrators:

Key Benefit Description

1. Quickly Revoke User Access I. Remove end-user access across resources in a streamlined fashion.
II. Reduce administrative touchpoints needed to remove user access.
Table 4.3.3: Protect University Resources — Key Benefits for People Administrators

Deliverables
The following tables identify the key deliverables for the IAM program, organized by project.

SailPoint: Deliverables
Users
Deliverable Description Benefit Delivery
Impacted

HUIT Expansion Provide the ability for people Reduce Risk Harvard October 2014
administrators to quickly revoke user of Identity Community
access for user populations provisioned and Account
by SailPoint. Compromise
Quickly Revoke
User Access
Table 4.3.4: Protect University Resources — SailPoint Deliverables

Federation: Deliverables
Users
Deliverable Description Benefit Delivery
Impacted

InCommon Prepare for bronze InCommon certification: Improve Security Harvard January 2015
Bronze Self- • Self-certification Posture of IAM Community
Certification Services
Preparation • Improve internal IAM processes

Table 4.3.5: Protect University Resources — Federation Deliverables

Harvard University Information Technology | June 2014 25 of 33

 Directory Services: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

LDAP Updates Update the end of support software and Improve Harvard March 2014
infrastructure for HU LDAP and AUTH Reliability of IAM Community
LDAP: Services
• Stabilize outdated environment
• Reduce security vulnerabilities

LDAP Security Apply security best practices in line with Improve Security Harvard July 2015
Update InCommon and industry. Posture of IAM Community
Services
Table 4.3.6: Protect University Resources — Directory Services Deliverables

Identity and Access Governance: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Refine Privacy Assess and update IAM services to align Improve Privacy Harvard September
Protocols with the final Barron Committee report Community 2014
on privacy:
• Publish the aligning IAM privacy
policy and associated IAM privacy
procedures for access to sensitive
identity information.

Business Introduce business intelligence Limit Unauthorized Harvard January 2017

Intelligence capabilities and analytics to support Access to User Community
Toolset strategic decision-making and Data
identification of areas of risk: Improve
• Pilot the use of SailPoint dashboards Visibility into
and out-of-the-box reports Application
• Evaluate strategic benefits Access

Automated Introduce more governance processes Limit Unauthorized Harvard June 2017
Alerting and using SailPoint tools: Access to User Community
Monitoring • Implement audit reporting to identify Data
risky patterns of excessive access Improve
Situational
awareness
Table 4.3.7: Protect University Resources — Identity and Access Governance Deliverables

Authentication Enhancements: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Identity Implement multiple levels of identity Reduce Risk Harvard September

Proofing assurance safeguards for sensitive of Identity Community 2015
applications. and Account
Compromise
Table 4.3.8: Protect University Resources — Authentication Enhancements Deliverables

26 of 33 Identity and Access Management Program Plan

Authorization Enhancements: Deliverables
Users
Deliverable Description Benefit Delivery
Impacted

Group Implement group management to Simplify Harvard July 2015

Management improve access control administration: Application Community
• IAM managed groups (authoritative) Administration
• “Build-your-own” groups Reduce Local
(application-level) Administrative
Overhead
Quickly Revoke
User Access
Simplify
Administration of
Groups of Users

Adaptive Identity risky patterns of access, and Limit Harvard June 2017
Access alert and/or remediate with minimal Unauthorized Community
human intervention: Access to User
• Select toolset Data
• Implement pilot
Table 4.3.9: Protect University Resources — Authorization Enhancements Deliverables

4.4 Facilitate Technology Innovation

Strategic Objective Reference

Establish a strong foundation for IAM to enable user access regardless of new and/or
disruptive technologies.

Overview
The IAM program actively participates in leading-edge technology development by participating in higher education and
industry standards bodies. Further, the IAM program launches pilots and adopts emerging technologies, such as cloud
computing, to create guidance and establish best practices for the University to use for enterprise-wide implementations.
By keeping apprised of emerging standards and systems, the IAM program offers an expanding array of services to
application owners, developers, and administrators. This positions the University to be a leader in technology innovation.

Key Benefits: End Users

The following table summarizes the key technology innovation benefits of the IAM program for end users:

Key Benefit Description

1. Improve Reliability of I. Leverage Amazon Web Services for hosting IAM services in order to
IAM Services increase the agility of service enhancements and improve the uptime of
application authentication services.

2. Expand Integration with Desktop I. Streamline user login experience to workstations and desktop applications.

3. Enable Choice of Identity I. Allow users to use social media identity to access Harvard resources.
II. Implement SocialSAML and OpenID Connect for authentication.

Table 4.4.1: Facilitate Technology Innovation — Key Benefits for End Users

Harvard University Information Technology | June 2014 27 of 33

 Key Benefits: Application Owners
The following table summarizes the key technology innovation benefits of the IAM program for application owners:

Key Benefit Description

1. Reduce Development Costs I. Reduce the costs associated with infrastructure deployment by taking
advantage of cloud offerings and economies of scale.

2. Provide Best Practices I. Provide guidance, best practices, and lessons learned for future Harvard
implementers of cloud application hosting at Amazon Web Services.

3. Reduce Administrative Overhead I. Mobile app owners will be able to integrate with Harvard credentials using
and Development Time CAS/PIN.

4. Improve Security of Machine-to- I. Verify that an initiating machine is who it asserts it is.
Machine Communications II. Provide identities to non-standard users, such as user communities or
resources (such as microscopes).

5. Improve Situational Awareness I. Perform automated alerting and take action without human intervention.
Table 4.4.2: Facilitate Technology Innovation — Key Benefits for Application Owners

Key Benefits: People Administrators

The following table summarizes the key technology innovation benefits of the IAM program for people administrators:

Key Benefit Description

1. Improve Reliability of I. Leverage Amazon Web Services for hosting IAM services in order to
IAM Services increase the agility of service enhancements and improve the uptime of
application authentication services.

2. Expand Integration with Desktop I. Reduce the number of credentials to manage and reduce configuration
errors by integrating the desktop login with the overall IAM solution.
Table 4.4.3: Facilitate Technology Innovation — Key Benefits for People Administrators

Deliverables
The following tables identify the key deliverables for the IAM program, organized by project:

Authentication Enhancements: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Desktop and Provide authentication services for Enable Choice of Harvard June 2017
Mobile Native desktops and mobile applications, Identity Community
Apps including OAuth. Expand Desktop
Integration
Table 4.4.4: Facilitate Technology Innovation — Authentication Enhancements Deliverables

Expanded Provisioning: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Authenticable Provide provisioning support for Improve Security Harvard January 2017
Credentials for academic research devices to have of Machine- Community
Machines authenticable identities in order to access to-Machine
other devices and data repositories. Communications
Table 4.4.5: Facilitate Technology Innovation — Expanded Provisioning Deliverables

28 of 33 Identity and Access Management Program Plan

Cloud Migration: Deliverables

Users
Deliverable Description Benefit Delivery
Impacted

Cloud Document providing an overview of the Provide Best Harvard May 2014
Architecture IAM AWS cloud architecture. Practices Community (completed)
Reference Model

Connections Migrating the Connections application to Reduced Harvard July 2014

the AWS cloud environment. Development Community
Costs
Improved Reliability
of IAM Services

Phonebook and Migrating the phonebook and public- Reduced Harvard October 2014
Public LDAP facing LDAP systems to the AWS cloud Development Community
environment. Costs
Improved Reliability
of IAM Services

HU LDAP and Migrating the HU LDAP and AUTH LDAP Reduced Harvard January 2015
Auth LDAP systems to the AWS cloud environment. Development Community
Costs
Improved Reliability
of IAM Services

Authentication Migrating the CAS, PIN, and IdP Reduced Harvard July 2015
applications to the AWS cloud Development Community
environment. Costs
Improved Reliability
of IAM Services

MIDAS and Migrating MIDAS and IDDB to the AWS Reduced Harvard October 2015
IDDB cloud environment. Development Community
Costs
Improved Reliability
of IAM Services

IDGen Migrating the IDGen application to the Reduced Harvard October 2015
AWS cloud environment. Development Community
Costs
Improved Reliability
of IAM Services

Self-Service Migrating self-service and other web Reduced Harvard January 2016
service applications to the AWS cloud Development Community
environment. Costs
Improved Reliability
of IAM Services

SailPoint Migrating the SailPoint application Reduced Harvard October 2016

environment to the AWS cloud Development Community
environment. Costs
Improved Reliability
of IAM Services

Table 4.4.6: Facilitate Technology Innovation — Cloud Migration Deliverables

Harvard University Information Technology | June 2014 29 of 33

 5.0 PROGRAM COMMUNICATION

The IAM program will provide regular, targeted communication about status and progress throughout its duration. A
detailed communications plan will be developed by the IAM strategy and planning team with an in-depth overview and
approach for internal and external communications. The table below summarizes key communications in the plan:

Type of Communication Frequency Mechanism Initiated By Recipient

Executive Status Dashboard Monthly Executive Committee Program Director Executive

meeting Team

ITCRB Project Status Report Monthly SharePoint distribution Program Director ITCRB team

External-Facing Website Monthly Blog postings, plan updates IAM Team Public

User Requirements Dashboard Monthly Lifecycle Committee meeting Community Lifecycle

School/community Manager Committee
outreach meetings

Program-Level KPI Reporting Monthly Executive Committee Program Director Executive

meeting Committee

School-Level KPI Reporting Monthly School outreach meetings Community Schools

Manager

IAM Metrics Dashboard Daily Application IAM Team IAM Team

Table 5.0.1: IAM Program Communications

Training
Minimizing disruption to the end user by means of clear communication and coordinated training is vital to the success
of the program. As each release is prepared for production deployment, there will be an equal focus on communicating
release features, user impact, and new support requirements. The following table summarizes training activities:

Training Activity Description Date

Online Training Develop videos and/or online training modules to introduce new IAM Beginning
Modules products and processes to community and target end-user populations Spring 2014
• Project general publicity video
• Onboarding best practices and special topics
• Sponsored and service account setup by service desk
• Overview of account management for all users
• Self-service sponsored account requests
• Dionysus user guide

Seminars for Internal Present “town halls” for communities of interest across the University to Beginning
Audiences review delivery timelines and the impact of new processes and features. Spring 2014
• FAS department administrators
• CADM department administrators
• School IAM teams
• HR professionals
• SIS professionals
Table 5.0.2: IAM Training

30 of 33 Identity and Access Management Program Plan

 6.0 BENEFITS TO THE UNIVERSITY

Implementing an effective end-to-end IAM strategy, as envisioned in this document, will provide a solid foundation for
supporting and fostering innovation and collaboration across the entirety of the Harvard Community. The benefits of
implementing this project plan include:

• Increased User Productivity: Creating a shared understanding of identity management across the University
will foster innovation and collaboration. Automatic provisioning of user access upon or before hire or registration
will reduce onboarding delays. Further standardization of processes and increased education and awareness will
enhance efficiency and return valuable time to staff so that they can focus on supporting the core teaching and
research mission.

• Enhanced User Experience: Well-defined, University-supported

processes will eliminate confusion over what is needed in
order to grant access to protected resources, thereby greatly
The challenges that the IAM
increasing user satisfaction. Concerted efforts to increase program seeks to address are
awareness of IAM services and best practices will result in a myriad and experienced by
more knowledgeable user base and more realistic expectations
users every day across and
of IAM systems. Access to a more fully populated service catalog
will ensure the wider use of all available resources. beyond the University. The
benefits to Harvard include
• Information Sharing Across Applications: Identities and
tools and processes that
attributes stored within IAM systems will enable functionality
such as shared calendars, common data, and integrated fulfill the needs of end users,
contact lists among Schools and applications. The University’s application owners, and people
participation in key international identity management bodies,
administrators, while also
such as InCommon, will ensure that Harvard stays positioned for
improving interoperability within and outside of the University.
reducing costs and building a
foundation for future innovation
• Reduced Administrative Overhead: Greatly enhanced
and expansion.
provisioning to an increasing number of systems reduces
application-owner and people administration overhead.
Federation services eliminate the need for local identities for
external users, thus simplifying application administration. By expanding the IAM program to encompass more
Schools, we will further reduce the number of identity and access stores. IAM program support of cloud-based
software-as-a-service offerings also reduces the cost to provide services to the Harvard Community.

• Increased Security Stature: The ability to quickly provision and deprovision access to resources, in addition to
enhanced identity assurance through features such as multifactor authentication, will improve our security posture.
The ability for the University to use IAM business intelligence and identity analytics will allow for improved risk
management and strategic decision making.

As described throughout this document, the challenges that the IAM program seeks to address are myriad and
experienced by users every day across and beyond the University. The benefits to Harvard of the successful execution
of this plan will result in tools and processes that fulfill the needs of end users, application owners, and people
administrators, while also reducing costs and building a foundation for future innovation and expansion.

Harvard University Information Technology | June 2014 31 of 33

 7.0 APPENDICES

Appendix A: Glossary
Where appropriate, the following terms have been adapted from Wikipedia and the Gartner IT Glossary.
Access management The processes associated with a user’s login across a realm of applications or information
repositories. It is important to note that IAM services will authorize user access to protected resources, but will delegate
the authorization decisions to the applications themselves.
Application owner The members responsible for deciding the business needs of a given application with respect to
IAM. These members work with the IAM program team to determine how best to integrate their applications with IAM
services in order to meet business needs, as well as directing the configuration of their applications.
Authentication The process of validating that people or entities are who they say they are. Authentication is commonly
referred to as “logging in.”
Authorization The process of determining if a user has the right to access a service or perform an action.
Central Authentication Service (CAS) A “single sign-on” protocol for the web, as well as an authentication engine
implementation.
Credential An Item — such as a username/password combination — used by a person or entity to prove him/her/
itself to a system.
Directory service The software system that stores, organizes, and provides access to information in a directory for
entities such as people, groups, devices, resources, etc.
Federation Also known as federated identity management, this is a technical implementation that enables identity
information to be developed and shared among several entities and across trust domains.
Identity and access governance Identity and access governance tools establish a lifecycle process that allows
business owners of identities to have comprehensive governance of identities and access requests. It allows
organizations to identify access risks and make sure access meets organization policies.
Identity management The processes and solutions that provide for the creation and management of user information.
Identity provider (idP) A system that validates the identity of a user in a federated system. The service provider (or SP;
see below) uses the idP to get the identity of the current user.
Identity stores Underlying information associated with users and stored across a variety of technologies, including
databases, LDAP, Active Directory, text files, etc.
InCommon Operated by Internet2, InCommon provides a secure and privacy-preserving trust fabric for U.S. research
and higher education institutions and their partners. InCommon operates an identity management federation and a
related assurance program, and offers certificate and multifactor authentication services.
People administrator A person who assigns roles, group memberships, and/or other attributes to a user.
Service provider (SP) A system that provides a generic service to the user in a federated system. To users, a service
provider is the same thing as the application they are trying to use.
Sponsored guest A user that currently does not have a standard affiliation with the University, but requires access to
University information and resources. As the name implies, sponsored guest access must be requested by a University
staff or faculty member with the appropriate authorization.
User A term used to generalize and reference multiple user types, such as Harvard users (i.e. staff, students, or
faculty), sponsored guests, Harvard application users, and users external to the University (such as faculty from other
institutions). Where the distinction is pertinent to the context of the section, the user type will be referenced explicitly.
User provisioning A set of technology that creates, modifies, disables, and deletes user accounts and their profiles
across IT infrastructure and business applications.

32 of 33 Identity and Access Management Program Plan

Appendix B: IAM Program Accomplishments to Date
IAM program teams and work activities were consolidated in October 2013. A single program was launched to focus on
meeting both the IAM needs of HUIT as well as the needs of the University as a whole. The following list categorizes the
activities that are complete to date.

Program Improvements
• Consolidated and centralized University IAM program.
• Adopted the Agile Software Development Methodology to account for iterative requirement definition and test-
driven development practices.
• Focused on integrated IAM planning and strategy development, including the finalization of a revised project and
operational budget.

Simplify the User Experience

• Selected and purchased a new identity creation toolset that will lead to an improved onboarding experience for
all users.
• Implemented a new Central Authentication Service for faster, more flexible deployment of applications across
the University.
• Implemented one-way federation with Harvard Medical School as proof of concept that users may select the
credentials of their choice in order to access services.
• Implemented provisioning improvements to set the foundation for expanding cloud services, supporting Active
Directory consolidation, and migrating email.
• Integrated a new ID card application into IAM that enables the University to handle large-scale replacement of
expired cards.

Enable Research and Collaboration

• Joined the InCommon Federation and enabled authorized Harvard users to access protected resources at
HathiTrust.
• Enabled access to a planning tool that Harvard researchers can use to assist in compliance of funding requirements
specific to grants (such as grants from the NSF, NIH, and Gordon and Betty Moore Foundation).

Protect University Resources

• Proposed a new password policy to the HUIT Security Organization to standardize password strength and expiration
requirements for the University.
• Drafted a cloud security architecture with the HUIT Security Organization to provide Level 4 security assurance for
application deployments within Amazon Web Services.
• Refreshed the AUTH LDAP software and infrastructure to current, supported versions.

Facilitate Technology Change

• Created a conceptual architecture for IAM services to be deployed within Amazon’s offsite hosting facilities.

Appendix C: IAM Program Timeline

Please see attached for the most recently updated version of the program timeline.

Harvard University Information Technology | June 2014 33 of 33