Hello,
I want to thank Patricia and Tessa, the co-chairs of ITAC, for hosting
the joint meeting of ITAC, CISC, and MicroNet to discuss security
infrastructure. It was great to see such a lively discussion; thanks to
all of the members of the UCB technical community for the constructive
debate around single sign-on and identity management.
Based on the feedback from the meeting, here is my understanding of
where we should go next:
CalNet Directory Services / LDAP Infrastructure.
Seems like things are going well and that we have fixed the major
problems that we initially had with synchronizing core systems like
PeopleSoft with LDAP. It looks like we still have the occasional
problem with IDs in the old CalNet not being properly synchronized with
the new CalNet infrastructure. We need to watch for these. We only
know of a couple of occurrences, but this does not mean that we don't
have a larger problem. If you see problems, let Rob and Lucas know.
There is more information about how to get support here:
https://calnet.berkeley.edu/developers/
CalNet Authentication
I did not hear any objections to our moving from the MIT KDC to the KDC
in AD. Michael Sinatra had an interesting comment about physical
security. What happens if someone steals one of the Active Directory
machines that is providing KDC service? We need to do further
investigation to make sure that userids and passphrases are properly
encrypted.
Identity Management and Single Sign-On
This was a spirited and very helpful discussion. It seemed that the
largest number of folks that expressed a preference felt that we should
try to implement the portion of Sun's Access Manager that provides
single sign-on and discontinue our efforts to implement CAS. This is a
tough decision, but this type of discussion is exactly what we need
when, as a technical community, we are making infrastructure decisions
that will affect the entire campus. My tendency was to support both CAS
and Sun's AM, but our discussion correctly reached the conclusion that
this just drives up our overall costs. Unfortunately, the budget game
is zero sum. It is important for us to work together to reduce the
number of systems that perform overlapping functions, as supporting
systems that duplicate services just reduces the amount of funding that
is available for other projects. I appreciate the guidance.
Here is what I propose we do next:
1) Discontinue our CAS development efforts
There is no reason to turn off the test CAS server that we have
installed, but we will not do any more development on the CAS
infrastructure. Since CAS is unlikely to be a supported part of the
campus infrastructure, I would not recommend that anyone develop
applications that depend on this as an infrastructure service.
2) Implement the single sign-on portion of Sun's Access Manager
Karl will work with Lucas and Rob to implement single sign-on in one
work month. To keep things moving, I propose that we implement this as
a single point of failure and add redundancy one to two months after we
get it working. We will not be working on full identity management at
this stage, only single sign-on.
3) Make a final decision as soon as is possible
All of us make technical decisions based on available information at the
time of the decision. One key thing that we are missing is experience
with integrating an application with the single sign-on. Karl,
JR, and Randy will work on modifying one of the applications that we had
planned to release with CAS to work with the Sun solution. They will
provide feedback on how this goes to the security-infrastructure list.
I propose that we make Access Manager single sign-on available to
everyone who is interested in evaluating the technical ease or
difficulty of implementing this capability. We need to test our
decision as soon as possible so that we can change direction if we did
not make the right choice.
4) Do as much as we can to start testing identity management
Bill Allison has offered to work with Infrastructure Applications to
test a simple application that uses identity management. As soon as we
have single sign-on available, I think we should start testing
integration with identity management. If our approach is wrong, then we
need to know before we invest a couple of years in working on the larger
problem of identity management across the campus. To keep the effort
manageable, we should focus on an application that does not require
real-time synchronization with source campus systems like PeopleSoft.
This integration testing is open to anyone who would like to get
experience with the proposed identity management system, but we will
need to keep the number of test cases small as this is likely to be more
complicated to work with than single sign-on.
If you are interested in tracking the progress of single sign-on and
identity management, I encourage you to subscribe to the mailing list
that I have set up: security-infrastructure_at_lists.berkeley.edu. To keep
duplicate emails down, I will post follow-up information only to this
mailing list.
Michael
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Wed Nov 08 2006 - 10:23:23 PST
This archive was generated by hypermail 2.2.0 : Wed Nov 08 2006 - 10:23:26 PST