May 2022 Update
Penn Community Re-Engineering Project
The Penn Community Re-Engineering Project includes a phased re-engineering of Penn’s core IAM infrastructure, replacing decades-old, custom-built identity management systems and processes with a standards-based, modern solution to strengthen Penn’s overall security posture and ability to comply with emerging global regulatory requirements.
Phase 1 Rollout Complete
The Phase 1 rollout was completed in November 2021 and included the implementation of SailPoint IdentityIQ as the underlying identity engine for Penn Community. The new solution runs on a Penn-dedicated infrastructure hosted by Amazon Web Services (AWS), providing a flexible architecture that can grow with the University. More details about this rollout are available on the Penn Community website.
Phase 2 Underway
In Phase 2 (2022-2023), we will leverage our new identity management system’s capabilities to improve the security and efficiency of University-wide identity and access management processes in phased functional releases. Goals include:
- Implementing future-state design for identity management
- Deploying infrastructure to support future access management capabilities
- Legacy Penn Community retirement (longer-term goal)
The IAM team continues to meet with IT Leads in the Schools and Centers to share design progress, collect feedback, and ensure alignment as we solidify our deliverables and plans.
Phase 2 Improvements
Phase 2 includes improvements in the following areas:
- User Experience
  - Dramatic improvements for new PennKey creation and password resets
  - Replacement of custom-built user registration and maintenance pages with vendor products
- Security
  - Two-Step Verification overhaul – direct integration with Duo Services, retirement of custom Penn middleware/layers
  - Tighter controls on registration
  - Ability to rapidly adopt emerging authentication technologies to keep pace with evolving security challenges
  - Improved UI and functionality for PennKey administrators
  - Continued prototyping of “passwordless”/FIDO2-based authentication
- Efficiency
  - Continued improvements in the delivery of cleaner identity data across Penn systems
  - Lower effort for future enterprise software integrations
    - For example, ISC was able to integrate with the Banner system in a matter of months for March's NGSS implementation; prior integrations of this type would have taken significantly more effort
  - Adaptive rules and controls for entering and managing identity data
  - Robust auditing and logging of all identity transactions
Other IAM News
- Two-Step for O365 – Two‑Step Verification with PennO365 will be required as of June 2022. Nearly all O365 users at Penn already use Two-Step to protect their O365 accounts, but there are still some who remain unenrolled. We strongly encourage IT groups on campus to work with users who are not already using Two-Step.
Questions & Feedback
ISC values your feedback. If you have questions, comments, or suggestions, please contact penn-iam@upenn.edu.
We look forward to sharing more progress with you soon!
The Penn IAM Team