April 2021 Update
Internal IAM Project
The Internal IAM project includes a re-engineering of Penn’s core IAM infrastructure, replacing decades-old, custom-built identity management systems and processes with a standards-based, modern solution to strengthen Penn’s overall security posture and ability to comply with emerging global regulatory requirements. The new IAM solution will be implemented in phases. Recent progress includes:
- The team is nearing completion of the Design Phase of the project (through May 2021), which includes the following workstreams:
- Identity Works (implementation partner) review of current state, requirements, and system documentation
- Technical design for SailPoint (vendor)
- Technical architecture for infrastructure (servers and storage)
- Schedule and resource planning (Fiscal Year 2022)
- Follow-up sessions to gather remaining information on source and downstream system connectivity, data schema, and provisioning were completed.
- The team is currently working on the Implementation Plan for Phase 1 rollout targeted to begin in June 2021.
Phased implementation of the new IAM system is targeted to begin in June 2021 and will carry into Fiscal Year 2022. The goals are to replace the current IAM infrastructure (Penn Community) with minimal disruption to existing services and to put in place the foundation for future improvements. Penn Community will remain available in parallel with the new IAM system to provide ample time to migrate all current Penn Community clients. Following are details about the implementation phases:
- Implementation Phase 1 will include the following:
- SailPoint populated with source/historical data
- PennIDs created by SailPoint
- Penn Community becomes a consumer of SailPoint and remains in place while its own consumers are migrated; there is no "big bang" transition
- Implementation Phase 2 (1-2 years) will include the following:
- New PennKey claiming and password reset processes
- All consumers of Penn Community data migrated to the new infrastructure through a planned system-by-system migration; there is no "big bang" transition
Related IAM Work
- Two-Step Verification & SMS/Voice Codes – A recently publicized weakness in the telecom industry allows an attacker to pay a small fee to a commercial SMS-forwarding service and have a victim's text messages redirected to the attacker's own device, without touching the victim's phone or SIM. Because of this, and because of the pre-existing risks of SMS/Voice delivery (SIM swapping, interception on the carrier network), SMS/Voice is no longer recommended for delivering Penn Two-Step codes. We recommend moving PennKey Two-Step users to Duo Push or to codes generated by the Duo Authenticator app; neither depends on the carrier network to deliver the code, so neither is affected by this weakness. If you have questions, please contact firstname.lastname@example.org.
- Two-Step for O365 – Enrollment in Two-Step Verification for PennO365 passed 15,000 users (76% of the total) during Q3 of Fiscal Year 2021. Now that PennKey and O365 passwords are synchronized, a single compromised password exposes both accounts, so it is more important than ever that users enable Two-Step for O365 to keep protection consistent across University systems. We strongly encourage IT groups on campus to recommend Two-Step with O365 to users who are not already enrolled. Several Schools and Centers are using ISC's Two-Step for O365 enrollment tools to smooth their migration path. Administrators interested in using the toolkit for their users should contact email@example.com.
- The IAM Policy Working Group – This group continues its work to establish the University's first comprehensive set of Identity and Access Management policies, including policy statements, best and acceptable practices, and technical standards documents. Three identity proofing working groups have been formed to analyze the in-person, remote, and self-service password reset processes, covering standards and practices, the validation process, and training.
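To make concrete why app-generated codes are out of reach of an SMS-redirection attack, here is an added example that is not part of this update and is not Penn's or Duo's code: the page does not describe the Duo Authenticator's internal scheme, so this is a generic time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) implementation. The secret and time values are the RFC's published test vectors, used here as constructed input. Both the phone and the verifier compute the code independently from a shared secret and the current time, so no code ever travels over the carrier network for a forwarding service to intercept. The verifier accepts one 30-second step of clock drift on either side, rejects anything older, and compares in constant time.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed
# input for this example, not a real enrollment secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.
    This is what the authenticator app runs locally; nothing is transmitted."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, now: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Verifier side. Accepts the code for the current step and `window`
    steps on either side (clock drift), nothing older. Constant-time compare
    so a timing oracle cannot leak which digits matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    accepted = False
    for delta in range(-window, window + 1):
        expected = totp(secret, now + delta * step, step, digits)
        # Evaluate every step so the loop's timing does not reveal a match.
        accepted |= hmac.compare_digest(expected, candidate)
    return accepted


if __name__ == "__main__":
    # The phone derives the code at t=59 (counter 1); the verifier, with a
    # clock up to one step off, still accepts it, but not 90 seconds later.
    code = totp(TEST_SECRET, 59)
    print("app code at t=59:", code)
    print("accepted at t=59:", verify_totp(TEST_SECRET, code, 59))
    print("accepted at t=89:", verify_totp(TEST_SECRET, code, 89))
    print("accepted at t=149:", verify_totp(TEST_SECRET, code, 149))
```

The point of contrast with SMS delivery is the absence of any delivery step: an attacker who redirects the victim's texts receives nothing, because the code exists only as a computation on the enrolled device and on the verifier. What remains to protect is the shared secret at enrollment and at rest, which is why the claiming and password-reset processes in Phase 2 matter to the overall design.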
Questions & Feedback
ISC values your feedback. If you have questions, comments, or suggestions, please contact firstname.lastname@example.org.
We look forward to sharing more progress with you soon!
The Penn IAM Team