Scribing Template --Friday, Oct 5, 2012 at 10am

Salon 5

TOPIC:

Identity-based Cloud Services

CONVENER: Michael Gettes, Steven Carmody

SCRIBE: Scott Cantor

# of ATTENDEES: 19

MAIN ISSUES DISCUSSED 

Discussion ranging from where to source different IDM pieces, does this make sense, and what leverage would this give us?

Does the model of CAs apply? If we delegate specific value-added functions to the institution but outsource other functions like credential issuance?

Looking at how to do IDM, a small number of cloud-based solutions are out there. If we're outsourcing things like email, HR, payroll and calling those "Critical", why not IDM? Some executives aren't there yet in thinking of outsourcing this piece. But isn't that likely to change in the next 5 years?

For smaller schools, this isn't even a question. They have to outsource it. But is Internet2 or something like it a better home for that than other vendors? More understanding of the environment and targeted requirements, shared culture. Example is learning management vendors, and how "successful" that's been.

Is the value of an I2-like supplier just the culture/fit, or is it to influence governance rather than have a traditional vendor/supplier relationship? Sense is yes, that's attractive.

Data flows into and out of IDM would be critical for compliance issues. Are our contracts and policies mature enough to cover this? Seems like they are.

At institutions with a history of not setting policies, how do people there view the issue and can you build a shared vision of doing something like this?

Our administrators didn't really have a handle on the IDM system as a whole. They understood HR and such better, so outsourcing it was more clear. As they get a better understanding of the system as a whole, they may be more comfortable with it.

Security compliance people may think we can do a better job of protecting key information than we can.

So, clearly, this is probably going to happen; it may take a while, but it's inevitable.

Is this a case of finding vended solutions, or crafting a service model we like and finding vendor(s) to operate it?

Identity in higher ed is harder, so we need to define that better and, at the same time as pursuing our own solution, work with vendors to better handle our needs. RFP approach: craft a model we want and find vendors willing to offer it. But we'd have to define that model.

CIFER is going beyond modeling to actual APIs to use to wire up components. Maybe Net+ can give us the leverage to get vendors to adopt them. Maybe we don't have any with Google or Oracle, but what about smaller scale?

Topic: How do we relate to IAAS vendors? Different governance models for different kinds of institutions? Small/large, public/private, etc. Are there schools that have done work on how to deploy and manage and support major outsourced services? Is IDM unique in that area or does it overlap other models?

Is the fallout from scandals going to drive a much deeper need to identify and track everybody that comes into our campuses? Is there a sense of increased risk of loss of control in the event of a "major problem with an identity" if we outsource?

Where's the market going? Are CRM-type systems involved? Do they ultimately manage identity from a different perspective? Can driving those systems towards other needs be fruitful? Or is CRM really an application built on identity? Maybe today they're different, but what about industry trends? Clearly the vendors think they can move into this space (e.g., Salesforce), so oughtn't we be prepared for that? Whether to rebut it or work with it?

Is vendor resistance to RFP terms we're used to getting shot down on, like SSO integration, a consequence of confusion about the overlap with the complexity of federation in general? Defining attributes, and so forth? Do vendors understand that asking for Shibboleth support doesn't always mean the same thing?

ACTIVITIES GOING FORWARD / NEXT STEPS

Working on RFP? Hard to imagine a large community coming together on a common RFP at this stage.

What if we focus on the big components and APIs?

Approach Internet2 with the possible demand for this service?

Make sure CIFER understands what's needed to foster an environment in which RFPs could be written?

Do we need a thought process/strategy about this that transcends CIFER, Net+, I2, etc.? Have we lost the campus-level (internally focused?) requirements focus?
