Break Out Tables at CIC Identity Management

There were two break out sessions at the CIC Identity Conference.

The first was a breakout by peer groups. In this break out, Registrars sat together, CIOs sat together, etc. I was in the IT Identity Management peer group. There were strong themes that came up during this discussion. Interestingly, the strongest themes were around:

  • Governance – how do you establish it on campus, how do you get buy in, who should be on the governance board.
  • Communication – the need for a common vocabulary for communicating with campus about Identity Management.
  • CAF (Credential Assessment Framework) – especially as a tool to find gaps in the infrastructure and as a communication tool with campus. If the campus wants to use FASTLANE and NIH Grants and other applications, we will have to fill the gaps that are identified in the CAF process.
  • Mapping of Levels of Assurance to Risk Assessments for various applications. Development of a Framework to map LOAs to Risk Levels for Applications.

It is interesting that the Technologists didn’t list a bunch of technologies. Their concerns were mostly around communication, governance and policy.

We then had a break-out by University. Each University would then gather and discuss what they had learned, their concerns, their thoughts on what their next steps should be. From the University of Wisconsin – Madison break-out, I had the following list (which aligns with the list that we presented but isn’t exactly the same):

  1. Doing a CAF analysis and obtaining level 1 of LOA
  2. Building a business case for Identity Management for campus. (Note: I believe that the CAF process can feed into the business case)
  3. Tracking the Federal eAuthentication, CAF, Federal Identifier and other initiatives. We need to keep up with the Federal initiatives and changes and to communicate those changes with campus
  4. Build out of Identity Management infrastructure (specifically our PASE initiative which manages Groups and Entitlements).

Report out from all of the Universities:

Common threads were:

  • Establishing governance, building a common vocabulary, and funding, prioritization and staffing.
  • Going through some version of the CAF process (maybe not bringing in the OMB but working through the analysis internally).
  • Dealing with “Privilege Bloat” – users accumulating access as they move around campus and change jobs
  • Federating with the Federal Government, especially around research.
  • Separating Authentication from Authorization.
  • Education of the population – how to protect their own data and the institutional data.
  • How to serve affiliated populations – like distance ed, research collaborators, etc.
  • 2-factor Authentication came up at U-Minn.
  • Look at joining InCommon, which will push people to document what they do.

Next Steps

  1. Each University submit their summary / prioritized list so that they can be published as a group
  2. The Universities that are going through the CAF process would like to gather to compare notes
  3. Work together and join InCommon so we can federate with each other and to show vendors that we think this is important
  4. Sharing notes on Governance – especially those who are building new governance structures – what are you trying, how is it going, documentation that might be sharable and adaptable
  5. Should there be a regular CIC Identity Management Meeting? Take this up via email and the CIC CIOs planning group
  6. Generate common requirements for software that we could use with vendors. Note: there are two flavors of this: (1) What the software should do now and (2) what the vendors should be working towards. The second is where the CIC might want to focus