Comment: Migrated to Confluence 4.0

Meeting Notes - 2011-8-25 Conference call

[Agenda|uctrustwg:Meeting Agenda - 2011-08-25 Conference Call]

Attendees

(Partial list, please add/edit your names)

...

  • The ITLC meeting will be on September 20th. At the moment, UC Berkeley and UC Davis have presented a more detailed plan and gap analysis. UC Berkeley has submitted a resource request totalling $166,000; it was put on hold pending a further review. There is no guaranteed go-ahead to do the work at UC Berkeley.
  • UC Davis has raised the topic to their management, but timing-wise they cannot visit this until at least October or November. They are constrained with resources and budget.
  • A question is raised on when InCommon Silver will become a mandate for assurance. Dedra responds that as of the last time there was an update (which was during the Educause security conference), the answer was some time this Fall.
  • Dedra mentions that no SP's are requiring InCommon Silver at the moment, but that could change in the future, especially for NIH and NSF applications and possibly for student grant applications. The larger issue is that since we are all self certified to be in compliance with UC Trust Basic, we have to do an audit after 2 years. ITLC originally waived that requirement since we were going to InCommon Silver; however, if we go back to the ITLC in September and tell them that we do not have time to implement InCommon Silver right now, the ITLC may say that they will not waive the audit for UC Trust Basic any longer. As a result, any campus due for their UC Trust Basic audit will have to go through with the process.
  • A question is asked if UC Trust is going to the ITLC to request funding and resources for InCommon Silver, or are we handling this at the campus level? Dedra responds and says that each campus needs to make a resource plan and take that to each of our CIO's before the September ITLC meeting. At that point, we should know where we stand in terms of resources needed. As of last month, everyone said they were on schedule and were putting together their implementation plans. Dedra asks each campus if they are still on track to create the plans and take them to their CIO's before the September ITLC meeting. As a general consensus, it seemed like most campuses were a little behind, but were willing to try and make it by the September ITLC meeting.
  • A new suggestion is brought forth by the workgroup saying that we do both audits (UC Trust Basic and InCommon Silver), with the intention of most likely failing the InCommon Silver audit.

coordinate audit process?
uc team approach for a faster time, but in the long run all the audit teams want experience

carl suggested cherry pick internal auditors and get them to volunteer
audit is a self assessment process and the auditors then review that process

is it feasible to hit these requirements as written?

something that's UC wide, how do we deal with this if we can't alone, hear what other people are doing.

dedra is willing to throw out some inquiries to others doing this as well, have a space where we have questions and solutions for this.
there is an internal only area of wiki that is a starter for this

seems like a collaborative effort is good.
follow up w/ carl on collaborative suggestion
talking points to ITLC for moving forward

schedule for doing audits for incommon silver even if we are going to fail
pass uc trust and fail the silver. going ahead with both audits
can we have a team that is familiar with both audits
we are going to ask auditors to use both sets of criteria? yes it would be a good idea

dedra heard that the incommon silver wasn't that more stringent but what is the real difference?

uctrust leadership

useful to have formal itlc/uc trust liaison. that was sent to exec committee (the idea)
we talked about uc trust chair/co-chair - wait on this until we hear back from itlc on how to structure the subcommittees

system wide HR/Payroll

...

  • There was some discussion of how to coordinate the audit process; perhaps having a collaborative effort would be the most effective. The audit itself is a self assessment process, and then auditors review that process. It would be ideal if we could ask auditors to use both sets of criteria (for UC Trust Basic and InCommon Silver) when going through this process. Dedra is willing to make some inquiries to other campuses who are going through this same process. It is suggested that we should have a place on the wiki where we can post questions and solutions in reference to the audit process. Dedra will also make some talking points to the ITLC for moving this effort forward.

UC Trust leadership

  • During the previous meeting, it was brought up that it would be useful to have a formal ITLC/UC Trust liaison. The idea was brought to the executive committee, and we are waiting to hear back.
  • We have also talked about a UC Trust Chair and Co-Chair - the workgroup agreed to wait until we hear back from the ITLC before proceeding.

System wide HR/Payroll decision

  • The identity management licensing associated with this agreement is only for employees and via the on demand service. For those of us who have students, affiliates, alumni, etc. the licensing does NOT apply.

...

  • Local campuses would continue using their existing IAM system and integrate this with the system wide HR tool.

oracle - calls about pricing about sim renewal.

next gen IAM solutions

document usecases, approach a vendor or two with a fitgap analysis instead of formal RFI.
open source solution? loosely coupled community/open source solution
hampton: two weeks ago a group representing kuali, uc trust, penn state, indiana, identify is there a possible solution given whatever is already out there. open source IAM solutions existing today - look at as an entire package and identify what the remaining gaps are
gaps are significant. the three primary areas of functionality: person registry and identity reconciliation, provisioning, access management.

where are the gaps
between now and mid september there would be 3 functional work groups formed. grouper
the three groups work on a weekly basis gathering requirements, components within areas of functionality need to be enhanced or are entirely missing. will come back together in mid sept and share w/ the larger group.

a 4th group

organizational structure will be more clear after these meetings.

dedra: one of my hopes is that these groups need to get structure and organizational plans, she was hoping that as specific projects and use cases, we want to implement something and we don't have a commercial product to use. we can contribute x amount of resource, what can this project offer, can i get something back (open source)

SIM - sun identity manager

oracle discount
200,000 converting to license
done in the course of a year
it's only for employees
oracle perpetual license

...

Next generation IAM solutions

  • Joint Venture update from Hampton: two weeks ago, he met with different groups in Chicago to determine what open source IAM solutions exist today, and to identify what remaining gaps there are. There are three primary areas of functionality - person registry including identity reconciliation, provisioning, and access management. Between now and mid-September, there will be three workgroups formed based on those primary areas of functionality, and they will be working on a weekly basis gathering requirements and looking at components within these areas to see what needs to be enhanced and what pieces are missing entirely. The groups will come together in mid-September and share their findings with the larger group.
  • There was discussion on using a vendor solution and Oracle products - but it would cost a lot to convert to a license, and it would require support and professional services. Alternately, we could hire a developer that could contribute back to the Joint Venture project.
  • We will have a better idea of what's out there in mid-September. Penn State has developed a person registry; Hampton mentions that it might be what the group decides to use as a starting point, and then use that code base to make it more generic to the different campuses. It may take a year, but if we had a contribution model where schools could have a venue for offering a resource or two to help accelerate the schedule, then that would be a great help.
  • Dedra mentions that UC Berkeley will request a fitgap analysis instead of a formal RFI from their meeting with Oracle so that they can get an analysis of their specific needs and see how Oracle would meet those needs.

stick w/ vendor solution and oracle product? lots of licensing and professional services OR
joint venture project we would contribute dollars to a developer

have our next uc trust conf call end of september to have a fuller picture of what this effort might look like (dedra)

september 29th next uc trust meeting

this project (arlene) sounds like a kuali-esque project where people are throwing equity into this. less governance and overhead. differing degrees resources from different schools as far as the groups that are participating in this. how will you contribute, who assigns resources

dedra: fitgap instead of RFI. fitgap analysis of specific needs and how their product would meet them from oracle? instead of doing RFI not really an upgrade from SIM to oracle IM.

eCompliance

  • eCompliance is a vendor application that some campuses have rolled out without Shib. Since UCSD uses only Shib, they have no choice but to roll it out with Shib enabled. Matt asks what the official way is to bring this to the group and find out what we will accept from them as an SP.
  • In terms of dealing with SP's that want to provide a service to multiple UC schools, there is a suggestion from the workgroup that we create bundles of attributes for SP's; if we pre-negotiate packages based on what type of SP it is, it would streamline the whole process.
  • It would not be efficient to have to negotiate attribute release for every single SP.
  • Dedra notes that while we do have documentation to show SP's that provide services to all UC campuses, and also documentation on SP integration with Shib, we do not have documents to give guidelines on attribute release at multiple schools.  
  • There is existing documentation on how each campus handles data release. This will be posted on the UC Trust wiki page.

Next UC Trust meeting

  • The next meeting is proposed to be moved to September 29th, 2011.

can suggest this to ITLC too.

sp inventing stuff not cool going through the back channels
ucop has several more sp's

ucla has fabulous documentation to give to sp's to integrate to shib
eric's link shows sp's that provide service to all uc's
attribute release at multiple schools - guidelines for streamlining this - no resource yet. proposed bundle of attributes. send off to data proprietors

albert: document data release on campuses - document this. how does our process compare
other schools: procedure to get permission to release data - write this up
there are already writeups for this; will put this on the wiki, schools not on the document can add their own campuses - bruce will create page on wiki

dedra: is there a way we can prevent an sp from going from one campus to the next, are there certain attributes that require

blanket approval that makes it through the uc trust, vetting at uc trust level

data proprietor - give the agreement to them after blanket approval and has been vetted at uc trust level - create doc

dedra: handful of people to volunteer now before that documentation is even up on the wiki? a few people said ok.

workgroup only content - first child page

sd and davis are looking to roll it out with shibboleth. field safety plan, insurance plan relating to travelling.

EPTID

...