Meeting Notes - 2011-8-25 Conference call

[Agenda|uctrustwg:Meeting Agenda - 2011-08-25 Conference Call]

Attendees

(Partial list, please add/edit your names)

Curtis Bray, UCD
Tom Poage, UCD
Bob Ono, UCD

Dedra Chamberlin, UCB
Eric Goodman, UCSC
Arlene Allen, UCSB

Celia Cheung, UCLA (scribe)
Albert Wu, UCLA
John Kamminga, UCM

Brian Roode, UCI
Matt Elder, UCSD
Hampton Sublett, UCD

InCommon Silver Implementation update

  • The ITLC meeting will be on September 20th. At the moment, UC Berkeley and UC Davis have presented a more detailed plan and gap analysis. UC Berkeley has submitted a resource request totalling $166,000; it was put on hold pending a further review. There is no guaranteed go-ahead to do the work at UC Berkeley.
  • UC Davis has raised the topic to their management, but timing-wise they cannot visit this until at least October or November. They are constrained with resources and budget.
  • A question is raised about when InCommon Silver will become a mandate for assurance. Dedra responds that as of the last time there was an update (which was during the Educause security conference), the answer was some time this Fall.
  • Dedra mentions that no SP's are requiring InCommon Silver at the moment, but that could change in the future, especially for NIH and NSF applications and possibly for student grant applications. The larger issue is that since we are all self certified to be in compliance with UC Trust Basic, we have to do an audit after 2 years. ITLC originally waived that requirement since we were going to InCommon Silver; however, if we go back to the ITLC in September and tell them that we do not have time to implement InCommon Silver right now, the ITLC may say that they will not waive the audit for UC Trust Basic any longer. As a result, any campus due for their UC Trust Basic audit will have to do so.
  • A question is asked if UC Trust is going to the ITLC to request funding and resources for InCommon Silver, or are we handling this at the campus level? Dedra responds and says that each campus needs to make a resource plan and take that to each of our CIO's before the September ITLC meeting. At that point, we should know where we stand in terms of resources needed. As of last month, everyone said they were on schedule and were putting together their implementation plans. Dedra asks each campus if they are still on track to create the plans and take them to their CIO's before the September ITLC meeting. As a general consensus, it seemed like most campuses were a little behind, but were willing to try and make it by the September ITLC meeting.
  • A new suggestion comes up that we do both audits (UC Trust Basic and InCommon Silver), with the intention of most likely failing the InCommon Silver audit.

coordinate audit process?
uc team approach for a faster time, but in the long run all the audit teams want experience

Carl suggested cherry pick internal auditors and get them to volunteer
audit is a self assessment process and the auditors then review that process

is it feasible to hit these requirements as written?

something that's UC wide, how do we deal with this if we can't alone, hear what other people are doing.

Dedra is willing to throw out some inquiries to others doing this as well, have a space where we have questions and solutions for this.
there is an internal only area of wiki that is a starter for this

seems like a collaborative effort is good.
follow up w/ Carl on collaborative suggestion
talking points to ITLC for moving forward

schedule for doing audits for incommon silver even if we are going to fail
pass uc trust and fail the silver. going ahead with both audits
can we have a team that is familiar with both audits
we are going to ask auditors to use both sets of criteria? yes it would be a good idea

Dedra heard that the InCommon Silver wasn't that much more stringent, but what is the real difference?

uctrust leadership

useful to have formal ITLC/UC Trust liaison. that was sent to exec committee (the idea)
we talked about uc trust chair/co-chair - wait on this until we hear back from itlc on how to structure the subcommittees

system wide HR/Payroll

the identity management licensing associated w/ this agreement is only for employees and via the on demand service. for those of us who have students, affiliates, alumni, etc., the licensing does NOT apply. local campuses would continue using their existing IAM system and integrate this with the system wide HR tool.

Oracle - calls about pricing about SIM renewal.

next gen AIM solutions

document use cases, approach a vendor or two with a fitgap analysis instead of formal RFI.
open source solution? loosely coupled community/open source solution
Hampton: two weeks ago a group representing Kuali, UC Trust, Penn State, Indiana, identify is there a possible solution given whatever is already out there. open source IAM solutions existing today - look at as an entire package and identify what the remaining gaps are
gaps are significant. the three primary areas of functionality: person registry and identity reconciliation, provisioning, access management.

where are the gaps
between now and mid September there would be 3 functional work groups formed. Grouper
the three groups work on a weekly basis gathering requirements, components within areas of functionality need to be enhanced or are entirely missing. will come back together in mid Sept and share w/ the larger group.

a 4th group

organizational structure will be more clear after these meetings.

Dedra: one of my hopes is that these groups need to get structure and organizational plans, she was hoping that as specific projects and use cases, we want to implement something and we don't have a commercial product to use. we can contribute x amount of resource, what can this project offer, can I get something back (open source)

SIM - Sun Identity Manager

oracle discount
200,000 converting to license
done in the course of a year
its only for employees
oracle perpetual license

or you could hire a developer that could contribute back to this project
or do something simple that's tailored, put together something that populates the database, ldap, kerberos

stick w/ vendor solution and oracle product? lots of licensing and professional services OR
joint venture project we would contribute dollars to a developer

nothing will be known til mid Sept (Hampton) better sense of what's out there. Penn State has developed a person registry, that might be what the group decides to use as a starting point, code base to make more generic. maybe. given the current resources, might take a year, but contribution model where schools can have a venue for offering a resource or two to help accelerate schedule, then that would help.

have our next uc trust conf call end of september to have a fuller picture of what this effort might look like (dedra)

september 29th next uc trust meeting

this project (Arlene) sounds like a Kuali-esque project where people are throwing equity into this. less governance and overhead. differing degrees of resources from different schools as far as the groups that are participating in this. how will you contribute, who assigns resources

dedra: fitgap instead of RFI. fitgap analysis of specific needs and how their product would meet them from oracle? instead of doing RFI not really an upgrade from SIM to oracle IM.

matt
vendor app that some campuses have rolled out w/o shib
he asks why its not a uc trust enabled app
ucnet id as identifier
user provisioning problem came up again
they only use shib so they have to use shib enabled
what is the official way for matt to bring this to the group and what we will accept from them as an SP or what we will try to push on them

eCompliance.

SPs that want to provide a service to multiple UC schools. we have our own procedures, makes it hard for each SP to negotiate that with the whole UC system. Arlene tries to come up w/ bundles of attributes for service providers
Arlene: needed an efficient way to deal with SP's - don't have the time to deal with custom attributes. need a standard profile of attributes.

Dedra: increasing SP's that provide service to whole UC system, if they have to negotiate attribute release for every SP it is not efficient. if we prenegotiate packages based on what type of SP it was it would streamline the whole process.

can suggest this to ITLC too.

sp inventing stuff not cool going through the back channels
ucop has several more sp's

ucla has fabulous documentation to give to sp's to integrate to shib
eric's link shows sp's that provide service to all uc's
attribute release at multiple schools - guidelines for streamlining this - no resource yet. proposed bundle of attributes. send off to data proprietors

Albert: document data release on campuses - document this. how does our process compare
other schools: procedure to get permission to release data - write this up
there are already writeups for this; will put this on the wiki, schools not on the document can add their own campuses - bruce will create page on wiki

Dedra: is there a way we can prevent an SP from going from one campus to the next, are there certain attributes that require

blanket approval that makes it through the uc trust, vetting at uc trust level

data proprietor - give the agreement to them after blanket approval and has been vetted at uc trust level - create doc

dedra: handful of people to volunteer now before that documentation is even up on the wiki? a few people said ok.

workgroup only content - first child page

sd and davis are looking to roll it out with shibboleth. field safety plan, insurance plan relating to travelling.

EPTID

mary already taking resource request to itlc?
