Cloud ID Management of North Carolina Department of Public Instruction (SEC102) | AWS re:Invent 2013
DESCRIPTION
(Presented by Identity Automation) Identity Automation has worked with the North Carolina Department of Public Instruction since April 2013 to provide a cloud-based identity management service for all employees, students, parents and guests of the State's K12 organizations. In this session, Identity Automation will discuss how the service was used to synchronize identities with target systems, provide federation services as well as end-user self-service, and to delegate administration functionality.
TRANSCRIPT
Cloud Identity Management for
North Carolina Department of Public Instruction
Troy Moreland – Founder & CTO, Identity Automation
Samuel Carter - Systems Architect, Friday Institute
November 14, 2013
Who should attend this session?
• Anyone interested in Identity Management as a Service
• Managers/Architects responsible for Identity Management for their organization
• Software companies interested in taking their products to the cloud with AWS
• Cool people!
Background
Who is Identity Automation?
• We are a software company specializing in
identity, data and access management
• We have commercial and public sector
customers but our specialty is education
• Our products manage over 3.6 million user
accounts across US and Canada
• The average customer size is 20k identities
Identity Automation Product Overview
• ARMS – Access Request Management System – Self-service and delegation tool
• DSS – Data Synchronization System – Identity, data and configuration management tool
• FIMS – Federated Identity Management System – SAML Identity Provider
• FMS – Folder Management System – Identity-driven storage management for Windows
Logical Solution Overview
Current Implementations
• Traditional Methodology
  – On-premises installation
  – Turnkey services
  – Multiple support options
• Customer Responsibilities
  – Provide hardware (physical or virtual)
  – Hire/train staff
  – Ongoing maintenance
Requirements
What is the NCEdCloud?
• NCEdCloud is the initiative responsible for providing cloud based services to all school districts (LEAs) and charter schools within the state of North Carolina
• NCEdCloud IAM is the name for the Identity and Access Management service provided by Identity Automation
What were the goals of NCEdCloud IAM?
• Provide school district employees, students, parents and guests with a single login to all NCDPI sponsored systems as well as other cloud systems that are utilized by numerous districts (including charter schools)
• Provide self service capabilities to all end users and delegation capabilities to all district administrators
What does NCEdCloud IAM actually do?
• Using data from authoritative systems, it creates identities (accounts) for all users and keeps them up-to-date. Single identity supports multiple affiliations
• Synchronizes identities to target systems
• Provides Identity Provider (IdP) for SAML-based authentication and assertion
• Provides interface for self service and delegation of identities
• Provides real-time metrics regarding availability, performance and usage
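The create, keep-up-to-date and synchronize behaviour listed above, as an added Python illustration (this is not Identity Automation's code and is not from the deck): two constructed authoritative feeds, an SIS for students and an HRMS for staff, are merged into one identity per person keyed on an assumed shared `state_id`, affiliations are tracked per role and LEA, and a sync plan is computed against a constructed snapshot of one target system. The field names, the matching key and the target-state shape are assumptions. What it shows beyond the bullet is the lifecycle edge cases a practitioner has to get right: a student who is also an employee keeps the account when one affiliation ends, a withdrawn student is disabled rather than deleted, and an account in the target that no authoritative source knows about is treated as an orphan and disabled.

```python
"""Identity reconciliation and target-system sync, modelled on the behaviour the
slides describe (one identity per person, multiple affiliations, kept current
from authoritative sources, pushed to targets). Added illustration; not
Identity Automation's code. Feeds, field names and the matching key are assumed."""
from dataclasses import dataclass, field

# Constructed sample feeds. The SIS is authoritative for students, the HRMS for
# staff; both are assumed to carry the same state-wide person id (`state_id`).
SIS_FEED = [
    {"state_id": "S-1001", "first": "Ana", "last": "Ruiz", "lea": "LEA-010", "status": "active"},
    {"state_id": "S-1002", "first": "Ben", "last": "Okafor", "lea": "LEA-010", "status": "active"},
    {"state_id": "S-1003", "first": "Cy", "last": "Lee", "lea": "LEA-020", "status": "withdrawn"},
]
HRMS_FEED = [
    {"state_id": "E-2001", "first": "Dana", "last": "Park", "lea": "LEA-020", "status": "active"},
    # S-1002 is a student who also works for the district: one identity, two affiliations.
    {"state_id": "S-1002", "first": "Ben", "last": "Okafor", "lea": "LEA-010", "status": "active"},
    # S-1001's job ended, but the student affiliation is still active.
    {"state_id": "S-1001", "first": "Ana", "last": "Ruiz", "lea": "LEA-010", "status": "terminated"},
]

# Constructed snapshot of one target system (say, a cloud e-mail directory).
TARGET_STATE = {
    "S-1001": {"enabled": True, "groups": {"student@LEA-010"}},  # already in sync
    "S-1002": {"enabled": True, "groups": {"student@LEA-010"}},  # missing the staff group
    "S-1003": {"enabled": True, "groups": {"student@LEA-020"}},  # withdrawn: must be disabled
    "X-9999": {"enabled": True, "groups": set()},                # unknown to any source: orphan
}


@dataclass
class Identity:
    uid: str
    first: str
    last: str
    # role -> LEAs where that role is currently active, e.g. {"student": {"LEA-010"}}
    affiliations: dict = field(default_factory=dict)

    @property
    def active(self) -> bool:
        """A person stays active while any affiliation is active."""
        return any(self.affiliations.values())


def build_identities(feeds):
    """feeds: [(role, records)]. Merges records into one Identity per state_id."""
    identities = {}
    for role, records in feeds:
        for rec in records:
            ident = identities.setdefault(
                rec["state_id"], Identity(rec["state_id"], rec["first"], rec["last"]))
            leas = ident.affiliations.setdefault(role, set())
            if rec["status"] == "active":
                leas.add(rec["lea"])
    return identities


def plan_sync(identities, target):
    """Diff desired state against a target snapshot.

    Returns sorted (action, uid, groups) tuples. Accounts are disabled, never
    deleted, so a returning user keeps the same uid and audit history.
    """
    actions = []
    for uid, ident in identities.items():
        desired = {f"{role}@{lea}" for role, leas in ident.affiliations.items() for lea in leas}
        current = target.get(uid)
        if current is None:
            if ident.active:
                actions.append(("create", uid, desired))
        elif not ident.active:
            if current["enabled"]:
                actions.append(("disable", uid, set()))
        elif not current["enabled"]:
            actions.append(("enable", uid, desired))
        elif current["groups"] != desired:
            actions.append(("update", uid, desired))
    # Anything in the target that no authoritative source knows about is an
    # orphan (stale or hand-created account) and loses access.
    for uid, current in target.items():
        if uid not in identities and current["enabled"]:
            actions.append(("disable", uid, set()))
    return sorted(actions, key=lambda a: (a[0], a[1]))


def run_example():
    identities = build_identities([("student", SIS_FEED), ("staff", HRMS_FEED)])
    return plan_sync(identities, TARGET_STATE)


if __name__ == "__main__":
    for action, uid, groups in run_example():
        print(f"{action:8} {uid:8} {sorted(groups)}")
```

Running it produces one create (E-2001), two disables (the withdrawn student S-1003 and the orphan X-9999), one group update (S-1002 gains the staff group) and nothing for S-1001, whose staff affiliation ended but whose student affiliation still holds. Group membership is derived entirely from the authoritative feeds, so a group someone added by hand in the target is removed on the next run, which is the intended least-privilege outcome.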
How many users are we talking about?
• 250,000 Faculty/Staff
• 1,500,000 Students
• ~3,000,000 Guardians
• ? Guests
Planning for up to 10 million active users…
What types of systems are being integrated?
• Student Information Systems
• HRMS
• Cloud email
• Directory Services
• Content Services
• Library Management Systems
• Cloud Web Content Filter
• Cloud Support System
We are adding 10 new systems per year!
What were some of the other constraints?
• NCDPI didn’t want to host the solution
• NCDPI didn’t want to hire new employees
• NCDPI wanted to pay all-inclusive, annual subscription
• NCDPI required elastic architecture to meet growth
• NCDPI required highly available solution
• NCDPI required delegation for their Cloud Help Desk
Evaluation
What will we do for infrastructure?
• We already have the software we need but nowhere to run it.
• To buy, host and maintain the required hardware was estimated to cost us more than the full 3-year budget allotted for this service
• It was estimated to take us 10 – 12 months to complete install and configure an infrastructure to meet the needs of this service
• In the end, we are a software company, not a hardware company
Can we get assurance of data security?
• Personally Identifiable Information (PII) MUST be stored within the US – Certified by AWS
• Only US citizens may access data – Certified by AWS
• Infrastructure vendor must be SOC 2 "certified" – AWS maintains this plus many others (aws.amazon.com/compliance)
• In short, showing NCDPI we were working with AWS gave them the “warm fuzzy” required to move forward. We could have never done this on our own in time.
So why the AWS cloud specifically?
• Industry Leader – Gartner Group Magic Quadrant (https://aws.amazon.com/resources/analyst-reports/)
• More Service Offerings – No other vendor compared with regard to the number of services offered by AWS. This was compelling for what we need now and what we can do in the future
• Out-of-the-Box Integration – Our products speak the "web services" language. For AWS, web services *is* the product, not something that gets added after the fact
Solution
What AWS services are utilized?
• Amazon Route 53
• Amazon VPC
• AWS IAM
• Amazon RDS
• Amazon SES
• Amazon SNS
• Amazon CloudWatch
• Amazon EC2
  – Windows 2012
  – Amazon Linux
• Elastic Load Balancing
• Amazon S3
• Amazon CloudFront
Typical End User Session
What is unique from AWS perspective?
• Auto-scaling via API
• Provisioning to IAM
What are future plans?
• Implement Chaos Monkey
• More automated monitoring – e.g., kill or restart the application when it is not responding
• Create AWS adapter for DSS
Results
Did AWS save us money?
• We didn’t hire anyone to specifically maintain infrastructure
• We didn’t acquire physical hosting space (minimum of three)
• We didn’t buy any hardware
• We didn’t implement new service with ISP
• We didn’t have to manage/coordinate the build-out of new facilities
Did AWS save us time?
• We estimate that the build-out would have taken us 10-12 months. Development environment was built in a day.
• Test environment took about 2 weeks to complete (due to learning by trial-and-error).
• Production environment was ready to go in 5 days!!
  – Utilizing three Availability Zones
  – Multi-AZ Amazon RDS instance
  – HA Windows (AD) instances
  – HA elastic Amazon EC2 instances of our appliances (across all AZs)
  – Four sets of Elastic Load Balancing instances (across all AZs)
Did AWS add any other value?
• Built-in compatibility with our products
  – We automate management of IAM users and groups
  – We automate auto-scaling of our application instances based on custom triggers
  – We pull information from AWS and place it into our reporting solution for centralized dashboards
• Enterprise Support
  – Enables us to meet our SLA requirements with the State
  – Constantly helping validate our infrastructure design
  – Dedicated team has kept us from having to hire more staff
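The slide says the product automates management of IAM users and groups. An added example, not from the deck and not Identity Automation's configuration, of the least-privilege policy a practitioner would attach to the principal that provisioning automation runs as: it may create, delete and group-assign users only under an assumed `/ncedcloud/` path, and it is explicitly denied anything that would let it grant permissions or mint credentials, so a compromised provisioning credential cannot be turned into an escalation over the whole account. The account id `123456789012` and the `ncedcloud` path are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUsersAndMembershipUnderProvisioningPath",
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:GetUser",
        "iam:UpdateUser",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:ListGroupsForUser"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:user/ncedcloud/*",
        "arn:aws:iam::123456789012:group/ncedcloud/*"
      ]
    },
    {
      "Sid": "EnumerateForReconciliation",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NeverGrantPermissionsOrMintCredentials",
      "Effect": "Deny",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:PutUserPolicy",
        "iam:AttachGroupPolicy",
        "iam:PutGroupPolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}
```

Two details matter when scoping this: `iam:AddUserToGroup` and `iam:RemoveUserFromGroup` are authorized against the group ARN, not the user, which is why the group path appears in the first statement's resources; and `iam:ListUsers` and `iam:ListGroups` only accept `*` as the resource, so the enumeration the reconciliation loop needs has to be granted separately. Because the automation decides which existing groups a user belongs to but can never create or attach a policy, the set of permissions any provisioned user can end up with is bounded by what an administrator put on the `/ncedcloud/` groups in advance.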
Demonstration