APU, like most organizations, produces more data than it can turn into long-term knowledge. With so many ways of producing ad-hoc unstructured data, whether Microsoft Office documents, email or web pages, it becomes apparent that a strategy is needed to store, search, retrieve, share, and archive content.
Welcome Enterprise Content Management (ECM)
The term ECM does not represent just a product or a suite of products, nor simply a group of technologies. While ECM aggregates once-disparate approaches to information management (Document Management, Collaboration, Knowledge Management, Digital Asset Management, Web Content Management), the ECM concept represents more than the sum of their overlapping characteristics. It is a systematic rethinking of how all data stored outside of traditional integrated information systems (ERP, SIS, etc.) is created, managed and distributed.
IMT's first foray into a broader perspective of this area is covered in a whitepaper, Document Management - An APU Definition and Application. We are now revisiting this opportunity domain; please read on to ECM Defined.
According to InformationWeek, and any IT person with their eyes open, "Companies are choking on information employees create."
How are companies to bring the plethora of unstructured information under control?
What is unstructured data?
The problem comes from "unstructured" information, a catchall term for content that's not managed and stored by a business system such as a data warehouse or an enterprise-resource-planning system. It's the soft but critical content about business decisions, projects, ideas, research efforts, or procedures that can be stored in myriad places.
The inability to find critical content means it's sometimes duplicated instead of reused. That can drain productivity, delay product rollouts, and hurt customer relationships. Worse yet is the idea that while companies have invested heavily in hardware and software for creating content, they're benefiting from only a portion of it because they have no idea where much of the content is.
If it's stored in E-mail or on someone's laptop, then it's forgotten.
The problem ECM is attempting to solve is a fundamental concept of Management Information Systems: "Getting the right information to the right person at the right time." But as InformationWeek points out, when it comes to the exploding quantity of unstructured data employees create each day, many companies have realized that if the best they can hope for is to collect the right information and make it easy to search, at least they are that much closer to meeting their goals.
For more information on Enterprise Content Management, see the collaborative book on the ECM Initiative.
Since ECM is a convergence of once separate technologies and disciplines of information management, it is difficult to nail down a definition. A working definition of ECM is nevertheless the first step in establishing an enterprise content management strategy, if we are to provide infrastructure to support services to that end.
Enterprise Content Management (ECM) connotes a unified framework for managing, web-enabling and personalizing delivery of all disparate forms of content across the enterprise, regardless of their classical modes of creation, storage or presentation.
Enterprise connotes a scope that is comprehensive, representing an entire organization's needs for the targeted services. The focus is on "core" services, that is, services at the heart of operations, services that departments have in common regardless of differences between departments. An "Enterprise" system is one designed to gain the maximum benefit from the advantages and economies of scale, in this case scaled to extend across the entire enterprise.
Content refers to any work-product that can be created, modified, stored or retrieved using an organization's digital infrastructure. Content refers not merely to the content of web pages, but extends to all manner of digital objects: documents, designs, templates, data structures, data values, graphics, audio and video files, curricular material, etc. These various types of content, while dissimilar in means of production, targeted mode of output, original purpose, etc., nevertheless share characteristics that let them come under the control of a unifying mechanism. They can be digitally stored. They can be transported over a common network infrastructure. They can be described in ways that permit search and retrieval across boundaries of content-type, medium or department of origin.
Management refers to the directed and purposeful employment of an organization's resources: the smooth and efficient handling of tasks related to the creation, transformation, storage, preservation and retrieval of the component elements that contribute to, and result from, an organization's efforts. The ECM approach is robust because it combines distributed storage with a centrally managed framework, and scalable because additional repositories (and new content types) can be incorporated into that framework without redesigning it.
ECM incorporates and implements the business rules that govern the processes needed to create, acquire, store, index, secure, search, export and transform digital assets. The key goal of an ECM system is to increase the integration and automation of processes that support Internet delivery.
ECM joins the organization's digital assets together through the mechanism of a unifying descriptive framework. This is an "enabling" infrastructure, enabling work done in one part of the organization to benefit from similar relevant work performed in another part of the organization. It enables the discovery, description and enumeration of assets produced as a natural result of the university's educational mission; assets that have significant value to the organization itself as well as potential value to a broader market beyond the university.
A white paper by Michael J. Halm and Michael Pelikan of Penn State, entitled "Enterprise Content Management Systems: Beyond Digital Asset Management and Web Content Management Systems", covers this ground well. I would encourage anyone interested in this opportunity domain, especially in higher ed, to read this excellent paper.
Identity Management starts with the business valuation of person information as a valuable resource. It therefore seeks to maintain person information in a secure, yet universally accessible, person registry, so that permitted people and applications within and beyond the organization can make use of the data. Identity Management (IdM) includes the business processes, policies, and technologies necessary to leverage person information to enable the Virtual Enterprise.
IMT is greatly in need of a comprehensive Identity Management Initiative to address the complete identity life-cycle of our constituents. Knowing who our customers are, even as they change affiliations with the University over time, is essential to the success of our self-service initiatives. Furthermore, proper management of groups as they are reflected by the business processes of the university, as well as the grouping of customers by activity, is critical to enabling collaboration and knowledge management. This is the difficulty with IdM and other middleware efforts: they are the foundation on which so many more visible initiatives depend (e-business, Enterprise Content Management (ECM), and distance education, to name a few), but they are hard to appreciate as adding business value independently of such projects. So perhaps APU should continue to make advances with IdM attached to other projects which demand it, but a focused initiative will likely be required to address the business process change in how we manage our most critical data set, our people.
Identity Management (IdM) is a long-standing initiative in many organizations. APU's own Transparency Project was our first leap into this space, attempting to aggregate user management on several servers and services by deploying LDAP and giving our users a single set of credentials for most services. Married with the project were changes to the network and the deployment of our first portal to integrate access and interfaces to the most used services. Some of the more advanced parts of IdM, such as provisioning (the automatic creation of accounts and services across multiple systems from a single interface or transaction), were moderately achieved with simple scripts.
Since then, driven by other projects, further steps have been made into IdM. We were able to move to Kerberos for authentication by adding our students to our Active Directory environment and having the LDAP directory pass authentication through to that single source. This was far superior to any earlier password synchronization effort; the result is that the majority of systems on campus now require our users to remember only one user name and password. The flip side of one credential for most systems is that one compromised password now opens most systems, which is why password strength testing and a secure reset process matter more, not less.
Another facet of IdM is enabling users to securely reset their passwords via a self-service mechanism, to increase worker productivity and reduce the time lost and resources spent by conventional means of verifying identity over the phone. The recent [Password Reset Project] will soon enable self-service password resets, and we will yet again be one step further along the IdM path.
Participation by several of our IMT staff in the Internet2 Middleware Initiative brought us to understand that we really had been ahead of the curve in addressing some of the major portions of IdM. Comparing our notes with these Higher Ed best practices confirmed that we had accomplished much, but also confirmed that there was much more to do. Passwords and usernames are only the tip of the iceberg.
Identity and Access Management: Technological Implementation of Policy (PDF) provides another great overview of the identity management opportunity. One of the things I appreciated most about this paper is the clarity of the business case from "other than IT" perspectives. Besides the amazingly effective Ann West, NSF Middleware Initiative (NMI-EDIT) outreach coordinator, the article was written by Jeff von Munkwits-Smith, the University Registrar at the University of Connecticut.
Some more take-away notes and highlights below...
The stewardship of the identity management system should be shared between IT (for the service), the data stewards (for the data), and the policy stewards. Additional players include the risk managers and auditors, online service providers and resource managers, application champions, and system users.
In general, we are all trying to accomplish similar things, such as transitioning to self-managed services for faculty, staff, students, parents, alumni and any constituent the institution wants to maintain a relationship with. In fact, we want contact with more people, earlier in their affiliation with us, wherever they are, and for life. Beyond that, we want these services to work, and we want a degree of trust that only those we want to access them do so. Further, we hear rumors of government-sponsored electronic services that rely on our campus's ability to vouch that a student or faculty member is who they say they are. None of this can be done cost-effectively or reliably without an identity management system.
The latest Information Week (March 15, 2004) has a significant article on The Need For Identity Management. The article inspired me to start documenting APU's need to pursue an Identity Management (IdM) strategy further, and it raised some interesting points of discussion.
The promise of Identity Management is to improve security, boost worker productivity, cut costs, and reduce the "integration friction" usually connected with giving employees, business partners, customers, and suppliers access to internal systems.
The process starts internally, but the long-term objective is clear: Build a series of interconnected systems so an employee logged on to his company's intranet can access a business partner's systems and have those systems automatically trust the employee's digital credentials. The way to do this is through standards.
This perspective of cross-organizational authorization is called Federated Identity Management. Dan Blum of the Burton Group has a good definition of federation: "standards and agreements that make identity and entitlements portable across autonomous domains".
The article mentions SAML, the Security Assertion Markup Language, an XML-based framework for exchanging security information, and the Liberty Alliance, a consortium of more than 150 companies developing an open identity-management standard that makes use of SAML. The article fails to mention the substantial work within Internet2 on Shibboleth, a federated access system built on SAML. Universities have already had success with online library resource vendors implementing a shared security model that grants access to restricted resources in a federated manner.
American Express VP Barret says "Multiple logons just drive employees crazy", and certainly this is a universal complaint, one that APU has attempted to address by consolidating accounts on the most used services using directories. Also important is the security of passwords: Canadian Pacific Railroad Manager of IS Val King emphasizes the importance of conducting password-cracking tests often.
I was glad that the article pointed out the value of provisioning in saving time and money, reducing the time it takes for a new hire to gain access to services or to transition between roles. Provisioning includes applications that automate the creation of employee electronic identities and grant them access to applications and network services.
Nextel acknowledges that they didn't attempt to sell IdM as an end to itself, but rather attached it to their PeopleSoft human resource improvement project, which created an opportunity to also work on identity management.
Even more important than attaching IdM to an initiative, however, is the acknowledgement that it is more of a business challenge than a technical dilemma.
The technical challenges may take time, but they aren't that hard; it's the business and management decisions that take time and require planning. In some cases, it's easy to figure out which manager should grant an employee access to a specific application. But who's in charge of managing that access or turning it off when an employee takes a leave of absence or is out on a long medical leave? If it isn't clear who's in charge of granting access, "you get into a lot more work and tough decisions," Deffet says. "That includes building a consensus for the best approach that works for everybody in the process."
This confirms the fallacy of thinking that a single vendor can provide you with an application called "Identity Management 1.0" that will solve all of your problems.
Most provisioning, access-control, and identity-management applications don't support a wide enough variety of applications, databases, and operating systems, says Gene Fredriksen, VP for information security at Raymond James & Associates. The financial-services firm is evaluating identity-management vendors. "So far, it doesn't seem like any single vendor can do everything or provide everything you need," he says.
Then there's that question of trust. As GM learned with its test, it probably won't be technical issues that keep identity-management systems from making the leap from handling internal applications and employees to managing access for nonemployees working for business partners or suppliers. It's likely to take many businesses much longer to work out the legal and security issues involved in letting outsiders gain single-sign-on access.
It's a lofty goal, but one that is critical to pursue.
The following Identity Management Model, by Tom Barton, shows how identity information is extracted from source systems (ERP etc.), transformed by metadirectory processes, and loaded into directories for use by consumer systems; the flow reads from left to right. The real work happens in the often misunderstood Enterprise Directory Services layer, which is not a single product or LDAP directory but a set of tools that handle the flow of information. Metadirectory processes provision information to services according to business rules that define elements of authentication and authorization, and they are the primary place where identity resolution between disparate systems occurs.
It is generally recommended to maintain the person registry in a relational database that is completely independent of any ERP or vendor application. This "middle database" lets the organization keep complete lifecycle control, through its own business processes, of one of its most important assets: the identity of its constituents. Most applications' user directories or databases are in constant flux, with accounts added and deleted according to current state. The person registry gives each person a permanent record, enabling seamless lifecycle management regardless of software and infrastructure changes.
This architecture is explained in more detail in the Core Middleware Overview Presentation.
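The extract, resolve, transform and load flow described above, as an added example in Python (this is not code from the presentation or from any APU system): two constructed source extracts, one from HR and one from the student system, are resolved into a person registry that assigns each person a persistent registry ID, affiliations are derived from simple business rules, and directory entries are generated for consumer systems. The system names, field names, registry ID format, the eduPersonAffiliation attribute as the place to publish affiliations, and the matching rule (source identifier first, then normalized name plus date of birth) are all assumptions for illustration; a real metadirectory needs a stronger matching key and a review queue for ambiguous matches.

```python
"""Toy metadirectory cycle: extract source records, resolve them into a person
registry, apply affiliation rules, and emit consumer-directory entries.
Added illustration only; every system, field and record below is constructed."""
from dataclasses import dataclass, field

# Constructed extracts from two hypothetical source systems (HR and SIS).
HR_EXTRACT = [
    {"emplid": "E100", "given": "Ada", "family": "Lovelace",
     "dob": "1985-12-10", "status": "active"},
    {"emplid": "E200", "given": "Bob", "family": "Jones",
     "dob": "1970-01-02", "status": "active"},
]
SIS_EXTRACT = [
    {"studentid": "S555", "given": "ada", "family": "LOVELACE",
     "dob": "1985-12-10", "enrolled": True},
    {"studentid": "S777", "given": "Cy", "family": "Ng",
     "dob": "2001-05-05", "enrolled": True},
]


@dataclass
class Person:
    registry_id: str
    given: str
    family: str
    dob: str
    source_ids: dict = field(default_factory=dict)   # e.g. {"hr": "E100", "sis": "S555"}
    affiliations: set = field(default_factory=set)


class PersonRegistry:
    """Vendor-independent person registry: the persistent home of an identity."""

    def __init__(self):
        self.persons = {}       # registry_id -> Person
        self._by_source = {}    # (system, source_id) -> registry_id
        self._by_key = {}       # normalized (given, family, dob) -> registry_id
        self._next = 1

    def lookup(self, system, source_id):
        return self._by_source.get((system, source_id))

    def resolve(self, system, source_id, given, family, dob):
        """Identity resolution: map a source record to one registry_id,
        creating a new registry entry only when nothing matches."""
        rid = self.lookup(system, source_id)
        key = (given.strip().lower(), family.strip().lower(), dob)
        if rid is None:
            rid = self._by_key.get(key)   # assumed matching rule (see lead-in)
        if rid is None:
            rid = f"P{self._next:04d}"    # assumed registry ID format
            self._next += 1
            self.persons[rid] = Person(rid, given, family, dob)
            self._by_key[key] = rid
        self.persons[rid].source_ids[system] = source_id
        self._by_source[(system, source_id)] = rid
        return rid


def run_metadirectory(registry, hr_extract, sis_extract):
    """One ETL cycle. Affiliations are recomputed from the current extracts,
    so a role that has ended is dropped instead of lingering."""
    for person in registry.persons.values():
        person.affiliations.clear()
    for rec in hr_extract:
        rid = registry.resolve("hr", rec["emplid"], rec["given"], rec["family"], rec["dob"])
        if rec["status"] == "active":
            registry.persons[rid].affiliations.add("employee")
    for rec in sis_extract:
        rid = registry.resolve("sis", rec["studentid"], rec["given"], rec["family"], rec["dob"])
        if rec["enrolled"]:
            registry.persons[rid].affiliations.add("student")
    return {rid: directory_entry(p) for rid, p in registry.persons.items()}


def directory_entry(person):
    """Load step: the view a consumer directory receives. Someone with no
    current affiliation is deprovisioned (account disabled), but the registry
    entry and its registry_id survive for when the person returns."""
    return {
        "uid": person.registry_id.lower(),
        "cn": f"{person.given} {person.family}",
        "eduPersonAffiliation": sorted(person.affiliations),
        "accountEnabled": bool(person.affiliations),
        "sourceIds": dict(person.source_ids),
    }


if __name__ == "__main__":
    registry = PersonRegistry()
    cycle1 = run_metadirectory(registry, HR_EXTRACT, SIS_EXTRACT)
    # Cycle 2: Ada's employment ends and Bob vanishes from the HR extract.
    cycle2 = run_metadirectory(registry, [dict(HR_EXTRACT[0], status="terminated")], SIS_EXTRACT)
    for rid in registry.persons:
        print(rid, cycle1[rid]["eduPersonAffiliation"], "->",
              cycle2[rid]["eduPersonAffiliation"], "enabled:", cycle2[rid]["accountEnabled"])
```

The second cycle is the lifecycle point from the paragraph above: Ada keeps her registry ID and her student access when her employment ends, and Bob's account is disabled the moment HR stops reporting him, while his registry record stays so a later re-hire does not create a second identity. It also answers the "who turns access off" question raised in the article: the metadirectory does, from the source system of record, without a manager having to remember.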
CIO John Reynolds has put forth the following strategic priorities for IMT. They are in no particular order, but everything IMT does in the foreseeable future should be aligned with these priorities. This includes efforts around [Initiatives], projects, and architecture.
From a broad architectural perspective a theme arises: Agility. Organizational efficiency can only be achieved with an Agile Enterprise Architecture, where work flows seamlessly between organizational units, and modular design masks complexity and enables change. Whether for a grad student or a university partner, virtual accessibility and self-service are critical to enabling distributed access to a living organization that works as one. The self-service enterprise is one able to provide personalized service to the individual, hiding the complexities of organizational process to present a single friendly face to the customer. And yet, through knowledge management, it must not lose the value that each constituent (student, faculty, staff, alumni and parents) personally brings to APU as transformational scholarship through Christ leaves its legacy.