Thank you from the EIAM Program team!
The Enterprise Identity and Access Management Program began 18 months ago to improve how people obtain and use accounts to access U-M services. The program came to an official close this summer. Our ambitious scope included the entire U-M community—Ann Arbor, Dearborn, Flint, and Michigan Medicine. With team members from Information and Technology Services (ITS) and Health Information Technology & Services (HITS) working together, we sought to reduce pain points and to plan for improvements into the future.
"HITS and ITS together made significant strides in strengthening identity and access management governance and processes, while also expanding our understanding of long-term needs to support the entire university community," said Nimi Subramanian, program co-director and IS director at HITS.
Positive impact for today and into the future
- 15,000+ students, faculty, and staff* joining U-M since October 2017 created their uniqnames using a modernized onboarding process with improved communications, fewer obstacles, and mobile-friendly web design. 23% used a smartphone or tablet to set up their account, a task which was previously recommended only for a computer. (*More specifically, staff and faculty joining the Ann Arbor, Dearborn, and Flint academic campuses; and students joining the Ann Arbor and Flint campuses.)
- 1,600 students joining UM-Dearborn since October 2017 used a new Uniqname & Account Setup app, which gave Dearborn students the option to select their own uniqname for the first time.
- 34,000+ Michigan Medicine employees now enjoy improvements in a number of areas including simpler, automated email communications to new hires that trigger setup of their accounts and passwords, streamlined onboarding processes that cut the number of calls to both ITS and HITS Service Desks, and an enhanced group management tool to manage distribution lists and access to shared network drives.
- 4,600+ people use a social account (e.g., Facebook, Twitter, LinkedIn) each month to use resources provided by the Alumni Association or HathiTrust Digital Library. Five additional groups are interested in offering social login for a service soon.
- 22,500+ people on average who reset their UMICH (Level-1) password by contacting the ITS Service Center each year now may reset their password on their own more easily with improved screens, more convenient help links, text message password reset codes, and UMID or birthdate instead of security questions. We are on track this year to see 10,000 fewer password reset requests to the ITS Service Center.
- 1,700 people piloted a new prompt to review and update password recovery information after Weblogin—with the new feature rolling out to the entire U-M community over the coming year.
- 20,000+ people in the College of Engineering (about 20,000 students, faculty, and staff), Shared Services Center (about 60 staff), and UM-Dearborn (about 10 staff) will soon have a small portion of their access managed automatically.
Listened today to impact tomorrow
The program team conducted more than 100 interviews with interested groups across the university to better understand current challenges and opportunities for improvement. The knowledge gained from listening to the community was invaluable in setting the right direction for efforts lasting beyond the program’s end date. These efforts include:
- Recommendations to address concerns about uniqnames include creating email aliases to give people more flexibility, and making uniqnames easier to change when a life event occurs. Longer term recommendations include replacing uniqnames as the primary identifier in systems with a more flexible option.
- Growing the use of the newly-acquired Identity Governance tool to provide role-based access to all campuses, including Michigan Medicine. Use of the tool requires groups to strategically define who should receive access to what and why, and will be slowly adopted over time.
- A "bridge" between the directory systems for the academic campus and Michigan Medicine was designed to more easily share identity and group data in the future. The future technical solution will reliably and accurately pass information between the two directories.
- Michigan Medicine explored a need for consistently clear and strict controls to help secure data. After establishing a model to analyze data security and conducting a pilot, the team made recommendations to establish and maintain an application database and implement regular internal monitoring and auditing.
- Recommendations for appropriate steps to verify an individual’s identity before they access university resources based on risk associated with the access.
While the program is ending, our work to improve how people receive access to the resources they need to contribute to the university’s missions of research, education, patient care, and community engagement is not over.
"The recommendations and research resulting from the program will be useful to the Identity and Access Management teams in ITS and HITS for years to come. Our teams are looking forward to carrying forward the EIAM vision in ongoing support work and in future projects," said DePriest Dockins, program co-director and assistant director of ITS Identity and Access Management.
The Role and Access Management Project (RAMP) will continue in ITS as the Identity Governance Early Adoption project in FY19. Identity and Access Management teams in ITS and HITS will prioritize and implement recommendations from the EIAM program over time as future projects.
Thank you for your interest and participation in the program!
Access Standards Alignment Project
Nearly three years ago, Michigan Medicine’s Executive Vice President for Medical Affairs (EVPMA) and Medical School Dean, Dr. Marschall S. Runge, endorsed a comprehensive program to implement solutions to increase IT security throughout Michigan Medicine. Encryption of the devices, networks, email, and data we use is a major accomplishment in this initiative to mitigate security risks.
More recently, the efforts of several of the projects under the umbrella of the EIAM Program have identified additional opportunities to improve security and reduce vulnerabilities, specifically regarding identity and access management. While the program has been a major collaborative effort coordinating needs of all U-M campuses, the Access Standards Alignment Project (ASAP) has focused more on the special needs of Michigan Medicine.
In particular, ASAP’s task was to compare current authentication, authorization, and access standards with those identified as best practices by the National Institute of Standards and Technology (NIST). The ASAP team selected a pilot system to demonstrate security gaps. After review, the ASAP team will be making important recommendations to more effectively secure and monitor access to sensitive data within Michigan Medicine.
Simplifying password resets
Many of the university's online resources start at the same place: Weblogin. Most of the time, it only takes a moment to sign in to the familiar screen with a uniqname and UMICH (Level-1) password. The Account Lifecycle Optimization (ALO) project took an analytical look at a problem experienced by tens of thousands of people every year—the forgotten password.
The ITS Service Center received over 23,000 calls last year from people seeking assistance with resetting a password. Many of those people weren’t aware they could reset their password on their own, or hadn’t provided an alternate email to receive a password reset code. Others couldn’t remember their answers to security questions.
The ALO team recently made the following changes to make it easier for people to regain access to their account quickly and securely:
- Discontinued security questions for identity verification
- Began collecting account recovery information when someone creates their uniqname and UMICH password through Uniqname and Account Setup
- Added an option to an administrative tool used by the ITS Service Center so that they may add account recovery information on behalf of callers
- Added a link ("Forgot password?") to reset a password on the Weblogin screen
- Added an option to receive password reset codes by text message
After only a short time in production, self-service account recovery has more than doubled while calls to the ITS Service Center have declined. The team isn’t stopping there. Later this month, the team will be testing a prompt in Weblogin to provide or update account recovery information (a non-UMICH email or phone number that can receive text messages) once a year.
For now, however, you can visit UMICH Account Management to set your account recovery information so you are prepared if you forget your password and need to reset it in the future. See Resetting a Forgotten UMICH (Level-1) Password for steps to reset a password, including options for those with Michigan Medicine (Level-2) passwords.
Recommendations for Identity Verification Practices
The University of Michigan welcomes thousands of new students, faculty, and staff members each year. Verifying each new person is who they claim to be is one of the many important steps in the process of onboarding individuals into the university community. An individual’s identity—who you are at the university—is key to accessing university resources.
Over the past year, the Identity Assurance initiative interviewed 15 campus and 10 Michigan Medicine units to better understand current identity proofing methods, technologies, policies, and processes used when onboarding new students, faculty, staff, and sponsored affiliates.
A patchwork of policies and procedures guide the university in verifying an individual’s identity. The resulting gaps in security, compliance, documentation, and responsibility could leave the university vulnerable to cyberattacks, fraud, or legal sanctions.
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, provides guidelines for digital identity proofing requirements. NIST defines three Identity Assurance Levels (IALs) for organizations to use when assessing appropriate confidence level.
Based on the guidelines provided by NIST and common practices at U-M, the team recommends the following:
- A higher Identity Assurance Level should be used when higher risk is associated with the access a person receives.
- Use the type of access, and the risk of that access, that an individual has to sensitive data, systems, or physical locations to determine identity assurance requirements.
- Technology and services, such as biometrics or third-party proofing services, should be introduced only when necessary to support verifying identities at higher IALs.
- Michigan Medicine is proposing a process change to raise the IAL level for all Michigan Medicine account holders to IAL2.
When the Identity Assurance project concluded in March, U-M was among the first higher education institutions to conduct a universitywide analysis of identity proofing practices using NIST’s most recent guidelines, Digital Identity Guidelines (June 2017).
Designing a service for role and access management
Currently, access to U-M and Michigan Medicine resources is managed on a service-by-service basis, making it difficult and time consuming for managers to make sure the right people have access to the right resources at the right time and for the right reason. The Role and Access Management Project (RAMP) is building a solution to enable U-M units to strategically and proactively manage access to university resources.
After working with academic, clinical, and administrative partners to conduct a thorough request for proposal, the cross-campus team selected a vendor, Micro Focus, for their Identity Governance (IG) software. A contract was signed in January to use the software for the new role-based access service for all U-M campuses, including Michigan Medicine.
The new service will:
- Streamline access to services or systems based on business roles and functions
- Automate some manual processes for requesting access so individuals can perform jobs sooner
- Improve processes for assigning, managing, analyzing, and reporting on access
- Increase security for resources by removing access efficiently when an employee leaves a department or the university
After learning from and working with the vendor to design the service to meet university needs, Information and Technology Services (ITS) and Health Information Technology and Services (HITS) staff will integrate the tool with select systems currently used at U-M.
While working together to build a common framework, the two organizations will tailor their implementation approach to their key audiences.
Michigan Medicine partners with MiChart and other service providers
During the current phase of the project, Michigan Medicine is developing their framework to standardize, enhance, organize, and simplify access. MiChart and other service providers are partners during this effort. The framework will be used to test and validate the tool’s ability to streamline and automate access assignments and reduce manual effort while increasing accurate control.
ITS and campus partners to begin early adopter phase in May
The campus early adopter units were selected to demonstrate key features of the tool. The RAMP team will continue to fine-tune the tool to meet specific university needs by working closely with unit business and IT leadership.
- College of Engineering will automate off-hours building access based on business role by integrating with C-Cure, the current building access system. Building security will be improved by automatically revoking access when someone no longer requires it.
- Shared Service Center Procurement will automate M-Pathways Financials & Physical Resources access and permissions for 13 working titles. Meaningful and descriptive business roles for procurement-specific access will be automatically assigned during onboarding, temporarily for shorter assignments, and removed for offboarding or job changes.
- UM-Dearborn will automate access for faculty and staff to six common applications by integrating with Active Directory, a structure used to provision many U-M resources. Creating business roles and a single authoritative source for access will make provisioning more efficient, enable auditing, and potentially eliminate a shadow system.
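The three early-adopter cases share one mechanism: an authoritative set of role assignments (some time-limited) is compared against what each target system has actually provisioned, and the difference becomes grants and revocations. The Python sketch below is an added illustration of that reconciliation step; it is not code from the RAMP project or from the Micro Focus Identity Governance product, and every role name, entitlement string, person and date in it is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed role catalogue: business role -> entitlements in target systems.
# The names are hypothetical stand-ins for building access, financials
# permissions and directory groups like those described for the early adopters.
ROLE_CATALOG: Dict[str, FrozenSet[str]] = {
    "engineering-grad-student": frozenset({"building:ccure:off-hours"}),
    "procurement-buyer": frozenset({"finance:mpathways:req-create",
                                    "finance:mpathways:po-view"}),
    "dearborn-staff": frozenset({"ad:group:dearborn-staff",
                                 "ad:group:app-portal"}),
}


@dataclass(frozen=True)
class RoleAssignment:
    """One person holding one business role, optionally for a bounded period."""
    person: str
    role: str
    start: date
    end: Optional[date] = None  # None = open-ended; a date = temporary assignment

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


def desired_entitlements(person: str, assignments: List[RoleAssignment],
                         as_of: date) -> Set[str]:
    """Entitlements the person should hold on a given day, derived only from
    active role assignments. An unknown role is an error, not silently empty:
    a typo in the authoritative source must not quietly strip or keep access."""
    wanted: Set[str] = set()
    for a in assignments:
        if a.person != person or not a.active_on(as_of):
            continue
        if a.role not in ROLE_CATALOG:
            raise ValueError(f"role {a.role!r} is not in the catalogue")
        wanted |= ROLE_CATALOG[a.role]
    return wanted


def reconcile(person: str, assignments: List[RoleAssignment],
              provisioned: Set[str], as_of: date) -> Tuple[Set[str], Set[str]]:
    """Return (grants, revokes): what to add to and remove from the target
    systems so that provisioned access matches the role-derived desired state.
    Anything provisioned that no active role explains is revoked, which is how
    offboarding, expired temporary assignments and orphaned entitlements are
    all handled by the same rule."""
    wanted = desired_entitlements(person, assignments, as_of)
    return wanted - provisioned, provisioned - wanted


# Constructed sample data: a new engineering student, a buyer on a temporary
# assignment, and a Dearborn staff member whose assignment has ended.
SAMPLE_ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("alice", "engineering-grad-student", date(2018, 9, 1)),
    RoleAssignment("bob", "procurement-buyer", date(2018, 5, 1), end=date(2018, 8, 31)),
    RoleAssignment("carol", "dearborn-staff", date(2017, 1, 15), end=date(2018, 6, 30)),
]

# Constructed snapshot of what the target systems currently hold. Carol also
# has an entitlement no role grants (a leftover from a shadow system).
SAMPLE_PROVISIONED: Dict[str, Set[str]] = {
    "alice": set(),
    "bob": {"finance:mpathways:req-create", "finance:mpathways:po-view"},
    "carol": {"ad:group:dearborn-staff", "ad:group:app-portal", "ad:group:legacy-share"},
}


def run_reconciliation(as_of_iso: str) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Reconcile every person in the sample snapshot as of an ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return {p: reconcile(p, SAMPLE_ASSIGNMENTS, prov, as_of)
            for p, prov in SAMPLE_PROVISIONED.items()}


if __name__ == "__main__":
    for day in ("2018-06-01", "2018-09-15"):
        print(f"as of {day}:")
        for person, (grants, revokes) in run_reconciliation(day).items():
            print(f"  {person}: grant {sorted(grants)} revoke {sorted(revokes)}")
```

Running it on the two sample dates shows the behaviour the early-adopter descriptions call for: on 2018-06-01 only Carol's orphaned share entitlement is flagged for revocation, while on 2018-09-15 Alice is granted off-hours building access, Bob's expired temporary assignment has its financials permissions removed, and Carol's offboarding removes everything she still holds. Because revocation is computed from the same authoritative source as grants, the reconciliation output also doubles as the audit evidence of who held what and why.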
The ITS RAMP team will create a foundation for growing and supporting the service for campus in production at the end of the early adopter phase, which is currently scheduled for December 2018.
Introducing Social Login for Guest Access
As the EIAM program completes its first full year, the Social Login project team introduced a new service to expand account creation options for university guests. The need to extend U-M resource access to people without uniqnames has been growing consistently. At the start of the project, using a Friend account was the only way to achieve this and we had over 1 million Friend accounts in existence.
Social Login at U-M allows U-M affiliates such as prospective students, parents, donors, patients, and external researchers and faculty to use a social account they already have (such as Facebook, LinkedIn, or others) to log in to certain U-M services—instead of using a uniqname and UMICH password or a Friend account.
The service can simplify account creation for many groups of people without uniqnames—from prospective students applying to U-M to high school students attending a summer camp. When social login is available as an option, individuals use a familiar login, rather than creating yet another login credential to remember.
Two university units implemented social login during a successful service pilot. Read the Michigan IT News article to learn how the Alumni Association and the HathiTrust Digital Library are using social login to lower the barrier for using services, while personalizing the experience for their key audiences.
EIAM Program: Year in Review
Social login is just one of many technology and administrative process improvements that the EIAM Program accomplished during its first year. Below is a partial list of some of the benefits delivered to U-M campuses.
- Revised onboarding emails used to welcome new staff, students, and faculty now provide clearer instructions to set up accounts and passwords needed to access U-M and protected Michigan Medicine resources. At new employee orientation the week after the streamlined emails were implemented, the rate of requests for account assistance from new hires to the HITS Service Desk dropped drastically from 93% to 7%, enabling employee verification and account setup to be completed by start date.
- Simplified uniqname and account setup improved the first impression all new students, faculty, or staff members have of their U-M account. The process no longer requires postal mail for UM-Dearborn students to receive accounts, and is completely mobile friendly, a feature already used to set up nearly 25% of accounts since September 2017. The new setup process allows units to welcome new people with fewer account-related setbacks, and provide timely access to U-M resources and services. The ITS Service Center is equipped with better support tools to assist with account setup. Additionally, better service monitoring and reporting capabilities mean we can better identify areas to improve in the future.
- Recommended uniqname improvements provide guidance for immediate steps and lay a foundation for long-term change. One of the changes the joint ITS and HITS project team recommends is to allow individuals to use email aliases instead of their uniqname as their preferred email. Email aliases will give individuals more options for avoiding unattractive uniqnames without requiring significant effort and resources.
- Selected a product to improve the ease and timeliness for obtaining access to administrative and clinical systems and resources, while also enhancing security with reporting and audit capabilities. The team, working with academic, clinical, and administrative partners, identified needs and selected a vendor to provide a solution to all U-M campuses, including Michigan Medicine. Pilot candidates are selected to demonstrate the key features of the product in 2018.
- Established and sought guidance from the EIAM Steering committee, the Michigan Medicine IAM Steering Committee, and project-specific advisory groups. In particular, the cross-functional group for the Account Lifecycle Optimization project provided valuable feedback on product design and recommendations for best implementing changes.
Improving Uniqnames Now and in the Future
The university’s current uniqname ecosystem has served U-M for more than a quarter of a century, but it needs to be updated to address these challenges:
- The eight-character limit combined with the large number of uniqnames already taken makes it difficult for people to include parts of their name in their uniqname.
- Changing uniqnames due to a life event, such as marriage, divorce, or gender re-identification, is a manual and time-consuming process.
- We are running out of uniqnames. As of 2017, there are more than 650,000 active and 180,000 inactive uniqnames.
With input from partners on all campuses, including Michigan Medicine, the Uniqname Re-evaluation & Recommendation project team gained a comprehensive understanding of the current uses, challenges, and applications of the uniqname system. This month, they provide a recommendation for changes and improvements based on the assessment, including a long-term recommendation.
Of several improvements identified, the joint ITS and HITS project team ultimately recommends pursuing two improvements:
Email Alias: Allows individuals the option to use an alternate address as their preferred email. Email alias alleviates the challenge of “unattractive” uniqnames without significant effort and resources.
Simplification of Uniqname Change: These improvements focus on streamlining processes used to support uniqname changes, including automating notifications and creating a change history feature.
The team also recommends evolving the project in a second phase not only to implement the improvements, but also to develop a long-term solution to replace uniqnames with a next generation unique identifier. These foundational improvements begin the journey to implementing a sustainable, unique identifier university-wide over the next 3-5 years.
See the full Uniqname Summary and Preliminary Recommendations report.
EIAM Program Coming to Michigan IT Symposium November 21, “When the Cloud Fit and When it Didn’t: An EIAM Journey”
We invite you to join the Social Login and Role and Access Management project teams for a special panel discussion at the upcoming 2017 Michigan IT Symposium on “When the Cloud Fit and When it Didn’t: An EIAM Journey.” Hear how technical leads, business analysts, project managers, and other representatives from Information and Technology Services and Health Information Technology & Services embarked on a journey from requirements gathering and research, to the RFP process and selection of vendors—cloud or not.
As they discovered, sometimes the cloud fits and sometimes it doesn’t! You’ll hear their approach to evaluating cloud Software as a Service (SaaS) and on premise options for IAM solutions on the academic campuses and at Michigan Medicine.
Attendees will walk away with an EIAM Program perspective on:
- Vendor evaluation methods for Cloud SaaS options
- RFP Questions specific to Cloud SaaS
- Special considerations for academic, research, and patient care use
- Making the decision: when “The Cloud” fits—and when it doesn’t
Join us and your U-M colleagues to discuss the real-life challenges, opportunities, and limitations that exist in selecting SaaS cloud vendors for U-M. Learn more about this and other sessions at the 2017 Michigan IT Symposium website—and don’t forget to register!
The Enterprise Identity and Access Management (EIAM) program at U-M coordinates and unites IAM efforts for all four U-M campuses to improve and simplify the technology and administrative processes that allow authorized individuals to access U-M resources. The multi-year initiative is jointly funded by the Office of the Provost and Michigan Medicine through the end of June 2018.
Improving U-M’s Uniqname and Account Setup Process
Over the summer, the Account Lifecycle and Optimization project focused on simplifying and expanding the current uniqname setup process to improve the onboarding experience for new community members and for the staff who support them on their journey to becoming Wolverines.
Today, new students in Ann Arbor and most new employees on the Ann Arbor, Flint, and Dearborn campuses create their own uniqname. The process uses a One-Time Identifier or OTID number. (Alternatively, Michigan Medicine assigns uniqnames for their new employees.) The self-service feature aims for convenience, but is hampered by a back-end that updates data only once a day and a front-end that can be difficult to use. The resulting frustration for the community and the hundreds of calls to IT service centers waste time and resources.
On October 21, the new uniqname & account setup process will eliminate the OTID (One-Time Identifier) number currently sent to new students and employees, replacing it with a clickable link. Other highlights of the modern, more intuitive process include:
- Mobile-friendly web design for students and staff on the go
- More timely and accurate data with near real-time database updates
- Expedited support resulting in fewer delays for new Wolverines
- Flexible design allows for future use by other U-M groups
While the change is relatively minor, the team has sent advance notice and guidance for Admissions and Human Resources staff.
PLEASE NOTE: Michigan Medicine will continue to set up uniqnames for its new faculty, staff, and students as they do now. The changes DO NOT apply to Michigan Medicine.
Who Are You? New Project Focuses on How U-M Units Answer That
One year ago this month, the U-M Office of the Provost and Michigan Medicine funded the Enterprise Identity and Access Management (EIAM) Program. The Identity Assurance project underway this summer focuses on how various schools, colleges, administrative, and clinical areas verify the identity of individuals within their purview, a process known as “identity proofing.”
The Identity Assurance project will:
- Document the current state of U-M procedures, tools, and processes for identity proofing.
- Identify gaps based on nationally-recognized practices (National Institute of Standards and Technology).
- Recommend future improvements.
- Suggest immediate changes to close gaps.
Of particular interest is uncovering any process that might easily allow an individual to impersonate someone affiliated with the university—for example, a U-M staff member—and thus allow them to gain unauthorized access to U-M resources.
In fewer than 8 weeks, the team has already identified gaps and, in at least one instance, recommended a corrective step that has already been implemented by the U-M business partner. By their nature, many IT security improvements are unnoticeable to clinicians, students, staff, and faculty in the course of daily business. However, taking steps to safeguard U-M physical and IT resources through a long-term, consistent approach to verifying an individual’s identity ultimately has huge benefits for the University of Michigan community, enabling us to focus on strategic work rather than reactively respond to breaches after they occur.
First Meeting of Steering Committee
Through the EIAM program, U-M is embarking on the first-ever universitywide Identity and Access Management strategy. In late June, the 14-member EIAM Program steering committee convened to begin overseeing the implementation of the EIAM roadmap at the University of Michigan. These senior leaders from all four campuses—representing administration, teaching & learning, research, and patient care—will coordinate unified efforts to make it easier and less confusing for authorized individuals to get the right access to U-M systems and information at the right time and to better secure university resources from unauthorized access.
With executive sponsorship from Kelli Trosvig, Vice President for Information Technology and Chief Information Officer, and support from Andrew Rosenberg, Chief Information Officer for Michigan Medicine, the committee will:
- Enable consistent coordination between stakeholders and mission areas
- Foster increased visibility of and communication about program activities and goals
The steering committee specifically agreed to address program risks; facilitate decisions around foundational IAM technologies, policies, or processes; and help identify any barriers to EIAM roadmap objectives. Overall, the committee shared their belief that the EIAM Program and their role in it is a “worthwhile effort for the University of Michigan and Michigan Medicine.”
See the complete list of steering committee members.
Universitywide Participation in RAMP
Tasked to help solve the long-standing challenges of role-based access at U-M is the Role and Access Management Project, which is in the midst of reviewing proposals from vendors who are also demonstrating their role and access management products on the Ann Arbor campus this week. Dozens of individuals have put in hours of proposal review over the past two months to identify critical business requirements and other needs for a future enterprise-level, role-based management system. It is early collaboration such as this—along with an ongoing commitment to the long-term vision of easier, more secure access to U-M resources—that will lead to real change in years to come.
The RAMP project team—led by Gail Lift in ITS and Mike Kijewski in HITS—gratefully acknowledges the following schools, colleges, administrative units, and other areas that have participated in the vendor selection process alongside HITS and ITS staff:
- College of Engineering - CAEN
- Key Office, U-M Facilities & Operations
- Life Sciences Institute
- College of Literature, Science and the Arts
- Michigan Medicine (cross-representation)
- School of Nursing
- School of Dentistry
- Shared Services Center
- Student Housing
- University Audits
The vendor selection process is slated to conclude in August.
"I love this new email to students!"
While many EIAM program efforts are laying the foundation for bigger things to come, the Account Lifecycle Optimization project is focused on identifying the university’s current pain points with IAM-related processes and tools—and improving them wherever possible. These efforts will roll out in waves over the coming months.
Recently, the Account Lifecycle Optimization project completed revisions to emails used to orient students, faculty, and staff to their online identity at the University of Michigan. By simplifying the language, making it consistent across campuses, and updating information, the revisions ensure recipients have more timely and clear information on everything from establishing their uniqname to accessing protected Michigan Medicine resources. The revisions should also reduce calls to the ITS Service Center and HITS Service Desk. Initial feedback has been positive (see below!) and most of the emails are already in use.
“I love this new email to students! It is very clear and explains everything very well. I also love the link to the Help Me Now locations. The subject line in the email should grab their attention.”
—Mary Anne Brancheau, Educational Nurse Coordinator Mastery, Michigan Medicine