ABOUT IS

Information Security

Identity and Access Management

Identity and Access Management (IAM) is responsible for:

  • Managing centralized data, tools, technologies and processes related to Penn State Accounts and used by various Penn State services to control access to university resources,
  • Providing a framework of enterprise policies and standards that ensure the security, consistency, and accuracy of IAM data and processes,
  • Ensuring only authorized individuals access specific data, applications, or systems.

WHAT WE DO

Identity and Access Management is comprised of two teams: the Access and Account Services Team and the Authentication and Directory Services Team.

The Access and Account Services Team

  • The Business Services Team. As the primary customer-facing support team for IS, the Business Services Team provides specialized end-user support for various account and access issues and requests. They enhance, maintain, and support critical university-wide accounts and access systems and services, such as the Digital Identity Management Center (DIMC) and Sponsored Account applications and services. They consult with stakeholders and business partners, as well as troubleshoot complex application and account issues. They serve the entire Penn State community with the goal of providing exceptional customer support.
  • The IIQ Team. SailPoint’s IdentityIQ (IIQ) software product serves as Penn State’s Identity Governance and Administration (IGA) system. IIQ provides a centralized mechanism for managing and governing various types of IAM-related information and processes across multiple systems. This includes information associated with user accounts; rules and processes for requesting, approving, and granting access to various systems; and tools and information used to review, audit, and revoke user access. The IIQ Team onboards/integrates systems to IIQ, maintains the IIQ system, provides user support, and handles annual certification and audit reviews.
  • The ERP Security Team. The ERP Security Team are subject matter experts for security in relation to business process analysis, functional design/configuration, testing, training, documentation, and implementation of enhancements and upgrades to Penn State’s enterprise systems. Specifically, they provide security services for WorkLion – the HR and payroll system, LionPATH – the student information system, and SIMBA – the financial system.

The Authentication and Directory Services Team

  • The On-Premises Authentication (OPA) Team. For Penn State systems that are not web-based, the On-Premises Authentication (OPA) team maintains a Microsoft Active Directory environment. Enterprise Active Directory (EAD) is the shared centralized Microsoft Active Directory authentication and authorization service for users and computers. It enforces security policies, installs and updates software, and assists with identity management. To protect privileged accounts, such as server administrative accounts, the OPA team manages CyberArk. CyberArk is a Privileged Access Management (PAM) system that is designed to secure, restrict, and monitor access to privileged accounts. The CyberArk service securely stores privileged account credentials, allowing IT units to configure access to these credentials, as needed, while enforcing the concept of least privilege. The CyberArk service features built-in auditing and reporting to monitor privileged account access and usage.
  • The Web Single Sign-On (WebSSO) Team. Microsoft’s Web Single Sign-On (WebSSO) is a service that enables users to securely authenticate to multiple applications and websites by logging in only once with just one set of credentials. Rather than logging in separately to each protected Penn State website or application, users simply log in to WebSSO with their Penn State user ID, password, and multifactor authentication. The WebSSO team manages identity data in Microsoft’s identity environment (Entra ID) and ensures that data is kept up to date between the on-premises Active Directory (EAD) and Entra ID. The WebSSO team also manages the Penn State Directory. The Penn State Directory service provides a single directory for all Penn State personnel. Students, faculty, and staff are automatically entered into the directory. Also known as the LDAP Enterprise Directory, the directory is based on the Lightweight Directory Access Protocol (LDAP).

SERVICES, TOOLS AND TECHNOLOGIES WE SUPPORT

IAM supports the following services, tools and technologies:

WHO WE ARE


Lori Cottrill
Director

Chris Ritzko
Manager of Access and Account Services

 

THE BUSINESS SERVICES TEAM

  • Greg Spayd, Team Lead
    Identity and Access Management Analyst
  • Nadine O’Leary
    Identity and Access Management Analyst
  • Greta Panasiti
    Identity and Access Management Analyst

IIQ TEAM

  • Scott Cole, Team Lead
    Cyber Security Systems Engineer
  • Phil Pishioneri
    Cyber Security Systems Engineer
  • Michael Rauch
    Cyber Security Systems Engineer
  • Mike Renne
    Cyber Security Systems Engineer
  • Sherry Tirko
    Cyber Security Systems Engineer

ERP SECURITY TEAM

  • Brad Alters, Team Lead
    Cyber Information Assurance Analyst
  • Steve Dunio
    Cyber Information Assurance Analyst
  • Shane Freehauf
    Cyber Information Assurance Analyst
  • Mersida Kurti
    Cyber Information Assurance Analyst

John Carnicella
Manager of Authentication Systems

 

ON-PREMISES AUTHENTICATION TEAM

  • Jeremy Poletto, Team Lead
    Cyber Security Systems Engineer
  • Brent Davison
    Cyber Security Systems Engineer
  • Ryan Lucas
    Cyber Security Systems Engineer
  • Mandy McCracken
    Cyber Security Systems Engineer
  • Ryan McKeown
    Cyber Security Systems Engineer

WEBSSO TEAM

  • Phil Swanzy, Team Lead
    Cyber Security Systems Engineer
  • Jay Hoff
    Cyber Security Systems Engineer
  • Bob Walters
    Cyber Security Systems Engineer

CONTACT US

Email us at accounts@psu.edu