Identity and access management for 10 million users? No sweat!

The state of North Carolina is undertaking a massive initiative to put all of its school districts – more than 250 of them – on one IT infrastructure in the cloud. A foundational service for this infrastructure is an all-encompassing identity and access management system built on Amazon AWS. The IAM system is built to support at least 10 million identities at once.

What do you do when you are asked to build an identity and access management (IAM) system that can handle up to 10 million individual identities? You build it in the cloud, of course, where the dynamic elasticity can support the rigorous demands of the system.

That’s precisely what the North Carolina Department of Public Instruction (NCDPI) had in mind when it put out a request for proposal (RFP) seeking a vendor that could build and maintain a cloud-based IAM system that would accommodate every student, teacher, staff member and parent/guardian within the state’s more than 250 school districts and charter schools.

This IAM system is a critical piece of a state-wide initiative called NCEdCloud. The primary objective of NCEdCloud is to provide a world-class IT infrastructure as a foundational component of the North Carolina educational enterprise. Rather than leaving the job of building and maintaining a separate IT infrastructure to each and every individual school district, the state is using a Race to the Top federal grant to build one massive infrastructure to serve all. When fully built out, NCEdCloud will provide for:

  • Equity of access to servers and storage resources.
  • Efficient scaling according to aggregate North Carolina K-12 usage requirements.
  • Consistently high availability, reliability and performance.
  • A common infrastructure platform to support emerging instructional and data systems.
  • A sustainable and predictable operational model.

NCEdCloud has been in development for more than a year, and the first portions of it just went live at the beginning of April. Fully building out all of the planned capabilities is a multi-year effort.

+ ALSO ON NETWORK WORLD K-12 schools can make the grade with identity and access management +

NCDPI awarded the contract to build and maintain NCEdCloud-IAM to Identity Automation of Houston. In large part, the decision to award the project to Identity Automation was based on this vendor’s ability to prove its abilities in a working proof of concept.

“The PoC was a real test for the prospective vendors,” according to systems architect Sammie Carter, the state’s Service Manager for the NCEdCloud project. “Our project is quite sophisticated, so we wanted real proof that the vendor we selected could handle the work. We gave the bidding vendors millions of records of simulated data that matched the challenges of our real source data. Then we gave them changes to that data and asked them to run it through their system to see how it works. Basically we ran the prospective vendors through the wringer and had very specific requirements to show us that they truly understood our problem.”

Prior to this project, Identity Automation had mostly provided on-premise IAM systems for K-12 schools. Identity Automation has its own set of tools for identity federation for single sign-on, provisioning life cycle management, and for self-service and delegation. For the NCEdCloud project, Identity Automation had to port all of its tools and applications to run natively on Amazon Linux in order to run the NCEdCloud-IAM system on Amazon Web Service (AWS). Once that was done, the vendor was able to build the system that can support up to 10 million identities at once.

Identity Automation set up three components of their application, each in its own subnet on Amazon EC2. Here’s a quick look at each of these components and what they do.

Lifecycle provisioning

This part of the IAM solution is driven by Identity Automation’s Data Synchronization System (DSS). This application is what takes data from multiple source databases and brings all these identities together in one database to provision and maintain accounts in Active Directory and key applications required by the state, including Google Apps for Education, Discovery Education, Follet Destiny, Zscaler and Central Directory Local Replica.

The source data – the information about students, teachers, and other users of NCEdCloud – comes from the 250+ school districts across the state. There are hundreds of files in a wide range of formats. Identity Automation consolidates all of this data, normalizes it and puts it into a “person registry” database where it is cleansed, de-duplicated, checked for missing required values, and so on. The “clean” data is then put into a central Active Directory instance on EC2 where it is the authoritative source used to drive the provisioning of accounts in applications and services and to authenticate people as they login. Successfully getting to this point, especially with the enormous volume of data, has been a huge achievement.

Identity Automation has scheduled jobs that regularly check the source files for changes that need to cascade into Active Directory and the various educational applications. For example, if a student changes schools, his identity needs to be updated to reflect his new school, and he must be provisioned for the right resources and applications according to his new profile.

Single sign-on

The state has a list of various cloud-based applications it wants to make available to every school district. To simplify access to these and other locally chosen applications, Identity Automation was charged with setting up single sign-on capabilities to the apps. The vendor uses its Federated Identity Management System (FIMS) to enable single sign-on. If an end user initially goes to an application, say Google Apps for Education, he gets redirected to a branded login page that the user knows as My.NCEdCloud, where he enters his credentials. Identity Automation authenticates the user with a SAML identity provider via FIMs. From there he is redirected back into Google Apps.

Once the user is authenticated, if he doesn’t close his browser, he can go right into other applications without having to login again. FIMS takes care of all the authentication work behind the scenes, making the user’s process to access applications much more streamlined.

Self-service and delegation

People forget passwords all the time, and it’s time consuming to ask a help desk to reset them. So, Identity Automation built in self-service capabilities so that students and other users can reset their own passwords if necessary. Additionally, teachers and local administrators can be delegated the capability to reset passwords and perform other minor maintenance duties on behalf of their students. Identity Automation uses its Access Request Management Systems (ARMS) to enable self-service and delegation.

The Importance of Building IAM in the Cloud

The elasticity of the cloud is a crucial factor in being able to build and operate NCEdCloud-IAM. Consider what happens each weekday morning when students and teachers across the entire state of North Carolina login to access their educational applications for the day — all at approximately the same time. Everyone needs to authenticate using the same service, and it’s important that performance not be an issue.

Identity Automation takes advantage of Amazon’s Elastic Load Balancer service, which distributes transactions across three availability zones on the East Coast. For each of the three component services I discussed above, Identity Automation has a minimum of three instances running at any given time. When utilization reaches a specified threshold, three more instances are automatically spun up in a matter of minutes to maintain desired performance levels. The service can keep adding instances as demand peaks, and then just as quickly drop the instances when demand tapers off—all automatically, and all within minutes.

Identity Automation also utilizes the Amazon Relational Database Services. This web service makes it easy to setup, operate and scale the relational database in the cloud. Everything is automatically clustered and highly available with automatic failover. This makes something that is usually very complicated and difficult to support very simple for Identity Automation.

NCEdCloud-IAM isn’t yet supporting the full 10 million users it expects to reach in a few years, but with the system being built on Amazon EC2 platform, there’s no concern about scalability, performance and availability.

Learn more about NCEdCloud at here and about the NCEdCloud IAM project.Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.  

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2014 IDG Communications, Inc.