The Computer Science Department has long provided its own identity management services. A CS Account was something separate and distinct from the University. On August 24th, 2017, we began transitioning our users from these independent CS identities to those already provided to everyone in the Brown community.
What Are Identity Management Services?
Simply put, they are a way to know that you are you. When you "sign in" to a service, you identify yourself, and the system verifies your identity. There is information associated with your identity, for instance a name and an email address. Your identity is also used to control your access to services and data.
For many years, the CS Department has provided two such services: Kerberos and LDAP. Kerberos was used for access to critical infrastructure, like our filesystem. LDAP was used for internet-facing services. The strategy behind having two such systems was to separate less secure use patterns, like logging in via a web browser, from our most sensitive services and data. In that way, an LDAP password compromise would not risk all.
The University provides Active Directory (AD) services for everyone in the Brown community. AD combines Kerberos and LDAP services, as well as some other things. Most people interact with their Brown Account through the MyAccount website.
The University did not always provide identity services we could use, but now they do. There is a cost to maintaining our own services. By "outsourcing" identity management to the University, we will be able to devote more energy to improve the things we do that are unique to the CS Department.
Why Change Now?
The CS Department has a considerable investment in filesystem services. Filesystems have long been the most costly service we provide. Our current file services are based on IBM's GPFS Clustered Fileserver product and comprise more than 30 servers in addition to disks and disk controllers, with nearly half a petabyte of storage. Our hardware is nearing "end of life" and we are facing a costly upgrade to continue providing this service. The day-to-day cost in staff time is also significant.
Meanwhile, the University has made a major investment in file services. Their EMC Isilon servers provide the same or similar services that our GPFS cluster provides, and they have offered to provide for the CS Department's file service needs. But in order to take advantage of this offer, we must use their identity services first.
The impact on users of this identity change requires that we do it during the Summer. Migrating to University file services is much less disruptive, so we can accomplish that during the semester without affecting our users. This project (both identity and file service migration) has been underway for more than two years and the University side is ready to go. With our hardware set to expire in the near future, we had no choice but to push this change through before the start of the semester.
[this page is a work-in-progress, check back for more...]