NEWS: Brian Koehmstedt wins the 2024 UC Tech Award for Sustained Impact 

Brian Koehmstedt, UC Berkeley’s primary identity architect, won Silver in the Sustained Impact Award category at the 2024 UC Tech Awards. This recognition honors his years of impactful work strengthening identity management, advancing inclusive data practices through the Gender Recognition and Lived Name policy, and securing user accounts — all while maintaining Berkeley’s core identity systems with excellence and dedication. 

Summary

As primary identity architect, Brian has led UC Berkeley in implementing wide-impacting changes throughout his career. Most recently, Brian was instrumental in a successful implementation of UCOP’s Gender Recognition and Lived Name policy. He is also a valued campus partner, particularly in maintaining system security and improving end user experience. 

Narrative

Brian Koehmstedt is the primary identity architect on UC Berkeley’s Identity Management Team, CalNet. Brian’s work is deserving of a sustained impact award. 

Brian has led UC Berkeley in implementing wide-impacting changes throughout his career. Most recently, Brian was instrumental in a successful implementation of UCOP’s Gender Recognition and Lived Name (GRLN) policy. His work on this project was more than just architecture. Brian was able to document and explain to the large cross-campus GRLN core team how name data flows across campus systems, and suggest improvements and flows for implementing the GRLN directive. Brian made flow charts and diagrams to help colleagues understand the complexity of name setting. He also put together detailed and descriptive reports on how systems of record interact with our campus identity system, Berkeley Identity Management Suite (BIDMS). These tools allowed the core team to make decisions that enabled name setting to be programmatic and standard across campus. A silver lining of this project was that the directors and technologists involved now have a better understanding of identity data flow on campus, and how identity data flows into and out of their own systems.

The GRLN project impacted every student, employee, and affiliate on campus, as well as what data is displayed publicly for each campus population. Work Brian performed in addition to architecting the name setting data flow included turning UCPath data processing on and off as Path required for testing and deployment; deploying code that changed the way Lived Names were stored in UCPath DDODS; and deploying code to change how names are set in our campus LDAP (Lightweight Directory Access Protocol) and Active Directory to align with new standards. Part of the GRLN project included changing how names are set and displayed in the campus directory; lived names replaced the preferred names that employees and UCPath affiliates had previously set in the UC Berkeley Directory Update application. He developed a new CalNet Directory Update Application that supports the display of pronouns and provides increased and customizable privacy settings; and he developed a new API for campus partners to obtain data from the campus directory.

In addition to his work on GRLN, Brian works with partners in the Information Security Office (ISO) and across campus on projects that enhance our security posture. Working with our Student Information Services (SIS) team, he developed a new process that required students to use account claim codes to claim new accounts, preventing unauthorized access. He developed a process for ISO to lock down accounts in bulk when large-scale compromises are detected. He also worked with the CalNet System Admin to update our Duo device management integrations to a new, more secure service; retired phone calls as an MFA (Multi-Factor Authentication) method; and implemented ID verification using Duo inside our help desk tools. He also was instrumental in implementing passphrase complexity standards, which resulted in every single user at UC Berkeley resetting their passphrase. During all of this, he kept our databases upgraded and secure.

Brian is responsive to the requests and needs of campus partners who work with and support end users. He developed a way for potential hire Persons of Interest (POIs) from UCPath to obtain “guest” accounts on campus, allowing them to access grant and other pre-hire systems without unnecessary access or privileges. He makes time to slot in bug fixes and enhancements to tools and processes, such as: aligning with our Productivity Suite team on namespace rules; developing better error messages and automated emails; adding expiration and grace dates to help desk tools; and dealing with “VOID VOID” records from UCPath. Brian’s responsiveness and accountability allow our team to be agile and practice continuous improvement, especially for user-facing tools and communications.

In addition to this huge quantity of work that directly impacts end users and campus partners, Brian worked with our System Admin to refactor Berkeley Identity Management Suite (BIDMS) to containerize the Tomcat application server, which was necessary to support the Spring Boot 3 upgrade. Containerization is optimal due to its portability, speed of deployment, scalability, agility, and efficiency. More importantly, it offers increased security. Isolating applications as containers prevents malicious code from affecting other containerized apps or hosts. 

I think it is important to note that all this work was completed over the last three years, during a time in which Brian had no manager and there were no additional developers on the CalNet Team. We were able to hire a second developer a couple years ago, who has spent time getting up to speed and is now a great partner to Brian; we also hired a manager just about a year ago. The amount of wide-reaching, well thought out, and beautifully implemented work Brian accomplished with limited resources and oversight is incredible. 

Brian embraces the campus values of accountability, collaboration, excellence, innovation and integrity. He cares deeply about creating products that are secure, that allow us to be effective and efficient, that promote privacy, and that are user friendly. He responds to each challenge that comes his way with thoughtful consideration and is accountable to his team, colleagues, and the public. We are lucky to have him on our team. 

Project Team

  1. Brian Koehmstedt — Primary Identity Architect, UC Berkeley

Contact

Summer Scanlan
Information Security Office
UC Berkeley

Brian Koehmstedt
Identity Management Architect
UC Berkeley