Session 52 Security Architecture – What Does It Mean Katie Blot Nina Colon
Page 1:

Session 52
Security Architecture – What Does It Mean
Katie Blot
Nina Colon

Page 2:

“What is security architecture and what are the critical functionalities? Learn about Federal Student Aid's security architecture - the what and the why - and how it affects you. Federal Student Aid's security architecture pilot with the eCampus-Based (eCB) system will be discussed as well as our plans for the future, including E-Authentication.”

Security Architecture - What Does It Mean?

Page 3:

Agenda

• Security Architecture Overview (Katie Blot)

• Security Architecture and eCB (Nina Colon)

• E-Authentication Overview (Katie Blot)

Page 4:

Security Architecture Overview

Page 5:

What is Security Architecture?

• Security Architecture uses Tivoli Access Manager (TAM) to enable consistent Authentication, Authorization, and Accountability

– Authentication: Who are you?

– Authorization: What are you allowed to do?

– Accountability: What did you do?

• Security Architecture will enable a single unique source of Identity Management throughout Federal Student Aid using Tivoli Identity Manager (TIM)

– One user profile per person for all Security Architecture protected applications

• The Federal Student Aid Security Infrastructure, built on TIM and TAM, provides best-in-breed security software products to support the Federal Student Aid Security Architecture

Page 6:

Security Architecture Functions:

• Provides consistent security services & configurations across Federal Student Aid systems

– Decreases security risks

– Improves maintainability of systems

– Offloads ad hoc application security from application teams

• Gives better service to our customers/partners

– Single sign-on for web applications

– Simplified registration/approval processing

– Delegated administration

• Promotes enterprise security management

– Consolidated security views and reporting

– Flexibility to accommodate new or redeployed systems

– Lowers security development and operational costs

Page 7:

Security Architecture Conceptual Design

(Diagram. FSA and Trading Partners: School Users, School Servicers, Lenders, Guaranty Agencies, Collection Agencies, State & Federal Agencies, Accrediting Agencies, Auditors, Other Users. Integrated Partner Management manages trading partner eligibility, enrollment, and oversight. FSA Security Architecture provides Enrollment, Identity Management, Access Management, Audit and Access, and consists of access management tools, identity management tools, enterprise policy repositories, enterprise user repositories, and other related security components. Requests flow in numbered steps 1 to 4 from FSA Users and Trading Partners through the Security Architecture to the FSA Target State Vision Systems and back as a System Response.)

Page 8:

Benefits of Tivoli Access Manager

Before Tivoli Access Manager:

• Too Many Passwords to Remember

• Multiple Administrators

• Access control different by application

• User information spread throughout the environment

• Security is an application task

• Security standards managed by application

After Tivoli Access Manager:

• Single Sign-on for web applications

• Unified administration

• Single tool for access control

• User security information centralized

• Security is a centralized IT management task

• Common security standards for all applications

(Diagram. Before: an Internet user holds a separate User ID and Password for each of Application 1 to 4, and each application has its own Security 1 to 4 layer in front of its own Data 1 to 4. After: a School / Partner User holds one User ID and Password; a Portal Application fronted by Security Architecture Authentication and Authorization sits between the Internet and Applications 1 to 4 and their Data 1 to 4.)

Page 9:

Security Architecture Today

• Eight applications secured behind Security Architecture

– Including Financial Partners DataMart and Experimental Sites

• eCB Integration with Security Architecture in Dec 2006

– Registration for existing eCB users available in PC Lab

– New users will be able to self-register in December

• Federal Student Aid Target State Vision applications are being built with Security Architecture. These applications include:

– IPM

– ADvance

– Portals

– Enterprise Service Bus (ESB)

– e-Authentication to eCB

Page 10:

Security Architecture and eCampus-Based

Page 11:

Security Architecture – How Is It Easier Than SAIG Enrollment?

• All forms will be pre-populated with existing data from the SAIG Enrollment System and verified and updated by individual users.

• New users will need to provide all data necessary to create a userid and password.

• Required data fields will be indicated by an *.

• The user must know his or her institution/organization OPEID or correct Institution/organization name.

• The Institution/Organization name and location will be displayed so that the user can be sure of selecting the right school.

Page 12:

Security Architecture – How Is It Easier Than SAIG Enrollment?

• The access rights are pre-defined from pre-loaded data from the SAIG Enrollment System.

• Access rights will be rolled over from the prior year.

• Rolling the access rights over from prior years removes the need for the Destination Point Administrator (DPA) to go back into the Enrollment System to grant users access rights for the new year.

Page 13:

Change in Registration Process

• Starting December 16, 2006, all current users of eCB will need to register with Security Architecture

• PINs will no longer be issued for authenticating users to the eCB application

• Starting December 16, 2006, authentication will be only through Security Architecture with a userid and password.

Page 14:

Overview Diagram

(Diagram of the two authentication paths for the E-Campus Based Application. PIN path: the E-Campus Base Authentication Module at www.cbfisap.ed.gov sends Social Security Number, first two (2) letters of last name, Date of Birth and PIN to the PIN Server for authentication, which answers Match? (Yes or No). Security Architecture path: the pilot at www.pilot.cbfisap.ed.gov sends User ID and Password to Security Architecture (SA) Authentication, and the user is forwarded to the application after successful authentication. The same SA Authentication also fronts Other Application #1, #2 and #3.)

Page 15:

What Is New?

• Registration screens are the same for all parties

– DPA

– FAA

– Third Party Service Providers

• Email is sent to registrants’ Supervisors for additional confirmation of the user account being created.

Page 16:

eCampus Based Login

• Go to the eCB home page at the following URL:

– www.cbfisap.ed.gov

• Click Login

• Current eCB users’ data is preloaded, and only limited additional information is needed to complete the registration.

– You will be referred to the Security Architecture system from the eCB login.

Page 17:

Getting Started with Security Architecture

• Click on eCB Self Registration to start the registration process.

Page 18:

Getting Started with Security Architecture

• To see if you are already in the database we need you to provide the following data (this will only occur the very first time you register):

– First Name

– Last Name

– Date of Birth

– Last 4 digits of SSN

• Click submit to go to the next screen.

Page 19:

Getting Started with Security Architecture

• Pre-populated fields like name, last four digits of SSN, OPEID and School Name cannot be updated.

– If you are a new user, you will need to provide data in all fields.

• Indicate if your organization is a Service Provider.

Page 20:

Getting Started with Security Architecture

• Your demographic information has been pre-populated. We have carried over your information from the SAIG Participation Management System.

– Please verify that the information provided is still correct.

– If the information is incorrect in our system, please make the necessary updates during the registration process.

• Fields such as address and email can be updated.

Page 21:

Getting Started with Security Architecture

• On each screen within the registration process, it will be necessary to verify that we have loaded the correct data.

• Provide a password that only you will know. This will be part of your login for eCB.

Page 22:

Getting Started with Security Architecture

• Fly-over help text has been added to certain fields on the registration screens to clarify the information being requested.

Page 23: (no transcribed text)

Page 24:

Getting Started with Security Architecture

• Security Architecture requires the Supervisor’s contact information so we can send an approval email for every user who requests a userid and password.

– If you are a Financial Aid Administrator or Service Provider self-registering, please provide the Destination Point Administrator’s contact information so the approval email for your eCB access rights can be sent.

Page 25:

Getting Started with Security Architecture

• You can search for your organization information either by name or by OPEID Code.

• If your information is pre-populated, please just verify that your organization information is correct.

Page 26: (no transcribed text)

Page 27: (no transcribed text)

Page 28: (no transcribed text)

Page 29: (no transcribed text)

Page 30: (no transcribed text)

Page 31:

Getting Started with Security Architecture

• You will be asked to confirm the registration information that either has been pre-populated in the system or that you have entered on each screen.

Page 32: (no transcribed text)

Page 33: (no transcribed text)

Page 34:

eCB Access Rights

• Please verify your access rights by year. If you have the same access as the DPA, select “Same as DPA”. The access rights are as follows:

– Read

– Read/Write/Submit

– DRAP Access Only

Page 35:

Access Rights for Multiple Schools

• If you are a Service Provider with more than one campus or Institution, please register complete access rights for each OPEID and access for each cycle year.

Page 36:

eCB Access Rights for Service Providers

Page 37:

Access Rights

• If you are a DPA or Service Provider with more than one campus or Institution, please register complete access rights for each OPEID.

Page 38:

Access Rights

• The screen shows how many schools remain to set up access rights for. A message on screen indicates how many schools you will be registering access for. Once you select the School, you need to identify your role and access rights.

– If you have multiple schools, you will need to complete the access rights for each School you are associated with.

Page 39:

Access Rights for Multiple Schools

• If you are a DPA or Service Provider with more than one campus or Institution, please register complete access rights for each OPEID and access for each cycle year.

Page 40:

Access Rights Verification

Page 41:

Access Rights Confirmation

Page 42:

Registration Confirmation

• Submission Confirmation of your Registration for userid and password.

Page 43:

e-Mail Notification of Account

• Once your registration has been submitted, you will receive an email with your userid. You will not get the password in an email.

• Sample e-mail text:

Subject Line: DEV: Your eCB account has been approved.

Your eCB account has been approved. Your userid will be ecb.testuser

Page 44:

What Next?

• After your initial registration, you will go to www.cbfisap.ed.gov and click “login”

• You will be directed to the Security Architecture Screen to provide your userid and password.

• You will no longer need to provide your SSN, DOB, first two letters of your last name, or PIN.

• We will verify you are in the database and then pass your access rights back to eCB and you will continue to work in the application.
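The flow on this slide and the access-rights model on the "eCB Access Rights" slides (Read, Read/Write/Submit, DRAP Access Only, "same as DPA", per OPEID and cycle year, rolled over from the prior year) can be modelled in a few dozen lines. The block below is an added illustration, not Federal Student Aid, Tivoli or eCB code: it assumes a single central store of user profiles, PBKDF2 password hashing (the slides do not say how Security Architecture stores passwords), and constructed userids, passwords and an OPEID placeholder; the resolution of "same as DPA" against the named DPA's grant is also the example's own modelling. It shows the three functions named on the "What is Security Architecture?" slide working together: authentication (who are you), authorization (what may you do for this OPEID and year), and accountability (an audit record of every decision).

```python
"""Added example: a minimal central policy-enforcement point in the style of
the Security Architecture flow (authenticate once with userid and password,
look the user up, hand per-OPEID / per-year access rights back to the
application, record every decision).  All users, passwords and the OPEID are
constructed placeholders; this is not Federal Student Aid or Tivoli code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Access rights as listed on the "eCB Access Rights" slide, mapped to actions.
RIGHTS = {
    "Read": {"read"},
    "Read/Write/Submit": {"read", "write", "submit"},
    "DRAP Access Only": {"drap"},
}


@dataclass
class User:
    userid: str
    salt: bytes
    pw_hash: bytes
    # grants[(opeid, cycle_year)] -> right name, or "same as DPA"
    grants: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is the example's choice; the slides do not specify a scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityArchitecture:
    def __init__(self):
        self.users = {}
        self.audit = []  # accountability: what did you do?

    def register(self, userid, password, grants):
        salt = os.urandom(16)
        self.users[userid] = User(userid, salt, _hash(password, salt), dict(grants))

    def authenticate(self, userid, password) -> bool:
        """Authentication: who are you?  Constant-time hash comparison."""
        u = self.users.get(userid)
        ok = u is not None and hmac.compare_digest(_hash(password, u.salt), u.pw_hash)
        self.audit.append(("login", userid, ok))
        return ok

    def rights_for(self, userid, opeid, year, dpa_userid=None):
        """Resolve the right for (opeid, year), following 'same as DPA'."""
        right = self.users[userid].grants.get((opeid, year))
        if right == "same as DPA" and dpa_userid:
            right = self.users[dpa_userid].grants.get((opeid, year))
        return right

    def authorize(self, userid, opeid, year, action, dpa_userid=None) -> bool:
        """Authorization: what are you allowed to do?  Unknown right -> deny."""
        right = self.rights_for(userid, opeid, year, dpa_userid)
        allowed = action in RIGHTS.get(right, set())
        self.audit.append(("access", userid, opeid, year, action, allowed))
        return allowed

    def roll_over(self, opeid, from_year, to_year):
        """Roll prior-year rights forward so the DPA need not re-grant them."""
        for u in self.users.values():
            if (opeid, from_year) in u.grants and (opeid, to_year) not in u.grants:
                u.grants[(opeid, to_year)] = u.grants[(opeid, from_year)]


def demo():
    sa = SecurityArchitecture()
    opeid = "00123400"  # constructed placeholder, not a real OPEID
    sa.register("ecb.dpa", "DpaPass!1", {(opeid, 2006): "Read/Write/Submit"})
    sa.register("ecb.faa", "FaaPass!2", {(opeid, 2006): "same as DPA"})
    sa.register("ecb.svc", "SvcPass!3", {(opeid, 2006): "DRAP Access Only"})
    results = {
        "login_ok": sa.authenticate("ecb.faa", "FaaPass!2"),
        "login_bad": sa.authenticate("ecb.faa", "wrong"),
        "faa_submit_2006": sa.authorize("ecb.faa", opeid, 2006, "submit", "ecb.dpa"),
        "svc_submit_2006": sa.authorize("ecb.svc", opeid, 2006, "submit"),
        "faa_submit_2007_before": sa.authorize("ecb.faa", opeid, 2007, "submit", "ecb.dpa"),
    }
    sa.roll_over(opeid, 2006, 2007)
    results["faa_submit_2007_after"] = sa.authorize("ecb.faa", opeid, 2007, "submit", "ecb.dpa")
    results["audit_events"] = len(sa.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point worth noticing is the deny-by-default in `authorize`: a user with no grant for a cycle year (the 2007 case before roll-over) is refused, and roll-over is an explicit, auditable administrative step rather than an implicit inheritance.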

Page 45:

E-Authentication Overview

Page 46:

What is E-Authentication?

• It is about authenticating identity credentials…but the set of identity credentials is expanded…to include other external electronic credentials.

• For Federal Student Aid business systems…you could use your school credential to access our systems instead of the ones we provide.

• For other Federal Agency business systems…you could do the same thing.

Page 47:

How Could This Happen?

• Approach this as an enterprise initiative. In this case, the enterprise is the federal government.

• Get executive sponsorship. Federal agencies are participating as part of the Presidential Management Agenda (PMA) eGov initiative.

• Establish the standards, governance agreements and technology that build a “circle of trust”.
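The "circle of trust" on this slide and the external Credential Service Providers on the E-Authentication slides come down to one technical decision at the relying party: accept an assertion about a user only if it comes from an issuer the federation has admitted, is intact, and is fresh. The block below is an added illustration, not E-Authentication program or Federal Student Aid code; it assumes a constructed trust list of issuer names with per-issuer shared keys (HMAC stands in for the certificate-based signatures a real federation would use), a constructed JSON assertion format, and a 5-minute freshness window, all of which are the example's own choices.

```python
"""Added example: a relying party accepting an external credential from a
federation 'circle of trust'.  A trusted credential service provider (CSP)
signs a short assertion; the relying party checks the issuer is on its trust
list, verifies the signature and freshness, then maps it to a local identity.
Issuer names, keys and the assertion format are constructed for illustration
(real federations use SAML or similar); not E-Authentication program code."""
import hashlib
import hmac
import json
import time

# The governance agreement expressed as configuration: which issuers are
# admitted and the key each one signs with.  Keys are constructed samples.
TRUSTED_CSPS = {
    "urn:example:university-a": b"shared-key-for-university-a",
    "urn:example:lender-b": b"shared-key-for-lender-b",
}
MAX_AGE_SECONDS = 300  # freshness window chosen for the example


def sign_assertion(issuer, subject, issued_at, key) -> dict:
    """CSP side: build and sign an assertion (HMAC stands in for a PKI signature)."""
    payload = {"issuer": issuer, "subject": subject, "issued_at": issued_at}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_assertion(assertion, now=None):
    """Relying party side: return (local identity, 'ok') or (None, reason).

    Checks run in trust order: issuer membership first, then integrity,
    then freshness, so an untrusted issuer never gets a signature check."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    issuer = payload.get("issuer")
    key = TRUSTED_CSPS.get(issuer)
    if key is None:
        return None, "issuer not in circle of trust"
    body = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return None, "bad signature"
    age = now - payload.get("issued_at", 0)
    if age < 0 or age > MAX_AGE_SECONDS:
        return None, "assertion expired or not yet valid"
    # Map the external identity to a local profile key: issuer + subject, so
    # the same subject name at two CSPs never collides.
    return f"{issuer}#{payload['subject']}", "ok"


def demo():
    now = 1_700_000_000  # fixed clock so results are reproducible
    key_a = TRUSTED_CSPS["urn:example:university-a"]
    key_b = TRUSTED_CSPS["urn:example:lender-b"]
    good = sign_assertion("urn:example:university-a", "jdoe", now - 10, key_a)
    stale = sign_assertion("urn:example:university-a", "jdoe", now - 3600, key_a)
    unknown = sign_assertion("urn:example:not-a-member", "jdoe", now - 10, b"any-key")
    tampered = sign_assertion("urn:example:lender-b", "jdoe", now - 10, key_b)
    tampered["payload"]["subject"] = "someone-else"  # modified after signing
    return {
        "good": verify_assertion(good, now),
        "stale": verify_assertion(stale, now),
        "unknown": verify_assertion(unknown, now),
        "tampered": verify_assertion(tampered, now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Adding a new member to the federation is a change to `TRUSTED_CSPS` under the governance agreement, not a code change, which is the sense in which standards, governance and technology together form the circle of trust.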

Page 48:

Future Model for Federations of Trust

(Diagram. The E-Authentication Federation is shown linked to federal agencies ED, HHS, GSA, DOE and NSF and to other federations: the EDUCAUSE Higher Education Bridge Certificate Authority, InCommon, and NCHELP Meteor. Institutions shown include Dartmouth, Penn State, Univ. of CA, Ohio Univ. and Cornell; loan-industry participants shown include Student Loan Finance Association, Sallie Mae, American Education Services (AES) and Texas Guaranteed Student Loan Corporation.)

Page 49:

Security Architecture and E-Authentication

(Diagram: the Security Architecture Conceptual Design from Page 7 with E-Authentication added. FSA and Trading Partners: School Users, School Servicers, Lenders, Guaranty Agencies, Collection Agencies, State & Federal Agencies, Accrediting Agencies, Auditors, Other Users. Integrated Partner Management manages trading partner eligibility, enrollment, and oversight. FSA Security Architecture provides Enrollment, Identity Management, Access Management, Audit and Access, built from access management tools, identity management tools, enterprise policy repositories, enterprise user repositories, and other related security components. Requests flow in numbered steps 1 to 4 to the FSA Target State Vision Systems and back as a System Response. New on this slide: Credential Service Providers supplying a Non-Federal Student Aid Credential through E-Authentication.)

Page 50:

When Does This Happen?

• Jun 2005: Security Architecture Developed

• Dec 2006: eCB Integrated into Security Architecture

• Jan 2007: E-Auth Architecture Developed

• Spring 2007: eCB Integrated into E-Auth Architecture

• ???: Other Systems

Page 51:

Contact Information

We appreciate your feedback and comments.

We can be reached at:

Name: Katie Blot

Phone: 202-377-3528

Email: [email protected]

Name: Nina Colon

Phone: 202-377-3384

Email: [email protected]