Security Architecture - PowerPoint PPT Presentation


Title: Security Architecture


1
Session 52
  • Security Architecture: What Does It Mean?
  • Katie Blot
  • Nina Colon

2
Security Architecture - What Does It Mean?
What is security architecture and what are the
critical functionalities? Learn about Federal
Student Aid's security architecture - the what
and the why - and how it affects you. Federal
Student Aid's security architecture pilot with
the eCampus-Based (eCB) system will be discussed
as well as our plans for the future, including
E-Authentication.
3
Agenda
  • Security Architecture Overview (Katie Blot)
  • Security Architecture and eCB (Nina Colon)
  • E-Authentication Overview (Katie Blot)

4
  • Security Architecture Overview

5
What is Security Architecture?
  • Security Architecture uses Tivoli Access Manager
    (TAM) to enable consistent Authentication,
    Authorization, and Accountability
  • Authentication: Who are you?
  • Authorization: What are you allowed to do?
  • Accountability: What did you do?
  • Security Architecture will enable a single unique
    source of Identity Management throughout Federal
    Student Aid using Tivoli Identity Manager (TIM)
  • One user profile per person for all Security
    Architecture protected applications
  • Federal Student Aid Security Infrastructure
    utilizing TIM and TAM provides the best in breed
    security software products to support the Federal
    Student Aid Security Architecture

6
Security Architecture Functions
  • Provides consistent security services
    configurations across Federal Student Aid systems
  • Decreases security risks
  • Improves maintainability of systems
  • Offloads ad hoc application security from
    application teams
  • Gives better service to our customers/partners
  • Single sign-on for web applications
  • Simplified registration/approval processing
  • Delegated administration
  • Promotes enterprise security management
  • Consolidated security views and reporting
  • Flexibility to accommodate new or redeployed
    systems
  • Lowers security development and operational costs

7
Security Architecture Conceptual Design
Federal Student Aid
8
Benefits of Tivoli Access Manager
Before Tivoli Access Manager
  • Too many passwords to remember
  • Multiple administrators
  • Access control different by application
  • User information spread throughout the
    environment
  • Security is an application task
  • Security standards managed by application
After Tivoli Access Manager
  • Single sign-on for web applications
  • Unified administration
  • Single tool for access control
  • User security information centralized
  • Security is a centralized IT management task
  • Common security standards for all applications

9
Security Architecture Today
  • Eight applications secured behind Security
    Architecture
  • Including Financial Partners DataMart and
    Experimental Sites
  • eCB Integration with Security Architecture in Dec
    2006
  • Registration for existing eCB users available in
    PC Lab
  • New users will be able to self-register in
    December
  • Federal Student Aid Target State Vision
    applications are being built with Security
    Architecture. These applications include:
  • IPM
  • ADvance
  • Portals
  • Enterprise Service Bus (ESB)
  • e-Authentication to eCB

10
  • Security Architecture and eCampus-Based

11
Security Architecture: How Is It Easier Than
SAIG Enrollment?
  • All forms will be pre-populated with existing
    data from the SAIG Enrollment System and verified
    and updated by individual users.
  • New users will need to provide all data necessary
    to create a userid and password.
  • Required data fields will be indicated by an .
  • The user must know his or her
    institution/organization OPEID or the correct
    institution/organization name.
  • The institution/organization name and location
    will be displayed so that the user can be sure of
    selecting the right school.

12
Security Architecture: How Is It Easier Than
SAIG Enrollment?
  • The access rights are pre-defined from pre-loaded
    data from the SAIG Enrollment System.
  • Access rights will be rolled over from the prior
    year.
  • Rolling over the access rights from the prior year
    will alleviate the need for the Destination Point
    Administrator (DPA) to go back into the Enrollment
    System to give users access rights for the new year.

13
Change in Registration Process
  • Starting December 16, 2006, all current users of
    eCB will need to register with Security
    Architecture.
  • PINs will no longer be issued for authenticating
    users to the eCB application.
  • Starting December 16, 2006, authentication will be
    only through Security Architecture with a userid
    and password.

14
Overview Diagram
[Diagram; labels recovered from the slide:]
  • Credentials: Social Security number, first two (2)
    letters of last name, date of birth, PIN
  • PIN server for authentication: Match? (Yes or No)
  • eCampus-Based Authentication Module
  • www.cbfisap.ed.gov
  • eCampus-Based Application: forwarded to the
    application after successful authentication
  • www.pilot.cbfisap.ed.gov
  • Credentials: User ID, password
  • Security Architecture (SA) Authentication
  • Other Application 1, Other Application 2, Other
    Application 3

15
What Is New?
  • Registration screens are the same for all parties
  • DPA
  • FAA
  • Third Party Service Providers
  • An email is sent to registrants' supervisors for
    additional confirmation of the user account being
    created.

16
eCampus Based Login
  • Go to the eCB home page at the following URL:
  • www.cbfisap.ed.gov
  • Click Login
  • Current eCB users' data is preloaded, and only
    limited additional information is needed to
    complete the registration.
  • You will be referred to the Security Architecture
    system from eCB login.

17
Getting Started with Security Architecture
  • Click on eCB Self Registration to start the
    registration process.

18
Getting Started with Security Architecture
  • To see if you are already in the database, we need
    you to provide the following data (this will only
    occur the very first time you register):
  • First Name
  • Last Name
  • Date of Birth
  • Last 4 digits of SSN
  • Click submit to go to the next screen.

19
Getting Started with Security Architecture
  • Pre-populated fields like name, last four digits
    of SSN, OPEID and School Name cannot be updated.
  • If you are a new user, you will need to provide
    data in all fields.
  • Indicate if your organization is a Service
    Provider.

20
Getting Started with Security Architecture
  • Your demographic information has been
    pre-populated. We have carried over your
    information from the SAIG Participation
    Management System.
  • Please verify that the information provided is
    still correct.
  • If the information is incorrect in our
    system, please make the necessary updates during
    the registration process.
  • Fields such as address and email can be updated.

21
Getting Started with Security Architecture
  • On each screen within the registration process,
    it will be necessary to verify that we have
    loaded the correct data.
  • Provide a password that only you will know. This
    will be part of your login for eCB.

22
Getting Started with Security Architecture
  • Fly-over help text has been added to certain
    fields on the registration screens to clarify
    the information being requested.

24
Getting Started with Security Architecture
  • Security Architecture requires the supervisor's
    contact information so we can send an email for
    approval for all users that request a userid and
    password.
  • If you are a Financial Aid Administrator or
    Service Provider self-registering, please provide
    the Destination Point Administrator's contact
    information so that an email can be sent for
    approval of access rights to eCB.

25
Getting Started with Security Architecture
  • You can either search for your organization
    information by name or OPEID Code.
  • If your information is pre-populated, please just
    verify that your organization information is
    correct.

31
Getting Started with Security Architecture
  • You will be asked to confirm the registration
    information that either has been pre-populated in
    the system or that you have entered on each
    screen.

34
eCB Access Rights
  • Please verify your access rights by year. If you
    have the same access as the DPA, select
    "Same as DPA". The access rights are as follows:
  • Read
  • Read/Write/Submit
  • DRAP Access Only

35
Access Rights for Multiple Schools
  • If you are a Service Provider with more than 1
    campus or Institution, please register complete
    access rights for each OPEID and access for each
    cycle year.

36
eCB Access Rights for Service Providers
37
Access Rights
  • If you are a DPA or Service Provider with more
    than 1 campus or Institution, please register
    complete access rights for each OPEID.

38
Access Rights
  • A message on the screen shows how many schools
    remain for which you need to set up access
    rights. Once you select the School, you need to
    identify your role and access rights.
  • If you have multiple schools, you will need to
    complete the access rights for each School you
    are associated with.

39
Access Rights for Multiple Schools
  • If you are a DPA or Service Provider with more
    than 1 campus or Institution, please register
    complete access rights for each OPEID and access
    for each cycle year.

40
Access Rights Verification
41
Access Rights Confirmation
42
Registration Confirmation
  • Submission Confirmation of your Registration for
    userid and password.

43
e-Mail Notification of Account
  • Once your registration has been submitted, you
    will receive an email with your userid. You will
    not get the password in an email.
  • Sample e-mail text:

Subject Line: DEV Your eCB account has been approved.
Your eCB account has been approved.
Your userid will be ecb.testuser
44
What Next?
  • After your initial registration, you will go to
    www.cbfisap.ed.gov and click login
  • You will be directed to the Security Architecture
    Screen to provide your userid and password.
  • You will no longer need to provide your SSN, DOB,
    first 2 letters of last name or PIN.
  • We will verify you are in the database and then
    pass your access rights back to eCB and you will
    continue to work in the application.

45
  • E-Authentication Overview

46
What is E-Authentication?
  • It is about authenticating identity
    credentials, but the set of identity credentials
    is expanded to include other external electronic
    credentials.
  • For Federal Student Aid business systems, you
    could use your school credential to access our
    systems instead of the ones we provide.
  • For other Federal Agency business systems, you
    could do the same thing.

47
How Could This Happen?
  • Approach this as an enterprise initiative. In
    this case, the enterprise is the federal
    government.
  • Get executive sponsorship. Federal agencies are
    participating as part of the Presidential
    Management Agenda (PMA) eGov initiative.
  • Establish the standards, governance agreements
    and technology that build a circle of trust.

48
Future Model for Federations of Trust
[Diagram; labels recovered from the slide:]
  • EDUCAUSE Higher Education Bridge Certificate
    Authority
  • E-Authentication Federation
  • InCommon
  • Entities shown: Univ. of CA, Ohio Univ.,
    Dartmouth, NSF, Cornell, Penn State, DOE, GSA,
    HHS, ED, Sallie Mae, NCHELP Meteor, American
    Education Services (AES), Student Loan Finance
    Association, Texas Guaranteed Student Loan
    Corporation

49
Security Architecture and E-Authentication
[Diagram; labels recovered from the slide: Federal
Student Aid, Credential Service Providers, Non-Federal
Student Aid Credential, E-Authentication]
50
When Does This Happen?

  • Jun 2005: Security Architecture Developed
  • Dec 2006: eCB Integrated into Security
    Architecture
  • Jan 2007: E-Auth Architecture Developed
  • Spring 2007: eCB Integrated into E-Auth
    Architecture
  • ???: Other Systems

51
Contact Information
  • We appreciate your feedback and comments.
  • We can be reached at:

Name: Katie Blot
Phone: 202-377-3528
Email: Katie.Blot_at_ed.gov

Name: Nina Colon
Phone: 202-377-3384
Email: Nina.Colon_at_ed.gov