Enterprise Directory Design - Facing the Initial Challenges
Brendan Bellina
Identity Services Architect, University of Southern California
Copyright © Brendan Bellina, 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Spot Quiz
What is the relationship of these numbers?
79
3000
38
Answer provided at the end of the session
An Enterprise Directory is… A specialized database serving multiple services that contains information about the institution’s:
• members
• affiliates
• roles
• groups
• authorizations
• devices
• accounts
Why An Enterprise Directory?
Distributed Data = Leaks
Security Breach
User Error
Intentional Email
Inadequate Training
Equipment Theft
Recycled Equipment
SSN
Name
Date of Birth
Gender
Ethnicity
Address
Phone
Reported Cases of Higher-Ed Identity Theft: 2003-2005
(note: this list is only a sampling)
October 2003 - University of Texas at Austin administrative database breached exposing 55,200 SSN’s. https://www.utexas.edu/datatheft/
January 2004 - University of Georgia systems breached - 20,000 student SSN’s exposed http://www.informationweek.com/story/showArticle.jhtml?articleID=17501920
May 2004 - University of California, San Diego - 380,000 people, including 178,000 students and 3,800 employees, at risk for identity theft after hackers broke into 4 servers in the UCSD Business and Financial Services Department. http://www.informationweek.com/story/showArticle.jhtml?articleID=20000129
June 2004 - UCLA laptops stolen with 145,000 SSN’s for blood donors and 62,000 SSN’s for patients. http://news.com.com/UCLA+laptop+theft+exposes+ID+info/2100-1029_3-5230662.html?tag=nl
January 2005 - George Mason University ID card server broken into releasing 30,000 SSN’s. http://news.com.com/Hackers+steal+ID+info+from+Virginia+university/2100-7349_3-5519592.html
March 2005 - A laptop stolen from the University of California-Berkeley contained the Social Security numbers of 98,369 alumni, graduate students and past applicants. http://www.berkeley.edu/news/media/releases/2005/03/28_security.shtml
May 2005 - Stanford Career Development Center breached, exposing 9,600 SSN’s. http://www.computerworld.com/printthis/2005/0,4814,102075,00.html
July 2005 - Sonoma State University workstations accessed containing SSN’s for students and applicants from 1995-2002 and faculty from 1999-2005. http://www.sonoma.edu/uaffairs/incident/
October 2005 - Montclair State University - an employee unwittingly posted SSN’s and names of 9,100 students on a public web server for almost 5 months http://www.montclairtimes.com/page.php?page=10627
Of course it is 2006 and we are much smarter now…
January 2006 - University of Notre Dame Development Office server hacked. Notre Dame refuses to comment on the number of people compromised, but the number is believed to be significant. http://idtheft.about.com/od/databreaches/p/Notre_Dame.htm
March 2006 - Vermont State Colleges laptop stolen from under a car seat with personal information for 20,000 employees and students of the Vermont College System. http://idtheft.about.com/od/2006/p/VSU_Breach.htm
March 2006 - Metropolitan State College of Denver laptop stolen from the home of an Admissions Office employee with SSN’s of more than 93,000 students. http://idtheft.about.com/od/2006/p/Metro_State.htm
March 2006 - Georgetown University research server hacked for SSN’s, names, and birth dates of 41,000 elderly. http://idtheft.about.com/od/2006/p/GeorgeTown.htm
April 2006 - University of South Carolina department chair mistakenly emailed the SSN’s of 1,400 students to 1,000 classmates. http://www.myrtlebeachonline.com/mld/myrtlebeachonline/news/local/14340642.htm
April 2006 - Texas University School of Business database server hacked for 197,000 student and employee identities. http://idtheft.about.com/od/2006/p/Texas_U.htm
May 2006 - Ohio University alumni database server hacked, releasing information on 300,000 alumni and 137,000 SSN’s. http://idtheft.about.com/od/2006/p/Ohio_data_theft.htm
May 2006 - Ohio University medical records system hacked for 60,000 identities. http://idtheft.about.com/od/2006/p/Ohio_University.htm
May 2006 - Sacred Heart University system hacked, compromising 135,000 SSN’s. http://idtheft.about.com/od/2006/p/Sacred_Heart.htm
Problems With Having Multiple Directories
• Data synchronization problems
• Provisioning takes too much time
• Access Revocation takes way too much time – sometimes a lifetime
• Inability to readily determine who has access to what
• Problems keeping confidential data confidential (FERPA, HIPAA)
• Multiple entry points lead to orphan and back-door accounts
Why An LDAP Directory?
LDAP – Lightweight Directory Access Protocol
• Created at the University of Michigan in 1993, first commercial LDAPv3 server shipped in 1998 by Netscape
• More widely adopted by vendors than competing standards
• Sun, OpenLDAP, IBM, Novell, Microsoft
• Reliable, Replicatable, Optimized for Read Access, Interoperability
Decision Maker
User Info
Application
“In-Bounds”
Directory Administrator
“Out-of-Bounds”
Filter
Because the Enterprise Directory contains all people who use all applications, filtering must be done between the application and the directory. Directory Access Controls are an effective means of doing this and are external to the applications.
Easy to delegate, but proprietary interfaces may not be usable.
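The following is an added example, not code from the presentation or from USC's directory service. It models the point above: the directory holds everyone who uses any application, so each application is given a policy, kept outside the application, that defines its "in-bounds" view (which entries it may see and which attributes it may read), the way directory access controls do. The entries, policies and application names are all constructed; it also answers the "who has access to what" question from the earlier slide by listing, per attribute, which applications may read it.

```python
"""Per-application filtering between applications and an enterprise directory.

Added example, not code from the presentation or from USC's directory
service. Each application gets a policy: a scope predicate (which
entries are in-bounds) and an attribute allowlist (which attributes it
may read). Every entry, policy and application name below is constructed.
"""
from typing import Callable, Dict, List, Set

Entry = Dict[str, object]

# Constructed directory entries (identifiers and values are made up)
DIRECTORY: Dict[str, Entry] = {
    "uscid:2001": {"cn": "Ada Student", "affiliation": {"student"},
                   "mail": "ada@example.edu", "ssn": "CONSTRUCTED-SSN-1"},
    "uscid:2002": {"cn": "Bo Faculty", "affiliation": {"faculty"},
                   "mail": "bo@example.edu", "ssn": "CONSTRUCTED-SSN-2",
                   "listed": True},
    "uscid:2003": {"cn": "Cy Staff", "affiliation": {"staff"},
                   "mail": "cy@example.edu", "ssn": "CONSTRUCTED-SSN-3",
                   "listed": False},
    "uscid:2004": {"cn": "Di Guest", "affiliation": {"guest"},
                   "mail": "di@example.edu"},
}


class AccessPolicy:
    """What one application may see: a scope predicate and an attribute allowlist."""

    def __init__(self, scope: Callable[[Entry], bool], attrs: Set[str]) -> None:
        self.scope = scope
        self.attrs = attrs


# Constructed policies; the application names are hypothetical.
POLICIES: Dict[str, AccessPolicy] = {
    "course-portal": AccessPolicy(
        scope=lambda e: bool(e["affiliation"] & {"student", "faculty"}),
        attrs={"cn", "mail", "affiliation"}),
    "payroll": AccessPolicy(
        scope=lambda e: bool(e["affiliation"] & {"staff", "faculty"}),
        attrs={"cn", "mail", "ssn"}),
    "campus-directory": AccessPolicy(
        scope=lambda e: bool(e.get("listed", True)),
        attrs={"cn", "mail"}),
}


def application_view(app: str) -> Dict[str, Entry]:
    """Return only the entries and attributes that `app` is allowed to read."""
    policy = POLICIES[app]
    return {
        uid: {a: e[a] for a in policy.attrs if a in e}
        for uid, e in DIRECTORY.items() if policy.scope(e)
    }


def attribute_readers(attr: str) -> List[str]:
    """Which applications may read `attr` at all (audit: who can see SSNs?)."""
    return sorted(app for app, p in POLICIES.items() if attr in p.attrs)


def applications_seeing(uid: str) -> List[str]:
    """Which applications have the entry `uid` in bounds."""
    entry = DIRECTORY[uid]
    return sorted(app for app, p in POLICIES.items() if p.scope(entry))


if __name__ == "__main__":
    for app in POLICIES:
        print(app, application_view(app))
    print("ssn readable by:", attribute_readers("ssn"))
```

Because the policy is data held beside the directory rather than logic inside each application, revoking an attribute from an application or asking "who can read this attribute" is a single lookup instead of a code review of every consumer.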
Enterprise Directory Model
[Diagram: Systems of Record (three shown) feed the Enterprise LDAP Directory; Applications (three shown) and an internally developed web interface for Groups access the directory over the LDAP protocol]
The Need for Policies
• Data Entry
• Data Collection
• Data Transformation
• Data Access
• Data Propagation
• Security
Rich technologies highlight poor policies. Ken Klingenstein, University of Colorado
• Account Creation
• Account Revocation
• Role Definition
• Guests / Affiliates
• Privacy
Policies for Making Policies
• Directory Services Steering Committee
– Data “Affiliation” Stewards (Registrar, Provost)
– System of Record owners (SIS, HRS)
– Core Service owners (e.g. Portal, Email)
– Information Security
– Legal Department
– CIO
• “Person” Office
Initial Service Architecture Plan
• Data Flows
– Directory Provisioning
• Data Mastery - entries and attributes
• Accessibility
• Availability
• Responsiveness
• Acceptable Latency for inbound and outbound
EDS Architecture Models
• Centralized EDS
– Everything queries the central EDS
– Central control
– Performance bottleneck risk
• Replicated EDS
– Replicate servers for performance
– Data Latency
• Derivative directories
– Distribute EDS data to stand-alone directories
– Issues managing identities
– Risk of data leakage and inconsistent access controls
Challenges
• Identity Resolution
• Privileges for Guests / Affiliates
• Account management
• Institutional definition of roles
• Data integration
• Handling Exceptions
• Multiple Authorization Models (Groups and Attributes; self and proxied)
• Data Access Policies
In Higher-Education, Roles are NOT Simple…
Plan on it, Plan for it
Groups, Rules, and Exceptions
[Diagram: User Info from the Systems of Record populates the EDS Entries; Rule-based Groups are derived from those entries; a Decision Maker maintains Exception Groups through the Groups interface; the EDS Groups combine both into the Enterprise Groups]
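The following is an added example, not code from the presentation or from USC's directory service. It works through the groups, rules and exceptions model: systems of record supply the attributes of each EDS entry, rule-based groups are computed from those attributes, exception groups (add and remove lists) are maintained by a delegated decision maker, and the enterprise group is the rule result plus adds minus removes. The entries, group names, rules and exceptions are all constructed. It also shows the two checks a practitioner wants once exceptions exist: an explanation of why a person is in a group, and a report of exceptions that point at people who no longer have an EDS entry.

```python
"""Enterprise groups from rules plus delegated exceptions.

Added example, not code from the presentation or from USC's directory
service. Entries, group names, rules and exceptions are all constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

Entry = Dict[str, object]
Rule = Callable[[Entry], bool]

# Constructed EDS entries (identifiers are made up)
EDS_ENTRIES: Dict[str, Entry] = {
    "uscid:1001": {"affiliation": {"student"}, "dept": "CS", "enrolled": True},
    "uscid:1002": {"affiliation": {"faculty"}, "dept": "CS", "dept_chair": True},
    "uscid:1003": {"affiliation": {"staff"}, "dept": "HR"},
    "uscid:1004": {"affiliation": {"student", "staff"}, "dept": "CS",
                   "enrolled": False},
    "uscid:1005": {"affiliation": {"guest"}, "dept": "CS"},
}

# Rule-based groups: group name -> predicate over one EDS entry
RULES: Dict[str, Rule] = {
    "cs-members": lambda e: e.get("dept") == "CS"
        and bool(e["affiliation"] & {"student", "faculty", "staff"}),
    "active-students": lambda e: "student" in e["affiliation"]
        and bool(e.get("enrolled")),
    "dept-chairs": lambda e: bool(e.get("dept_chair")),
}


@dataclass
class ExceptionGroups:
    """Per-group add and remove lists, maintained by a delegated decision maker."""
    add: Dict[str, Set[str]] = field(default_factory=dict)
    remove: Dict[str, Set[str]] = field(default_factory=dict)


# Constructed exceptions: a sponsored guest added to cs-members, a departed
# person (uscid:9999) whose exception was never cleaned up, and one
# exclusion that overrides the rule.
EXCEPTIONS = ExceptionGroups(
    add={"cs-members": {"uscid:1005", "uscid:9999"}},
    remove={"cs-members": {"uscid:1004"}},
)


def enterprise_groups(entries: Dict[str, Entry], rules: Dict[str, Rule],
                      exceptions: ExceptionGroups) -> Dict[str, Set[str]]:
    """Rule members plus exception adds minus exception removes.

    Adds that no longer match an EDS entry are dropped, so a stale
    exception cannot keep a departed person in a group.
    """
    groups: Dict[str, Set[str]] = {}
    for name, rule in rules.items():
        by_rule = {uid for uid, e in entries.items() if rule(e)}
        added = exceptions.add.get(name, set()) & set(entries)
        removed = exceptions.remove.get(name, set())
        groups[name] = (by_rule | added) - removed
    return groups


def explain(uid: str, group: str, entries: Dict[str, Entry],
            rules: Dict[str, Rule], exceptions: ExceptionGroups) -> str:
    """Trace why uid is, or is not, in group, so a delegate can review it."""
    if uid in exceptions.remove.get(group, set()):
        return "excluded by exception"
    if uid in entries and rules[group](entries[uid]):
        return "member by rule"
    if uid in exceptions.add.get(group, set()):
        return "member by exception" if uid in entries else "stale exception (no EDS entry)"
    return "not a member"


def stale_exceptions(entries: Dict[str, Entry],
                     exceptions: ExceptionGroups) -> Dict[str, Set[str]]:
    """Exception entries that point at identifiers with no EDS entry."""
    stale: Dict[str, Set[str]] = {}
    for table in (exceptions.add, exceptions.remove):
        for group, ids in table.items():
            missing = ids - set(entries)
            if missing:
                stale.setdefault(group, set()).update(missing)
    return stale


if __name__ == "__main__":
    for name, members in enterprise_groups(EDS_ENTRIES, RULES, EXCEPTIONS).items():
        print(name, sorted(members))
    print("stale exceptions:", stale_exceptions(EDS_ENTRIES, EXCEPTIONS))
```

Keeping rules and exceptions as separate inputs, rather than editing the computed group by hand, is what makes revocation tractable: when the system of record drops a person, every rule-based membership disappears on the next computation, and the stale-exception report shows the delegated exceptions that still need attention.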
Summary: Political Challenges
• Policy requirements are significant
• Research into institution practice is mandatory
• Risk questioning common practice
• Data Ownership is debatable
• Service Sponsorship is debatable
• Higher-Education is trust-based, not role-based
• Higher-Education allows exceptions to all privileges
• Centralized standards fly in the face of unregulated practices
Summary: Technical Challenges
• Integrating multiple data sources
• Identity Resolution
• The Goldilocks Principle: Provide just the right amount of access, not too little, not too much
• Champion roles, but accept the need for delegating exception management
• Develop to standards, but deviate where necessary
• Flexible authorization model to support the widest variety of applications
Spot Quiz
What is the relationship of these numbers?
79
3000
38
The crime of identity theft occurs every 79 seconds. This presentation was 50 minutes or 3000 seconds in length. There have been approximately 38 occurrences of identity theft during this presentation.
Do you know where your identity data is?
Resources
• Presentations: http://its.usc.edu/~bbellina
• Internet2 middleware standards: http://middleware.internet2.edu
• USC Global Directory Service Website: http://www.usc.edu/gds
Contact Information
Brendan Bellina
Identity Services Architect
USC Information Technology Services
Email: [email protected]
Website: <http://its.usc.edu/~bbellina>