Information Technology Information Systems Architecture What’s new. What’s happening.

Posted: 19-Dec-2015

Information Technology

Information Systems Architecture

What’s new.

What’s happening.

04/18/23 2

Where are We Going?

• Self-service
• Increased security and privacy protections
• Real-time
• More open access to information
• Mobility

University System Architecture

Architecture Purpose

• Create reliable, extendable, standards-based, maintainable infrastructure
• Distribute management and development
• Speed deployment with increased reliability
• Support necessary security and extensive self-service applications

Expanded Architectural Model (diagram)

Layers, with the examples shown on the slide:
• User Devices – Desktop, Mobile
• Network – IP, VOIP, Wireless
• Servers – Win2003, UNIX, Linux
• Data Management – Oracle, SQL
• Integration Middleware – Identity, SSO, Messaging
• Directories, Security, Systems Management
• Core Enterprise Systems – Financial, HR, SES, CMS
• School/Department/Division Applications – CONDUITS, School NAS

The slide groups these layers under the labels Platforms, Delivery Systems and Applications.

User Devices

• Situation
  – Desktop, mobile, handheld units
• Current efforts
  – Purchasing guidelines; anti-virus license
  – Maintenance contracts; software site-licenses
• Future directions
  – Device independence through Web interfaces
  – Network backup services

Network

• Situation
  – State-of-the-art connectivity
• Current efforts
  – Access to National/International networks; on-campus wireless; iCAIR R&D
  – Advancing applications of network
• Future directions
  – Voice services (VoIP); cellular-IP services
  – Role-based access and service levels

Servers

• Situation
  – Highly-available service platforms
• Current efforts
  – Redundant power and network paths
  – Narrowing supported systems to focus skills
• Future directions
  – Parallel/hot service site; flexible server management
  – Consolidation of server support

Data Management

• Situation
  – Holding and protecting University information
• Current efforts
  – Data stewards moving to common definitions
• Future efforts
  – Data warehousing for analysis and reporting
  – Near real-time access to data across systems
  – Standard reporting and data retrieval tools

Integration Middleware

• Situation
  – Delegated identity management and access control
• Current efforts
  – Improve identity management processes
  – Deploy and leverage standard technology
• Future directions
  – Define standard inter-application work flows
  – Role-based portal to integrate presentation

Core Enterprise Systems

• Situation
  – Two major systems replaced in past 6 years
• Current efforts
  – Leverage abilities of newer systems (HRIS, SES)
  – Implement new financial and research systems
• Future directions
  – Integrate cross-system transactions
  – Open data to near real-time secure queries

School/Department/Division Applications

• Situation
  – Local systems holding institutional information
  – Procurements often isolated from IT planning
• Current efforts
  – Identify systems and data
• Future directions
  – Procurements must meet integration plans
  – Eliminate data replication; enforce security model

Systems Management

• Ensure service availability
• Current efforts
  – Automatic monitoring of central network and central servers
• Future directions
  – Monitor all network devices
  – Monitor enterprise applications

Directories

• Authenticate and authorize
• Current efforts
  – Widely-used identifier (NetID)
  – Deploy standard infrastructure
• Future directions
  – Web single sign-on
  – Unified identity management for all applications
  – Enterprise portal roles

Security

• Prevent intrusion or disruption
• Current efforts
  – Installing network firewalls
  – Installing intrusion detection
• Future directions
  – Network-wide anti-virus
  – Continuous vulnerability scanning

Expanded Architectural Model (diagram, repeated from the University System Architecture section)

Integration Middleware

• Identity management, Web SSO

• System integration via Web Services (XML, SOAP, WSDL, SAML)

Web Single Sign-On (diagram)

Components shown: a Browser, two Application Web Servers each carrying a Web SSO component, a central Authentication service, and a Token passed between them.

System Integration

Integrated enterprise systems can reduce the time to complete services across the University, eliminate manual steps (and errors), and create auditable transaction records.

A hiring event can trigger financial and service actions. Some actions could be immediate and others queued for review by service administrators before fulfillment.

Later events, such as completed training, can be promoted back into the HR record for the employee.

(Diagram: a Hiring Event in the Human Resources System fans out to the actions Provision NetID, Provision Wildcard, Encumber salary and benefits, Provision access, Schedule training, Provision ETES, Notify supervisor, Subscribe to email lists, Queue to ERP, Provision directory, Provision calendar, Provision local services, Queue to school, and Notify unit funds mgr; results flow back into the Employee Record.)

The Challenge – Application Silos

Application silos develop naturally around business systems and software under standard architectural planning and funding. Each business unit invents user management, tracks authorizations, and builds interfaces to other systems.

Silos limit views of institutional data, fragment security, require manual re-entry of data and detract from the user’s “integrated system” experience.

(Diagram: each Business Unit silo contains its own Database, Processing, Reporting, Business Rules, Interfaces, Identity Management and Authentication, Authorization and Users; IT sits outside the silo.)

The Future (diagram)

Three regions are labelled IT IdM & Portal, IT Services and Facilities, and Business Unit Focus. Elements shown: Users, Identity Management and Authentication, Processing, Reporting, Role-Based Business Rules, a Transaction Bus, a Warehouse, a central Database, and five applications each with its own Database and Application Business Rules.

Authentication & Authorization

Importance of Identity Management

• Without robust Identity Management, we can never be confident of our security
• Without confidence in security, data stewards will not be willing to expose information
• Without current information, responsible decisions are difficult – hence shadow systems
• The University should change its culture to make information available to those with proper authorization by default

Fundamental Concepts

1. Service providers must have confidence in Identification and Authentication services.
2. Service providers determine the authentication strength required for their applications and data.
3. Application software must recognize central identity and support definition of local entitlements and access rules.
4. Digital identities should be derived from authoritative sources.

Current IdM Structure (diagram)

Sources shown: HRIS, SES, SNAP, Admissions, and several feeds labelled Manual. Each application keeps its own authorization store (SES Auth_z, HRIS Auth_z, CUFS Auth_z, Student SES Auth_z), with Kerberos and Active Directory kept in step by synchronization. Consuming systems shown: E-mail, Meeting Maker, VPN/Modems, Department Servers (NT4), Course Mgmt, ETES, Novell Servers, Windows Servers, Department file & print services, Windows 2000/03. Many of the links between them are labelled Manual.

Current Practice Issues

• Separate identity databases lead to multiple usernames and passwords for each principal. This increases security risk.
• Without ties to authoritative sources, changes in the status of a principal have delayed effect on authorizations.
• Disjoint systems make common role/rule authorizations impossible.

Future Requirements

• School/Division/Department system administration must be linked to central identity services
• Systems with secure information must be themselves secure
• Maintenance of authentication will be more distributed and less convenient for higher-security systems
• University must define business rules for when the status of an individual changes

Future IdM Structure (diagram)

An LDAP Registry sits at the centre. Systems shown connected to it: HRIS, SES, SNAP, Admissions, Research, Business Partners, Academic Partners (some still with feeds labelled Manual), Web Single Sign-On, E-mail, Meeting Maker, Course Mgmt, ETES, Financials, Department file & print services, Active Directory, Network VPN, and Novell eDirectory.

LDAP Cluster (diagram)

Elements shown: SES and HRIS as sources, the Registry (registry.northwestern.edu), the White Pages (directory.northwestern.edu), SNAP, load balancing in front of the services, and Extraction and Replication links between them, operated by IT Computing Services.

Note: schematic – not an engineering representation

AD / eDirectory Structure (diagram)

Elements shown: the Registry (LDAP), an Enterprise forest, and the units School A, School B and Division Z.

LDAP Access to Data Items

• Access is controlled in four ways:
  – Anonymous bind to registry is reserved to known e-mail hosts
  – User binding restricted by IP address
  – Attribute retrieval protected by application credentialing and Access Control Lists
  – White pages is an extract of registry data

Anonymous Binding

• Appropriate for white pages lookup
• Fast – no encryption
• Program binds, then queries by indexed attribute
• Return is defined by ACL

(Diagram: Eudora, Outlook, a mail Relay and an unidentified client marked “??” querying the LDAP Service.)

User Binding

• The only means to check username and password validity
• Restricted by IP address to avoid brute-force attacks
• Encrypted via SSL
• Will eventually be isolated from the application by SSO
• Return is defined by ACL

(Diagram: SES, SNAP and Hecky binding to the LDAP Service.)

Attribute Retrieval Binding

• Application presents assigned credentials to bind as itself
• Queries and receives return defined by unique ACL
• Encrypted via SSL
• Ex: from NetID get DN and jpegphoto

(Diagram: NUTV, VPN and Course Mgmt binding to the LDAP Service.)

IP Address Restrictions

• Restriction of LDAP protocols by IP address is performed by ITCS firewall
• Request-specific ACL limits exposure of data items

(Diagram: ACLs sitting between LDAP requests and the Registry data.)

Typical Three-Step Scenario

• Binding with DN and password is IP-restricted and isolated from application coding
• Binding as an application presents credentials defining returned attributes

(Diagram: a Web Server with an LDAP plug-in, an Application Server with an LDAP plug-in, and the Registry; all three links are marked SSL. The web server passes transaction data including NetID to the application server.)
1. Bind as web server, search by NetID for DN, then
2. Bind by DN to validate password
3. Bind as application – Key: NetID, Return: attributes
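The three-step scenario above, as an added example in Python (a constructed model written for this page, not NUIT's code or any LDAP client library): the registry is an in-memory dict standing in for the LDAP server, and every DN, credential, attribute value and the permitted 10.20.0.0/24 network is an assumption. What it shows is the shape of the controls: the web server discovers the DN by search rather than constructing it, the DN + password bind is refused from outside the permitted network, the application only ever receives the NetID, and each binding identity's ACL decides which attributes come back.

```python
import ipaddress
# Constructed sample registry, keyed by DN. userPassword is in no ACL, so no step returns it.
REGISTRY = {"uid=jdoe,ou=people,dc=example,dc=edu": {
    "uid": "jdoe", "userPassword": "correct horse", "cn": "Jane Doe",
    "jpegPhoto": b"\xff\xd8constructed", "mail": "jdoe@example.edu"}}
# Hypothetical application credentials and the ACL tied to each binding identity.
APP_PASSWORDS = {"cn=webserver,ou=apps,dc=example,dc=edu": "ws-secret",
                 "cn=coursemgmt,ou=apps,dc=example,dc=edu": "cm-secret"}
ACLS = {"cn=webserver,ou=apps,dc=example,dc=edu": {"uid"},  # enough to map NetID -> DN
        "cn=coursemgmt,ou=apps,dc=example,dc=edu": {"cn", "jpegPhoto"}}
# Networks from which the firewall permits DN + password (user) binds.
USER_BIND_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def escape_filter_value(value):
    """RFC 4515 escaping so a NetID typed by a user cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def search_dn(app_dn, app_pw, netid):
    """Step 1: bind with the web server's own credential, search uid=<NetID> for the DN."""
    if APP_PASSWORDS.get(app_dn) != app_pw:
        return None
    filt = f"(uid={escape_filter_value(netid)})"  # the filter a real client would send
    for dn, attrs in REGISTRY.items():            # simulated equality match
        if filt == f"(uid={attrs['uid']})":
            return dn
    return None

def bind_user(dn, password, client_ip):
    """Step 2: bind by DN to validate the password; refused outside permitted networks."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in USER_BIND_NETS):
        return False
    return REGISTRY.get(dn, {}).get("userPassword") == password

def fetch_attributes(app_dn, app_pw, netid):
    """Step 3: the application binds as itself; the return is cut down to its own ACL."""
    if APP_PASSWORDS.get(app_dn) != app_pw:
        return {}
    allowed = ACLS.get(app_dn, set())
    for attrs in REGISTRY.values():
        if attrs["uid"] == netid:
            return {k: v for k, v in attrs.items() if k in allowed}
    return {}

def web_login(netid, password, client_ip):
    """Steps 1 and 2 as the web server plug-in performs them; only the NetID goes onward."""
    dn = search_dn("cn=webserver,ou=apps,dc=example,dc=edu", "ws-secret", netid)
    if dn is None or not bind_user(dn, password, client_ip):
        return None
    return netid  # transaction data including NetID; the password stops here
```

The clear-text password in the sample dict only stands in for the registry's stored credential; a NetID carrying filter metacharacters is escaped in step 1 and simply finds no DN.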


How is Registry Access Governed?

• Due to the protections in place, access must be requested through NUIT.

• Requests must be approved by the custodian(s) of the data.

• NUIT then assigns the appropriate ACL to restrict access to only the approved data items.

Anticipating the Future

Getting ahead of the changes

Trends: Web-Based Access

• Web should be the primary tool for user access to applications

• Anticipates Web SSO

• Anticipates portal interfaces

• Minimizes platform dependencies

Trends: Data Security

• Custodians will grant access to data for specific purposes, not general use. Use may be audited.

• Limit information retained locally to what is unique to the application.

• Obtain general information as needed from the Registry, given performance requirements.

Trends: Authentication and User Management

• NetID will become the universal identifier.
• Web SSO will be deployed.
• Password security concerns will limit some user management flexibility.
• Stronger authentication may be justified for some applications – but it is costly.

Trends: Web Services

• Exposure of central data will move to WS.

• Applications will use XML to expose data to portals.

• Real-time transaction systems will use WS to relay changes to other systems.

Do’s and Don’ts

Do…
• Adopt NetID as your local identifier
• Migrate to NetID passwords
• Use two-step authentication binding to LDAP

Don’t…
• Stay on Windows NT
• Authenticate against Ph
• Assume you can construct a DN
• Write applications that see user passwords in clear text

More Advice…

• Learn about XML and Web Services
• Develop applications for the Web
• Involve NUIT early in planning and especially software acquisition
• Learn about data privacy regulations
• Think globally while acting locally


Questions?

http://www.it.northwestern.edu/isa/