Session 52
Security Architecture – What Does It Mean
Katie Blot
Nina Colon
Security Architecture - What Does It Mean?
“What is security architecture and what are the critical functionalities? Learn about Federal Student Aid's security architecture - the what and the why - and how it affects you. Federal Student Aid's security architecture pilot with the eCampus-Based (eCB) system will be discussed as well as our plans for the future, including E-Authentication.”
Agenda
• Security Architecture Overview (Katie Blot)
• Security Architecture and eCB (Nina Colon)
• E-Authentication Overview (Katie Blot)
Security Architecture Overview
What is Security Architecture?
• Security Architecture uses Tivoli Access Manager (TAM) to enable consistent Authentication, Authorization, and Accountability
– Authentication: Who are you?
– Authorization: What are you allowed to do?
– Accountability: What did you do?
• Security Architecture will enable a single unique source of Identity Management throughout Federal Student Aid using Tivoli Identity Manager (TIM)
– One user profile per person for all Security Architecture protected applications
• Federal Student Aid Security Infrastructure utilizing TIM and TAM provides best-in-breed security software products to support the Federal Student Aid Security Architecture
Security Architecture Functions:
• Provides consistent security services & configurations across Federal Student Aid systems
– Decreases security risks
– Improves maintainability of systems
– Offloads ad hoc application security from application teams
• Gives better service to our customers/partners
– Single sign-on for web applications
– Simplified registration/approval processing
– Delegated administration
• Promotes enterprise security management
– Consolidated security views and reporting
– Flexibility to accommodate new or redeployed systems
– Lowers security development and operational costs
Security Architecture Conceptual Design
[Diagram: FSA and Trading Partners (School Users, School Servicers, Lenders, Guaranty Agencies, Collection Agencies, State & Federal Agencies, Accrediting Agencies, Auditors, Other Users) and FSA Users reach the FSA Target State Vision Systems through the FSA Security Architecture. Integrated Partner Management manages trading partner eligibility, enrollment, and oversight. The FSA Security Architecture box holds Enrollment, Identity Management, Access Management and Audit (access management tools, identity management tools, enterprise policy repositories, enterprise user repositories, and other related security components). The flow is numbered 1 to 4, from the user's Access request to the System Response.]
Benefits of Tivoli Access Manager
Before Tivoli Access Manager:
• Too Many Passwords to Remember
• Multiple Administrators
• Access control different by application
• User information spread throughout the environment
• Security is an application task
• Security standards managed by application
After Tivoli Access Manager:
• Single Sign-on for web applications
• Unified administration
• Single tool for access control
• User security information centralized
• Security is a centralized IT management task
• Common security standards for all applications
[Diagram: Before, an Internet user holds a separate User ID and Password for each of Application 1 through 4, each fronted by its own Security 1 through 4 and backed by its own Data 1 through 4. After, the School / Partner User holds one User ID and Password, enters through a Portal Application, and Security Architecture Authentication and Authorization fronts Application 1 through 4 and Data 1 through 4.]
Security Architecture Today
• Eight applications secured behind Security Architecture
– Including Financial Partners DataMart and Experimental Sites
• eCB Integration with Security Architecture in Dec 2006
– Registration for existing eCB users available in PC Lab
– New users will be able to self-register in December
• Federal Student Aid Target State Vision applications are being built with Security Architecture. These applications include:
– IPM
– ADvance
– Portals
– Enterprise Service Bus (ESB)
– e-Authentication to eCB
Security Architecture and eCampus-Based
Security Architecture – How Is It Easier Than SAIG Enrollment?
• All forms will be pre-populated with existing data from the SAIG Enrollment System and verified and updated by individual users.
• New users will need to provide all data necessary to create userid and password.
• Required data fields will be indicated by an *.
• The user must know his or her institution/organization OPEID or correct Institution/organization name.
• The Institution/Organization name and location will be displayed so that the user can be sure of selecting the right school.
Security Architecture – How Is It Easier Than SAIG Enrollment?
• The access rights are pre-defined from pre-loaded data from the SAIG Enrollment System.
• Access rights will be rolled over from the prior year.
• Rolling the access rights over from the prior years will alleviate the need for the Destination Point Administrator (DPA) to go back into the Enrollment System to give users access rights for the new year.
Change in Registration Process
• Starting December 16, 2006 all current users of eCB will need to register with Security Architecture
• There will be no issuance of PINs for use with the eCB application for authentication of users
• Starting December 16, 2006 Authentication will be only through Security Architecture with a userid and password.
Overview Diagram
[Diagram: The E-Campus Based Application (www.cbfisap.ed.gov, www.pilot.cbfisap.ed.gov) contains an E-Campus Base Authentication Module. Previously the module sent the Social Security number, the first two (2) letters of the last name, the date of birth and the PIN to the PIN Server for Authentication, which answered Match? (Yes or No). With Security Architecture (SA) Authentication, the module sends User ID and Password, and the user is forwarded to the application after successful authentication. Other Application #1, #2 and #3 sit behind the same Security Architecture authentication.]
What Is New?
• Registration screens are the same for all parties
– DPA
– FAA
– Third Party Service Providers
• Email is sent to registrants’ Supervisors for additional confirmation of user account being created.
eCampus Based Login
• Go to the eCB home page at the following URL:
– www.cbfisap.ed.gov
• Click Login
• Current eCB users' data is preloaded and limited additional information is needed to complete the registration.
– You will be referred to the Security Architecture system from the eCB login.
Getting Started with Security Architecture
• Click on eCB Self Registration to start the registration process.
Getting Started with Security Architecture
• To see if you are already in the database we need you to provide the following data (this will only occur the very first time you register):
– First Name
– Last Name
– Date of Birth
– Last 4 digits of SSN
• Click submit to go to the next screen.
Getting Started with Security Architecture
• Pre-populated fields like name, last four digits of SSN, OPEID and School Name cannot be updated.
– If you are a new user, you will need to provide data in all fields
• Indicate if your organization is a Service Provider.
Getting Started with Security Architecture
• Your demographic information has been pre-populated. We have carried over your information from the SAIG Participation Management System.
– Please verify that the information provided is still correct.
– If the information is incorrect in our system, please make the necessary updates during the registration process.
• Fields such as address and email can be updated.
Getting Started with Security Architecture
• On each screen within the registration process, it will be necessary to verify that we have loaded the correct data.
• Provide a password that only you will know. This will be part of your login for eCB.
Getting Started with Security Architecture
• Fly-over help text has been added to certain fields on the registration screens to clarify the information being requested.
Getting Started with Security Architecture
• Security Architecture is requiring the Supervisor contact information so we can send an email for approval for all users that request a user id and password.
– If you are a Financial Aid Administrator or Service Provider self registering, please provide the Destination Point Administrator’s contact information for the email to be sent for approval of access rights to eCB.
Getting Started with Security Architecture
• You can either search for your organization information by name or OPEID Code.
• If your information is pre-populated, please just verify that your organization information is correct.
Getting Started with Security Architecture
• You will be asked to confirm the registration information that either has been pre-populated in the system or that you have entered on each screen.
eCB Access Rights
• Please verify your access rights by year. If you have the same access as the DPA you will select same as DPA. The access rights are as follows:
– Read
– Read/Write/Submit
– DRAP Access Only
Access Rights for Multiple Schools
• If you are a Service Provider with more than 1 campus or Institution, please register complete access rights for each OPEID and access for each cycle year.
eCB Access Rights for Service Providers
Access Rights
• If you are a DPA or Service Provider with more than 1 campus or Institution, please register complete access rights for each OPEID.
Access Rights
• The screen shows how many schools remain to set up access rights for. A message on screen indicates how many schools you will be registering access for. Once you select the School, you need to identify your role and access rights.
– If you have multiple schools, you will need to complete the access rights for each School you are associated with.
Access Rights for Multiple Schools
• If you are a DPA or Service Provider with more than 1 campus or Institution, please register complete access rights for each OPEID and access for each cycle year.
Access Rights Verification
Access Rights Confirmation
Registration Confirmation
• Submission confirmation of your registration for userid and password.
e-Mail Notification of Account
• Once your registration has been submitted, you will receive an email with your userid. You will not get the password in an email.
• Sample e-mail text:
Subject Line: DEV: Your eCB account has been approved.
Your eCB account has been approved. Your userid will be ecb.testuser
What Next?
• After your initial registration, you will go to www.cbfisap.ed.gov and click “login”
• You will be directed to the Security Architecture screen to provide your userid and password.
• You will no longer need to provide your SSN, DOB, first 2 letters of last name or PIN.
• We will verify you are in the database and then pass your access rights back to eCB and you will continue to work in the application.
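As an added example (not Federal Student Aid's code, and not a description of how TAM or TIM implement this), here is a small Python model of the access-rights handling on the registration screens above (rights kept per OPEID and cycle year, the "same as DPA" selection, and the prior-year rollover) together with the login step from "What Next?" that verifies userid and password and hands the resolved rights back to the application. The OPEID, userids, passwords and the mapping from each right to the actions it permits are constructed for the example, and the salted PBKDF2 password storage is an assumption.

```python
"""Added example (not Federal Student Aid's code): a toy model of eCB
access rights and the Security Architecture login hand-back.

Assumptions not taken from the slides: rights are keyed by (OPEID, cycle
year); the actions each right permits are a guessed mapping; credentials
are stored as salted PBKDF2 hashes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

RIGHTS = {"Read", "Read/Write/Submit", "DRAP Access Only"}  # from the slide
SAME_AS_DPA = "Same as DPA"  # the "same as DPA" selection on the screen
PERMITTED = {  # assumed mapping of right -> actions it allows
    "Read": {"read"},
    "Read/Write/Submit": {"read", "write", "submit"},
    "DRAP Access Only": {"drap"},
}


@dataclass
class User:
    userid: str
    is_dpa: bool = False
    # (opeid, cycle_year) -> one of RIGHTS, or SAME_AS_DPA for non-DPA users
    rights: dict = field(default_factory=dict)
    salt: bytes = b""
    pw_hash: bytes = b""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityArchitecture:
    """Holds identities, credentials and per-OPEID, per-year access rights."""

    def __init__(self):
        self.users = {}
        self.dpa_for_opeid = {}  # OPEID -> userid of that school's DPA

    def register(self, user: User, password: str) -> None:
        for (opeid, year), right in user.rights.items():
            if right not in RIGHTS and right != SAME_AS_DPA:
                raise ValueError(f"unknown right {right!r} for {opeid}/{year}")
            if right == SAME_AS_DPA and user.is_dpa:
                raise ValueError("a DPA cannot select 'Same as DPA'")
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(password, user.salt)
        self.users[user.userid] = user
        if user.is_dpa:
            for (opeid, _year) in user.rights:
                self.dpa_for_opeid[opeid] = user.userid

    def resolve_right(self, userid: str, opeid: str, year: int):
        """Effective right for one OPEID and cycle year, following 'Same as DPA'."""
        user = self.users.get(userid)
        if user is None:
            return None
        right = user.rights.get((opeid, year))
        if right != SAME_AS_DPA:
            return right  # explicit right, or None if nothing registered for that year
        dpa_id = self.dpa_for_opeid.get(opeid)
        if dpa_id is None:
            return None  # no DPA registered for this OPEID: nothing to inherit
        return self.users[dpa_id].rights.get((opeid, year))

    def is_allowed(self, userid: str, opeid: str, year: int, action: str) -> bool:
        right = self.resolve_right(userid, opeid, year)
        return right is not None and action in PERMITTED.get(right, set())

    def roll_over(self, from_year: int, to_year: int) -> int:
        """Carry prior-year rights into the new cycle year (the rollover the
        slides describe); explicit entries for the new year are kept.
        Returns the number of entries created."""
        created = 0
        for user in self.users.values():
            for (opeid, year), right in list(user.rights.items()):
                if year == from_year and (opeid, to_year) not in user.rights:
                    user.rights[(opeid, to_year)] = right
                    created += 1
        return created

    def login(self, userid: str, password: str):
        """Verify userid/password; on success return the resolved rights to
        hand back to eCB, otherwise None."""
        user = self.users.get(userid)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return None
        return {key: self.resolve_right(userid, key[0], key[1]) for key in user.rights}


def demo() -> SecurityArchitecture:
    """Constructed sample data: one DPA and one FAA at the made-up OPEID 00123400."""
    sa = SecurityArchitecture()
    sa.register(User("ecb.dpa", is_dpa=True,
                     rights={("00123400", 2006): "Read/Write/Submit"}), "dpa-pass")
    sa.register(User("ecb.faa", rights={("00123400", 2006): SAME_AS_DPA}), "faa-pass")
    return sa
```

Two points the model makes visible: a user whose entry is "Same as DPA" gets nothing for an OPEID that has no registered DPA, and rights for a cycle year exist only after an explicit entry or a rollover, which is exactly the gap the rollover slide says the DPA no longer has to fill by hand in the Enrollment System.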
E-Authentication Overview
What is E-Authentication?
• It is about authenticating identity credentials…but the set of identity credentials is expanded…to include other external electronic credentials.
• For Federal Student Aid business systems…you could use your school credential to access our systems instead of the ones we provide.
• For other Federal Agency business systems…you could do the same thing.
How Could This Happen?
• Approach this as an enterprise initiative. In this case, the enterprise is the federal government.
• Get executive sponsorship. Federal agencies are participating as part of the Presidential Management Agenda (PMA) eGov initiative.
• Establish the standards, governance agreements and technology that build a “circle of trust”.
Future Model for Federations of Trust
[Diagram: federations shown are the E-Authentication Federation, the EDUCAUSE Higher Education Bridge Certificate Authority, InCommon and NCHELP Meteor. Participants shown are ED, HHS, GSA, DOE and NSF; Dartmouth, Penn State, Univ. of CA, Ohio Univ. and Cornell; and Student Loan Finance Association, Sallie Mae, American Education Services (AES) and Texas Guaranteed Student Loan Corporation.]
Security Architecture and E-Authentication
[Diagram: the same conceptual design as before. FSA and Trading Partners (School Users, School Servicers, Lenders, Guaranty Agencies, Collection Agencies, State & Federal Agencies, Accrediting Agencies, Auditors, Other Users) and FSA Users reach the FSA Target State Vision Systems through the FSA Security Architecture (Enrollment, Identity Management, Access Management and Audit: access management tools, identity management tools, enterprise policy repositories, enterprise user repositories, and other related security components), with Integrated Partner Management managing trading partner eligibility, enrollment, and oversight and the flow numbered 1 to 4 from Access to System Response. Added to the picture: Credential Service Providers supply a Non-Federal Student Aid Credential through E-Authentication.]
When Does This Happen?
• Jun 2005 – Security Architecture Developed
• Dec 2006 – eCB Integrated into Security Architecture
• Jan 2007 – E-Auth Architecture Developed
• Spring 2007 – eCB Integrated into E-Auth Architecture
• ??? – Other Systems
Contact Information
We appreciate your feedback and comments. We can be reached at:
Name: Katie Blot
Phone: 202-377-3528
Email: [email protected]
Name: Nina Colon
Phone: 202-377-3384
Email: [email protected]