A SECURITY MODEL THAT WORKS FOR YOU!
September 13, 2012
@2011 Copyright Jeri Hale - UT Dallas. All Rights Reserved.

Jeri Hale, University of Texas at Dallas
Director of IR Quality, Compliance, and Accessibility at UTD with over 27 years' experience in security, internal controls, implementations, process design, business analysis, and development. Designed Security, Integrations, and HCM custom applications at UTD. Currently responsible for compliance reviews, audit coordination, and quality consulting for all enterprise applications.

Ben Dai, Tunabear Consulting, Inc.
Principal Consultant for Tunabear Consulting. Ben’s extensive PeopleSoft experience, along with MBA, CPA, and HUB certifications, gives him a unique perspective and insight. Under Ben’s direction and hands-on efforts, Tunabear developed many of the customizations and integrations needed for the security model.

• Enrollment: 17,800
• Among top ranked schools: management/geosciences & best value
• Ranked 29th in “world’s most outstanding young universities” (Times Higher Education)
• Executive MBA Ranked #1 in Texas and #10 in USA (Financial Times)

• Boutique Consultancy with “User Experience” Methodology for tight communication links
  − Usability Assessments
  − Key Milestones
  − Customer Satisfaction
• Role on the Security Implementation:
  − Web Services (Inbound Integrations)
  − PeopleCode Role Rules
  − Outbound Integrations
  − App Engine Dynrole & Data Storage Solutions

• PeopleSoft 9.0/9.1
  − Enterprise Portal
  − FMS / SCM
  − HCM / Global Payroll
  − Campus Solutions
  − PeopleTools
  − Linux DB Server
  − NT Application Server/Web Server
• Oracle
  − Database
  − Business Intelligence Enterprise Edition
  − Higher Ed Constituency Hub
  − Identity Manager
• Server Technology
  − Linux DB
  − NT Application/Web
• SciQuest Higher Markets

• UT Dallas security model overview for business/student applications “computing cloud”
• UT Dallas critical control objectives:
  − Accessibility
  − Auditability
  − Administrative feasibility
• Functional/Technical Methods meeting control objectives
• Portal as single point of entry for security administration and computing cloud

• TECHNICAL/FUNCTIONAL: How do we secure it?
• USER EXPERIENCE: How do we maintain it?
• AUDITABILITY: How do we control and track changes?
• EFFICIENCY: How do we keep it clean?
• ADMINISTRATION: How can we AFFORD effective security and controls?

Situation
• Shared HCM/FMS Databases at UT System Domain
• UTD-Specific Portal/Campus Solutions
• Varied User Types
  − Technical (Developers/Batch IDs)
  − Functional (Super Users and Functional Processes)
  − Departmental (Campus-Based Department Users)
  − End-Users (Self Service)
  − Systems (Sys Adm / Integrations)
  − Other Campuses

Technical Challenges
• Campus-specific User IDs
• Campus-specific authentication services
• Campus-specific Portal Content
• Multiple EmplIDs for Campus & Shared HCM/FMS
• Campus-specific Row Security
• Campus-specific Process Schedules
• Campus-specific Primary Permissions
• Campus-specific Business Processes
• Campus-specific IT and Security Policies
• Campus-specific Dynamic Role Criteria

• Web Services: communicates between two electronic devices over the Internet
  − usually includes a “broker” that looks for web-based messages formatted in “XML” protocol
• Digital Certificate: brokers encryption keys using web services for Secure Socket Layer (SSL) communications over the server
• Lightweight Directory Access Protocol (LDAP): accesses and maintains distributed directories on web services
• LDAP Attributes: identifies attributes associated with an LDAP account that grant it access to various internet services

• User Profile: Defines PeopleSoft user accounts
• Roles: Identifies PeopleSoft object permissions for a user
• Permission lists: Grants access to PeopleSoft objects
• Dynamic roles: Assigns roles using programs and web services

• Security Model: UT Dallas’s conceptual model for securing its enterprise application systems within “the cloud”
• Golden Roles: Role-based (rather than access-based) roles.
  − These are the roles we centralized on the portal
• Role System Identifier: identifies systems to which the Golden Roles pertain
• Role Map: maps PeopleSoft roles to standard roles in hosted systems (i.e., SciQuest/OBIEE)
• Constituent Roles: sources roles from LDAP attributes

• Easy Signon - LDAP Authentication/Single Sign-on Across Domains
• Role-Based Roles = Assigned Duties “Desktop”
  − Single set of roles OR ability to map to a single set of roles across all systems in the computing cloud
  − Provisions standardized across all systems based on campus business process requirements
  − Permissions attached to roles within each database
• Auto-Provisioning – Access assigned based on users’ identifying information
  − (Employee…Applicant…Student…Alumni)

• Database Audit “Triggers” for role assignments
  − Writes ANY change to an audit table (Online or SQL updates)
  − Downside – on same database – looking at Oracle Governance, Risk, and Compliance Platform for this purpose
• LDAP data logged upon login
• Expired IDs archived before role removal
• Logon Logs archived before purged
• Access/Role assignment reports for entire cloud from Portal
• Electronic justification for Role-Based Access

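An added example, not part of the original presentation, of the audit-trigger approach on this slide: SQLite driven from Python stands in for the production database, and the table and trigger names are hypothetical. It shows triggers recording a role change regardless of how the SQL arrives, plus a check for triggers that went missing after an environment move.

```python
import sqlite3

# Hypothetical tables; SQLite stands in for the production database.
SCHEMA = """
CREATE TABLE role_user (userid TEXT, rolename TEXT, PRIMARY KEY (userid, rolename));
CREATE TABLE role_user_audit (
    audit_ts TEXT DEFAULT CURRENT_TIMESTAMP,
    action TEXT, userid TEXT, old_role TEXT, new_role TEXT);
CREATE TRIGGER role_user_aud_ins AFTER INSERT ON role_user BEGIN
    INSERT INTO role_user_audit (action, userid, new_role)
    VALUES ('A', NEW.userid, NEW.rolename);
END;
CREATE TRIGGER role_user_aud_upd AFTER UPDATE ON role_user BEGIN
    INSERT INTO role_user_audit (action, userid, old_role, new_role)
    VALUES ('C', NEW.userid, OLD.rolename, NEW.rolename);
END;
CREATE TRIGGER role_user_aud_del AFTER DELETE ON role_user BEGIN
    INSERT INTO role_user_audit (action, userid, old_role)
    VALUES ('D', OLD.userid, OLD.rolename);
END;
"""
EXPECTED_TRIGGERS = {"role_user_aud_ins", "role_user_aud_upd", "role_user_aud_del"}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def missing_triggers(db):
    """Audit triggers that should exist but do not, e.g. after tables were
    copied to another environment without rebuilding the triggers."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'trigger'")
    return EXPECTED_TRIGGERS - {name for (name,) in rows}

def audit_trail(db):
    return db.execute("SELECT action, userid, old_role, new_role "
                      "FROM role_user_audit ORDER BY rowid").fetchall()

def demo():
    db = open_db()
    # Constructed sample data: one grant as the application would issue it ...
    db.execute("INSERT INTO role_user VALUES (?, ?)", ("jdoe", "EMPLOYEE"))
    # ... and two direct SQL changes that bypass the application.
    db.execute("UPDATE role_user SET rolename = 'SEC_ADMIN' WHERE userid = 'jdoe'")
    db.execute("DELETE FROM role_user WHERE userid = 'jdoe'")
    return audit_trail(db)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because the audit table sits in the same database as the data it tracks, the privileges that allow a direct update also allow tampering with the trail, which is the downside the slide records.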
• Automate User Creation and Constituent (SS) Role Assignment at Signon
• Centralize Security Administration
• Single Task for Role Assignment Across the Cloud
• Row Security Roles
• Dynamic Role Assignment Based on Jobcode, Dept Mgr ID, Project Team, Chartfield Attributes, etc.
• Role Grant for Functional Roles
  − Extends administrative capabilities to functional security administrators

• User Creation/Updates with Signon PeopleCode
• Log Tables
• Multiple User Types using “ID Type Table”
• Role System Identifiers
• User Sync Messaging
• Dynamic Role Rules:
  − PeopleCode Role Rules with Web Services to access criteria in source systems
  − Query Rules - Criteria Inside Portal
• Custom AE Dynrole Process
• Sciquest Signon XML
• Portal Content Reference Links Dynamically assigned
• OBIEE SQL Access to Portal Database

1) LDAP Authentication (signon PeopleCode)
2) Creates User Profile
3) User Types = Different IDs
4) PeopleSoft SSO (cross-domain webserver alias)
[Diagram labels: Campus Solutions; Human Capital Management]

INITIAL PROVISIONING
[Diagram. Boxes: HCM; HECH - Person Data/Relationships; OIM - NetID & Email Address; LDAP - Access Attributes; Campus Solutions; Portal - Role Assignment; ROLE SYS ID; FMS - User Profiles/Constituent Roles; HCM - User Profiles/Constituent Roles; Campus Sol - User Profiles/Constituent Roles; OBIEE (Applicable Users/Roles)]

SECONDARY PROVISIONING
[Diagram. Boxes: HCM - Empl Status, JobCode Position, Dept, etc.; FMS - Chartfield Attribute, Project Team, etc.; CS - Prog/Plan Status, Class Instructor, etc.; Portal - Role Assignment; ROLE SYS ID; FMS - User Profiles/Constituent Roles; HCM - User Profiles/Constituent Roles; Campus Sol - User Profiles/Constituent Roles; OBIEE (Applicable Users/Roles); Request System: Manual Role & Row Sec Requests; WEB SERVICES]

• Clone user sync message for each system
• Correct EmplID for Correct System
• Uses Role System Identifiers to filter by target
• Sends manually and automatically assigned roles
• Sends changes to user profile locks, password changes, rowsecclass, and primary permissions

• LDAP Attributes mapped to “Constituent” Roles used for Self Service and assigned/updated during Signon
• Dynamic role assignment
  − Based on attributes in Psoft tables (Job Data, Student Data, Project Data, etc.)
  − Custom Web Services among systems deliver assignment criteria
• Dynamic role assignment customization -- ONLY updates when someone’s roles should be changed
• Large files with many changes are messaged to Portal, where dynamic role rules run

• Hourly on the half hour:
  − Job data refreshed from Job Record
• Hourly on the hour:
  − PeopleCode Rules with custom web services
  − Query Rules against Job Record/Role System IDs

• Required Users in Temp Table (as delivered)
• Identify required changes against RoleUser (mod)
• Assign only changes
• Trigger User Sync messages
• Routing based on Role System Identifier

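An added example, not the UT Dallas App Engine code, of the process on this slide: compare the required role set with the current one, apply only the differences, and build one sync message per target system using a Role System Identifier lookup. Role names, system identifiers and the message shape are hypothetical, and the current set is assumed to hold only dynamically assigned roles so that manual grants are never removed.

```python
from collections import defaultdict

# Hypothetical Role System Identifier table: role -> systems it pertains to.
ROLE_SYSTEMS = {
    "EMPLOYEE":     {"HCM", "FMS", "CS"},
    "DEPT_MANAGER": {"HCM", "FMS"},
    "INSTRUCTOR":   {"CS"},
}

# Constructed sample data: (user, role) pairs, dynamic assignments only.
CURRENT = {("jdoe", "EMPLOYEE"), ("jdoe", "DEPT_MANAGER"), ("asmith", "EMPLOYEE")}
REQUIRED = {("jdoe", "EMPLOYEE"), ("jdoe", "INSTRUCTOR"), ("asmith", "EMPLOYEE")}

def role_delta(required, current):
    """Return (to_add, to_remove); pairs present in both are left untouched."""
    return required - current, current - required

def route(to_add, to_remove, role_systems=ROLE_SYSTEMS):
    """Build one message per (system, user) holding only the changes for
    roles that pertain to that system."""
    msgs = defaultdict(lambda: {"add": set(), "remove": set()})
    unmapped = set()
    for action, pairs in (("add", to_add), ("remove", to_remove)):
        for user, role in pairs:
            systems = role_systems.get(role)
            if not systems:
                unmapped.add(role)  # no target known: report it, never broadcast
                continue
            for system in systems:
                msgs[(system, user)][action].add(role)
    return dict(msgs), unmapped

def sync(required, current):
    """Apply the delta and return (new_state, messages, unmapped_roles)."""
    to_add, to_remove = role_delta(required, current)
    messages, unmapped = route(to_add, to_remove)
    return (current | to_add) - to_remove, messages, unmapped

if __name__ == "__main__":
    state, messages, unmapped = sync(REQUIRED, CURRENT)
    for target, change in sorted(messages.items()):
        print(target, change)
```

With the sample data, only jdoe generates messages; asmith's unchanged role produces no write and no sync traffic.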
• PeopleSoft Roles Mapped to Sciquest Roles
• Employees are Shoppers
• Web Service to FMS Identifies Approvers and accessible Cost Centers
• XML sends User Info, SciQuest Role (functional access), Cost Centers (row access)
• Creates Sciquest User

• Dynamically assigned based on Role-System IDs
• Limits required security maintenance for Portal Content References
• Query rules inserted at signon and updated on the hour

• Universal interface utilizing standard XML SOA model
• Disparate systems working as one
• Powerful
• Flexible and scalable, secure and synchronous

• Beyond Single Sign On
• Disparate Applications working seamlessly
• External vs. Internal
• Bottom line that defines success
• SOA, Web Services, Cloud -- User does not have to know where they are, just WHAT THEY ARE DOING

• HECH/OIM Testing with the Model – no test Active Directory
• Load Testing Message Queues - User Sign-on vs. Dynamic Role
• Dynamic Role locks on User Profile
• Logging for Finding out
• PURGE the logs, app message queues, archive tables, audit tables, process scheduler
• Rebuild audit triggers when moving from one environment to another
• Timeouts across domains