TRANSCRIPT
Access and Identity Management System (AIMS)
Federal Student Aid
PESC Fall 2009 Data Summit
October 20, 2009
Balu Balasubramanyam
Contents
• Target State Vision
• Access and Identity Management System
  – Identity Management
  – Access Management
• FAA Access to CPS Online
• Active Confirmation
• Two-Factor Authentication
Target State Vision – Business View

[Diagram: capability map of the target state. Rows are the organizations served (General Public, Applicants, Borrowers; Schools; Lenders; Guaranty Agencies; State Agencies; Other External Partners; Department of Education / Federal Student Aid). Columns are the person life-cycle phases (Aid Awareness & Application, Aid Delivery, Institution Participation, Servicing, with sub-phases Aid Education, Submission, Eligibility, Repayment, Consolidation, Collections) and the organization phases (Application and Participation Management, Funding and Allocation, Origination and Disbursement, Servicing, Reporting).]

Capability groups: Identity and Access Management; Enterprise Analytics and Reporting; Enterprise Shared Services; Student Aid History Management; Financial Management; Partner Payment and Reporting Management; Integrated Partner Management; Common Services for Borrowers; Campus Based; Program Guidance & Information; Origination & Disbursement; Aid Awareness and Application.

Business functions placed on the map: Aid Awareness; Establish Person Record; Determine Aid Eligibility; Award and Disbursement Processing; School Aid Payments and Funding Level Management; Apply for Funding; CB Award Processing; Service Cancellations; Partner Eligibility and Enrollment; Partner Oversight; State Agency Funding; Guaranty Agency Payment and Reporting Administration; Lender Payment and Reporting Administration; Funds Management; Payables Management; Receivables Management; Financial Reporting; Recovery and Resolution; Consolidate Loans; Service Debts; Create and Publish Materials; Outreach for Partners; Training for Partners; Produce Enterprise Reports and Queries; Calculations and Reporting; Default Rate Processing; Manage IF Data; Monitor Aid Eligibility; Predictive Modeling; Fee Payment; Person Record Management Service; Organization Record Management Service; Integrated View Retrieval Service; Application Customer Service; Application Reporting and Analytics; O&D Customer Service; O&D Reporting and Analytics; CB Reporting and Analytics.

Identity and Access Management functions: Manage Security Environment; Manage Identity Community; Monitor Security Environment; Control Access to Systems and Resources.
Target State Vision – Technical View

[Diagram: Integrated Technical Architecture. Customers & Partners (Students, Borrowers, Applicants; Schools; Financial Partners; Department of Education; Federal Agencies; State Agencies; Service Providers) enter through the Portal / Gateway / Call Center layer. The Security Architecture and the Enterprise Service Bus sit between that layer and the Enterprise Applications/Services: Integrated Partner Management, Application, *Common Services for Borrowers, eCampus Based, Financial Management System, Information Framework, Person Record Management Service, and Origination and Disbursement.]
Access and Identity Management System
(AIMS)
Access and Identity Management System (AIMS)

AIMS provides a single integrated access and identity management framework that can be used by all business applications and infrastructure components for partner and employee/contractor users.

[Diagram: FSA and Trading Partners (School Users, School Servicers, Lenders, Guaranty Agencies, Collection Agencies, State & Federal Agencies, Accrediting Agencies, Auditors, Other Users) and FSA Users enroll through Integrated Partner Management, which manages trading partner eligibility, enrollment, and oversight. The FSA Security Architecture covers Enrollment, Identity Management, Access Management, Access, and Audit, and is built from access management tools, identity management tools, enterprise policy repositories, enterprise user repositories, and other related security components. Numbered arrows 1 through 4 show a user request passing through the Security Architecture to the FSA Target State Vision Systems and the System Response coming back.]
What is AIMS?
• AIMS provides a single, integrated authentication and authorization framework that can be used by all Federal Student Aid business applications and infrastructure components, including the Enterprise Portal and the ESB
• AIMS enables consistent Authentication, Authorization, and Accountability
  – Authentication: Who are you?
  – Authorization: What are you allowed to do?
  – Accountability: What did you do?
• AIMS will be the single authoritative source of identity management throughout Federal Student Aid: one user profile per person for all FSA-protected applications
AIMS Concept of Operations

Manage Security Environment
• Access Policies (Roles)
• Provisioning Policies
• User Policies
• Logging & Archive Policies
• Create System Identities
• Process Governance

Manage Identity Community
• Enroll to Apply
• Enroll as Administrator
• Enroll as User of Systems
• Enroll to Transmit Batches
• Provide Self-Service Tasks

Monitor Security Environment
• Security Audit Trails
• Security Exceptions
• User Audits
• Policy Compliance
• Policy Improvements

Manage Access to Systems & Resources
• Access On-Line Services
• Access Batch Services

Actors and systems shown: System Security Officers, Auditors and Security Management; All Users; Partner Systems (via the EDNET Gateway); Enterprise Applications (NSLDS, Portal, IPM, etc.).
AIMS Authentication

[Diagram: network zones and components. Public/Private Data Networks (Students, Schools, Financial Partners, Vendors, Federal Student Aid, Others) → Protocol Firewall at the FSA Enterprise Boundary → Demilitarized Zone holding the Reverse Proxy (Tivoli Access Manager WebSEAL) → Domain Firewall → Enterprise Zone holding the TAM Server (TAM Policy Server, TAM Authorization Server), the Tivoli Directory Server (User Registry), the Portal Application Server(s) and Portal Server(s) with Service Portlets and an Authorization Database, the ESB, the Federal Student Aid applications (COD, FMS, NSLDS, Other), and the TIM Server (SA RCS) with its TIM User Registry. Steps 1 through 5 are marked on the diagram.]

1. User enters a URL in the Web browser to access a Portal resource.
2. WebSEAL determines that the user is requesting a protected resource and prompts the user with a login page.
3. User submits the completed login page to WebSEAL.
4. WebSEAL connects to the Policy Server to validate the identity of the user against the User Registry.
5. WebSEAL uses the validated identity, creates a session ID for the user, and obtains a credential for the user.
AIMS Authorization

[Diagram: the same zones and components as the authentication slide, with steps 6 through 10 marked.]

6. The session ID and credential are stored in the WebSEAL session/credential cache.
7. WebSEAL passes the user's credential to the TAM authorization service, where it is compared against the access control lists (ACLs) and protected object policies (POPs) attached to the requested resource.
8. Upon authorization, WebSEAL forwards the user's request to the Portal.
9. The Service Portlet is invoked, passes the user's credential, and interacts with the back-office applications.
10. WebSEAL sends the response to the user, where the results are presented.
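The ten steps on the authentication and authorization slides, replayed as a small runnable model of a WebSEAL-style reverse proxy. This is an added illustration, not Federal Student Aid or IBM code: the user registry, the ACL and POP tables and the login events are constructed sample data, and the names Gateway, Credential, backend and step_up are assumptions chosen for the example. What it shows that the slides do not is the ordering that matters: the proxy challenges before it looks at anything else, it checks the ACL for the longest matching object prefix, then the POP on that object, and only then hands the request and a credential (never the password) to the application.

```python
"""Model of the WebSEAL reverse-proxy flow on the AIMS slides (steps 1-10).

Added example, not FSA or IBM code. USER_REGISTRY, ACLS and POPS are
constructed sample data; Gateway, Credential, backend and step_up are
assumed names for this illustration.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, groups: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt), "groups": groups}


# Constructed user registry (stands in for the Tivoli Directory Server).
USER_REGISTRY = {
    "faa_jdoe": _make_user("Corr3ct-Horse!", {"faa_users"}),
    "auditor1": _make_user("Aud1t-Pass!", {"auditors"}),
    "secadmin": _make_user("Adm1n-Pass!", {"security_admins"}),
}

# ACLs: the longest matching path prefix applies; the value is the set of
# groups permitted to reach objects under that prefix.
ACLS = {
    "/portal": {"faa_users", "auditors", "security_admins"},
    "/portal/nslds": {"faa_users"},
    "/portal/admin": {"security_admins"},
}

# POPs: conditions on the object itself, here a minimum authentication
# level (1 = password only, 2 = password plus a second factor).
POPS = {"/portal/admin": {"auth_level": 2}}


@dataclass
class Credential:
    user: str
    groups: set
    auth_level: int = 1


def backend(path: str, cred: Credential) -> str:
    """Stands in for the portal and its portlets (steps 9-10): it never sees
    the password and acts only on the credential the proxy hands it."""
    return f"{path} served for {cred.user} ({', '.join(sorted(cred.groups))})"


@dataclass
class Gateway:
    sessions: dict = field(default_factory=dict)  # session cache: id -> Credential
    audit: list = field(default_factory=list)     # accountability: what did you do?

    def login(self, user: str, password: str) -> Optional[str]:
        """Steps 3-6: check the login against the registry, then mint a
        session ID and cache a credential for it."""
        entry = USER_REGISTRY.get(user)
        # Hash even for unknown users so the failure path costs the same.
        digest = _hash_pw(password, entry["salt"] if entry else bytes(16))
        ok = entry is not None and hmac.compare_digest(digest, entry["hash"])
        self.audit.append(("login", user, "ok" if ok else "fail"))
        if not ok:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Credential(user, set(entry["groups"]))
        return sid

    def step_up(self, sid: str) -> None:
        """Raise a session to level 2 once a second factor has been verified
        (the verification itself is outside this example)."""
        self.sessions[sid].auth_level = 2

    @staticmethod
    def _match(table: dict, path: str) -> Optional[str]:
        best = None
        for prefix in table:
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best):
                    best = prefix
        return best

    def request(self, path: str, sid: Optional[str] = None) -> tuple:
        """Steps 1-2 and 7-10: intercept, challenge if unauthenticated,
        authorize against ACL then POP, then forward."""
        cred = self.sessions.get(sid)
        if cred is None:
            return (401, "login page")                        # step 2
        acl = self._match(ACLS, path)
        if acl is None or not (cred.groups & ACLS[acl]):
            self.audit.append(("deny-acl", cred.user, path))
            return (403, "denied by ACL")                     # step 7
        pop = self._match(POPS, path)
        if pop and cred.auth_level < POPS[pop]["auth_level"]:
            self.audit.append(("deny-pop", cred.user, path))
            return (403, "step-up authentication required")   # step 7
        self.audit.append(("allow", cred.user, path))
        return (200, backend(path, cred))                     # steps 8-10
```

Step 9 is where such deployments go wrong in practice: the portlet trusts whatever identity the proxy asserts, so the portal and application servers must be reachable only through WebSEAL (the Domain Firewall in the diagram). A client that can reach them directly can present any identity it likes, and no ACL or POP on the proxy will be consulted.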
FAA Access to CPS Online
FAA Access to CPS Online Login

Goal: enhance the current access method to limit the use of Personally Identifiable Information (PII) at login.
• First Time Registration
• CPS Online Login

Old FAA Access to CPS Online Login
Old: enter SSN, the first two letters of the last name, DOB, and PIN on the FAA Access to CPS Online login page to access the application.

Enrollment for FAA Access to CPS
1. Entry of personal information in SAIG, for verification
2. Enter credential information in AIMS
3. Confirmation of data entry
4. Acknowledgement of successful registration

FAA Access to CPS Online Login
New: enter User ID and password on the FAA Access to CPS Online login page to access the application.
http://faaacess.ed.gov
Password Policies

Password Policy
• Expires every 90 days
• Complex alpha-numeric passwords
• Answer challenge questions to reset the password

Password Lockout
• 3 unsuccessful login attempts
• Login disabled for 30 minutes
• The "Forgot Password" application can still be used
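The policy above, written out as login logic and replayed over a few constructed login events. This is an added example, not Federal Student Aid code: the 90-day expiry, the three-attempt threshold and the 30-minute lockout are the slide's numbers; the minimum length of 8, the LoginService and Account names and the sample events are assumptions. The point worth seeing in code is the interaction of the two rules: a correct password during the lockout is still refused, while the challenge-question reset deliberately ignores the lockout, as the slide says.

```python
"""Password policy and lockout behaviour from the FAA Access to CPS Online
slide. Added example, not FSA code; thresholds from the slide, MIN_LEN,
class names and the constructed events are assumptions.
"""
import hmac
import re
from datetime import datetime, timedelta

MAX_FAILURES = 3                  # "3 unsuccessful login attempts"
LOCKOUT = timedelta(minutes=30)   # "Login disabled for 30 minutes"
MAX_AGE = timedelta(days=90)      # "Expires every 90 days"
MIN_LEN = 8                       # assumption; the slide gives no length


def password_complex(pw: str) -> bool:
    """Assumed reading of 'complex alpha-numeric': length, upper, lower, digit."""
    return all(bool(c) for c in (
        len(pw) >= MIN_LEN,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"[0-9]", pw),
    ))


def password_expired(set_at: str, now: str) -> bool:
    """Both arguments are ISO-8601 timestamps."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(set_at) >= MAX_AGE


class Account:
    def __init__(self, password, challenge, set_at):
        self.password = password     # plaintext only because this is a model
        self.challenge = challenge   # question -> expected answer
        self.set_at = set_at
        self.failures = 0
        self.locked_until = None


class LoginService:
    def __init__(self):
        self.accounts = {}

    def add_account(self, user, password, challenge, set_at):
        self.accounts[user] = Account(password, challenge, set_at)

    def login(self, user: str, password: str, at: str) -> str:
        """Returns 'ok', 'expired', 'fail' or 'locked'."""
        acct = self.accounts[user]
        now = datetime.fromisoformat(at)
        if acct.locked_until and now < acct.locked_until:
            return "locked"          # even a correct password is refused
        if hmac.compare_digest(password, acct.password):
            acct.failures = 0
            return "expired" if password_expired(acct.set_at, at) else "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT
            return "locked"
        return "fail"

    def forgot_password(self, user, answers: dict, new_password: str, at: str) -> str:
        """Challenge-question reset; deliberately does not consult the
        lockout, matching the slide's 'can still use Forgot Password'."""
        acct = self.accounts[user]
        good = len(answers) == len(acct.challenge) and all(
            hmac.compare_digest(acct.challenge.get(q, ""), a)
            for q, a in answers.items())
        if not good:
            return "bad-answers"
        if not password_complex(new_password):
            return "weak"
        acct.password, acct.set_at = new_password, at
        acct.failures, acct.locked_until = 0, None
        return "reset"


# Constructed login events: (timestamp, user, password tried).
CONSTRUCTED_EVENTS = [
    ("2009-10-20T09:00:00", "jdoe", "guess1"),
    ("2009-10-20T09:00:10", "jdoe", "guess2"),
    ("2009-10-20T09:00:20", "jdoe", "guess3"),       # third failure: locked
    ("2009-10-20T09:05:00", "jdoe", "Right-Pass9"),  # correct, but still locked
    ("2009-10-20T09:31:00", "jdoe", "Right-Pass9"),  # lockout expired
]


def replay(events=CONSTRUCTED_EVENTS) -> list:
    svc = LoginService()
    svc.add_account("jdoe", "Right-Pass9", {"city": "Denver"}, "2009-09-01T00:00:00")
    return [svc.login(u, p, t) for t, u, p in events]
```

Because the reset path bypasses the lockout, the strength of the challenge answers becomes the effective limit on an attacker who has already burned the three password attempts; the reset should be rate-limited and audited on its own.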
Active Confirmation

What is Active Confirmation?
• Active confirmation is the process of a Designated Point Administrator (DPA) reviewing users' access privileges on an established time schedule and confirming those users' privileges. This helps ensure an up-to-date and secure environment for system access.
• Federal Student Aid DPAs will be required to review their list of users who access Federal Student Aid systems and confirm that each individual continues to be a valid user. This will be done on a periodic basis.

"Active Confirmation" Process

The DPA Roster
• Provides a list of employees that currently possess TG numbers
• Requires validation or deletion of the TG numbers assigned to your organization in the SAIG Enrollment Web site

The FAA Roster
• Provides a list of employees at your organization who are currently enrolled for access to FAA Access to CPS Online services
• Requires validation or deletion of the FAA users assigned to your organization in the SAIG Enrollment Web site
Two-Factor Authentication
T-FA Implementation Objectives
Federal Student Aid is implementing Two-Factor Authentication (T-FA) for privileged users who access Federal Student Aid systems from the Internet, to enhance the security of its information systems.

What is Two-Factor Authentication?
Two-Factor Authentication (T-FA) uses two pieces of information obtained by two different methods to authenticate a person's identity. Authentication factors are generally classified into three categories:

Something the user has
• ID card, security token, software token, phone, or cell phone
Something the user knows
• password, pass phrase, or personal identification number
Something the user is
• fingerprint or retinal pattern, voice recognition, or another biometric identifier

Two-Factor Authentication requires the use of solutions from two of the three categories of factors; two items from the same category (for example a password and a PIN) do not count.
T-FA Technologies
Some of the common technologies used as the second authentication factor, in concert with a User ID and password, include:
• Hardware Tokens - generate a constantly changing one-time password to enable authentication.
• Software Tokens on PCs - enable authentication with the computer as the second-factor authenticator.
• Software Tokens on Mobile Devices - allow authentication from smart phones and PDAs.
• Smart Cards - enable authentication as well as physical access.
• USB Tokens - enable authentication without the need to key in a token code (can be plugged into a standard USB port).
• Biometric Devices - enable authentication according to the physical characteristics of a user (fingerprint and retina scans).
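How the "constantly changing one-time password" of a hardware or software token is produced and checked, as an added example that is not part of the presentation and not Federal Student Aid code. The slides do not say which token product FSA chose; the code below uses the standardized OATH algorithms (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238) that many hardware and software tokens implement, keyed with the RFC test-vector secret so the results can be checked against the published values. The TokenVerifier class and its replay rule are assumptions showing what a server must add on top of the bare algorithm.

```python
"""OATH one-time passwords (RFC 4226 HOTP / RFC 6238 TOTP) and a verifier.

Added example, not FSA code. SECRET below is the RFC test-vector key;
TokenVerifier and its replay rule are assumptions for this illustration.
"""
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TokenVerifier:
    """Server side of the exchange. Accepts a code from the current step or
    one step either side (clock drift), compares in constant time, and never
    accepts a step at or below the last one used for that user, so a code
    captured in transit cannot be replayed inside the window."""

    def __init__(self, window: int = 1):
        self.window = window
        self.last_step = {}   # user -> last accepted counter

    def check(self, user: str, secret: bytes, code: str, at: int) -> bool:
        current = at // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_step.get(user, -1):
                continue                       # already consumed: replay
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_step[user] = counter
                return True
        return False


# RFC test-vector secret, used here only so the values can be checked.
SECRET = b"12345678901234567890"
```

The per-user last-accepted step is the part most home-grown verifiers omit; without it, a one-time password is valid for the whole acceptance window (90 seconds here), which is long enough to replay a phished code.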