federal student aid technical architecture initiatives james mcmahon ganesh reddy u.s. department of...
TRANSCRIPT
Federal Student Aid Technical Architecture
Initiatives
James McMahon Ganesh Reddy
U.S. Department of Education
Session T-03
2
Person Record Management System and
PIN Re-engineering
James McMahon
3
Gathering and Using Person Data
CPS
• Create or
• Update• Create or• Update
• Create or
• Update
• Create Or Update
PIN
COD
DLCS
NSLDS
Aid Awareness and Application
Aid DeliveryServicing/
Consolidation
DMCS
DLSS
• (DL, FFEL and • Perkins)
4
Why Person Data Management?
• No single version of the “truth” for a customer account
• Disparate systems developed with duplicative and conflicting information about applicants and recipients
• Different system keys for identifying individuals
• Use of the SSN in authentication and customer identification
5
Why Person Data Management? (cont’d)
• Difficulty in developing single picture of customer data
• Comingling of authentication and demographic functions
• Lack of integration with enterprise security architecture
• No flexibility in interfacing with authenticated and unauthenticated users
6
What will Person Data Management do?
• Deploy a new paradigm for person data management via a shared service at the enterprise level that all business applications can use
• Improve data quality for person data throughout the Student Aid Lifecycle
• Enable increased tracking and reporting capabilities for program integrity and program oversight
• Enable the Integrated Student View, Single Sign-On, and additional streamlining initiatives
• Provide infrastructure to allow for elimination of use of SSN as key identifier in Federal Student Aid systems
7
What is the Person Data Management Program?
• Person Data Management (PDM) is primarily comprised of two major projects:– The Person Record Management Service
(PRMS)– A re-engineering of the current PIN
solution
8
What is PRMS?• PRMS will be the master record for Federal
Student Aid of an applicant or recipient’s demographic information
• PRMS will be an enterprise shared service using a publish and subscribe model following Service-Oriented Architecture principles
• Legacy applications will transition to use of the PRMS in a phased manner
9
What is PRMS? (cont’d)• Will provide an enterprise account number (FAN =
FSA Account Number) for persons: – Creates a unique identifier as the enterprise
identifier– Protects the person’s identity– Passes the new identifier to other systems– Allows people interacting with Federal Student
Aid systems to not use personal identifying information to access detailed information
• Helps in resolving data quality issues• Maintains history of person data• Acts as the master source/location of person data
where it is maintained and shared with other internal systems
1010
Conceptual Diagram of PRMS
Conceptual Depiction
Person Data Providers
Borrower Services
Enterprise Portal
Person Record Management Service Solution
Business Capabilities
Student Aid History Management (Information Framework)
Origination & Disbursement
Federal Student Aid Functional Areas Using Person Data
• Person Master Record Management Service• Enrollment/Profile Update Services• Synchronization Services• Look up Services• Audit Trail
• Pre-Applicants • Applicants• Students• Parents• Borrowers• Endorsers
Person Data Consumers
• Employees
Integrated Views
• Integrated views• Queries• Data look-up• Standard and Ad-
hoc reports
CPSPINNSLDSCODDLCSDLSSDMCSCDDTSSAOTW
CPSPINNSLDSCODODSDLCSDLSSDMCSCDDTSSAOTWOmbudsman
Application
Ombudsman
Person Data Providers
Borrower Services
Enterprise Portal
Person Record Management Service Solution
Business Capabilities
Student Aid History Management (Information Framework)
Origination & Disbursement
Federal Student Aid Functional Areas Using Person Data
• Person Master Record Management Service• Enrollment/Profile Update Services• Synchronization Services• Look up Services• Audit Trail
• Pre-Applicants • Applicants• Students• Parents• Borrowers• Endorsers
Person Data Consumers
• Employees
Integrated Views
• Integrated views• Queries• Data look-up• Standard and Ad-
hoc reports
CPSPINNSLDSCODDLCSDLSSDMCSCDDTSSAOTW
CPSPINNSLDSCODODSDLCSDLSSDMCSCDDTSSAOTWOmbudsman
Application
Ombudsman
11
What is PIN Re-engineering?• A re-engineered PIN solution will:
• Separate person demographic and authentication information and the functions associated
• Introduce an enterprise approach to use of user ID and password
• Strengthen the authentication credential (PIN)
• Integrate the authentication function with Federal Student Aid ’s enterprise security architecture solution
12
Conceptual Diagram of Re-engineered PIN
PRMS - Person DirectoryBusiness Capabilities
•Register users of citizen-facing systems•Manage user directory•Integrate with PRMS Person Data Hub•Provision credentials•Authenticate users•Validate PIN*•Implement EAM policies and processes
PRMS - Person DirectoryBusiness Capabilities
•Register users of citizen-facing systems•Manage user directory•Integrate with PRMS Person Data Hub•Provision credentials•Authenticate users•Validate PIN*•Implement EAM policies and processes
•Pre-Applicants•Applicants•Students•Parents•Borrowers
• Register to obtain access to systems
Student Authentication Network (STAN)Provide PIN* validation service to:
•Lenders•Guarantors•Schools
Student Authentication Network (STAN)Provide PIN* validation service to:
•Lenders•Guarantors•Schools
•Authenticate users
•Validate e-signature (PIN*)
•Use a Federal Student Aid system
•Electronically sign a document
Person Directory•User ID•Password•PIN*•FAN
Person Directory•User ID•Password•PIN*•FAN
Person Data Hub•FAN•Name•Address•Contact and PII
Person Data Hub•FAN•Name•Address•Contact and PII
Federal Student Aid systems using e-signature•eMPN•CPS•DLCS
Federal Student Aid systems using e-signature•eMPN•CPS•DLCS
Federal Student Aid’s citizen-facing systems•Student Aid on the Web•FAFSA on the Web•DLSS•NSLDS•Enterprise Portal
Federal Student Aid’s citizen-facing systems•Student Aid on the Web•FAFSA on the Web•DLSS•NSLDS•Enterprise Portal
* PIN functionality remains throughout transition period to Person Directory
13
PDM Solution(s) Conceptual Architecture
Person Data Hub will be the new master data management solution for person data for identity (e.g., SSN, name, DOB) and demographic data (e.g., address, email address)
Person Directory will store a copy of authentication information.
The PDM solution includes two databases: Person Data Hub and the Person Directory:
14
Questions?
15
Ganesh Reddy
Virtual Keyboard, Two Factor Authentication
and Active Confirmation
16
Tactical Improvements to IT Security
Quick fixes and high impact improvements that can be implemented in a short timeframe to enhance the IT security
Virtual Keyboard• Implement technologies appropriate for Federal Student Aid
that evade potential "key logging"
Two-Factor Authentication (T-FA)• Implement Two-Factor Authentication solution for privileged
users to access National Student Loan Data System (NSLDS) from internet
Active Confirmation• Assess current state of access controls for partners and
deploy an “active confirmation” process
17
Virtual Keyboard
18
Keylogging – Virtual Keyboard
Keylogging (Keystroke logging) is a method of capturing and recording user keystrokes. Some of the common technologies used to evade keylogging include:
Anti-spyware Monitoring what programs are running Firewall Network Monitors Automatic form filler programs Alternative keyboard layouts One-time passwords Smartcards Virtual keyboards
Virtual keyboards are provided on the application login page and do not require end users to acquire additional software
19
Keylogging – Virtual Keyboard
20
Keylogging – Virtual Keyboard (cont’d)
21
Keylogging – Virtual Keyboard at Federal Student Aid
22
Federal Student Aid Virtual Keyboard FeaturesVirtual keyboards are provided on the Security Architecture (SA) login page and do not
require end users to acquire additional software. Some of the features of Federal Student Aid Virtual Keyboard include:
Highly effective in evading “Key Logging” Widely used by many financial institutions Least expensive technology to deploy (even for 50 million users) Does not require any new hardware or software on client machines Does not require any changes to the applications Available to all applications that use SA Works in conjunction with the existing keyboard Usage is optional but can be made mandatory based on security
policy Keys can entered by mouse click or by leaving mouse on the key
for 2 seconds Virtual keyboard randomly shifts on the screen Supports multiple keyboard layouts (US and Dvork)
23
Two-Factor Authentication
24
What is Two-Factor Authentication?Two-Factor Authentication (T-FA) uses two pieces of information and processes (two different methods) to authenticate a person's identity for security purposes. Authentication factors are generally classified into three categories:
Something the user has
• ID card, security token, software token, phone, or cell phone Something the user knows
• password, pass phrase, or personal identification number Something the user is
• fingerprint or retinal pattern, voice recognition, or another biometric identifier
Two-Factor Authentication requires the use of solutions from two of the three categories of factors.
25
T-FA Implementation ApproachEvaluate and select software for T-FA that can be incorporated quickly into Federal Student Aid security architecture.
The product selected will be Federal Student Aid’s (interim) enterprise standard for implementing T-FA and may be used with many of Federal Student Aid’s online applications.
The initial installation will likely be for the NSLDS application access for employees and contractors. In the future, T-FA will be added to other applications with PII data.
The T-FA application would control the request for a second factor for authentication and only make the request when the employee or contractor is accessing the application from outside of EDUCATE, the Department’s network. The future capability may include other trading partners, such as schools and financial partners.
The T-FA tool should work seamlessly with Federal Student Aid security architecture and applications.
26
T-FA Implementation Milestones
Implement Two-Factor Authentication (T-FA) for privileged users to access Federal Student Aid systems from internet, coming from outside of the EDUCATE network
Complete evaluation of Two-Factor Authentication technologies
Develop a Web Service to initiate T-FA challenge after standard application login
Coordinate with NSLDS team to integrate T-FA into its web login process
Conduct a product evaluation to select a T-FA tool for employees and contractors accessing NSLDS from internet
27
T-FA Technologies
Some of the common technologies used as the second factor authentication in concert with UserID and Password include:
Hardware Tokens - generate a constantly changing one-time password to enable authentication.
Software Tokens on PCs - enable authentication with computer as second factor authenticator.
Software Tokens on Mobile Devices - allow authentication from smart phones and PDAs.
Smart Cards - enable authentication as well as of physical access.
USB Tokens - enable authentication without the need to key in a token code (can be plugged into a standard USB port).
Biometric Devices - enable authentication according to the physical characteristics of a user (fingerprint and retina scans).
28
T-FA Requirements
The Two-Factor Authentication (T-FA) tool evaluation and selection is based on the following requirements categories:
1. Client-Side Software and Tokens
2. Server Environment
3. Security
4. Performance and Scalability
5. User Experience
6. Vender Support
7. Cost
29
T-FA Evaluation FactorsTwo-Factor Authentication solution or tool should: 1. Be reliable, scalable, and available, and meet sub-second performance standards
2. Be compatible and interoperable with Federal Student Aid Technology and Policy Standards
3. Seamlessly integrate with existing Federal Student Aid architectures and infrastructure
4. Support web applications and should not require client-side software
5. Be compliant with NIST, FIPS and other federal T-FA standards
6. Have well documented APIs, implementation and configuration procedures
7. Have ongoing operations and maintenance product support
8. Be based on mature technology and should be commercially available with a broad installed market base
30
Identity Protection (IP) Services
31
Active Confirmation
32
What is Active Confirmation?• Active confirmation is the process of a Designated Point
Administrator (DPA) reviewing users' access privileges on a establish time schedule and confirming these users' privileges. This will help ensure an updated and secure environment for system accessibility.
• The Federal Student Aid DPAs will be required to review their list of users who access Federal Student Aid systems and confirm that each individual continues to be a valid user. This will be done on a periodic basis.
33
“Active Confirmation” Process• Assess current state of access controls for partners and
determine feasibility of deploying an “active confirmation” process. Entities will be routinely asked to review their list of users with access to Federal Student Aid systems and confirm that each individual continues to be a valid user on his/her behalf.
• Internal Review Team performed a high level assessment and provided recommendations to determine feasibility of deploying an “active confirmation” process for NSLDS, CPS, DMCS, and COD
• The foundation for active confirmation exists in current state user management processes within NSLDS, CPS, and DMCS
• Enterprise Access Management group will review the recommendations and determine the feasibility of deploying an “active confirmation” process
34
Questions?
35
Contact Information
We appreciate your feedback and comments. We can be reached at: