TRANSCRIPT
Bridget-Anne Hampden | Nov. 2012
U.S. Department of Education
2012 Fall Conference
Enterprise Identity Management – Leveraging Participation Management (PM) to Provide Single Sign-On for COD
Session 29
Contents
• Current State
• Objectives of the Enterprise Identity Management Service (EIMS) Project – Phases 1 and 2
• Approach
• EIMS Target State
• Changes
• Important Dates
• Next Steps
• Questions
Current State: User Feedback
We Heard You Loud and Clear: Multiple log-ins for COD are frustrating and inefficient.
EIMS is a solution which allows a single user sign-on for COD and other FSA systems.
Current State
[Figure: one individual's access identities across FSA systems]
FSA Anchor Accounts: John.Doe@FSA, Larry.Brown@FSA, Linda.Green@FSA
FSA internally hosted systems (direct control over user accounts): NSLDS, CPS-FAA, COD, DMCS2, DLSS
FSA externally hosted systems (indirect control over user accounts): GA, NFP, PCA
Identities held by the single individual John Doe across these systems: JD123@FSA, JohnD@COD, JohnD2@COD, JohnD3@COD, JohnD@FSA, FAAJohnD@FSA, JDabc1@DMCS, EdJD2@DLSS, JDfsa1@GA1, JohnDfsa@GA2, JohnD@FSA, Jddebt@PCA
• Individuals have multiple access identities to internal FSA systems
• In some cases the same individual has multiple access identities in one system (Common Origination and Disbursement)
• Individuals have additional access identities to externally hosted FSA systems
• User account management is fragmented
• Inconsistent methods are used for authentication (application-specific credentials, personal identification numbers, etc.)
Objectives of EIMS Project Phases 1 and 2
Objective: To make registration and sign-on for users a more efficient process while still maintaining security for FSA systems by:
• Simplifying access to FSA systems with single (reduced) sign-on
• Creating a standardized solution supporting the entire user community and all business systems
• Removing Personally Identifiable Information (PII), such as the current use of Social Security Numbers (SSN) and Date of Birth from log-in
• Maintaining a consistent data security posture across all FSA systems
Approach
Step 1: Place all FSA systems behind a single authentication application (AIMS), e.g. National Student Loan Data System (NSLDS), eCampus-Based System (ECB), Central Processing System (CPS)
Step 2: Leverage the PM system for COD enrollments to provide privileged users a single FSA ID for COD
Step 3: Create non-identifiable standard user IDs and passwords for students and borrowers to access FSA systems
Step 4: Move from physical (hard) tokens to soft tokens
EIMS Target State
[Figure: Current State 2012 vs. Target State 2015]
Current State 2012: privileged users log in to FSA systems with multiple IDs (an FSA ID plus separate COD log-in IDs); non-privileged users log in to NSLDS, ECB, CPS, etc. with a PIN based on SS# and DOB.
Target State 2015: all users, privileged and non-privileged, log in to all systems with a single FSA ID.
• Create single sign-on
• Centralize provisioning
• Allow self-service
• Replace PII in log-in information
• Increase security
• Provide eSignature
EIMS Target State
[Figure: EIMS target state architecture]
User communities: Schools, Financial Partners, Department of Education, State Agencies, Service Providers, Federal Agencies, General Public & Applicants, FSA Employees, Borrowers.
FSA systems shown, under internal hosting (VDC) and external hosting: eZ-Audit, CDDTS, FMS, e-Campus Based, FPDM, FOTW, NSLDS, FAP, FAAA Website, eZ-Audit Datamart, DLSS, PEPS, FAFSA4CASTER, DMCS, CPS, DLCS, DMCS2, ERMS, COD, COD Data Archive, eMPN, PCA Systems, Servicer Systems.
Legend for the connection types in the figure: W Website, E ESB, S SAIG, I ITA.
Each application keeps its own application-specific (application-level) security. In front of them, the Enterprise Identity Management Service (EIMS) provides TFA, IPM, ACR-SSO, Identity Proofing, User Self-Service, FSA Identity Federation, Federated Identity Management, and Centralized Administration (e.g., Logging, Audit, Provisioning, Lockout Disablement). The design aligns with the National Strategy for Trusted Identities in Cyberspace (NSTIC) and Identity, Credential, and Access Management (ICAM).
Changes: COD online access
Current:
• Primary DPA enrolls users through COD for online access
• Users receive different log-ins for each school and profile
• Users need to log out to change schools or profile
• Users only have access to report structures created for a specific school or profile
Future:
• Primary DPA enrolls users through PM for COD online access
• Users receive 1 FSA log-in for all schools and profiles
• Users are able to change schools or profile without logging out
• Users have access to all report structures created for any school or profile
Changes: PM
Current:
• PM does not provision enrollments for COD online access
• Primary DPAs may need to enter user and enrollment information into multiple systems, COD and PM
• PM is not linked to AIMS for COD online access authentication
Future:
• PM will provision COD online access enrollments
• Primary DPA will only need to enter user and enrollment information into one system, PM, for COD, NSLDS, ECB, etc.
• PM will be linked to AIMS, which will provide COD online access authentication
Changes: The Transition Period
• During the transition period from the first week of March 2013 to the first week of May 2013:
  • Primary DPAs will need to enroll current COD online users in PM
  • Users will need to register in PM if they do not have an FSA ID (john.doe.fsa)
  • During this period, new COD online users will need to be enrolled in both systems
• After the first week of May, Primary DPAs will only be able to use PM to enroll COD online users
Changes: Summary of Required Actions

FSA ID users (current ID: john.doe.fsa)
• March – May: Primary DPA enrolls user for COD online access through PM

Existing COD Online Users
• March – May: Primary DPA enrolls user for COD online access through PM; user registers in PM and creates a profile

NEW COD Online Users
• March – May: Primary DPA enrolls user in both COD and PM; user registers in PM and creates a profile

Tokens (March – May), if you:
• Are using an FSA ID and token: no action needed
• Do not have a token: get a token and register it using the assigned FSA ID
• Are only using COD and a token: register the token using the FSA ID

After May 2013: FSA ID used to log in to COD online access
Changes: Privacy and Security Improvements
• FSA requires that all users accept their responsibilities regarding the use of FSA systems and information as is written in the Privacy Statement and the Rules of Behavior
• In addition, FISMA requires that FSA track this information and provide audit information as requested
• On a daily basis, users will be asked to accept both these statements when they first log in to COD
Changes: Annual Security Training Notification
• Users are required to complete an Annual Security Training
  • Provides an understanding of the security responsibilities associated with accessing FSA systems
  • Reminds users of their responsibilities to protect the information in FSA systems, especially the PII data of the students, borrowers, and users
  • Specifies certain activities as not allowed, such as the sharing of FSA IDs
• For the ten (10) days prior to expiration, users will be notified of the expiration of their security training when they log in to COD
• If the Annual Security Training is not complete, users will not be able to access COD
Changes: COD Enrollments and Log-in
[Flowchart: COD enrollment and log-in]
1. User registers in PM and receives FSA ID
2. User enters FSA ID and password to access COD
3. Privacy / ROB accepted and Security Training complete?
   • NO: user completes Annual Security Training
   • YES: user logged into COD
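The decision box in the flowchart above, worked as an added example (this is not FSA, AIMS, PM or EIMS code): a post-authentication gate for COD that applies the three rules the slides give once AIMS has verified the FSA ID and password. The record fields, function names, audit-line format and the reading of "annual" as 365 days are assumptions; the sample records and the date used in the scenarios are constructed for the example.

```python
"""Post-authentication access gate for the COD log-in flow (added example,
not FSA/AIMS/PM/EIMS code).  Assumes the password check has already been
done and encodes only the three rules the slides state for COD:
  1. Users accept the Privacy Statement and Rules of Behavior (ROB) on
     their first log-in of each calendar day.
  2. Annual Security Training must be current; a missing or expired
     record blocks access.  "Annual" is assumed to mean 365 days.
  3. For the ten days before training expires, users are warned at log-in.
Record fields, function names and the audit-line format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

TRAINING_VALIDITY = timedelta(days=365)  # assumption: "annual" = 365 days
WARNING_WINDOW_DAYS = 10                 # slides: ten (10) days prior to expiration


class Requirement(Enum):
    ACCEPT_PRIVACY_ROB = "accept the Privacy Statement and Rules of Behavior"
    COMPLETE_TRAINING = "complete the Annual Security Training"


@dataclass
class UserRecord:
    fsa_id: str                                     # e.g. john.doe.fsa
    privacy_rob_accepted_on: Optional[date] = None  # last day both statements were accepted
    training_completed_on: Optional[date] = None    # last Annual Security Training completion


@dataclass
class GateResult:
    granted: bool
    outstanding: List[Requirement] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)  # kept so FISMA audit requests can be answered


def training_expires_on(user: UserRecord) -> Optional[date]:
    """First day on which the user's training record is no longer valid."""
    if user.training_completed_on is None:
        return None
    return user.training_completed_on + TRAINING_VALIDITY


def evaluate_access(user: UserRecord, today: date) -> GateResult:
    """Decide whether an already-authenticated user may enter COD today."""
    result = GateResult(granted=False)

    def log(event: str) -> None:
        result.audit.append(f"{today.isoformat()} fsa_id={user.fsa_id} {event}")

    # Rule 1: acceptance is re-collected on the first log-in of each day.
    if user.privacy_rob_accepted_on != today:
        result.outstanding.append(Requirement.ACCEPT_PRIVACY_ROB)
        log("privacy_rob=not_accepted_today")
    # Rule 2: training must exist and must not have expired.
    expires = training_expires_on(user)
    if expires is None or today >= expires:
        result.outstanding.append(Requirement.COMPLETE_TRAINING)
        log("training=missing" if expires is None else f"training=expired_on_{expires.isoformat()}")
    else:
        # Rule 3: warn during the ten days before expiration.
        days_left = (expires - today).days
        if days_left <= WARNING_WINDOW_DAYS:
            result.warnings.append(f"Your Annual Security Training expires in {days_left} day(s), "
                                   f"on {expires.isoformat()}; COD access is blocked after that.")
            log(f"training=expiring_in_{days_left}d")
    result.granted = not result.outstanding
    log("access=granted" if result.granted else "access=denied")
    return result


def record_acceptance(user: UserRecord, today: date) -> None:
    """Called when the user accepts both statements on the log-in page."""
    user.privacy_rob_accepted_on = today


def run_scenarios() -> Dict[str, GateResult]:
    """Evaluate constructed sample records on one day (all data made up for the example)."""
    today = date(2013, 5, 6)  # constructed: first week of May 2013

    def user(accepted_on: Optional[date], trained_on: Optional[date]) -> UserRecord:
        return UserRecord("john.doe.fsa", accepted_on, trained_on)

    records = {
        "fresh": user(today, today - timedelta(days=100)),
        "outside_warning_window": user(today, today - timedelta(days=354)),  # 11 days left
        "expiring_soon": user(today, today - timedelta(days=360)),           # 5 days left
        "not_accepted_today": user(today - timedelta(days=1), today - timedelta(days=100)),
        "training_expired": user(today, today - timedelta(days=365)),        # expires today
        "never_trained": user(None, None),
    }
    results = {name: evaluate_access(rec, today) for name, rec in records.items()}
    # The "NO" branch of the flowchart: the user satisfies the requirement and is re-checked.
    late = records["not_accepted_today"]
    record_acceptance(late, today)
    results["after_acceptance"] = evaluate_access(late, today)
    return results


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        status = "GRANTED" if res.granted else "DENIED: " + ", ".join(r.value for r in res.outstanding)
        print(f"{name:24} {status}")
        for w in res.warnings:
            print(f"{'':24} warning: {w}")
```

The gate evaluates both requirements rather than stopping at the first failure, so a user who has neither accepted the statements nor completed training sees everything they must do in one pass, and every decision leaves an audit line regardless of outcome.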
Important Dates
• February 2013
  • Initial information available on IFAP website
• March 2013 – May 2013
  • Detailed instructions available on IFAP website
  • Primary Destination Point Administrators (DPA) enroll COD users in PM
  • COD users register and create a profile in PM to get a new FSA ID and Password
• First Week of May 2013
  • Single (reduced) sign-on for COD goes live!
Next Steps for EIMS
• Complete enhancements to PM
• Send out communications through IFAP (Feb/March/May)
• Implement new COD single (reduced) sign-on – COD Release 12.1, first week of May 2013
• Begin work on removing PII for non-privileged users – Late Fall 2014
• Perform feasibility testing with InCommon Federation
• Provide ongoing progress information through IFAP
QUESTIONS?