Implementing Infrastructure for the eUniversity
Art Vandenberg
Director
404-463-9601
Fred Przystas
Project Manager
404-463-9602
University System of Georgia Annual Computing Conference, October 25-27, 2000
Information Systems & Technology
Advanced Campus Services
Georgia State University
The “eUniversity”
Why the Rush? Why Do We Need It?
Why the Rush?
As universities continue to expand their customer base via the internet, they are reaching beyond their territory into YOUR territory.
Distance is no longer a barrier as a result of the internet and “Distance Learning.”
Playing “catch-up” is difficult given the rate at which technology and information are currently speeding along this virtual internet highway.
Why do we need the “eUniversity?”
Improve the quality of University Services
Reduction of Costs
Open New Avenues for Revenue
More sophisticated ways of doing business
Enhance collaborative research
Provide a campus portal for students to obtain various services
Major Areas of Focus
E-academics – enhanced technology learning and distance learning
E-research – promotes collaborative research and scholarly publishing
Major Areas of Focus
E-business – electronic administrative services, i.e., travel, purchasing, and supply
E-community – become a valued resource for the surrounding communities we serve by providing easy access to various online services such as GIL, G.L.O.B.E, and eCore
How do we get there?
Coordination – Project Planning
Cooperation – Inclusion of Stakeholders
Creativity – Funding and Resources
Consultation – Hire an outside group to examine what you have, and what you will need to implement the “eUniversity”
What Else Is Needed?
SECURITY
Public Key Infrastructure (PKI)
SAFE ENVIRONMENT
ENCRYPTED TRANSACTIONS
CERTIFICATE AUTHORITY
UNIVERSAL UNIQUE ID (UUID)
REGISTRATION AUTHORITY
TRUST
IDENTIFICATION
YOU NEED IT TO...
COMPETE & SURVIVE!
Public Key Infrastructure
– Confidentiality
– Integrity
– Authentication
– Non-repudiation
Components of PKI
– Security Policy
Defines Organization’s Top-Level Security
– Certificate Practice Statement (CPS)
Outlines Key Creation/Distribution and Certificate Issuance
Identifies Levels of Risk
Components of PKI
– Certificate Authority (CA)
Sets Expiration Dates for Digital Certificates
Tracks Certificate Revocation Lists (CRLs)
Issues Certificates binding identity of user or system to a public key with a Digital Signature (DS)
Components of PKI (Cont.)
– Registration Authority (RA)
Interface between User and CA
Authenticates Identity of User following Security Policies
Quality of Authentication sets level of trust placed on certificates issued
Components of PKI (Cont.)
– Certificate Distribution System
Directory Service
User Distributed
Enterprise PKI solution
Components of PKI (Cont.)
– PKI Enabled Applications
Web Servers and Browsers
E-mail
Electronic Data Interchange (EDI)
Credit card Transactions over the Internet
Virtual Private Networks (VPNs)
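The CA and RA roles listed above, as an added example that is not part of the original slides: a small in-memory CA written in Go on the standard crypto/x509 package. It does what the slides assign to a CA (sets expiration dates, tracks a CRL, issues a certificate binding an identity to a public key with the CA's digital signature) and then what a PKI-enabled application does with the result (chain building, validity period, revocation check). The CA name, subject name, lifetimes and the 24-hour CRL validity are assumptions; the RA step is represented only by the caller having vouched for the subject before Issue is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is an in-memory CA built for this example (names and lifetimes are assumptions).
type DemoPKI struct {
	key     *ecdsa.PrivateKey // stays inside the CA; an HSM holds it in production
	Cert    *x509.Certificate // the trust anchor relying parties install
	revoked []pkix.RevokedCertificate
	nextSN  int64
}

// signAndParse has the CA sign a template and returns the parsed certificate.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI creates a self-signed root CA allowed to sign certificates and CRLs.
func NewDemoPKI(name string, now time.Time) (*DemoPKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{key: key, Cert: cert, nextSN: 2}, nil
}

// Issue is the CA step: after the RA has vouched for the subject, bind that identity
// to the subject's public key with the CA signature and set an expiration date.
func (p *DemoPKI) Issue(subject string, pub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.nextSN), Subject: pkix.Name{CommonName: subject},
		NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	p.nextSN++
	return signAndParse(tmpl, p.Cert, pub, p.key)
}

// Revoke records a serial number; it takes effect when the next CRL is published.
func (p *DemoPKI) Revoke(cert *x509.Certificate, now time.Time) {
	p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: now})
}

// CRL publishes the revocation list, signed with the CA key and valid for 24 hours.
func (p *DemoPKI) CRL(now time.Time) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(int64(len(p.revoked) + 1)),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: p.revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Cert, p.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate is what a PKI-enabled application does with a presented certificate:
// chain it to the trusted CA at the current time, then consult a fresh, CA-signed CRL.
func Validate(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (bad signature or past NextUpdate): %v", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	pki, _ := NewDemoPKI("Demo Campus CA", now) // demo only: key generation error elided
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := pki.Issue("mikey@example.edu", &userKey.PublicKey, now, 365*24*time.Hour)
	crl, _ := pki.CRL(now)
	fmt.Println("chain and CRL check:", Validate(cert, pki.Cert, crl, now.Add(time.Hour)))
}
```

Validate refuses a CRL whose NextUpdate has passed instead of treating missing revocation data as "not revoked"; that is the fail-closed choice a relying party should make. The CA private key in this demo lives in process memory, which is exactly what the "tamper resistant security module" criterion later in the deck is meant to avoid.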
PKI Evaluation Considerations
– Flexibility
Interface with standard directory structures like Lightweight Directory Access Protocol (LDAP) and X.500 (DAP)
Allow users to request certificates via e-mail
Standard interfaces such as PKCS#11 to work with various security tokens (example: smart cards and hardware security modules (HSMs))
Automated RA, if needed
PKI Evaluation Considerations (Cont.)
– Ease of Use
Management of PKI should be simple and not require a technical background to manage
Interface should be graphical and intuitive
– Supports Security Policy
CA/RA should be able to reflect security policies of organization in certificate issuance
PKI Evaluation Considerations (Cont.)
– Scalability
Support for additional applications as they come online
Ability to add CAs and RAs as needed to support organizational growth
Ability to support increased numbers of certificates issued as the PKI grows
PKI Evaluation Considerations (Cont.)
– Interoperability
PKI should be built to the most common commercial standards
PKI should be completely open to allow for future integration as IT infrastructure grows
PKI needs to be interoperable globally
PKI Evaluation Considerations (Cont.)
– Security of CA and RA
CA/RA is the center of PKI and should be held in a tamper resistant security module
Backup copies are essential protection for disaster recovery
CA/RA system should have a secure audit trail that includes a time/date stamp and signature for each transaction
CA should be held to the highest commercial standard security
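The audit-trail criterion above (a time/date stamp and a signature for every transaction), as an added example that is not taken from the slides: a hash-chained, ECDSA-signed transaction log in Go, with a verifier that replays an exported copy and reports where it first fails. The log signing key, the entry layout and the sample action strings are assumptions made for this example; a deployment decides which component holds the key and where the trail is stored.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one record in the CA/RA transaction log: what happened, when,
// a link to the previous record, and the log key's signature over all of it.
type AuditEntry struct {
	Seq       int
	Timestamp time.Time
	Action    string // e.g. "CA: issued serial=2 subject=..." (constructed text)
	PrevHash  string // hex SHA-256 of the previous entry; "" for the first
	Hash      string // hex SHA-256 over seq|timestamp|action|prevHash
	Sig       []byte // ECDSA signature over the digest behind Hash
}

// AuditLog is an append-only, hash-chained log signed with its own key (assumed here).
type AuditLog struct {
	key     *ecdsa.PrivateKey
	entries []AuditEntry
}

func NewAuditLog() (*AuditLog, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuditLog{key: key}, nil
}

func (l *AuditLog) PublicKey() *ecdsa.PublicKey { return &l.key.PublicKey }

// Entries returns a copy, so holders of an export cannot alter the log in place.
func (l *AuditLog) Entries() []AuditEntry { return append([]AuditEntry(nil), l.entries...) }

// digest fixes the byte layout that is hashed and signed; UTC RFC 3339 keeps the stamp unambiguous.
func digest(seq int, ts time.Time, action, prev string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", seq, ts.UTC().Format(time.RFC3339Nano), action, prev)))
	return h[:]
}

// Append records one transaction with its time/date stamp and signature.
func (l *AuditLog) Append(action string, ts time.Time) (AuditEntry, error) {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	seq := len(l.entries) + 1
	d := digest(seq, ts, action, prev)
	sig, err := ecdsa.SignASN1(rand.Reader, l.key, d)
	if err != nil {
		return AuditEntry{}, err
	}
	e := AuditEntry{Seq: seq, Timestamp: ts, Action: action, PrevHash: prev, Hash: hex.EncodeToString(d), Sig: sig}
	l.entries = append(l.entries, e)
	return e, nil
}

// VerifyTrail replays an exported trail against the log's public key and returns how many
// entries checked out before the first problem: an edited record, a bad signature, a
// deleted or reordered entry, or a timestamp that runs backwards.
func VerifyTrail(entries []AuditEntry, pub *ecdsa.PublicKey) (int, error) {
	prev := ""
	var last time.Time
	for i, e := range entries {
		switch {
		case e.Seq != i+1:
			return i, fmt.Errorf("entry %d: sequence gap (got %d)", i+1, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: chain broken", e.Seq)
		case e.Timestamp.Before(last):
			return i, fmt.Errorf("entry %d: timestamp earlier than previous entry", e.Seq)
		}
		d := digest(e.Seq, e.Timestamp, e.Action, e.PrevHash)
		if hex.EncodeToString(d) != e.Hash {
			return i, fmt.Errorf("entry %d: content does not match recorded hash", e.Seq)
		}
		if !ecdsa.VerifyASN1(pub, d, e.Sig) {
			return i, fmt.Errorf("entry %d: signature invalid", e.Seq)
		}
		prev, last = e.Hash, e.Timestamp
	}
	return len(entries), nil
}

func main() {
	audit, _ := NewAuditLog() // demo only: key generation error elided
	t0 := time.Now()
	audit.Append("RA: identity verified for mikey@example.edu", t0)
	audit.Append("CA: issued serial=2 subject=mikey@example.edu", t0.Add(time.Second))
	trail := audit.Entries()
	trail[0].Action = "RA: identity verified for someone-else@example.edu" // edit the exported copy
	n, err := VerifyTrail(trail, audit.PublicKey())
	fmt.Println("entries verified before failure:", n, "error:", err)
}
```

The chain link means a record cannot be removed or reordered without the next record's PrevHash failing, and the signature means a record cannot be edited without the key; an auditor needs only the public key and the export to check both.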
WHAT ARE WE WAITING FOR?
LET’S LET MIKEY TRY IT FIRST…
Meet Mikey!
Taking Strategic Actions
Advanced Campus Services – CIO/Associate Provost Information Systems & Technology creates a strategic unit
Discovery of Resources – educating
Organizational Structure – enabling interaction
Performance Objectives – accomplishing goals
Advanced Campus Services – A Response to Ongoing Issues
CSO to LDAP directory conversion “in the queue” for several years
Authentication/authorization needs
Student email a campus pressure point
Audit findings call for account management
Data feeds, interfaces between application domains becoming increasingly complex
Advanced Campus Services – Establishing a Strategic IT Unit
ACS unit created February 2000
Charged to plan and develop actions for:
– University-wide directory services
– Public-private key infrastructure
– Universal email solutions
– Interfaces to one-card, library, other systems
“broad, coordinating role in the establishment of standards, methods and processes…”
Discovery of Resources – Educating
Aim is to find “best practices”
Research resources:
– Higher education groups
– Standards groups
– Industry analysts
– Application vendors
– Trade journals, News, Georgia Code...
Internet/Libraries/People!
Discovery of Resources (cont.)
Internet2 Middleware Initiative <http://www.internet2.edu/middleware/>
Higher Education “Middleware” services:
– Identifiers, directories, authentication, authorization
Overviews, conceptual framework, best practices, “LDAP recipe”
Extensive links to other sites
The Authoritative Hub for Higher Education
Discovery of Resources (cont.)
CREN <http://www.cren.net/>
“mission is to support higher education and research organizations with strategic IT knowledge services…”
TechTalk series – live audiocasts
Interviews with technology experts – real life scenarios
CREN Certificate Authority initiative
Discovery of Resources (cont.)
Federal PKI Technical Working Group <http://gits-sec.treas.gov/fpkitechwork.htm>
Providing leadership in public key and directory technology over last decade
Establishing models for interoperation
Addressing policy issues, cf. ACES
GTRI participated in Federal Bridge CA demonstration project
Discovery of Resources (cont.)
Net@Edu PKI for Networked Higher Education Working Group <http://www.educause.edu/netatedu/groups/pki/>
Sponsoring “a series of summit meetings”
eduPerson LDAP objectclass (with Internet2)
– attributes of a higher education person
USG Central Office personnel involved
Discovery of Resources (cont.)
The Burton Group <http://www.tbg.com/>
Network infrastructure strategy consultants
GSU subscribes to Network Strategy Service
Conducted seminars on directories (9/1999) and PKI (3/2000) for USG
TBG recommendations endorsed by ACIT
[FYI: Jamie Lewis, CEO, is GSU grad]
Discovery of Resources (cont.)
The GartnerGroup <http://gartner4.gartnerweb.com/public/static/home/home.html>
Industry consultant providing research highlights and analysis of industry trends
USG subscription
Decision Drivers service includes PKI model:
– 2,800 factors related to PKI vendor evaluation
– Tool facilitates collaborative definition of criteria
Discovery of Resources (cont.)
Internet Engineering Task Force (IETF) <http://www.ietf.org/>
– LDAP Specifications (RFCs 2251-2256)
Understanding and Deploying LDAP Directory Services, by Timothy Howes
– Author of LDAP while at U. Michigan
– Developed Netscape’s LDAP directory
– Text introduces directory architecture, addresses life-cycle deployment, and provides case studies
Discovery of Resources (cont.)
Directory Interoperability Forum <http://www.directoryforum.org/>
– Forum established 1999, then merged in July 2000 with...
The Open Group’s Directory Program <http://www.opengroup.org/directory/>
– “promotes open and interoperable directories based on open standards”
– Members: Cisco, HP, IBM, Microsoft, Netscape, Novell...
Universal Schema Reference <http://home.netscape.com/eng/server/directory/schema/>
– 150+ objectclasses, 600+ attributes...
Discovery of Resources (cont.)
SCT SUMMIT Conference for Banner Users <http://www.sctcorp.com/>
– SCT architectural strategy – includes LDAP
CUMREC Annual Conference <http://www.cumrec.com/>
– Directory, PKI sessions, networking (people)
Senate Bill 465 (Georgia Technology Authority) <http://www.state.ga.us/cgi-bin/pub/leg/legdoc?billname=1999/SB465&docpart=full>
– Legislation that includes commitment to digital signatures technology solutions
Discovery of Resources (cont.)
Chronicle of Higher Education <http://chronicle.com/index.htm>
Information Week <http://www.informationweek.com/newsflash/default.html>
ACM TechNews <http://www.acm.org/technews/current/homepage.html>
“eUniversity” news items:
– distance learning, online libraries, sharing research facilities, mobile users, ecommerce, virtual classrooms...
Organizational Structure – Enabling Interaction
ACS - 2 staff providing “broad coordinating role” to “advance the development of a university-wide consensus regarding directions and strategies.”
A goal is to foster interactions and encourage communication
Use IETF model - working groups convened to address specific task
Organizational Structure – Steering Group
CIO & his IT Directors representing:
– Networks, educational technology, library systems, administrative applications, strategic planning
Discussion and consensus process sets:
– Overall scope
– Task priorities
– Resource allocation
Liaison with University System & others
Organizational Structure – Data Stewards for GSU Person Working Group
Functional data stewards representing:
– Human resources, student systems, affiliates, library, alumni, and information technology
Reviewing eduPerson objectclass
Mapping data sources to LDAP attributes
Reconciliation & synchronization processes
Recommending policy
– cf. GSU Enterprise Directory Policy
Organizational Structure – LDAP Design Technical Working Group
Senior technical staff – Unix and Novell
Schema design technical issues
Implementation of the directory:
– Replication & synchronization
– Interfaces between directories
– Interoperability of clients
– Migration of existing “directory” apps – sendmail alias forwarding, dialin authorization, PPP access...
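The stewards' tasks in the preceding slide (mapping data sources to LDAP attributes, reconciliation, prime authority) and the design group's synchronization work, as an added example that is not the GSU implementation: a Go program that merges constructed HR and student-system records for one person into a single inetOrgPerson/eduPerson entry, reports value conflicts for a steward to review instead of silently overwriting, and emits LDIF for loading. The source names hr and sis, the per-attribute authority table and the primary-affiliation order are assumed policy; the attribute and objectclass names are the standard inetOrgPerson and eduPerson ones the slides refer to.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SourceRecord is one feed row for a person, already expressed in LDAP attribute
// names. The source names "hr" and "sis" are hypothetical.
type SourceRecord struct {
	Source string
	Attrs  map[string]string
	Affil  []string // eduPersonAffiliation values this system asserts
}

// authority is the stewards' reconciliation policy as assumed here: per attribute,
// the prime source first, then fallbacks consulted only when the prime has no value.
var authority = map[string][]string{
	"givenName":       {"hr", "sis"},
	"sn":              {"hr", "sis"},
	"mail":            {"sis", "hr"},
	"telephoneNumber": {"hr"},
}

// primaryOrder decides eduPersonPrimaryAffiliation when several apply (assumed policy).
var primaryOrder = []string{"faculty", "staff", "student", "member"}

type DirectoryEntry struct {
	DN    string
	Attrs map[string][]string
}

// Reconcile merges the feeds for one person into one entry and returns the
// attribute conflicts a steward should review.
func Reconcile(uid, domain string, feeds []SourceRecord) (DirectoryEntry, []string) {
	bySource := map[string]SourceRecord{}
	for _, f := range feeds {
		bySource[f.Source] = f
	}
	entry := DirectoryEntry{
		DN: fmt.Sprintf("uid=%s,ou=People,dc=%s", uid, strings.ReplaceAll(domain, ".", ",dc=")),
		Attrs: map[string][]string{
			"objectClass":            {"top", "person", "organizationalPerson", "inetOrgPerson", "eduPerson"},
			"uid":                    {uid},
			"eduPersonPrincipalName": {uid + "@" + domain},
		},
	}
	var conflicts []string
	for attr, order := range authority {
		chosen := ""
		for _, src := range order {
			v := bySource[src].Attrs[attr] // nil map lookup is safe in Go
			if v == "" {
				continue
			}
			if chosen == "" {
				chosen = v
				entry.Attrs[attr] = []string{v}
			} else if v != chosen {
				conflicts = append(conflicts, fmt.Sprintf("%s: prime value %q disagrees with %s=%q", attr, chosen, src, v))
			}
		}
	}
	sort.Strings(conflicts)
	// Affiliations are multi-valued: the union of what every source asserts.
	seen := map[string]bool{}
	for _, f := range feeds {
		for _, a := range f.Affil {
			if !seen[a] {
				seen[a] = true
				entry.Attrs["eduPersonAffiliation"] = append(entry.Attrs["eduPersonAffiliation"], a)
			}
		}
	}
	sort.Strings(entry.Attrs["eduPersonAffiliation"])
	for _, p := range primaryOrder {
		if seen[p] {
			entry.Attrs["eduPersonPrimaryAffiliation"] = []string{p}
			break
		}
	}
	if given, sn := entry.Attrs["givenName"], entry.Attrs["sn"]; len(given) > 0 && len(sn) > 0 {
		entry.Attrs["cn"] = []string{given[0] + " " + sn[0]} // person requires cn and sn
	}
	return entry, conflicts
}

// LDIF renders the entry for loading; attributes are sorted so exports diff cleanly.
func (e DirectoryEntry) LDIF() string {
	var b strings.Builder
	fmt.Fprintf(&b, "dn: %s\n", e.DN)
	names := make([]string, 0, len(e.Attrs))
	for n := range e.Attrs {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		for _, v := range e.Attrs[n] {
			fmt.Fprintf(&b, "%s: %s\n", n, v)
		}
	}
	return b.String()
}

// SampleFeeds are constructed records for one person known to both systems.
func SampleFeeds() []SourceRecord {
	return []SourceRecord{
		{Source: "hr", Attrs: map[string]string{"givenName": "Mikey", "sn": "Example", "telephoneNumber": "+1 404 555 0100"}, Affil: []string{"staff"}},
		{Source: "sis", Attrs: map[string]string{"givenName": "Michael", "sn": "Example", "mail": "mikey@example.edu"}, Affil: []string{"student", "member"}},
	}
}

func main() {
	entry, conflicts := Reconcile("mikey", "example.edu", SampleFeeds())
	fmt.Print(entry.LDIF())
	for _, c := range conflicts {
		fmt.Println("REVIEW:", c)
	}
}
```

The conflict list is the reconciliation output that matters to the stewards: here the two systems spell the given name differently, HR wins as prime authority, and the disagreement is reported rather than lost.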
Organizational Structure – Interactions with other groups
April 2000 – GSU, OIIT, GaTech re GartnerGroup Decision Drivers for PKI
June 2000 – “common directory” proposal becomes SURA response to I2 PKILabs RFP (not awarded but contacts good)
August 2000 – “common directory” proposal restated for Vice Chancellor OIIT
October 2000 – GSU, UGA, GIT, OIIT meet re LDAP directory implementation
Organizational Structure – Mutual Interest & Common Goals
Internet2 Middleware Initiative’s Goal: “The goal… is to assist in the creation of interoperable middleware infrastructures among the membership of Internet2 and related communities.
– 1. Make it happen...
– 2. Be an honest broker…
– 3. Integrate across applications...
– 4. Interoperate between campuses…”
“Let’s work together.” says Mikey.
Performance Objectives – Accomplishing Goals
March 2000 – ACS establishes broad objectives based on:
– The Burton Group recommendations
– Internet2 Middleware Initiative
– Existing GSU application needs
Expectation that as work proceeds, refinement of objectives will occur based on communication with and input of others
Performance Objectives (cont.)
White Paper 6/30/2000 – summarize issues for successful infrastructure deployment:
– Take strategic enterprise approach
– Use collaboration and communication
– Leverage existing initiatives in community of interest
Define PKI evaluation criteria 7/15/2000
– Ambitious, but GartnerGroup Decision Drivers a tool
– Refined to “First establish directory infrastructure…”
Performance Objectives (cont.)
Define GSU common directory 8/15/2000
– Of course this is ambitious, but you need a start
– Data Stewards WG met biweekly from June 2000
– ~35 core attributes mapped to data sources
– Reconciliation, prime authority issues being worked
Identify collaborative opportunities 8/15/2000
– Common Directory...SURA...USG Common Directory
– Internet2 BOF? SURA BOF? U. Alabama Birmingham?
“If you don’t ask, you can’t get it.”
Performance Objectives (cont.)
Draft policy and procedure for managing “GSU Person” 9/15/2000
– Purpose and guiding principles of stewardship
Version 1.0 policy and procedure for managing “GSU Person” 12/15/2000
– Finalize via campus review
– Documentation of identifiers, timing & synchronization for directory, information for administrative account management
Performance Objectives (cont.)
Identify directory infrastructure and PKI funding requirements & sources 12/15/2000
– Timing for FY 2001 year end and FY 2002
– Coordination with USG directory strategies
Establish account management for administrative applications 3/15/2001
– Each new person has accounts set up in timely manner
– I2-MI: “Identifiers, Authentication, and Directories: Best Practices for Higher Education” <http://middleware.internet2.edu/best-practices.html>
Conclusion
Advanced Campus Services is key to GSU strategic focus for enterprise directories
Full time focus on “broad coordinating role” essential to establishing collaboration and consensus development of solutions
Goal: provide a strategic, competitive advantage to the University System community.