A SECURITY MODEL THAT WORKS FOR YOU! SEPTEMBER 13, 2012 @2011 COPYRIGHT JERI HALE-UT DALLAS ALL RIGHTS RESERVED

Jeri Hale, University of Texas at Dallas
Director of IR Quality, Compliance, and Accessibility at UTD, with over 27 years of experience in security, internal controls, implementations, process design, business analysis, and development. Designed Security, Integrations, and HCM custom applications at UTD. Currently responsible for compliance reviews, audit coordination, and quality consulting for all enterprise applications.

Ben Dai, Tunabear Consulting, Inc.
Principal Consultant for Tunabear Consulting. Ben’s extensive PeopleSoft experience, along with MBA, CPA, and HUB certifications, gives him a unique perspective and insight. Under Ben’s direction and hands-on efforts, Tunabear developed many of the customizations and integrations needed for the security model.

• Enrollment: 17,800
• Among top ranked schools: management/geosciences & best value
• Ranked 29th in “world’s most outstanding young universities” (Times Higher Education)
• Executive MBA ranked #1 in Texas and #10 in USA (Financial Times)

• Boutique Consultancy with “User Experience” Methodology for tight communication links
  − Usability Assessments
  − Key Milestones
  − Customer Satisfaction
• Role on the Security Implementation:
  − Web Services (Inbound Integrations)
  − PeopleCode Role Rules
  − Outbound Integrations
  − App Engine Dynrole & Data Storage Solutions

PeopleSoft 9.0/9.1
− Enterprise Portal
− FMS / SCM
− HCM / Global Payroll
− Campus Solutions
− PeopleTools
− Linux DB Server
− NT Application Server/Web Server

Oracle
− Database
− Business Intelligence Enterprise Edition
− Higher Ed Constituency Hub
− Identity Manager

Server Technology
− Linux DB
− NT Application/Web

SciQuest Higher Markets

• UT Dallas security model overview for business/student applications "computing cloud"
• UT Dallas critical control objectives:
  − Accessibility
  − Auditability
  − Administrative feasibility
• Functional/Technical Methods meeting control objectives
• Portal as single point of entry for security administration and computing cloud

THE CHALLENGE

THE COMPUTING CLOUD

TECHNICAL/FUNCTIONAL How do we secure it?

USER EXPERIENCE How do we maintain it?

AUDITABILITY How do we control and track changes?

EFFICIENCY How do we keep it clean?

ADMINISTRATION How can we AFFORD effective security and controls?


Situation / Technical Challenges

• Shared HCM/FMS Databases at UT System Domain
  − Campus-specific User IDs
  − Campus-specific authentication services
  − Campus-specific Portal Content
• UTD-Specific Portal/Campus Solutions
  − Multiple EmplIDs for Campus & Shared HCM/FMS
• Varied User Types
  − Technical (Developers/Batch IDs)
  − Functional (Super Users and Functional Processes)
  − Departmental (Campus-Based Department Users)
  − End-Users (Self Service)
  − Systems (Sys Adm / Integrations)
  − Other Campuses
• Campus-specific Row Security
• Campus-specific Process Schedules
• Campus-specific Primary Permissions
• Campus-specific Business Processes
• Campus-specific IT and Security Policies
• Campus-specific Dynamic Role Criteria

THE SOLUTION

THE SECURITY MODEL

Web Services: communicates between two electronic devices over the Internet
• usually includes a “broker” that looks for web-based messages formatted in “XML” protocol

Digital Certificate: brokers encryption keys using web services for Secure Sockets Layer (SSL) communications over the server

Lightweight Directory Access Protocol (LDAP): accesses and maintains distributed directories on web services

LDAP Attributes: identifies attributes associated with an LDAP account that grant it access to various internet services

User Profile: Defines PeopleSoft user accounts

Roles: Identifies PeopleSoft object permissions for a user

Permission lists: Grants access to PeopleSoft objects

Dynamic roles: Assigns roles using programs and web services

Security Model: UT Dallas’s conceptual model for securing its enterprise application systems within “the cloud”

Golden Roles: Role-based (rather than access-based) roles.
• These are the roles we centralized on the portal

Role System Identifier: identifies systems to which the Golden Roles pertain

Role Map: maps PeopleSoft roles to standard roles in hosted systems (i.e., SciQuest/OBIEE)

Constituent Roles: sources roles from LDAP attributes

[Diagram: Security Model Design. Labels: Accessible, Auditable, Administratively Feasible]

Easy Signon - LDAP Authentication/Single Sign-on Across Domains

Role-Based Roles = Assigned Duties “Desktop”
• Single set of roles OR ability to map to a single set of roles across all systems in the computing cloud
• Provisions standardized across all systems based on campus business process requirements
• Permissions attached to roles within each database

Auto-Provisioning – Access assigned based on users’ identifying information
• (Employee…Applicant…Student…Alumni)

Database Audit “Triggers” for role assignments
• Writes ANY change to an audit table (Online or SQL updates)
• Downside – on same database – looking at Oracle Governance, Risk, and Compliance Platform for this purpose

LDAP data logged upon login

Expired IDs archived before role removal

Logon Logs archived before purged

Access/Role assignment reports for entire cloud from Portal

Electronic justification for Role-Based Access

Automate User Creation and Constituent (SS) Role Assignment at Signon

Centralize Security Administration
• Single Task for Role Assignment Across the Cloud
• Row Security Roles

Dynamic Role Assignment
• Based on Jobcode, Dept Mgr ID, Project Team, Chartfield Attributes, etc.

Role Grant for Functional Roles
• Extends administrative capabilities to functional security administrators

THE DETAILS

HOW WE DID IT

• User Creation/Updates with Signon PeopleCode
• Log Tables
• Multiple User Types using “ID Type Table”
• Role System Identifiers
• User Sync Messaging
• Dynamic Role Rules:
  − PeopleCode Role Rules with Web Services to access criteria in source systems
  − Query Rules - Criteria Inside Portal
• Custom AE Dynrole Process
• Sciquest Signon XML
• Portal Content Reference Links Dynamically assigned
• OBIEE SQL Access to Portal Database

1) LDAP Authentication (signon PeopleCode)

2) Creates User Profile

3) User Types = Different IDs

4) PeopleSoft SSO (cross-domain webserver alias)

[Diagram labels: Campus Solutions; Human Capital Management]

INITIAL PROVISIONING

[Diagram. Labels: HCM; HECH - Person Data/Relationships; OIM - NetID & Email Address; LDAP - Access Attributes; Campus Solutions; Portal - Role Assignment; ROLE SYS ID; FMS - User Profiles/Constituent Roles; HCM - User Profiles/Constituent Roles; Campus Sol – User Profiles/Constituent Roles; OBIEE (Applicable Users/Roles)]

SECONDARY PROVISIONING

[Diagram. Labels: HCM - Empl Status, JobCode, Position, Dept, etc.; FMS - Chartfield Attribute, Project Team, etc.; CS – Prog/Plan Status, Class Instructor, etc.; Request System: Manual Role & Row Sec Requests; WEB SERVICES; Portal - Role Assignment; ROLE SYS ID; FMS - User Profiles/Constituent Roles; HCM - User Profiles/Constituent Roles; Campus Sol – User Profiles/Constituent Roles; OBIEE (Applicable Users/Roles)]

• Clone user sync message for each system
• Correct EmplID for Correct System
• Uses Role System Identifiers to filter by target
• Sends manually and automatically assigned roles
• Sends changes to user profile locks, password changes, rowsecclass, and primary permissions

LDAP Attributes mapped to “Constituent” Roles used for Self Service and assigned/updated during Signon

Dynamic role assignment
− Based on attributes in Psoft tables (Job Data, Student Data, Project Data, etc.)
− Custom Web Services among systems deliver assignment criteria

Dynamic role assignment customization -- ONLY updates when someone’s roles should be changed

Large files with many changes are messaged to Portal, where dynamic role rules run

Hourly on the half hour:
• Job data refreshed from Job Record

Hourly on the hour:
• PeopleCode Rules with custom web services
• Query Rules against Job Record/Role System IDs

• Required Users in Temp Table (as delivered)
• Identify required changes against RoleUser (mod)
• Assign only changes
• Trigger User Sync messages
• Routing based on Role System Identifier
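
The change-only assignment and routing steps above, sketched as an added Python example; it is not the UTD/Tunabear code, which the slides describe as a custom App Engine process. Role names, user IDs, system codes, and the rule that manual grants are never removed by the dynamic rules are assumptions.

```python
from collections import defaultdict

# Constructed sample data: role names, user IDs and system codes are hypothetical.
ROLE_SYSTEM_IDS = {                      # role -> systems the role pertains to
    "UTD_EMPLOYEE": {"HCM", "FMS"},
    "UTD_SHOPPER": {"FMS"},
    "UTD_INSTRUCTOR": {"CS"},
}
SAMPLE_REQUIRED = {                      # rule output (the "temp table")
    ("jdoe", "UTD_EMPLOYEE"), ("jdoe", "UTD_SHOPPER"), ("asmith", "UTD_INSTRUCTOR"),
}
SAMPLE_CURRENT = {                       # existing grants: True = dynamic, False = manual
    ("jdoe", "UTD_EMPLOYEE"): True,
    ("asmith", "UTD_EMPLOYEE"): True,
    ("asmith", "UTD_SHOPPER"): False,
}

def role_delta(required, current):
    """Changes needed so dynamic grants match rule output; manual grants kept (assumption)."""
    adds = required - set(current)
    removes = {key for key, dynamic in current.items() if dynamic} - required
    return adds, removes

def route_sync_messages(adds, removes, role_system_ids=ROLE_SYSTEM_IDS):
    """Group the delta into one sync message per (target system, user)."""
    messages = defaultdict(lambda: {"add": [], "remove": []})
    unrouted = []  # roles with no Role System Identifier: surfaced, not dropped
    for action, pairs in (("add", adds), ("remove", removes)):
        for user, role in sorted(pairs):
            targets = role_system_ids.get(role)
            if not targets:
                unrouted.append((action, user, role))
                continue
            for system in sorted(targets):
                messages[(system, user)][action].append(role)
    return dict(messages), unrouted

def run_dynrole(required, current):
    """One pass: compute the delta, build audit rows, route the messages."""
    adds, removes = role_delta(required, current)
    audit = [("ADD", u, r) for u, r in sorted(adds)]
    audit += [("REMOVE", u, r) for u, r in sorted(removes)]
    messages, unrouted = route_sync_messages(adds, removes)
    return audit, messages, unrouted

if __name__ == "__main__":
    for row in run_dynrole(SAMPLE_REQUIRED, SAMPLE_CURRENT)[0]:
        print(row)
```

A user whose roles are unchanged produces no audit row and no sync message, which is what keeps the message queues small when the rules run hourly.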


• PeopleSoft Roles Mapped to Sciquest Roles
• Employees are Shoppers
• Web Service to FMS Identifies Approvers and accessible Cost Centers
• XML sends User Info, SciQuest Role (functional access), Cost Centers (row access)
• Creates Sciquest User

• Dynamically assigned based on Role-System IDs
• Limits required security maintenance for Portal Content References
• Query rules inserted at signon and updated on the hour

• Universal interface utilizing standard XML SOA model
• Disparate systems working as one
• Powerful
• Flexible and scalable, secure and synchronous

• Beyond Single Sign On
• Disparate Applications working seamlessly
• External vs. Internal
• Bottom line that defines success
• SOA, Web Services, Cloud -- User does not have to know where they are, just WHAT THEY ARE DOING

• HECH/OIM Testing with the Model – no test Active Directory
• Load Testing Message Queues - User Sign-on vs. Dynamic Role
• Dynamic Role locks on User Profile
• Logging for Finding out
• PURGE the logs, app message queues, archive tables, audit tables, process scheduler
• Rebuild audit triggers when move from one environment to another
• Timeouts across domains