UofA Remote Access Proposal for High Risk Access to PeopleSoft
April 2006

The purpose of this proposal is to describe the steps necessary to ensure that users accessing PeopleSoft and related systems remotely have an appropriate level of network, user and desktop security. Due to the sensitivity of some access levels to PeopleSoft and the increasing ease of remote access, the need for determining policy and procedure for accessing PeopleSoft from non-University secure locations is paramount.

What we are trying to protect is data from financial, personnel and student systems. While much of this data is publicly available, unauthorized access, change or disclosure of portions of this data could cause significant reputational and financial losses to the University.

There are several groups that access University data. Each of these groups requires a different level of access to the PeopleSoft applications and therefore has a different set of rules. The groups that have access to the highly sensitive data, to either view and/or update it, are typically from the central departments that support these systems. They include: Human Resources, Financial Services, Supply Management Services, Registrar, Faculty of Graduate Studies, AIS and Research Services.

All of these users connect from local, highly secured desktops to PeopleSoft. Each network has firewalls that are controlled by local technical support, and machines have controlled software installed, security patches installed, virus protection and anti-spyware software. Basically, the University can trust that a connection from one of these machines to PeopleSoft is not likely to be compromised. The desktop is secure.

Many of these users have requirements to work from home or to connect while away from the University on business. Although we could restrict these high-level users to access from secure LANs only, this would cause inconvenience to those users.
We have spent significant effort ensuring that our systems are fully web-enabled, and it would be wise to ensure that remote access to these systems is allowed but happens with appropriate security. These users may require access to self-service transactions or low risk transactions from non-secured LANs. Simply because they also have high risk transactions, they should not be denied access to their low risk transactions.

We are trying to deal with two related issues. High risk users should be able to use their regular roles from insecure locations, and they should be able to use their high risk roles from remote locations by connecting with a secure laptop.

For regular access from insecure locations, check roles as users connect to PeopleSoft and check where they are connecting from. If they are connecting from a non-secure network address, then simply disable their high risk roles. So, if a user can see their paycheck and can also submit payroll jobs, and they connect from a home computer, allow them to look up their paycheck and do not allow them to submit payroll. If their ID and password are collected by a hacker, the hacker could never run payroll, as the hacker would never be connecting from a secure LAN or a secure laptop. Only when that user connects from a secure LAN or a secure laptop would the ability to submit payroll or upgrade grades be re-enabled.

Home computers are perhaps the most vulnerable of any computer. They tend to get infected with viruses and spyware, and they lack the rigour of the IT resources that the University employs. We all know what our teenagers install on our home computers, and those are not the computers that should be used to access or process data that is critical to the University.

As an aside, one of the barriers to implementing single sign-on for BearTracks EPI users has been the risk of adding self-service transactions, such as viewing a paycheck, to a user with high risk roles. The addition of view paycheck would increase the likelihood of these users connecting from a home computer. If we simply disable the high risk roles, these users could connect from a home computer without putting the University at risk, and we could use the same ID for both BearTracks/EPI and regular University PeopleSoft access.

To enable high risk users to connect remotely and have access to high risk roles securely, we need to ensure that these users are connecting from machines that will not be easily compromised. We recommend that we adopt rigorous standards for secure laptops. Any remote access to high risk roles away from secure LANs must meet the following standards:

1) Use a departmentally controlled laptop configured for access to PeopleSoft. This laptop is not to be used for any purpose other than University business, including PeopleSoft. The laptop can be the user's primary workstation in the office. This laptop is for exclusive University business use at home; it cannot be used by spouses, children, etc.

2) Be configured to be remotely managed by the departmental IT staff over a secure VPN configuration.

3) The primary user CANNOT have administrative privileges on the machine.

4) Use an enterprise-level antivirus (AV), anti-spyware and firewall configuration. Such software must automatically update and cannot require user intervention for updates, etc. Antivirus must report back to the departmental central AV server that is monitored by the departmental IT staff.

5) Use a non-user-interactive method for installing all appropriate security patches within a reasonable time frame. These updates cannot be cancelled by the end user. This will require a fast network connection.

6) Cannot automatically log in when booted; it must prompt for a user ID and password. All failed attempts must be monitored (i.e. login validated against a monitored Domain Controller; cached Windows credentials are acceptable).
7) Connection to PeopleSoft must be through VPN and departmentally managed Citrix/Terminal Services. The VPN must be managed by the University.

8) The computer must have separate BIOS, boot and configuration passwords, and must prompt for the boot password on power-on. There will be multiple passwords for each user, and they must keep those passwords separate from the laptop.

9) No confidential files are to be stored on the local laptop hard drive; they should be kept on the Terminal Server unless the laptop is also the primary workstation.

10) Modifications to PeopleSoft connections will be made so that any access from a non-secure network location results in high risk roles being disabled; once a connection from a secure LAN or secure laptop is initiated, these roles will be re-enabled.

In order for this recommendation to be implemented, we estimate that there will be work completed by IBM, laptops purchased, software purchased and departmental IT staff time required to support these machines. Resources will be needed, both within each department and possibly AICT, to configure, test and install the VPN software on each LAN. The IT support for each department will retain responsibility for selecting laptops and VPN and for installing software that conforms to their local standards. This implies that not all laptops will be identical or supported by one IT area.

Estimates on the costs are as follows:

Description                        Notes                                                       Units   Unit Cost   Total
Implement PeopleSoft Secure Logon  Implement network security checking for PeopleSoft logins.          $25,000     $25,000
                                   Needs IBM Change Order.
Laptop Computers                   All incremental.                                            30      $3,000      $90,000
Laptop Software                    Software per machine.                                       30      $400        $12,000
VPN Installs                       Estimate of time. Some departments may require AICT         20      $65/hour    $1,300
                                   involvement.
VPN Software                       Software costs.                                             6       $500        $3,000
On going Support                   Assume all areas can do support. Estimate some              100     $65/hour    $6,500
                                   troubleshooting and assistance each year.
Total One Time Costs (First Year)                                                                                  $137,800

Evergreening                       Assume replacement every 3 years.                                               $30,000
On going Support                   Assume all areas can do support. Estimate some              100     $65/hour    $6,500
                                   troubleshooting and assistance each year.
Ongoing Costs Total                                                                                                $36,500

There are two parts to this proposal. The first is to implement sign-on security that will disable the use of high risk roles from insecure network locations. The second is to implement secure laptops.

If we only proceed with disabling high risk roles, then we lose the productivity gains that we would see by giving those users a secure laptop and secure remote access to high risk roles. We are currently monitoring connections and will be able to produce statistics on how many high risk connections are being established from non-secure LANs. We strongly recommend that we implement a secure laptop strategy so all high level users can access PeopleSoft remotely and securely.

Colin Harford
Network Administrator, Human Resources

Shelagh Hohm
Director, AIS
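The sign-on check the proposal describes (drop a user's high risk roles unless the session comes from a secure LAN or a managed laptop's VPN, as in standard 10) and the "high risk connections from non-secure LANs" statistic it says is being collected, as an added Python illustration; this is not part of the proposal or of PeopleSoft, and the network ranges, role names and log lines are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: the secure LAN ranges and the VPN address pool
# used by departmentally managed laptops would come from the real network.
SECURE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.10.0.0/16",   # hypothetical central-department LANs
    "10.99.0.0/24",   # hypothetical managed-laptop VPN pool
)]

# Roles the proposal treats as high risk (illustrative names only).
HIGH_RISK_ROLES = {"SUBMIT_PAYROLL", "UPDATE_GRADES", "VENDOR_MAINTENANCE"}


def is_secure_location(source_ip: str) -> bool:
    """True only when the session originates from a secure LAN or VPN pool."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address: fail closed, treat as insecure
    return any(addr in net for net in SECURE_NETWORKS)


def effective_roles(assigned_roles: set, source_ip: str) -> set:
    """Roles the session actually receives: high risk roles are removed for
    any non-secure source and kept only for secure LAN / secure laptop access."""
    if is_secure_location(source_ip):
        return set(assigned_roles)
    return set(assigned_roles) - HIGH_RISK_ROLES


def count_high_risk_from_insecure(log_lines) -> int:
    """Count logins where a holder of a high risk role connected from a
    non-secure address. Constructed line format: user,source_ip,role1|role2"""
    count = 0
    for line in log_lines:
        _user, ip, roles = line.strip().split(",")
        role_set = set(roles.split("|"))
        if role_set & HIGH_RISK_ROLES and not is_secure_location(ip):
            count += 1
    return count


SAMPLE_LOG = [  # constructed sample records, not real login data
    "payroll1,10.10.4.7,VIEW_PAYCHECK|SUBMIT_PAYROLL",    # secure LAN
    "payroll1,192.0.2.44,VIEW_PAYCHECK|SUBMIT_PAYROLL",   # home ISP address
    "reg2,10.99.0.12,VIEW_PAYCHECK|UPDATE_GRADES",        # managed laptop VPN
    "staff3,198.51.100.9,VIEW_PAYCHECK",                  # no high risk role
]
```

Run against the sample, only the home-computer login by a payroll user is flagged, while the same user on the office LAN and the registrar user on the laptop VPN keep their full role set.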