ITANA Screen-to-Screen:
Enterprise Authorization
Presented by: Marina Arseniev, Director of Enterprise Architecture,
Security, and Data Management Services
Administrative Computing Services, UC Irvine
April 16, 2009 - 1:30-3:00 pm EDT
Session Abstract
• Truly enterprise-wide authorization solutions present challenges
from the technology perspective and even more challenges from the
business and cultural requirements perspective. Questions about
scope, granularity, roles, delegation, and data integration with
vendor and other software continue to be posed in many institutions
where authorization solutions have difficulty meeting campus needs.
Specific common problems and case studies, such as campus-wide
access audits, are the focus of this session. We will share real-world
experiences, identify common requirements and discuss solutions
(successful or possibly not) to better understand common
challenges.
• This session will discuss why enterprise authorization is so elusive
for so many of our institutions; it will be a forum to share successes
and failures. The goal is to define what specific actionable steps or
decisions architects across our campuses might be able to make
that bring vision and clarity to their organizations.
Agenda
• Part 1 - Presentation and Discussion – 30 minutes
–
–
–
–
UC Irvine’s Case Studies
Our Requirements
Alternative solutions and products reviewed
Role of “business process / data owners”. Campus
Auditor / Controller role.
• Part 2 - Working Session – 60 minutes
What does UC Irvine’s Administrative
Computing Services do?
SNAP
Financial System
Administrative Portal
IBM Mainframe
uPortal
Payquest
CICS/Cobol
Web/Java
Reimbursement
Purchasing and
Solaris
Human Resources
Accounts Payable
Web/Java
Self-Service
Payroll at UCOP
IBM Mainframe
GreenTree
Solaris
IBM Mainframe
CICS/Cobol
Hiring Manager/
Web/Java
CICS/Cobol
Applicant Tracking System
TED
Microsoft IIS/.ASP
Facilities
Learning Management
Vendor
Self-Services
Microsoft IIS/.ASP
Student
Solaris
Vendor
Billing System
Web/Java
Facilities Management
Powerbuilder
Work Order / Billing
Data Center
Budget System
Tririga ERP Vendor
Desktop Support
Powerbuilder
JBoss/Java
And Helpdesk
Central Credit Card
Payment - Solaris
Web/Java
And much more…
Case Study – Our computing
environment Cobweb
• Effective authorization and access control across all the
systems, platforms, vendor solutions, and languages we
support is extremely challenging
• User provisioning and termination of access is complex,
error prone, and often not sufficiently timely
• The “cobweb” is only Administrative Computing
applications, not of the whole “enterprise”.
• Extending authorization services across UC Irvine’s main
computing centers requires campus governance and
policy, which we struggle with.
• We are a decentralized IT campus
Case Study – UC Irvine’s Identity
Theft and FBI/Police Collaboration
• Campus incurs high risk because the measures being used
to protect personal data are inadequate, difficult to
administer and impossible to audit centrally.
• Between September 2007 and February 2008, UC Irvine’s
student SSNs were stolen and used to file their tax returns
Registrar
Academic
Services
Administrative
Computing Services
Graduate
Studies
Payroll
Student
SSNs
Parking
Housing
Health
Sciences
Office of Institutional
Research
Student
Health
Case Study – UC Irvine’s Identity
Theft and FBI/Police Collaboration
• Group of students affected was finally identified as
“Graduate Students” who filed for Student Health Insurance.
• Identifying users who had accessed Graduate Student
SSNs within a window of time for breach investigation
proved difficult in our de-centralized computing environment.
• *Many* applications in *many* departments required review
and audit of access control lists and proprietary
authorization solutions.
• Finally, campus leak was ruled out
• ‘United Health Care’, an agent of UC that provides student
insurance, turned out to have an ‘inside job’ of a ring of
identity thieves. Case solved!
Case Study – Campus Centralized
Credit Card System (CCCS)
• UC Irvine has a centralized credit card payment taking
web service, offered to all departments
• Payment Credit Card Industry Data Security Standard
(PCI DSS) require audit trails
• Departments are allowed to write their own “store front”
and must maintain user access control
Case Study – our SAS 112
PriceWaterHouseCoopers Audit
• Audit of our financial applications.
• Like Sarbanes-Oxley for industry
• ‘Proof’ that users only have access to what they need to
perform their job requires research scattered across many
systems and applications across the campus
• Audits on who provided access to whom and when are
almost impossible.
• Audits on when user access was last reviewed require
business “owner” verification and formal documentation.
Are rarely done…
Case Study – our SAS 112
PriceWaterHouseCoopers Audit
• Audits to determine if there is adequate separation of
duties and no conflict of interests is difficult.
– Example 1: Validate that the same person who is able
to “cut a check” is also not the person who can “request
a check”
– Example 2: Validate that at a specific point in time, this
person did not have access to request and approve a
salary increase
• We don’t use Roles and often, due to staff shortages, the
same person may need exceptions to the policy…
Our systems today do not meet the audit challenges
Case Study: Our current solution ‘SAMS’
• AdCom Services’ Security Access Maintenance System
(SAMS) has worked well for delegated access control of
AdCom’s administrative and financial systems that rely
only on the campus Financial Hierarchy
Organization
Department
Account
Fund
Case Study: Our current solution ‘SAMS’
• New requirements to restrict by constraints other than
the Financial Hierarchy, such as by Building (as in for
door locks), Academic Hierarchies, Kuali Coeus research
Hierarchies require redesign.
• SAMS uses a home-grown proprietary HTTP API for
validating access.
– Vendor applications are increasingly using open standards
including SAML for access control decisions, and integration with
those vendor solutions using the homegrown API is expensive
and difficult.
– There are no Web server plug-ins for SAMS for PHP,
ColdFusion, .Net or Java.
– Can not be used outside of our Administrative Computing
Department
Requirements: System Features
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
High: Web Application Integration for “home grown” applications – API for low-level
granularity on access to business functions and resources - .NET, PHP, Java, Cold
Fusion. Plug-ins to Apache, Tomcat, IIS at minimum.
High: Integration for Vendor and “Externally developed” systems such as Kuali Financial
System, Kuali Coeus, Hannon Hill Content Management System (CMS), Portal (uPortal)
High: Web server file and directory access controls for IIS, Apache, JBoss, Tomcat
High: Delegated access control administration over different business domains. Roles.
High: Reports indicating when access was last reviewed
High: Complete audit capabilities including reporting and retention of all historical snapshot and transaction records.
High: Shibboleth, Campus SSO (WebAuth) support
High: Identity Management Integration – Kuali KIM, Sun’s OpenSSO / Access Manager
High: Scalability, 24/7 availability, robustness, ability to cluster, performance
Medium: Access control solution should handle access to applications shared with other
non-UCI users as well as third-party affiliates with access controlled by and assigned to
other UCI users. Federation.
Medium: Operating System access control support (group and user) including Microsoft
(Active Directory), Mac OS X, Linux, and Solaris.
Use Cases for Enterprise AuthZ
• Push or Pull access from home grown and vendor apps
– Course view / update
– Web Financial application such as Kuali FS, Coeus
• Can read/update specific or range of account-level data
• Designate financial approvers for several electronic financial
transactions
• Push ACLs to hosted SAAS applications, such as Connexxus
Travel Management or Learning Management System – 24
hour batch feeds
• Surveys – access to result or to publish
• Portal or Wiki groups
• Files / directory access
• Targeted Announcements / Calendaring / Events
– Who has authority to publish campus emergency notification, budget
deadlines?
Alternative Solutions Considered
• Do nothing
– Continue to handle access controls on a per Web server or application
basis via internal database tables
– Continue to use .htaccess files for Apache
– SAMS for AdCom applications
• Augment SAMS functionality to support more types of
constraints on access and write Web server plug-ins for PHP,
ColdFusion, Java, and .NET
• Integrate Grouper + a SIGNET-like product
• Handle all authorization in LDAP and integrate with Microsoft’s
Active Directory and other repositories for access control.
– No nice GUI, no auditing, no delegated access control, poor logging
• Invest in a vendor product, such as Sun’s Access Manager, for
enterprise authorization management
Rational for Enterprise Authorization
Solution at UC Irvine
• We currently spend a great deal of money on staff resources
managing access control in individual solutions such as our Portal
SNAP, Web servers, Vendor applications, home grown applications,
LDAP, and others.
• We would reduce costs long term by migrating to a single master-ofrecord system.
• We would improve security, especially in dealing with “separations”
and re-assignments of staff across departments.
• We could more easily enforce policy, such as “separation of duties”,
and detect “conflict of interests” across campus applications
• We would pass PriceWaterhouseCoopers SAS 112 audit!
• Campus Auditor/Controller would be happy!
Non Technical Considerations
• Centralized AuthZ requires a culture change, coordination, and
education
– bottom up, top down, across
– Marketing and education of programmers on tools and solutions
– Departments: Registrar, Network and Academic Computing,
Administrative Computing, Purchasing, Financial Services,
Cashier, Payroll, Research and Graduate Studies, Office of
Analytical Studies, Health Affairs,
• Campus policy must be updated
• Enforcement would be done by Audit department
• All “business process / data owners”, such as Financial Controller
and Payroll must have ultimate approval over all access (and
confidence in proper management of delegated access) to their
data.
– Campus Audit/Controller role must periodically audit access
Do other campuses
share UC Irvine’s challenges?
• We have found no tool that meets all our needs, have you?
• What are our common problems? Common Requirements?
– How are other campuses handing AuthZ? Is it distributed and delegated?
Centralized?
– Who is in charge of AuthZ in the campus? CIO/IT? Campus
Audit/Controller? Risk Management?
– What policies govern AuthZ?
– What access control granularity works most effectively? All-or-nothing
access to an applications? How about specific functions within an
application?
– Are roles useful or do too many people span too many roles?
– How do you handle “separation of duties” and “conflict of interests”?
– What about “separations” and terminations? How are ties to IdM handled?
– How do you deal with culture change and training required to run a
centralized service?
– What has worked well? Why? Good Tools?
– Failures? Bad tools?
Part 2 – Working Session