Information Technology Information Systems Architecture What’s new. What’s happening.


Information Technology 6/4/2015
Where are We Going?
– Self-service
– Increased security and privacy protections
– Real-time
– More open access to information
– Mobility

University System Architecture

Architecture Purpose
– Create reliable, extendable, standards-based, maintainable infrastructure
– Distribute management and development
– Speed deployment with increased reliability
– Support necessary security and extensive self-service applications

Expanded Architectural Model
[Diagram: layers Delivery Systems, Platforms and Applications, with components User Devices (Desktop, Mobile); Network (IP, VOIP, Wireless); Servers (Win2003, UNIX, Linux); Data Management (Oracle, SQL); Integration Middleware (Identity, SSO, Messaging); Directories; Security; Systems Management; Core Enterprise Systems (Financial, HR, SES, CMS); School/Department/Division Applications (CONDUITS, School NAS)]

User Devices
Situation
– Desktop, mobile, handheld units
Current efforts
– Purchasing guidelines; anti-virus license
– Maintenance contracts; software site-licenses
Future directions
– Device independence through Web interfaces
– Network backup services

Network
Situation
– State-of-the-art connectivity
Current efforts
– Access to national/international networks; on-campus wireless; iCAIR R&D
– Advancing applications of the network
Future directions
– Voice services (VoIP); cellular-IP services
– Role-based access and service levels

Servers
Situation
– Highly-available service platforms
Current efforts
– Redundant power and network paths
– Narrowing supported systems to focus skills
Future directions
– Parallel/hot service site; flexible server management
– Consolidation of server support

Data Management
Situation
– Holding and protecting University information
Current efforts
– Data stewards moving to common definitions
Future efforts
– Data warehousing for analysis and reporting
– Near real-time access to data across systems
– Standard reporting and data retrieval tools

Integration Middleware
Situation
– Delegated identity management and access control
Current efforts
– Improve identity management processes
– Deploy and leverage standard technology
Future directions
– Define standard inter-application work flows
– Role-based portal to integrate presentation

Core Enterprise Systems
Situation
– Two major systems replaced in the past 6 years
Current efforts
– Leverage abilities of newer systems (HRIS, SES)
– Implement new financial and research systems
Future directions
– Integrate cross-system transactions
– Open data to near real-time secure queries

School/Department/Division Applications
Situation
– Local systems holding institutional information
– Procurements often isolated from IT planning
Current efforts
– Identify systems and data
Future directions
– Procurements must meet integration plans
– Eliminate data replication; enforce security model

Systems Management
Situation
– Ensure service availability
Current efforts
– Automatic monitoring of central network and central servers
Future directions
– Monitor all network devices
– Monitor enterprise applications

Directories
Situation
– Authenticate and authorize
Current efforts
– Widely-used identifier (NetID)
– Deploy standard infrastructure
Future directions
– Web single sign-on
– Unified identity management for all applications
– Enterprise portal roles

Security
Situation
– Prevent intrusion or disruption
Current efforts
– Installing network firewalls
– Installing intrusion detection
Future directions
– Network-wide anti-virus
– Continuous vulnerability scanning


Integration Middleware
– Identity management, Web SSO
– System integration via Web Services (XML, SOAP, WSDL, SAML)

Web Single Sign-On
[Diagram: Browser, Authentication Application Web Server, Application Web Server, Web SSO Token]

System Integration
Integrated enterprise systems can reduce the time to complete services across the University, eliminate manual steps (and errors), and create auditable transaction records. A hiring event can trigger financial and service actions. Some actions could be immediate and others queued for review by service administrators before fulfillment. Later events, such as completed training, can be promoted back into the HR record for the employee.
[Diagram: Human Resources System – Hiring Event updates the Employee Record and triggers: Provision NetID, Provision Wildcard, Encumber salary and benefits, Provision access, Schedule training, Provision ETES, Notify supervisor, Subscribe to lists, Queue to ERP, Provision directory, Provision calendar, Provision local services, Queue to school, Notify unit funds manager]

The Challenge – Application Silos
Application silos develop naturally around business systems and software under standard architectural planning and funding. Each business unit invents user management, tracks authorizations, and builds interfaces to other systems. Silos limit views of institutional data, fragment security, require manual re-entry of data and detract from the user’s “integrated system” experience.
[Diagram: Business Unit / IT]

The Future
[Diagram: IT provides IdM & Portal and IT Services and Facilities; Business Unit Focus]

Authentication & Authorization

Importance of Identity Management
– Without robust Identity Management, we can never be confident of our security
– Without confidence in security, data stewards will not be willing to expose information
– Without current information, responsible decisions are difficult – hence shadow systems
– The University should change its culture to make information available to those with proper authorization by default

Fundamental Concepts
1. Service providers must have confidence in Identification and Authentication services.
2. Service providers determine the authentication strength required for their applications and data.
3. Application software must recognize central identity and support definition of local entitlements and access rules.
4. Digital identities should be derived from authoritative sources.

Current IdM Structure

Current Practice Issues
– Separate identity databases lead to multiple usernames and passwords for each principal. This increases security risk.
– Without ties to authoritative sources, changes in the status of a principal have delayed effect on authorizations.
– Disjoint systems make common role/rule authorizations impossible.

Future Requirements
– School/Division/Department system administration must be linked to central identity services
– Systems with secure information must themselves be secure
– Maintenance of authentication will be more distributed and less convenient for higher-security systems
– University must define business rules for when the status of an individual changes

Future IdM Structure

[Diagram: LDAP Cluster – SES and HRIS feed the Registry (registry.northwestern.edu) via extraction and replication; load balancing in front of registry.northwestern.edu and directory.northwestern.edu; SNAP and White Pages are served from replicas; operated by IT Computing Services. Note: schematic – not an engineering representation]

AD / eDirectory Structure
[Diagram: Registry (LDAP) feeding an Enterprise forest containing School A, School B and Division Z]

LDAP Access to Data Items
Access is controlled in four ways:
– Anonymous bind to the registry is reserved to known hosts
– User binding restricted by IP address
– Attribute retrieval protected by application credentialing and Access Control Lists
– White pages is an extract of registry data

Anonymous Binding
– Appropriate for white pages lookup
– Fast – no encryption
– Program binds, then queries by indexed attribute
– Return is defined by ACL
[Diagram: Eudora, Outlook, Relay (and other clients) querying the LDAP Service]

User Binding
– The only means to check username and password validity
– Restricted by IP address to avoid brute-force attacks
– Encrypted via SSL
– Will eventually be isolated from the application by SSO
– Return is defined by ACL
[Diagram: SES, SNAP, Hecky binding to the LDAP Service]

Attribute Retrieval Binding
– Application presents assigned credentials to bind as itself
– Queries and receives a return defined by a unique ACL
– Encrypted via SSL
– Example: from NetID, get DN and jpegphoto
[Diagram: NUTV, VPN, Course Mgmt binding to the LDAP Service]

IP Address Restrictions
– Restriction of LDAP protocols by IP address is performed by the ITCS firewall
– Request-specific ACL limits exposure of data items
[Diagram: ACLs sit between requests and the Registry Data in the LDAP Registry]

Typical Three-Step Scenario
– Binding with DN and password is IP-restricted and isolated from application coding
– Binding as an application presents credentials defining returned attributes
[Diagram: Web Server (LDAP Plug-in) → Registry: 1. Bind as web server, search by NetID for DN, then 2. Bind by DN to validate password (SSL). Web Server passes transaction data including NetID to the Application Server (LDAP Plug-in) → Registry: 3. Bind as application; Key: NetID; Return: attributes]
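An added example, not code from the presentation or from NUIT, modelling the four access controls from "LDAP Access to Data Items" (known-host restriction on binds, anonymous white-pages lookup, application credentials with a request-specific ACL) and the three-step scenario above as a small in-memory Python simulation. The Registry class, the host address 10.0.0.10, the entry for "jdoe", the application names "webserver" and "coursemgmt" and all credentials are constructed stand-ins.

```python
import hashlib
import hmac
import os

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Registry:
    """In-memory stand-in for the LDAP registry (constructed, not a real directory)."""
    def __init__(self, known_hosts):
        self.known_hosts, self.entries = set(known_hosts), {}   # binds allowed only from these
        self.acls = {"anonymous": {"cn", "mail"}}               # bind identity -> readable attrs

    def add_person(self, dn, netid, password, **attrs):
        salt = os.urandom(16)                                   # passwords stored salted+hashed
        self.entries[dn] = {"uid": netid, "_salt": salt, "_pw": _hash_pw(password, salt), **attrs}

    def add_application(self, name, password, acl):
        self.add_person(name, None, password)                   # apps bind as themselves
        self.acls[name] = set(acl)                              # request-specific ACL

    def bind(self, source_ip, identity=None, password=None):
        """Return the bind identity used for ACL lookup, or raise PermissionError."""
        if source_ip not in self.known_hosts:                   # firewall / IP restriction
            raise PermissionError(f"bind refused: {source_ip} is not a known host")
        if identity is None:                                    # anonymous bind, white pages only
            return "anonymous"
        # An unknown DN is checked against a dummy entry so a miss costs the same as a mismatch.
        entry = self.entries.get(identity, {"_salt": b"", "_pw": b"\0" * 32})
        if not hmac.compare_digest(entry["_pw"], _hash_pw(password or "", entry["_salt"])):
            raise PermissionError("invalid DN or credentials")
        return identity

    def search(self, session, netid):
        allowed = self.acls.get(session, {"uid"})               # ACL defines what is returned
        for dn, attrs in self.entries.items():                  # lookup by indexed uid
            if attrs["uid"] == netid:
                return dn, {k: v for k, v in attrs.items() if k in allowed}
        return None, {}

def three_step_login(reg, src_ip, web_cred, netid, password, app_cred):
    """1. bind as the web server and look up the DN by NetID (never construct it);
    2. bind by that DN to validate the password; 3. bind as the application."""
    dn, _ = reg.search(reg.bind(src_ip, *web_cred), netid)
    if dn is None:
        return None
    try:
        reg.bind(src_ip, dn, password)                          # SSL-protected in the real service
    except PermissionError:
        return None
    _, attrs = reg.search(reg.bind(src_ip, *app_cred), netid)  # application's ACL applies
    return attrs

DEMO = Registry(known_hosts={"10.0.0.10"})                      # constructed sample data
DEMO.add_person("uid=jdoe,ou=people,dc=example,dc=edu", "jdoe", "correct horse",
                cn="Jane Doe", mail="jdoe@example.edu", jpegphoto=b"\xff\xd8")
DEMO.add_application("webserver", "w-secret", acl={"uid"})
DEMO.add_application("coursemgmt", "c-secret", acl={"cn", "jpegphoto"})
```

The web server only ever learns the DN and the application only ever receives the attributes its ACL names, which is what keeps password handling out of application code.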

How is Registry Access Governed?
Due to the protections in place, access must be requested through NUIT. Requests must be approved by the custodian(s) of the data. NUIT then assigns the appropriate ACL to restrict access to only the approved data items.

Anticipating the Future
Getting ahead of the changes

Trends: Web-Based Access
– Web should be the primary tool for user access to applications
– Anticipates Web SSO
– Anticipates portal interfaces
– Minimizes platform dependencies

Trends: Data Security
– Custodians will grant access to data for specific purposes, not general use. Use may be audited.
– Limit information retained locally to what is unique to the application.
– Obtain general information as needed from the Registry, given performance requirements.

Trends: Authentication and User Management
– NetID will become the universal identifier.
– Web SSO will be deployed.
– Password security concerns will limit some user management flexibility.
– Stronger authentication may be justified for some applications – but it is costly.

Trends: Web Services
– Exposure of central data will move to Web Services.
– Applications will use XML to expose data to portals.
– Real-time transaction systems will use Web Services to relay changes to other systems.

Do’s and Don’ts
Do…
– Adopt NetID as your local identifier
– Migrate to NetID passwords
– Use two-step authentication binding to LDAP
Don’t…
– Stay on Windows NT
– Authenticate against Ph
– Assume you can construct a DN
– Write applications that see user passwords in clear text

More Advice…
– Learn about XML and Web Services
– Develop applications for the Web
– Involve NUIT early in planning, and especially in software acquisition
– Learn about data privacy regulations
– Think globally while acting locally

Questions?