Transcript Document

Information Technology
Information Systems Architecture
What’s new.
What’s happening.
Where are We Going?
• Self-service.
• Increased security and privacy protections
• Real-time.
• More open access to information.
• Mobility.
7/17/2015
University System Architecture
Architecture Purpose
• Create reliable, extendable, standards-based, maintainable infrastructure
• Distribute management and development
• Speed deployment with increased reliability
• Support necessary security and extensive self-service applications
Expanded Architectural Model
[Diagram: Expanded Architectural Model. Applications layer: Core Enterprise Systems (Financial, HR, SES, CMS) and School/Department/Division Applications. Integration Middleware: Identity, SSO, Messaging. Platforms: Data Management (Oracle, SQL), Servers (Win2003, UNIX, Linux), Network (IP, VOIP, Wireless), User Devices (Desktop, Mobile). Also shown: Delivery Systems, Systems Management (CONDUITS, School NAS), Directories, Security.]
User Devices
• Situation
– Desktop, mobile, handheld units
• Current efforts
– Purchasing guidelines; anti-virus license
– Maintenance contracts; software site-licenses
• Future directions
– Device independence through Web interfaces
– Network backup services
Network
• Situation
– state-of-the-art connectivity
• Current efforts
– Access to National/International networks; on-campus wireless; iCAIR R&D
– Advancing applications of network
• Future directions
– Voice services (VoIP); cellular-IP services
– Role-based access and service levels
Servers
• Situation
– Highly-available service platforms
• Current efforts
– Redundant power and network paths
– Narrowing supported systems to focus skills
• Future directions
– Parallel/hot service site; flexible server management
– Consolidation of server support
Data Management
• Situation
– Holding and protecting University information
• Current efforts
– Data stewards moving to common definitions
• Future efforts
– Data warehousing for analysis and reporting
– Near real-time access to data across systems
– Standard reporting and data retrieval tools
Integration Middleware
• Situation
– Delegated identity management and access control
• Current efforts
– Improve identity management processes
– Deploy and leverage standard technology
• Future directions
– Define standard inter-application work flows
– Role-based portal to integrate presentation
Core Enterprise Systems
• Situation
– Two major systems replaced in past 6 years
• Current efforts
– Leverage abilities of newer systems (HRIS, SES)
– Implement new financial and research systems
• Future directions
– Integrate cross-system transactions
– Open data to near real-time secure queries
School/Department/Division Applications
• Situation
– Local systems holding institutional information
– Procurements often isolated from IT planning
• Current efforts
– Identify systems and data
• Future directions
– Procurements must meet integration plans
– Eliminate data replication; enforce security model
Systems Management
• Ensure service availability
• Current efforts
– Automatic monitoring of central network and central servers
• Future directions
– Monitor all network devices
– Monitor enterprise applications
Directories
• Authenticate and authorize
• Current efforts
– Widely-used identifier (NetID)
– Deploy standard infrastructure
• Future directions
– Web single sign-on
– Unified identity management for all applications
– Enterprise portal roles
Security
• Prevent intrusion or disruption
• Current efforts
– Installing network firewalls
– Installing intrusion detection
• Future directions
– Network-wide anti-virus
– Continuous vulnerability scanning
Integration Middleware
• Identity management, Web SSO
• System integration via Web Services (XML, SOAP, WSDL, SAML)
Web Single Sign-On
[Diagram: Web Single Sign-On – Browser, Token, Authentication, two Web Servers each fronted by a Web SSO Application.]
System Integration
Human Resources System
Integrated enterprise systems can reduce the time to complete services across the University, eliminate manual steps (and errors), and create auditable transaction records.
A hiring event can trigger financial and service actions. Some actions could be immediate and others queued for review by service administrators before fulfillment.
Later events, such as completed training, can be promoted back into the HR record for the employee.
[Diagram: Hiring Event → Employee Record, fanning out to: Provision NetID, Provision ETES, Provision Wildcard, Provision access, Provision local services, Provision directory, Provision calendar, Encumber salary and benefits, Schedule training, Subscribe to email lists, Notify supervisor, Notify unit funds mgr, Queue to ERP, Queue to school.]
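The hiring-event flow described above, as an added example that is not part of the original slides: a small Python model of a transaction bus that fulfils some actions at once, queues others for a service administrator, records every step in an auditable log, and promotes a later training event back into the HR record. The action table, the queue names and the choice of which actions are queued are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Action:
    name: str
    review_by: str = ""   # "" = fulfil at once; otherwise the review queue an administrator must approve

# Constructed action table using the slide's labels; which actions are queued is an assumption.
HIRING_ACTIONS = [
    Action("Provision NetID"), Action("Provision directory"), Action("Notify supervisor"),
    Action("Encumber salary and benefits", review_by="ERP"),
    Action("Provision local services", review_by="school"),
]

class TransactionBus:
    """Stand-in for the integration middleware: fires actions and keeps an audit trail."""
    def __init__(self):
        self.hr_records = {}   # the HR system's authoritative employee records
        self.queues = {}       # review queues keyed by reviewer, e.g. "ERP"
        self.audit = []        # auditable transaction record, append-only

    def _log(self, netid, action, status, actor):
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(), "netid": netid,
                           "action": action, "status": status, "actor": actor})

    def hiring_event(self, employee):
        netid = employee["netid"]
        self.hr_records[netid] = dict(employee, training=[])
        for a in HIRING_ACTIONS:
            if a.review_by:    # queued: nothing is fulfilled until a reviewer approves it
                self.queues.setdefault(a.review_by, []).append((netid, a.name))
                self._log(netid, a.name, "queued", "system")
            else:              # immediate: fulfilled by the bus as part of the event
                self._log(netid, a.name, "done", "system")

    def approve(self, reviewer, actor):
        """A service administrator works off a queue; each approval is recorded with its actor."""
        for netid, name in self.queues.pop(reviewer, []):
            self._log(netid, name, "done", actor)

    def training_completed(self, netid, course):
        """A later event promoted back into the employee's HR record."""
        self.hr_records[netid]["training"].append(course)
        self._log(netid, "Schedule training", "done", "training-system")

    def status(self, netid, action):
        # latest recorded status of an action for a NetID, read from the audit record
        return [e["status"] for e in self.audit if e["netid"] == netid and e["action"] == action][-1]
```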
The Challenge – Application Silos
[Diagram: an application silo, labelled Users, Business Unit, IT, Identity Management and Authentication, Authorization, Business Rules, Processing, Database, Reporting, Interfaces.]
Application silos develop naturally around business systems and software under standard architectural planning and funding. Each business unit invents user management, tracks authorizations, and builds interfaces to other systems.
Silos limit views of institutional data, fragment security, require manual re-entry of data and detract from the user’s “integrated system” experience.
The Future
[Diagram: the future model – IT IdM & Portal providing Identity Management and Authentication for Users and Role-Based Business Rules; Business Unit Focus on per-application Business Rules; IT Services and Facilities providing Processing, Databases, a Transaction Bus, a Warehouse and Reporting.]
Authentication & Authorization
Importance of Identity Management
• Without robust Identity Management, we can never be confident of our security
• Without confidence in security, data stewards will not be willing to expose information
• Without current information, responsible decisions are difficult – hence shadow systems
• The University should change its culture to make information available to those with proper authorization by default
Fundamental Concepts
1. Service providers must have confidence in Identification and Authentication services.
2. Service providers determine the authentication strength required for their applications and data.
3. Application software must recognize central identity and support definition of local entitlements and access rules.
4. Digital identities should be derived from authoritative sources.
Current IdM Structure
[Diagram: Current IdM Structure – manual feeds from Admissions, SES, HRIS and CUFS, each with its own Auth_z; SNAP with manual synchronization to E-mail, Meeting Maker, Active Directory, Course Mgmt, ETES and Kerberos; Student SES Auth_z; Novell Servers, Windows 2000/03 Servers, Department file & print services, VPN/Modems and Department Servers (NT4), maintained manually.]
Current Practice Issues
• Separate identity databases lead to multiple usernames and passwords for each principal. This increases security risk.
• Without ties to authoritative sources, changes in the status of a principal have delayed effect on authorizations.
• Disjoint systems make common role/rule authorizations impossible.
Future Requirements
• School/Division/Department system administration must be linked to central identity services
• Systems with secure information must be themselves secure
• Maintenance of authentication will be more distributed and less convenient for higher-security systems
• University must define business rules for when the status of an individual changes.
Future IdM Structure
[Diagram: Future IdM Structure – Admissions, SES and HRIS feed SNAP (some sources still manual); a central LDAP Registry with Web Single Sign-On serves Network, VPN, Research, E-mail, Meeting Maker, Course Mgmt, ETES, SES, HRIS, Financials, Active Directory, Novell eDirectory, Department file & print services, and Business and Academic Partners.]
LDAP Cluster
[Diagram: LDAP Cluster (IT Computing Services) – extraction from SNAP, SES and HRIS into the Registry (registry.northwestern.edu), replicated and load-balanced; White Pages (directory.northwestern.edu) is fed from the Registry. Note: schematic – not an engineering representation.]
AD / eDirectory Structure
[Diagram: Registry (LDAP) feeding an Enterprise forest containing School A, School B and Division Z.]
LDAP Access to Data Items
• Access is controlled in four ways:
– Anonymous bind to registry is reserved to known e-mail hosts
– User binding restricted by IP address
– Attribute retrieval protected by application credentialing and Access Control Lists
– White pages is an extract of registry data
Anonymous Binding
• Appropriate for white pages lookup
• Fast – no encryption
• Program binds, then queries by indexed attribute
• Return is defined by ACL
[Diagram: Outlook, Eudora, a mail Relay and an unidentified client (marked "??") binding anonymously to the LDAP Service.]
User Binding
• The only means to check username and password validity
• Restricted by IP address to avoid brute-force attacks
• Encrypted via SSL
• Will eventually be isolated from the application by SSO
• Return is defined by ACL
[Diagram: SNAP, Hecky and SES performing user binds to the LDAP Service.]
Attribute Retrieval Binding
• Application presents assigned credentials to bind as itself
• Queries and receives return defined by unique ACL
• Encrypted via SSL
• Ex: from NetID get DN and jpegphoto
[Diagram: VPN, Course Mgmt and NUTV binding with assigned credentials to the LDAP Service.]
IP Address Restrictions
• Restriction of LDAP protocols by IP address is performed by ITCS firewall
• Request-specific ACL limits exposure of data items
[Diagram: ACLs sitting between the LDAP Registry and the Registry Data.]
Typical Three-Step Scenario
1. Bind as web server, search by NetID for DN, then
2. Bind by DN to validate password
3. Bind as application (Key: NetID; Return: attributes)
• Binding with DN and password is IP-restricted and isolated from application coding
• Binding as an application presents credentials defining returned attributes
[Diagram: Web Server (LDAP Plug-in, SSL) receiving transaction data including NetID; Application Server (LDAP Plug-in, SSL); Registry (SSL).]
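The four access controls listed under LDAP Access to Data Items and the three-step scenario above, as an added example (not code from the slides or from NUIT): a pure-Python stand-in for the registry with an ACL per bind identity and IP restrictions on anonymous and user binds, so it runs offline with no directory server. The DNs, NetID, addresses, secrets and ACL contents are constructed.

```python
import hashlib
import hmac

def _h(secret):   # constructed: the stand-in registry stores only hashed secrets
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed registry entry, application credentials, ACLs and IP restrictions.
REGISTRY = {"uid=jdoe,ou=people,dc=example,dc=edu": {
    "uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
    "jpegPhoto": "<binary>", "userPassword": _h("correct horse")}}
WEB_SERVER = "cn=webserver,ou=apps,dc=example,dc=edu"
COURSE_MGMT = "cn=coursemgmt,ou=apps,dc=example,dc=edu"
APPS = {WEB_SERVER: _h("ws-secret"), COURSE_MGMT: _h("cm-secret")}
ACLS = {None: {"cn", "mail"},                     # anonymous bind: white-pages fields only
        WEB_SERVER: {"uid"},                      # just enough to locate a DN by NetID
        COURSE_MGMT: {"uid", "cn", "jpegPhoto"}}  # request-specific ACL for this application
MAIL_HOSTS = {"10.0.0.25"}        # anonymous bind reserved to known e-mail hosts
USER_BIND_HOSTS = {"10.0.1.10"}   # DN+password binds allowed only from these addresses

def bind(who, secret, client_ip):
    """Return the ACL granted to a successful bind; raise PermissionError otherwise."""
    if who is None:
        if client_ip not in MAIL_HOSTS:
            raise PermissionError("anonymous bind refused from " + client_ip)
    elif who in APPS:
        if not hmac.compare_digest(APPS[who], _h(secret)):
            raise PermissionError("bad application credential")
    elif who in REGISTRY:
        if client_ip not in USER_BIND_HOSTS:
            raise PermissionError("user bind refused from " + client_ip)
        if not hmac.compare_digest(REGISTRY[who]["userPassword"], _h(secret)):
            raise PermissionError("bad password")
    else:
        raise PermissionError("unknown DN")
    return ACLS.get(who, set())   # a user bind proves the password but reads nothing

def search(acl, attr, value):
    """Search by indexed attribute; the bind's ACL decides which attributes come back."""
    return [(dn, {k: v for k, v in e.items() if k in acl})
            for dn, e in REGISTRY.items() if e.get(attr) == value]

def three_step_login(netid, password, app_dn, app_secret, plugin_ip="10.0.1.10"):
    """Steps 1-3 of the slide as the LDAP plug-in performs them; application code never builds a DN."""
    hits = search(bind(WEB_SERVER, "ws-secret", plugin_ip), "uid", netid)   # step 1
    if not hits:
        return None
    bind(hits[0][0], password, plugin_ip)          # step 2: the bind result is the only check
    app_acl = bind(app_dn, app_secret, plugin_ip)  # step 3: application binds as itself
    return search(app_acl, "uid", netid)[0][1]
```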
How is Registry Access Governed?
• Due to the protections in place, access must be requested through NUIT.
• Requests must be approved by the custodian(s) of the data.
• NUIT then assigns the appropriate ACL to restrict access to only the approved data items.
Anticipating the Future
Getting ahead of the changes
Trends: Web-Based Access
• Web should be the primary tool for user access to applications
• Anticipates Web SSO
• Anticipates portal interfaces
• Minimizes platform dependencies
Trends: Data Security
• Custodians will grant access to data for specific purposes, not general use. Use may be audited.
• Limit information retained locally to what is unique to the application.
• Obtain general information as needed from the Registry, given performance requirements
Trends: Authentication and User Management
• NetID will become the universal identifier.
• Web SSO will be deployed.
• Password security concerns will limit some user management flexibility.
• Stronger authentication may be justified for some applications – but it is costly.
Trends: Web Services
• Exposure of central data will move to WS.
• Applications will use XML to expose data to portals.
• Real-time transaction systems will use WS to relay changes to other systems
Do’s and Don’ts
Do…
• Adopt NetID as your local identifier
• Migrate to NetID passwords
• Use two-step authentication binding to LDAP
Don’t…
• Stay on Windows NT
• Authenticate against Ph
• Assume you can construct a DN
• Write applications that see user passwords in clear text
More Advice…
• Learn about XML and Web Services
• Develop applications for the Web
• Involve NUIT early in planning and especially software acquisition
• Learn about data privacy regulations
• Think globally while acting locally
Questions?
http://www.it.northwestern.edu/isa/