Protecting Identities at FSU: Principles of SSN replacement
Jeff Bauer, Florida State University
The SSN Problem
– SSN is used as a method for authenticating students and employees via web and in-person challenges
– Mandates to protect & hide SSN abound
– SSN is still required for certain business processes (HR, external identity of students to Feds, etc.)
The Proposal (2003)
– This proposal was an attempt to combine identity terms and solve the SSN/multiple identity problem
– Proposal:
  – FSUID = new public “login name”/password
  – FSUSN = new “SSN-like” private number
  – A combined directory will manage this information
FSU Identifier (FSUID)
– Unique public identifier
– First part of a person’s address (for the most part)
– Easy to remember (even student ones)
– Rarely changes
– Log in for key systems (OMNI, Bb, VPN, etc.)
– Everybody gets one as soon as officially associated with the University
FSU Security Number (FSUSN)
– Unique private identifier (nobody should know this but the owner)
– 9 characters long (same as SSN), with letters thrown in to distinguish from a real SSN
– A little more difficult to remember, but not impossible
– Will never change (unlike some SSNs)
– Everybody gets one as soon as officially associated with the University
– Currently ONLY used by instructors as a secondary challenge for on-line grade submission
| Identifier | Example | Properties |
|---|---|---|
| SSN | “ ” | 9 digits, can change, ultra-private |
| FSUID | “jtbauer”, “ghs05c”, “stk6745”, “jmchannessey” | Easy to remember, first part of official FSU address, student ones are short (Lacher naming convention), public, can change if role/name changes (e.g., student to employee) |
| FSUSN | “KT ” | 9 alphanumeric, only change if security breach, ultra-private replacement for SSN as user index & secondary password challenge (e.g., on-line grade submission) |
| FSUCard | “ ” | 16 digits, can change, semi-private bank number, hard to memorize, but use of photo card for identification is great |
| OMNI EMPLID | “ ” | Only employees have them |
| Registration PIN | “4346” | Only students have them, archaic |
| 20-digit user key | “ ” | For internal use only |
Moving Away from SSN use
– Two categories of SSN use:
  – Appropriate/required: IRS purposes for employees, external agency identification for students (Financial Aid)
  – Inappropriate: Any use as an identifier where the information can be easily compromised or
  – Undesired: An alternate unique identifier could be used instead (SSNs in person, , printouts; SSNs on web forms that aren’t SSL’d nor blocked, etc.)
Appropriate use of SSN example
– Web registration for classes
Current State of Affairs
– Acknowledge that many student systems still use SSNs in a variety of ways (Admissions, Registration, Fee Payments, Housing, etc.).
– Acknowledge that new development in student systems tries to avoid using SSNs (difficult to do, though).
– Realize that replacing SSNs with FSUSNs in student systems will take time and money (not unlike the Y2K time & expense problem seven years ago).
– ** resource intensive ** (currently unfunded)
OTI Proposal
– FSU should mandate that all computer systems & business processes move away from inappropriate use of SSNs to a suitable SSN replacement.
– FSU should mandate that customers of identity information from now on obtain Vice President approval for providing SSNs.
Proposals
– All FSU offices (Admissions & Registrar, Orientation, Financial Aid, Student Financial Services, F&A, etc.) do an internal audit to discover inappropriate uses of SSNs in normal business practices.
– Any office with an inappropriate use should change its business process to use an identification method other than SSN (immediately for servers that have SSNs and that could be compromised).
– OTI can assist by researching and developing technological solutions that lessen the impact on business practices (card swipes of FSUCard for FSUCard SSN mapping, customized FSUID helpdesk lookup utility, etc.)
Proposals
– Student systems, with the dominance of SSNs on CICS “green screens”, printed forms and other business processes, require the largest effort to replace SSNs.
– Proposed that $200K for 3 years in time-limited E&G positions be established to convert existing mainframe-based student systems that use SSN as primary key.
– Note that movement to Oracle/PeopleSoft student systems will solve the SSN problem, but will be more expensive to implement.