Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Technology Information Systems Architecture What’s new. What’s happening.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Technology Information Systems Architecture What’s new. What’s happening."— Presentation transcript:

1 Information Technology Information Systems Architecture What’s new. What’s happening.

2 Information Technology 6/4/20152 Where are We Going? Self-service. Increased security and privacy protections Real-time. More open access to information. Mobility.

3 Information Technology University System Architecture

4 Information Technology 6/4/20154 Architecture Purpose Create reliable, extendable, standards- based, maintainable infrastructure Distribute management and development Speed deployment with increased reliability Support necessary security and extensive self-service applications

5 Information Technology 6/4/20155 User Devices Network Servers Data Management Integration Middleware DirectoriesSecurity Systems Management Financial, HR, SES, CMS Identity, SSO, Messaging Oracle, SQL Win2003, UNIX, Linux IP, VOIP, Wireless Desktop, Mobile CONDUITS, School NAS Expanded Architectural Model School/Department/Division Applications Core Enterprise Systems Platforms Delivery Systems Applications

6 Information Technology 6/4/20156 User Devices Situation –Desktop, mobile, handheld units Current efforts –Purchasing guidelines; anti-virus license –Maintenance contracts; software site-licenses Future directions –Device independence through Web interfaces –Network backup services

7 Information Technology 6/4/20157 Network Situation –state-of-the-art connectivity Current efforts –Access to National/International networks; on- campus wireless; iCAIR R&D –Advancing applications of network Future directions –Voice services (VoIP); cellular-IP services –Role-based access and service levels

8 Information Technology 6/4/20158 Servers Situation –Highly-available service platforms Current efforts –Redundant power and network paths –Narrowing supported systems to focus skills Future directions –Parallel/hot service site; flexible server management –Consolidation of server support

9 Information Technology 6/4/20159 Data Management Situation –Holding and protecting University information Current efforts –Data stewards moving to common definitions Future efforts –Data warehousing for analysis and reporting –Near real-time access to data across systems –Standard reporting and data retrieval tools

10 Information Technology 6/4/201510 Integration Middleware Situation –Delegated identity management and access control Current efforts –Improve identity management processes –Deploy and leverage standard technology Future directions –Define standard inter-application work flows –Role-based portal to integrate presentation

11 Information Technology 6/4/201511 Core Enterprise Systems Situation –Two major systems replaced in past 6 years Current efforts –Leverage abilities of newer systems (HRIS, SES) –Implement new financial and research systems Future directions –Integrate cross-system transactions –Open data to near real-time secure queries

12 Information Technology 6/4/201512 School/Department/Division Applications Situation –Local systems holding institutional information –Procurements often isolated from IT planning Current efforts –Identify systems and data Future directions –Procurements must meet integration plans –Eliminate data replication; enforce security model

13 Information Technology 6/4/201513 Systems Management Ensure service availability Current efforts –Automatic monitoring of central network and central servers Future directions –Monitor all network devices –Monitor enterprise applications

14 Information Technology 6/4/201514 Directories Authenticate and authorize Current efforts –Widely-used identifier (NetID) –Deploy standard infrastructure Future directions –Web single sign-on –Unified identity management for all applications –Enterprise portal roles

15 Information Technology 6/4/201515 Security Prevent intrusion or disruption Current efforts –Installing network firewalls –Installing intrusion detection Future directions –Network-wide anti-virus –Continuous vulnerability scanning

16 Information Technology 6/4/201516 User Devices Network Servers Data Management Integration Middleware DirectoriesSecurity Systems Management Financial, HR, SES, CMS Identity, SSO, Messaging Oracle, SQL Win2003, UNIX, Linux IP, VOIP, Wireless Desktop, Mobile CONDUITS, School NAS Expanded Architectural Model School/Department/Division Applications Core Enterprise Systems Platforms Delivery Systems Applications

17 Information Technology 6/4/201517 Integration Middleware Identity management, Web SSO System integration via Web Services (XML, SOAP, WSDL, SAML)

18 Information Technology 6/4/201518 Web Single Sign-On Application Web Server Authentication Application Web Server Browser Web SSO Token

19 Information Technology 6/4/201519 System Integration Integrated enterprise systems can reduce the time to complete services across the University, eliminate manual steps (and errors), and create auditable transaction records. A hiring event can trigger financial and service actions. Some actions could be immediate and others queued for review by service administrators before fulfillment. Later events, such as completed training, can be promoted back into the HR record for the employee. Human Resources System Hiring Event Provision NetID Provision Wildcard Encumber salary and benefits Provision access Schedule training Provision ETES Notify supervisor Subscribe to email lists Queue to ERP Notify supervisor Provision directory Provision calendar Provision local services Schedule training Subscribe to email lists Queue to school Notify supervisor Notify unit fundsmgr Employee Record

20 Information Technology 6/4/201520 The Challenge – Application Silos Application silos develop naturally around business systems and software under standard architectural planning and funding. Each business unit invents user management, tracks authorizations, and builds interfaces to other systems. Silos limit views of institutional data, fragment security, require manual re-entry of data and detract from the user’s “integrated system” experience. Business Unit IT

21 Information Technology 6/4/201521 The Future IT IdM & Portal IT Services and Facilities Business Unit Focus

22 Information Technology Authentication & Authorization

23 Information Technology 6/4/201523 Importance of Identity Management Without robust Identity Management, we can never be confident of our security Without confidence in security, data stewards will not be willing to expose information Without current information, responsible decisions are difficult – hence shadow systems The University should change its culture to make information available to those with proper authorization by default

24 Information Technology 6/4/201524 Fundamental Concepts 1.Service providers must have confidence in Identification and Authentication services. 2.Service providers determine the authentication strength required for their applications and data. 3.Application software must recognize central identity and support definition of local entitlements and access rules. 4.Digital identities should be derived from authoritative sources.

25 Information Technology 6/4/201525 Current IdM Structure

26 Information Technology 6/4/201526 Current Practice Issues Separate identity databases lead to multiple usernames and passwords for each principal. This increases security risk. Without ties to authoritative sources, changes in the status of a principal have delayed effect on authorizations. Disjoint systems make common role/rule authorizations impossible

27 Information Technology 6/4/201527 Future Requirements School/Division/Department system administration must be linked to central identity services Systems with secure information must be themselves secure Maintenance of authentication will be more distributed and less convenient for higher-security systems University must define business rules for when the status of an individual changes.

28 Information Technology 6/4/201528 Future IdM Structure

29 Information Technology 6/4/201529 LDAP Cluster SESHRIS Load balancing Load balancing Replication registry.northwestern.edudirectory.northwestern.edu IT Computing Services Extraction Replication SNAP RegistryWhite Pages Note: schematic – not an engineering representation

30 Information Technology 6/4/201530 Registry (LDAP) Enterprise forest School A School B Division Z AD / eDirectory Structure

31 Information Technology 6/4/201531 LDAP Access to Data Items Access is controlled in four ways: –Anonymous bind to registry is reserved to known e-mail hosts –User binding restricted by IP address –Attribute retrieval protected by application credentialing and Access Control Lists –White pages is an extract of registry data

32 Information Technology 6/4/201532 Anonymous Binding Appropriate for white pages lookup Fast – no encryption Program binds, then queries by indexed attribute Return is defined by ACL Eudora Outlook Relay LDAP Service ??

33 Information Technology 6/4/201533 User Binding The only means to check username and password validity Restricted by IP address to avoid brute-force attacks Encrypted via SSL Will eventually be isolated from the application by SSO Return is defined by ACL SES SNAP Hecky LDAP Service

34 Information Technology 6/4/201534 Attribute Retrieval Binding Application presents assigned credentials to bind as itself Queries and receives return defined by unique ACL Encrypted via SSL Ex: from NetID get DN and jpegphoto NUTV VPN Course Mgmt LDAP Service

35 Information Technology 6/4/201535 IP Address Restrictions Restriction of LDAP protocols by IP address is performed by ITCS firewall Request-specific ACL limits exposure of data items ACLs Registry Data LDAP Registry

36 Information Technology 6/4/201536 Typical Three-Step Scenario Binding with DN and password is IP-restricted and isolated from application coding Binding as an application presents credentials defining returned attributes LDAP Plug-in Web Server LDAP Plug-in Application Server Registry 3. Bind as application Key: NetID Return: attributes Transaction data including NetID 1.Bind as web server, search by NetID for DN, then 2.Bind by DN to validate password (SSL)

37 Information Technology 6/4/201537 How is Registry Access Governed? Due to the protections in place, access must be requested through NUIT. Requests must be approved by the custodian(s) of the data. NUIT then assigns the appropriate ACL to restrict access to only the approved data items.

38 Information Technology Anticipating the Future Getting ahead of the changes

39 Information Technology 6/4/201539 Trends: Web-Based Access Web should be the primary tool for user access to applications Anticipates Web SSO Anticipates portal interfaces Minimizes platform dependencies

40 Information Technology 6/4/201540 Trends: Data Security Custodians will grant access to data for specific purposes, not general use. Use may be audited. Limit information retained locally to what is unique to the application. Obtain general information as needed from the Registry, given performance requirements

41 Information Technology 6/4/201541 Trends: Authentication and User Management NetID will become the universal identifier. Web SSO will be deployed. Password security concerns will limit some user management flexibility. Stronger authentication may be justified for some applications – but it is costly.

42 Information Technology 6/4/201542 Trends: Web Services Exposure of central data will move to WS. Applications will use XML to expose data to portals. Real-time transaction systems will use WS to relay changes to other systems

43 Information Technology 6/4/201543 Do’s and Don’ts Adopt NetID as your local identifier Migrate to NetID passwords Use two-step authentication binding to LDAP Stay on Windows NT Authenticate against Ph Assume you can construct a DN Write applications that see user passwords in clear text Do… Don’t…

44 Information Technology 6/4/201544 More Advice… Learn about XML and Web Services Develop applications for the Web Involve NUIT early in planning and especially software acquisition Learn about data privacy regulations Think globally while acting locally

45 Information Technology Questions? http://www.it.northwestern.edu/isa/

Download ppt "Information Technology Information Systems Architecture What’s new. What’s happening."

Similar presentations

Unified Communications Bill Palmer ADNET Technologies, Inc.

Unified Communications Bill Palmer ADNET Technologies, Inc.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.

User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.

Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.
Information Technology Registry Services Security LDAP-based Attributes and Authentication.

Information Technology Registry Services Security LDAP-based Attributes and Authentication.
1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.
Oracle Beehive Vivek Pavle Orabyte LLC www.orabyte.com Orabyte.

Oracle Beehive Vivek Pavle Orabyte LLC Orabyte.
1 Identity Management and Access Control Status UNITS Forum, June 2006 Tom Board, NUIT Info Systems Architecture.

1 Identity Management and Access Control Status UNITS Forum, June 2006 Tom Board, NUIT Info Systems Architecture.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.

Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Directory Architecture Plans and Status UNITS Meeting Feb 2005 Tom Board, Director, ISA.

Directory Architecture Plans and Status UNITS Meeting Feb 2005 Tom Board, Director, ISA.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
SIMI: ISO Perspective Al ISO CSU Northridge

SIMI: ISO Perspective Al ISO CSU Northridge
User Authentication for Enterprise Applications - The Future in Transitions.

User Authentication for Enterprise Applications - The Future in Transitions.
Identity and Access Management

Identity and Access Management

Similar presentations

Ads by Google