Multi-Factor Authentication

Similar documents
Project Name: Oracle Identity Manager 11gR2 Upgrade

Multi-Factor Authentication

The Research Foundation for The State University of New York Campus Security Administrator Handbook

INTEGRATING PING IDENTITY SOLUTIONS WITH GOOGLE IDENTITY SERVICES

Building an IAM Program at Portland State University. Polling URL:...

IAM Operations Transition CIO Council Review. January 23, 2016 Monday Smith Center 561 2:30 pm - 3:30 pm

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Interagency Advisory Board Meeting Agenda, May 27, 2010

SafeNet Authentication Service:

TIER Release One A Community Milestone, Why It's Important and What's Next

CIO Council Meeting May 21, 2015 River Falls, WI

BUYER S GUIDE: MFA BUYER S GUIDE. Evaluating and getting started with modern MFA solutions

Identity Brandeis University. #NERCOMPIdM bit.ly/nercomp_identitymgmt

Emory University Case Study I2 Day Camp

OSS TENDER PORTAL MANAGEMENT SYSTEM (ASP.NET)

BUYER S GUIDE: MFA BUYER S GUIDE. Evaluating and getting started with modern MFA solutions

Baseline Expectations for Trust in Federation: Increasing Trust and Interoperability in InCommon

Frequently Asked Questions (FAQs):

Enabling Cross-University Collaboration with Harvard IAM: TIER, InCommon, and Grouper. IT Summit 2015 June 4, 2015 Thursday 1:10-2:00 p.m.

IAM Task Force Update. April 3, 2015

Identity and Access Management. Mike Noel, Brandon Mills, Chris Pruess. Kris Halter

Digital Demand Capture Integration Guide

University of Wisconsin - Madison Project Charter Endpoint Management & Security Rationalization, Phases 1, 2 & 3

How to add pre-built workflows to my Nintex Workflow Cloud tenant USER GUIDE

Starfish Associates Playbook for Partners Cisco

CIO Council Project Completion Report. University Identity and Access Management (UIAM)

Starfish Associates Playbook for Partners Cisco

Citi Pay App Frequently Asked Questions

IAM Online Thursday, April 8, 2010

1 Building an Identity Management Business Case. 2 Agenda. 3 Business Challenges

The Hybrid Enterprise: Working Across On-premises, IaaS, PaaS and SaaS

Identity and Access Management

INCOMMON TRUST FEDERATION

CIO Council Meeting Notes

CLOUD ACCESS CONTROL 6 REASONS WHY IT S A MUST FOR YOUR COMPANY

Usher. Security, analytics & productivity all in a single solution

Tivoli Identity Manager at the Commonwealth Bank. Presenter: Jon Davies 3 August 2006

FAQs for bm Wallet. You can access bm Wallet app on all IOS and Android devices having good internet connectivity.

UW System CIO Council

Cloud & DevOps Program Big Group Update. Jan. 30, 2015 Friday 2:00-3:00 p.m. Lamont Library Forum Room

Onboarding Wizard. Delivered by

BUYER S GUIDE: CUSTOMER IDENTITY & ACCESS MANAGEMENT (CIAM)

Yes, You DO Need Visual IVR Frequently Asked Questions

IAM Committee Meeting Notes 3/13/2017

Extending Identity and Access Management to ios Mobile Devices

Project Initiation Document (PO003)

COPYRIGHTED MATERIAL WHAT S IN THIS CHAPTER?

Deltek Touch for Maconomy. Touch 2.2 User Guide

BUYER S GUIDE: MFA BUYER S GUIDE. Evaluating and Getting Started with Multi-factor Authentication Solutions

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On-Premise Software

Named User Deployment Migration Guide A Project Management Guide to taking full advantage of Adobe Creative Cloud for enterprise and Document Cloud

OSS CRM & SERVICE FULFILLMENT MANANGEMENT SYSTEM (ASP.NET) APPLICATION SPECIFICATIONS, FEATURES, DESCRIPTIONS AND & SCREEN SHOTS

IAM Online InCommon Technical Advisory Committee 2017 Work Plan

Solicitation # Account Provisioning and SSO Solutions Addendum #1 dated 2/14/2017

benefitsconnect USER MANUAL

IT Briefing. March 15, 2012 Psychology Building PAIS-290

Fraud and identity verification consulting case study maximize bookings and reduce operational costs by using the right data

USERS GUIDE. Change Management. Service Management and ServiceNow SERVICE EXCELLENCE SUITE

CIO Council Meeting Minutes

System and Software Architecture Description (SSAD)

Qlik Sense Seminar. An introduction to Qlik Sense. COPYRIGHT 2014 RESULT DATA - All Rights Reserved SLIDE 1

More than Mobile Forms Halliburton s Implementation of an End to End Solution

1 Building an Identity Management Business Case. 2 Agenda. 3 Business Challenges

UCD IT Services. Project Initiation Document. Version February Version History

EMV and Apple Pay. The world of credit cards is on the move.

PROJECT CONTROL DOCUMENT

T U T O R I A L Creating a Temporary Stipend Job Description using OACIS

Aegle. Department of Computer Science and Engineering The University of Texas at Arlington. Outreach Inventory System

FRCS VMS PKI - PKI Disclosure Statements Version 1.0 FRCS VMS PKI. PKI Disclosure Statements. Effective Date: 27 Dec Version: 1.0.

OSS ENTERPRISE E-PRODUCUREMENT MANANGEMENT SYSTEM (ASP.NET) Version: ASP.NET (3) Updated: 4Q/2007, v:g/1 Reference: Core Application 0103/88

The due date for return of RFP responses has been extended to July 11, 2017 at 2:00 p.m. CST due to the large volume of questions we have received.

Microsoft 365 Migration

InCommon and edugain: Joining the International Federation Community

CUSTOMER: LOCATION: INDUSTRY: OVERVIEW:

TABLE OF CONTENTS. 1. What is online enrollment? 2. Why online enrollment? 3. How online enrollment works. 4. Online enrollment technology

CMMS Expert Series. Part 3: Three Types of CMMS Setup. A helpful guide brought to you by Hippo CMMS Software Experts

Turning PSD2 Challenges into Business Opportunities.

OE Project Charter Template

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

CHOOSE THE RIGHT IDENTITY & ACCESS MANAGEMENT SOLUTION

HR Forum. April 3, 2013

Identity & Access Management IAM Lifecycle Committee. Feb. 29, 2016 Monday 10:00-11:30 a.m. 561 Smith Center

COMPLETING AN ELECTRONIC I-9 FOR A NEW HIRE HR MANAGER INSTRUCTIONS

SPE Tech Projects - Status Update Jason Brahms. SPE Technologies - Status Update 9/15/11

Ohio Environmental Protection Agency Operator Certification Update. March 23, 2017 Tanushree Courlas

Guardian Location Manager Interface: Electronic I-9

Aegis Therapies - Workday (WD)Employee Toolkit

DROIDRUSH Problem Statements. (B.Tech 2 nd and 3 rd year, MCA 1 st and 2 nd year)

GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

Why Enroll Online? 148x40

Justification to Carryover Prior Fiscal Year POs User Guide

November 2016 Poynt Reseller Portal and Merchant Onboarding Activation

Oracle PaaS and IaaS Universal Credits Service Descriptions

Identity Management Services

Infor Risk and Compliance for CDM Phase 2: Automate, integrate, manage, and report across your enterprise

STRATEGIC AREAS

Do More with Complete Mobile-Cloud Security from MobileIron Access

Sympa HR implementation description

Cloud Transformation Program Cloud Change Champions September 20, 2017

TOP 20 QUESTIONS TO ASK BEFORE SELECTING AN ENTERPRISE IAM VENDOR

Transcription:

Executive Summary Done: 1. Based on the team s initial assessment, the team recommends that we use Symantec s product. Unless the team identify serious issues during proof of concept (target completion date: July 31), we expect that we ll choose Symantec s product as our multi-factor authentication solution. The final purchasing decision will not be made until after we complete the proof of concept. 2. Major decisions made: a. Services that need to be delivered: i. Authentication (IAM): first day of pilot ii. Provisioning (UW Digital ID): first day of pilot iii. Contingency access (UW Digital ID): first day of pilot 1. Self-service (100% functional) 2. Help desk iv. De-provisioning (UW Digital ID): first day of pilot 1. The functionality needs to be there whether it is done manually or automatically v. Reporting/auditing (UW Digital ID, IAM, HRS Security): TBD b. Contingency access options: i. Challenge questions: available and will be recommended to users ii. SMS: available iii. Voice: available c. Authentication method: campus credential + token (OTP): no pin will be required 3. The project s wiki site (https://wiki.doit.wisc.edu/confluence/display/sfauth/multi- Factor+Authentication+Home) has been reorganized so that project stakeholders have a clear way to obtain official project information. The main page contains two main sections: i. Official Documents: everything that is listed under this section is official information. Only project managers and project leads should be allowed to post information under this section. ii. Working area: ideas, thoughts, unfinished documents the information is not official. Any team member can use this section to share their ideas and thoughts. 4. An FAQ page (Attachment A, https://wiki.doit.wisc.edu/confluence/pages/doeditpage.action?pageid=78780842) has been created to provide answers to some of the frequently asked project questions. As more decisions are made and more information is available, this page will be updated with new decisions and information. 1

To Do: 1. Campus communication a. LRA b. Help Desk c. Identify Managers d. HR Directors e. Core Users 2. Decisions need to be made (by Project Leads or Project Sponsors) on the following decision points by July 12 th in order for the team to meet the December 15 th deadline: a. Deploying multiple instances or a single instance of the service (Appendix A) b. How will we authorize OTP users in the UWDID application? c. How often may a user request a static OTP? d. When a credential is reported lost or stolen, should it be immediately revoked? (Recommendation: Yes, lost means permanently lost, not I forgot it at home). e. Does the user have to be credentialed when being issued subsequent tokens after the initial token? (Software or hardware)? f. How many and what type of challenge questions will be required for contingency access? g. There is a gap regarding EMP direct database and Interactive reporting access. Must this gap be addressed by December 15 or is this an item that we can address after the December date? Tentative High-level Timeframe Absolute deadline for HRS implementation (all campuses) is December 15, 2013. Any activities between now and December 15 have flexible target dates: Requirements Verification: April 30 Integration Design Option April 30 Proof of concept including Target Date: July 31 Design Review and Approval (User) Development Purchasing decision Target Date: August 5th Integration/Development: Target Date: August 31 Testing: Target Date: September 14 Pilot Target Date: September 15 to October 1 We need to be sensitive to campus s LRA s workload at the beginning of the semester. Staggered Deployment: Target Date: October 1 to December 15 2

Project Management Project management is responsible for identifying and tracking project tasks; identifying potential dependencies that impact the deliverables; communicate project status and manage project documentation (charter, requirements, plans etc.) Completed Activities Reorganized project wiki page Created an FAQ (https://wiki.doit.wisc.edu/confluence/pages/doeditpage.action?pageid=78780842 ) page Scheduled Symantec conference call (06/18) Scheduled RSA conference call (06/19) Ongoing/Upcoming Activities Continue working on the FAQ page Identify campus Help Desk managers Identify pilot campuses Application Integration and Deployment This tier is responsible for developing and reviewing processes, verifying requirements, testing and support during pilot and deployment phases. Completed Activities IAM-TAG presented the Integration Scenarios for OTP vendors Ongoing/Upcoming Activities Participate with vendor reviews UW-Digital ID UW-Digital ID is responsible for designing, documenting and providing training on issuance, maintenance and support of Tokens. Completed Activities Tested the Symantec Web API (Part of Proof of Concept) with the following functions: o Adding a user o Updating a user o Deleting a user o Adding a credential o Updating a credential o Removing a credential o Authenticating a credential (for testing purposes only) o Setting a temporary OTP o Sending temp OTP via SMS 3

o Sending temp OTP via Voice o Clearing a temp OTP Completed the first draft of issuance procedure Ongoing/Upcoming Activities Continue proof of concept with Symantec o Identify and document issuance and reissuance processes (the initial draft is completed; the process may need to be modified depending on the findings from the proof of concept) o Identify and document contingency access process (the initial draft is completed; the process may need to be modified depending on the findings from the proof of concept) o Develop self-service function for contingency access o Work with IAM and Security teams on reporting/auditing function Help identifying campus LRAs (start a list) Initiate communication to campus LRAs Middleware / IAM Middleware is responsible for building the agreed upon business solution once approved by the Multi-Factor Authentication governing bodies. Completed Activities Started proof of concept o Can authenticate users Ongoing/Upcoming Activities Continue working on proof of concept o Work with UW Digital ID and Security teams on reporting/auditing function (Proof of concept) o Work on authentication shim Work with UW Digital ID team on standard audit log o Work on building interface to Shibboleth o Work with HRS security to identify a way to automatically generate core user information o Work with Identity Management Team on adding additional Shibboleth attribute to identify core users Identify OTP integration strategy Continue working on technical requirements this won t be clear until we work on proof of concept with the vendor Help identifying campus Identify Managers Help identifying campus LDAP contacts Project Dependencies 4

Purchasing an OTP solution Solution functionality on providing a temporary form-factor for contingency access Customer s participation in communication process 5

Project Governance Structure Executive Committee Project Sponsor Lorie Docken John Krogman Project Lead Chris Liechty Stefan Wahe Project Manager Ching-tzu Chien Al Crist Julie Gordan Larry Henderson Customer Key Stakeholders CIO Council (Lorie Docken) HRS Functional Support (Larry Henderson, Mike Gollmar, Brad Bruegger, Rachel Holmquist) SFS Controlers (Julie Gordon) UW-TISC (Chris Liechty) UW-MIST (Stefan Wahe) ISIS MMT (Ilene Seltzer) OCIS (Jim Lowe) ITLP Project Team (Jeff Savoy, Mike Gollmar) IAM Steering Committee (Elena Pokot) Purchasiing Ruth Ginzberg End User HRS, SFS, and other potential common system users Vendor Team Lead Stefan Wahe John Kotolski Nick Davis Josh Campbell Team Lead SFS Josh Campbell John Kotolski Stefan Wahe Team Lead HRS Service Center John Kotolski Brad Krause Derrian Jones Mike Gollmar Team Lead Ty Letto Mike Roszkowski Bob Stenson Jeremy Scott Ryan Larscheidt Mark Weber Team Lead Joe Tarter Nick Davis Chris Spencer Andrew Hoffmann Other Support Training Communication HRS(Tim Miller, John Kotolski, Diane BlaskowSki) SFS (Ben Integration Design Team IAM Technical Advisory Team (Tom Jordan) IAM Support Team (Ty Letto) UW-Digital ID (Chris Spencer) Service Owner UW-Digital ID (Joe Tarter) DoIT Security Application Support/Security IAM Project Team UW-Digital ID Other Project Documentation All project documentation (project plan, status report, meeting notes, etc) is stored in the project s wiki site (https://wiki.doit.wisc.edu/confluence/display/sfauth/multi- Factor+Authentication+Home). The site serves as the official source of project information. All project stakeholders except for those who do not have wiki accounts have been granted site access. These individuals need to login to https://wiki.doit.wisc.edu/ at least once to have their wiki account created. Project Charter: https://wiki.doit.wisc.edu/confluence/display/sfauth/charter 6

Communication Plan: https://wiki.doit.wisc.edu/confluence/display/sfauth/communication+plan Appendix A: Decision Document 1. Deploying multiple instances (one per campus) or a single instance of the service Symantec s solution (VIP Manager) requires us to set up 16 instances (one for each campus). The July 16 th new release may allow us to only set up one account. However, if the team has to wait until July 16 th to decide on the integration approach, there s a huge possibility that we will not be able to meet the December 15th deadline. IAM-TAG presented the Options for One-Time Password Integration with HRS diagram (Attachment B) back in April 2013. The team decided that we would start with option 1 (OTP as a Wisconsin Federation Service) as a short term solution and then move to option 2 (OTP as a Campus Login) as the long-term solution (with the transition plan). We also don t want to preclude vendors that provide option 4 (OTP at the Network). The current version of VIP Manager does not allow us to implement option 1 and will force us to implement option 2 right away (if we cannot wait for its July 16 th new release which may allow us to only set up one instance). A decision needs to be made on whether we want to deploy multiple instances now for the HRS phase. Option 1: Deploying Single Instance Advantages: 1. Can be implemented in timeframe requested 2. Can be extended to SFS 3. Allows campus-by-campus migration to performing OTP 4. authentication for campus applications in the future 5. Does not require a change to the login interface for anyone other than HRS professional users. Risks: 1. Will work only for Wisconsin Federation apps will not work for local campus applications unless the application is integrated into the Federation. 2. Will not work for InCommon Federation apps 3. It is not available with Symantec s product until July 16, 2013 this may cause us not to meet our December deadline. Option 2: Deploying Multiple Instances Now 7

Advantages: 1. Provides long-term flexibility: is extensible to campus application as well 2. Can be used for InCommon or other external federation applications Risks: 1. Requires a change to each campus login server 2. OTP login option would be visible to all campus IdP users, not just HRS professionals 3. Creates service complexity and thus supportability UW Digital ID was designed with the goal of providing a -consistent- service experience across all system campuses. That consistent experience has the additional benefit of simplifying the service design, documentation, and supportability. In addition, the team needs to stay focus on implementing multi-factor authentication for HRS by December 15, 2013. With it stands, UW Digital ID team is not clear how that is possible with the multi-le service instance model. 8

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback