04/18/23 2
Information Technology
Where are We Going?
• Self-service.
• Increased security and privacy protections
• Real-time.
• More open access to information.
• Mobility.
Architecture Purpose
• Create reliable, extendable, standards-based, maintainable infrastructure
• Distribute management and development
• Speed deployment with increased reliability
• Support necessary security and extensive self-service applications
Expanded Architectural Model
[Diagram: layered architecture model. Layers: User Devices (Desktop, Mobile); Network (IP, VoIP, Wireless); Servers (Win2003, UNIX, Linux); Data Management (Oracle, SQL); Integration Middleware (Identity, SSO, Messaging); Core Enterprise Systems (Financial, HR, SES, CMS); School/Department/Division Applications (CONDUITS, School NAS). The layers are grouped as Platforms, Delivery Systems and Applications, with Directories, Security and Systems Management shown as cross-cutting columns.]
User Devices
• Situation
– Desktop, mobile, handheld units
• Current efforts
– Purchasing guidelines; anti-virus license
– Maintenance contracts; software site-licenses
• Future directions
– Device independence through Web interfaces
– Network backup services
Network
• Situation
– State-of-the-art connectivity
• Current efforts
– Access to national/international networks; on-campus wireless; iCAIR R&D
– Advancing applications of network
• Future directions
– Voice services (VoIP); cellular-IP services
– Role-based access and service levels
Servers
• Situation
– Highly-available service platforms
• Current efforts
– Redundant power and network paths
– Narrowing supported systems to focus skills
• Future directions
– Parallel/hot service site; flexible server management
– Consolidation of server support
Data Management
• Situation
– Holding and protecting University information
• Current efforts
– Data stewards moving to common definitions
• Future efforts
– Data warehousing for analysis and reporting
– Near real-time access to data across systems
– Standard reporting and data retrieval tools
Integration Middleware
• Situation
– Delegated identity management and access control
• Current efforts
– Improve identity management processes
– Deploy and leverage standard technology
• Future directions
– Define standard inter-application work flows
– Role-based portal to integrate presentation
Core Enterprise Systems
• Situation
– Two major systems replaced in past 6 years
• Current efforts
– Leverage abilities of newer systems (HRIS, SES)
– Implement new financial and research systems
• Future directions
– Integrate cross-system transactions
– Open data to near real-time secure queries
School/Department/Division Applications
• Situation
– Local systems holding institutional information
– Procurements often isolated from IT planning
• Current efforts
– Identify systems and data
• Future directions
– Procurements must meet integration plans
– Eliminate data replication; enforce security model
Systems Management
• Ensure service availability
• Current efforts
– Automatic monitoring of central network and central servers
• Future directions
– Monitor all network devices
– Monitor enterprise applications
Directories
• Authenticate and authorize
• Current efforts
– Widely-used identifier (NetID)
– Deploy standard infrastructure
• Future directions
– Web single sign-on
– Unified identity management for all applications
– Enterprise portal roles
Security
• Prevent intrusion or disruption
• Current efforts
– Installing network firewalls
– Installing intrusion detection
• Future directions
– Network-wide anti-virus
– Continuous vulnerability scanning
Integration Middleware
• Identity management, Web SSO
• System integration via Web Services (XML, SOAP, WSDL, SAML)
Web Single Sign-On
[Diagram: Browser, Authentication service, Web SSO Token, and two Application Web Servers.]
System Integration
Integrated enterprise systems can reduce the time to complete services across the University, eliminate manual steps (and errors), and create auditable transaction records.
A hiring event can trigger financial and service actions. Some actions could be immediate and others queued for review by service administrators before fulfillment.
Later events, such as completed training, can be promoted back into the HR record for the employee.
[Diagram: a Hiring Event in the Human Resources System fans out to actions: Provision NetID, Provision Wildcard, Encumber salary and benefits, Provision access, Schedule training, Provision ETES, Notify supervisor, Subscribe to email lists, Queue to ERP, Provision directory, Provision calendar, Provision local services, Queue to school, Notify unit funds manager; results flow back into the Employee Record.]
The Challenge – Application Silos
Application silos develop naturally around business systems and software under standard architectural planning and funding. Each business unit invents user management, tracks authorizations, and builds interfaces to other systems.
Silos limit views of institutional data, fragment security, require manual re-entry of data and detract from the user’s “integrated system” experience.
[Diagram: a single application silo, built jointly by a Business Unit and IT, containing its own Database, Processing, Reporting, Business Rules, Interfaces, Identity Management and Authentication, Authorization and Users.]
The Future
[Diagram: Users reach shared services provided by IT (IT IdM & Portal; IT Services and Facilities): Reporting, Role-Based Business Rules, Transaction Bus, Identity Management and Authentication, Warehouse, Processing. Each business unit keeps only its own Application/Business Rules and Database (Business Unit Focus).]
Importance of Identity Management
• Without robust Identity Management, we can never be confident of our security
• Without confidence in security, data stewards will not be willing to expose information
• Without current information, responsible decisions are difficult – hence shadow systems
• The University should change its culture to make information available to those with proper authorization by default
Fundamental Concepts
1. Service providers must have confidence in Identification and Authentication services.
2. Service providers determine the authentication strength required for their applications and data.
3. Application software must recognize central identity and support definition of local entitlements and access rules.
4. Digital identities should be derived from authoritative sources.
Current IdM Structure
[Diagram: separate identity stores fed largely by manual processes. Sources: HRIS, SES, SNAP, Admissions. Per-system authorization stores: SES Auth_z, HRIS Auth_z, CUFS Auth_z, Student SES Auth_z. Authentication services: Kerberos, Active Directory (with synchronization). Consumers: E-mail, Meeting Maker, VPN/Modems, Department Servers (NT4), Course Mgmt, ETES, Novell Servers, Windows Servers (Windows 2000/03), Department file & print services.]
Current Practice Issues
• Separate identity databases lead to multiple usernames and passwords for each principal. This increases security risk.
• Without ties to authoritative sources, changes in the status of a principal have delayed effect on authorizations.
• Disjoint systems make common role/rule authorizations impossible.
Future Requirements
• School/Division/Department system administration must be linked to central identity services
• Systems with secure information must be themselves secure
• Maintenance of authentication will be more distributed and less convenient for higher-security systems
• University must define business rules for when the status of an individual changes.
Future IdM Structure
[Diagram: HRIS, SES, SNAP and Admissions (plus manual feeds) populate an LDAP Registry, which serves Web Single Sign-On, E-mail, Meeting Maker, Course Mgmt, ETES, SES, HRIS, Financials, Department file & print services, Active Directory, Network, VPN, Research, Business Partners, Academic Partners and Novell eDirectory.]
LDAP Cluster
[Diagram: SES and HRIS feed the Registry (registry.northwestern.edu) by extraction; the load-balanced Registry replicates to the load-balanced White Pages directory (directory.northwestern.edu); SNAP is shown alongside; operated by IT Computing Services.]
Note: schematic – not an engineering representation
AD / eDirectory Structure
[Diagram: the Registry (LDAP) feeds an Enterprise forest containing School A, School B and Division Z.]
LDAP Access to Data Items
• Access is controlled in four ways:
– Anonymous bind to registry is reserved to known e-mail hosts
– User binding restricted by IP address
– Attribute retrieval protected by application credentialing and Access Control Lists
– White pages is an extract of registry data
Anonymous Binding
• Appropriate for white pages lookup
• Fast – no encryption
• Program binds, then queries by indexed attribute
• Return is defined by ACL
[Diagram: mail clients (Eudora, Outlook), a mail Relay and an unidentified client ("??") performing anonymous lookups against the LDAP Service.]
User Binding
• The only means to check username and password validity
• Restricted by IP address to avoid brute-force attacks
• Encrypted via SSL
• Will eventually be isolated from the application by SSO
• Return is defined by ACL
[Diagram: SES, SNAP and Hecky performing user binds against the LDAP Service.]
Attribute Retrieval Binding
• Application presents assigned credentials to bind as itself
• Queries and receives return defined by unique ACL
• Encrypted via SSL
• Ex: from NetID get DN and jpegphoto
[Diagram: NUTV, VPN and Course Mgmt binding as applications against the LDAP Service.]
IP Address Restrictions
• Restriction of LDAP protocols by IP address is performed by ITCS firewall
• Request-specific ACL limits exposure of data items
[Diagram: LDAP Registry with ACLs in front of the Registry Data.]
Typical Three-Step Scenario
• Binding with DN and password is IP-restricted and isolated from application coding
• Binding as an application presents credentials defining returned attributes
[Diagram: a Web Server (LDAP plug-in) and an Application Server (LDAP plug-in) each talk to the Registry over SSL; transaction data including the NetID passes from the web server to the application server.
1. Bind as web server, search by NetID for DN, then
2. Bind by DN to validate password
3. Bind as application. Key: NetID. Return: attributes]
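The access controls listed under LDAP Access to Data Items and the three-step scenario above, as an added Python simulation that is not part of the original presentation: a constructed in-memory registry stands in for the LDAP server, and the entry, application credentials, ACLs and network ranges are all assumed sample values. Step 1 resolves the NetID to a DN by searching rather than constructing it, step 2 accepts the password bind only from the permitted web-tier range, and step 3 returns only what the application's ACL allows, so the application never handles the password.

```python
from ipaddress import ip_address, ip_network

# Constructed sample registry (not Northwestern data): DN -> attributes
REGISTRY = {
    "uid=jdoe,ou=people,dc=example,dc=edu": {
        "uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
        "jpegphoto": "<jpeg bytes>", "userpassword": "correct-horse",
    },
}
# Assumed application credentials and per-identity ACLs (readable attributes)
APP_SECRETS = {"cn=webserver,ou=apps": "ws-secret", "cn=coursemgmt,ou=apps": "cm-secret"}
ACLS = {
    "cn=webserver,ou=apps": {"uid"},                # just enough to resolve NetID -> DN
    "cn=coursemgmt,ou=apps": {"uid", "jpegphoto"},  # what this application may read
}
# Assumed firewall policy: password (user) binds accepted only from the web tier
USER_BIND_NETS = [ip_network("10.10.1.0/24")]


def bind_app(dn, secret):
    """An application binds as itself; the bound identity selects its ACL."""
    if APP_SECRETS.get(dn) != secret:
        raise PermissionError("invalid application credentials")
    return dn


def bind_user(dn, password, src_ip):
    """Bind by DN to validate a password; IP-restricted to limit brute force."""
    if not any(ip_address(src_ip) in net for net in USER_BIND_NETS):
        raise PermissionError("user bind refused from %s" % src_ip)
    entry = REGISTRY.get(dn)
    if entry is None or entry["userpassword"] != password:
        raise PermissionError("invalid credentials")
    return dn


def search(identity, key, value, wanted):
    """Return only attributes the identity's ACL allows; never the password."""
    allowed = ACLS.get(identity, set()) - {"userpassword"}
    for dn, entry in REGISTRY.items():
        if entry.get(key) == value:
            return dn, {a: entry[a] for a in wanted if a in allowed and a in entry}
    raise LookupError("no entry for %s=%s" % (key, value))


def three_step_login(netid, password, src_ip, app_dn, app_secret, wanted):
    ws = bind_app("cn=webserver,ou=apps", "ws-secret")  # 1. bind as web server,
    dn, _ = search(ws, "uid", netid, [])                # search by NetID for its DN
    bind_user(dn, password, src_ip)                     # 2. bind by DN: password check
    app = bind_app(app_dn, app_secret)                  # 3. bind as application,
    return search(app, "uid", netid, wanted)[1]         # return only ACL-defined attrs
```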
How is Registry Access Governed?
• Due to the protections in place, access must be requested through NUIT.
• Requests must be approved by the custodian(s) of the data.
• NUIT then assigns the appropriate ACL to restrict access to only the approved data items.
Trends: Web-Based Access
• Web should be the primary tool for user access to applications
• Anticipates Web SSO
• Anticipates portal interfaces
• Minimizes platform dependencies
Trends: Data Security
• Custodians will grant access to data for specific purposes, not general use. Use may be audited.
• Limit information retained locally to what is unique to the application.
• Obtain general information as needed from the Registry, given performance requirements
Trends: Authentication and User Management
• NetID will become the universal identifier.
• Web SSO will be deployed.
• Password security concerns will limit some user management flexibility.
• Stronger authentication may be justified for some applications – but it is costly.
Trends: Web Services
• Exposure of central data will move to WS.
• Applications will use XML to expose data to portals.
• Real-time transaction systems will use WS to relay changes to other systems
Do’s and Don’ts
Do…
• Adopt NetID as your local identifier
• Migrate to NetID passwords
• Use two-step authentication binding to LDAP
Don’t…
• Stay on Windows NT
• Authenticate against Ph
• Assume you can construct a DN
• Write applications that see user passwords in clear text
More Advice…
• Learn about XML and Web Services
• Develop applications for the Web
• Involve NUIT early in planning and especially software acquisition
• Learn about data privacy regulations
• Think globally while acting locally