Site Search

Roadmap - Home PDF Version Executive Summary 1. Concepts/Terms 2. The Need for Change2.1. The Change Itself 3. Develop your Plan for Change 3.1. Define the Problem 3.2. Define the Guiding Principles3.3. Inventory your Campus 3.4. Develop your Direction 4. Implement Change 4.1. Policy, Business Process and Technology4.2. Develop Policy Framework 4.3. Develop Business Processes 4.4. Develop Technology Infrastructure 4.5. Migrate to Production 5. Resources

<< previous | next >>

4.4. Develop Technology Infrastructure

• Assemble Existing Constraints and Map Business Requirements to Technology Requirements
• Decide on Mechanisms and Processes
• Perform Initial System Integration(s) in the Test Environment

A critical part of the design or architecture of your infrastructure is ensuring that it supports the business and policy requirements to a sufficient degree. If unacceptable gaps exist, the technology leads must work with the policy and process colleagues to achieve consensus on how to proceed. For example, the authentication technology requirements of a library providing access to resources for all state residents will tend to be very different from the authentication requirements necessary to secure an organization’s payroll and accounts payable operations.

At this stage, there are several basics tasks to be completed. (A more complete description of each of these tasks can be found in the design phase of the Enterprise Directory Implementation Roadmap).

Case Study (PDF) —Tom Barton from the University of Chicago discusses their authentication architecture.

The central authentication service will most likely consist of or be dependent on a set of central services, such as:

• LDAP directory,
• central web sign-on service,
• password activation and re-set site, and/or
• person registry tracking affiliation status of community members.

These in turn will be used by the applications integrated in the course of the overall project.

Assemble Existing Constraints and Map Business Requirements to Technology Requirements

In addition to identifying the components required, whether existing or new, consider any technology and staffing or organizational constraints and determine what you can and can't easily change. At this point, it's best to understand the spectrum of the business requirements and how they impact your available authentication (and identity management) technology choices before you wade off into making specific product decisions. Consider walking through the following issues:

• Applications - Determine what authentication mechanisms/protocols are supported by your target applications and environments (such as network operating system, if that is one of the items.) Do they support multiple authentication technologies? What do your legacy applications require?
• Authentication Service - What does your existing authentication architecture support and how secure and flexible is it now? Are you passing credentials in the clear — if so, for which applications and what are the associated risks ? What are the operational and development issues? If you are considering implementing a web single sign-on system, which applications will be easy to connect in and which won't be? Identify the authentication service operational and management requirements, such as service uptimes.
• Source Systems - How often is the authentication system updated and from where? Is the information associated with all the identified populations available in the current source systems? Do the new requirements have time targets or constraints?
• Credential Management - Review existing credential strength, assignment and reassignment processes, as well as passing, management, and reset methods.
• Identity and Account Management - Review the types of identifiers, role and affiliation attributes, and where they are stored. Determine the range of accounts, such as guest, contractor etc. that were identified as supported users. Determine the creation, change, and deletion requirements for identity and subsequent account management. Are there constraints or changes to note? What are the time requirements for account creation and deletion? How will the service be provisioned and what is the anticipated frequency or requests? How will the credential be linked to the information in the identity management system?
• Security Management - Identify the security-related requirements and their impact on the architecture and current strategies.What is the LoA(s) to be supported? You should be able to map these to the technical requirements as listed in the NIST Electronic Authentication Guideline Special Publication 800-63. Are multiple authentication systems required because of the specific needs of your legacy systems and/or security? Will you be implementing a single sign-on or reduced sign-on system? How strong do your passwords need to be?
• Personnel and Resources - What are your existing staff skills? Does your staff have the expertise and time to support more than one authentication methodology? Will you require outside consultants, and if so, for what specific tasks? Can you solve an existing operations problem by consolidating services and thus free up sufficient staff time?

Decide on Mechanisms and Products

Given the technical requirements identified above, there are a number of vendor and open-source solutions to consider. At this stage, you are deciding on your protocols and products to support. Common mechanisms include:

• Kerberos - Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well (e.g., Microsoft's Active Directory).
• LDAP Authentication - Lightweight Directory Access protocol is used to communicate with directory servers and defines how a client can authenticate to the directory server. Many web-based applications include a form where the user enters a userid and password; the application then attempts to "bind" to a local LDAP server with the user's credentials. The success or failure of the bind operation determines the success or failure of the user's authentication to the application. The basic implementation of this approach requires storing the user's password as an attribute of the user object, which is usually stored in a hashed form rather than plaintext. Plug-ins exist for several LDAP servers that can bypass password attribute search and instead attempt a login to an external service (usually Kerberos). This plug-in approach allows sites to deploy applications that only support LDAP-style authentication and to still avoid storing user passwords in the LDAP directory.
• Passwords over SSL/TLS - Current expected practice (it’s no longer merely best practice) is for web-based applications to create an SSL/TLS tunnel to the browser user whenever a user is asked to enter a password into a web form.
• Public Key Infrastructure (PKI) - PKI is based on the exchange of electronic credentials called certificates. With public key cryptography, institutions can provide the following:
  • highly reliable digital credentials supporting authentication and leading to scalable and flexible authorization;
  • strong encryption supporting data security in transit and storage;
  • true digital signatures supporting auditable transaction validation;
  • document integrity through the use of digital signature mechanisms.

For more information on these and other methodologies and common practices, refer to the further resources below.

• Check the EDUCAUSE Identity Management Working Group list for threads on this and other related topics.
• The IETF (Internet Engineering Task Force) is a standards organization responsible for many of the most widely used protocols on the Internet. The Security Area working groups have responsibility for Kerberos and many protocols related to public key technologies. Information about working groups in the security area is available here.
• The National Institute of Standards and Technology's Computer Security Division publishes a number of Practices, Checklists and Implementation Guides.
• The SANS (SysAdmin, Audit, Network, Security) Institute is a cooperative research and education organization. It maintains a large archive of relevant documents.
• Kerberos information
  MIT
  Microsoft
  IETF: RFC 1510
  KX.509 information - University of Michigan's distribution site for their Kerberos-to-PKI credential conversion software.
  PKINIT - University of Michigan's PKINIT site, the Kerberos Version 5 extension that provides for the use of public key cryptography.

• PKI Information
  Higher Education PKI Technical Activities Group (HEPKI-TAG)
  EDUCAUSE Identity Management Services Program
  

A Request for Information (RFI) from vendors of interest could be done at this stage for either a broader identity management package or authentication system. However, while purchasing an integrated vendor solution will impact the technical work, it does not reduce the identity-related policy and business process work associated with the identification and credentialing functions.

Case Study (PDF) – University of California Riverside Andrew Tristan explains the authentication approach at UC-Riverside.

Case Study (PDF) – Brandeis University William Goedicke discusses Brandeis University's identifier practices.

 

Perform Initial System Integration(s) in the Test Environment

Consider any dependencies that have emerged, which must first be acquired or upgraded before another implementation step can occur. These may include:

• Hardware acquisition
• Software acquisition
• Service acquisition
• Internal software development or upgrade
• Technical staff training
• End-user, support staff, and staff training (help desk, users {self service})
• Scheduling of on-site vendor participation
  

Run the initial implementation as a limited non-production pilot long enough to fully exercise all initial system capabilities and uncover unexpected wrinkles. Do extensive scaling and load testing. Modify system configuration and documentation as necessary. Make sure logs and related analysis tools are useful and events can truly be parsed, tracked, and audited. And finally, review the utility of documentation and the handling of unusual cases such as de-provisioning those users who, through malfeasance, lose the privilege to access services.

During the [next] stage, you'll work with the application stewards to set a trial run of all the processes and technology components to ensure things are running smoothly before you migrate to production.

<< previous | next >>