Federal Student Aid Technical Architecture Initiatives - PowerPoint PPT Presentation

Slides: 51
Provided by: andrew9
Transcript and Presenter's Notes

1
Federal Student Aid Technical Architecture
Initiatives
Session T-03
  • James McMahon
  • Ganesh Reddy
  • U.S. Department of Education

2
Person Record Management System and PIN
Re-engineering
James McMahon
3
Gathering and Using Person Data
[Diagram: the lifecycle stages Aid Awareness and Application, Aid Delivery, and Servicing/Consolidation (DL, FFEL and Perkins) are each linked by "Create or Update" arrows to the CPS and PIN systems, which hold person data]
4
Why Person Data Management?
  • No single version of the truth for a customer
    account
  • Disparate systems developed with duplicative and
    conflicting information about applicants and
    recipients
  • Different system keys for identifying individuals
  • Use of the SSN in authentication and customer
    identification

5
Why Person Data Management? (cont'd)
  • Difficulty in developing single picture of
    customer data
  • Commingling of authentication and demographic
    functions
  • Lack of integration with enterprise security
    architecture
  • No flexibility in interfacing with authenticated
    and unauthenticated users

6
What will Person Data Management do?
  • Deploy a new paradigm for person data management
    via a shared service at the enterprise level that
    all business applications can use
  • Improve data quality for person data throughout
    the Student Aid Lifecycle
  • Enable increased tracking and reporting
    capabilities for program integrity and program
    oversight
  • Enable the Integrated Student View, Single
    Sign-On, and additional streamlining initiatives
  • Provide infrastructure to allow for elimination
    of use of SSN as key identifier in Federal
    Student Aid systems

7
What is the Person Data Management Program?
  • Person Data Management (PDM) comprises two major
    projects:
  • The Person Record Management Service (PRMS)
  • A re-engineering of the current PIN solution

8
What is PRMS?
  • PRMS will be Federal Student Aid's master record
    of an applicant's or recipient's demographic
    information
  • PRMS will be an enterprise shared service using a
    publish and subscribe model following
    Service-Oriented Architecture principles
  • Legacy applications will transition to use of the
    PRMS in a phased manner

9
What is PRMS? (cont'd)
  • Will provide an enterprise account number (FAN,
    FSA Account Number) for persons
  • Creates a unique identifier as the enterprise
    identifier
  • Protects the person's identity
  • Passes the new identifier to other systems
  • Allows people interacting with Federal Student
    Aid systems to not use personal identifying
    information to access detailed information
  • Helps in resolving data quality issues
  • Maintains history of person data
  • Acts as the master source/location of person data
    where it is maintained and shared with other
    internal systems

10
Conceptual Diagram of PRMS
Conceptual Depiction
11
What is PIN Re-engineering?
  • A re-engineered PIN solution will
  • Separate person demographic and authentication
    information and the functions associated
  • Introduce an enterprise approach to use of user
    ID and password
  • Strengthen the authentication credential (PIN)
  • Integrate the authentication function with
    Federal Student Aid's enterprise security
    architecture solution

12
Conceptual Diagram of Re-engineered PIN
13
PDM Solution(s) Conceptual Architecture
The PDM solution includes two databases: the Person
Data Hub and the Person Directory. The Person Data
Hub will be the new master data management solution
for person data, covering identity data (e.g., SSN,
name, DOB) and demographic data (e.g., address,
email address). The Person Directory will store a
copy of authentication information.
14
Questions?
15
  • Tactical Improvements to IT Security
  • Virtual Keyboard, Two Factor Authentication,
  • Active Confirmation and
  • FAA Access to CPS Online
  • Ganesh Reddy

16
Tactical Improvements to IT Security
  • Quick fixes and high-impact improvements that
    can be implemented in a short timeframe to
    enhance IT security
  • Virtual Keyboard
  • Implement technologies appropriate for Federal
    Student Aid that evade potential "key logging"
  • Two-Factor Authentication (T-FA)
  • Implement Two-Factor Authentication solution for
    privileged users to access National Student Loan
    Data System (NSLDS) from internet
  • Active Confirmation
  • Assess current state of access controls for
    partners and deploy an active confirmation
    process
  • FAA Access to CPS Online Login
  • Enhance current state of access to limit use of
    Personal Identifying Information (PII)

17
  • Virtual Keyboard

18
Keylogging Virtual Keyboard
  • Keylogging (Keystroke logging) is a method of
    capturing and recording user keystrokes. Some of
    the common technologies used to evade keylogging
    include
  • Anti-spyware
  • Monitoring what programs are running
  • Firewall
  • Network Monitors
  • Automatic form filler programs
  • Alternative keyboard layouts
  • One-time passwords
  • Smartcards
  • Virtual keyboards
  • Virtual keyboards are provided on the application
    login page and do not require end users to
    acquire additional software

19
Keylogging Virtual Keyboard
20
Keylogging Virtual Keyboard
21
Virtual Keyboard at Federal Student Aid
22
Federal Student Aid Virtual Keyboard Features
  • Virtual keyboards are provided on the Security
    Architecture (SA) login page and do not require
    end users to acquire additional software. Some of
    the features of the Federal Student Aid Virtual
    Keyboard include:
  • Highly effective in evading Key Logging
  • Widely used by many financial institutions
  • Least expensive technology to deploy (even for 50
    million users)
  • Does not require any new hardware or software on
    client machines
  • Does not require any changes to the applications
  • Available to all applications that use SA
  • Works in conjunction with the existing keyboard
  • Usage is optional but can be made mandatory based
    on security policy
  • Keys can be entered by mouse click or by leaving
    the mouse on the key for 2 seconds
  • Virtual keyboard randomly shifts on the screen
  • Supports multiple keyboard layouts (US and Dvorak)

23
  • Two-Factor Authentication

24
T-FA Implementation Objectives
  • Federal Student Aid is implementing Two-Factor
    Authentication (T-FA) for privileged users to
    access Federal Student Aid systems from the
    internet to enhance the security of its
    information systems

25
What is Two-Factor Authentication?
  • Two-Factor Authentication (T-FA) uses two pieces
    of information and processes (two different
    methods) to authenticate a person's identity for
    security purposes.
  • Authentication factors are generally classified
    into three categories
  • Something the user has
  • ID card, security token, software token, phone,
    or cell phone
  • Something the user knows
  • password, pass phrase, or personal identification
    number
  • Something the user is
  • fingerprint or retinal pattern, voice
    recognition, or another biometric identifier
  • Two-Factor Authentication requires the use of
    solutions from two of the three categories of
    factors.

26
T-FA Technologies
  • Some of the common technologies used as the
    second authentication factor in concert with User
    ID and Password include:
  • Hardware Tokens - generate a constantly changing
    one-time password to enable authentication.
  • Software Tokens on PCs - enable authentication
    with computer as second factor authenticator.
  • Software Tokens on Mobile Devices - allow
    authentication from smart phones and PDAs.
  • Smart Cards - enable authentication as well as
    physical access.
  • USB Tokens - enable authentication without the
    need to key in a token code (can be plugged into
    a standard USB port).
  • Biometric Devices - enable authentication
    according to the physical characteristics of a
    user (fingerprint and retina scans).

27
Federal Student Aid T-FA Features
  • Two-Factor Authentication solution features
  • Reliable, scalable, available, and meets
    sub-second performance standards
  • Compatible and interoperable with Federal Student
    Aid Standards
  • Integrates seamlessly with existing Federal
    Student Aid architectures
  • Supports web applications and does not require
    client-side software
  • Compliant with NIST, FIPS and other federal T-FA
    standards
  • Has ongoing operations and maintenance product
    support
  • Based on mature technology with a broad installed
    market base

28
  • Active Confirmation

29
What is Active Confirmation?
  • Active confirmation is the process of a
    Designated Point Administrator (DPA) reviewing
    users' access privileges on an established time
    schedule and confirming these users' privileges.
    This helps ensure that access to the systems
    remains current and secure.
  • The Federal Student Aid DPAs will be required to
    review their list of users who access Federal
    Student Aid systems and confirm that each
    individual continues to be a valid user. This
    will be done on a periodic basis.

30
Active Confirmation Process
  • The DPA Roster
  • Placed in all Primary TG Number mailboxes
  • Provided a list of employees that currently
    possess TG numbers
  • Requires validation or deletion of TG Numbers
    assigned to your organization in the SAIG
    Enrollment Web site
  • The FAA Roster
  • Placed in mailboxes of Primary TG Numbers of
    organizations
  • Provided a list of employees at your organization
    who are currently enrolled for access to FAA
    Access to CPS Online services
  • Requires validation or deletion of FAA Users
    assigned to your organization in the SAIG
    Enrollment Web site

31
  • FAA Access to CPS Online

32
FAA Access to CPS Online Login
  • Enhance current state of access to limit use of
    Personal Identifying Information (PII)
  • New FAA Access to CPS Online Login
  • First Time Registration
  • Self Service Password Reset
  • Implementation Schedule

33
Current FSA Web Enroll Site Login
Currently, users enter their SSN and DOB on the
login page to access the Student Aid Internet
WebEnroll site.
34
Current FAA Access to CPS Online Login
Currently, users enter their SSN, the first 2
letters of their last name, DOB, and PIN on the FAA
Access to CPS Online login page to access the
application.
35
New FAA Access to CPS Online Login
FAA Access to CPS Online Registration link can be
accessed from the FAA Access Login page
36
FSA SA Registration Confirm Identity
Confirm your identity by entering the FSA-provided
Unique Identifier
37
SA Registration - E-mail Address
Confirm or update your current Email address. Your
name, retrieved from the SAIG Participation
Management System, cannot be updated.
38
SA Registration - Select a Password
Select a password and choose any three Challenge
Response Questions and provide answers. These
questions will be used to reset your password.
39
SA Registration Confirm Role
Confirm the Role retrieved from SAIG
Participation Management enrollment system
40
SA Registration - Confirmation
  • Confirm the registration information

41
SA Registration - Acknowledgement
System confirms successful Registration. You
will receive your User ID by email.
42
Forgot Password
If you forget your password, the Forgot
Password link can be used to reset your
password. This link is located on the Login Page.
43
Forgot Password
  • Provide your User ID to retrieve your challenge
    questions

44
Answer Challenge Question
You will be prompted to answer one of the
Challenge Response Questions to confirm your
identity
45
Enter New Password
Provide a new password - this will replace your
old password
46
New Password Confirmation
Your password has been changed
47
FAA Access to CPS Online Login
fafsa.ed.gov/FOTWWebApp/faa/faa.jsp
Enter User ID and password on the FAA Access to
CPS Online Login page to access the application
48
Password Policies
  • Password Policy
  • Expires every 90 days
  • Complex alpha-numeric passwords
  • Answer challenge questions to reset password
  • Password Lockout
  • 3 unsuccessful login attempts
  • Can still use Forgot Password application
  • Login disabled for 30 minutes

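The lockout and expiry rules stated on this slide, written out as an added Python example; it is not code from the presentation or from Federal Student Aid's systems. The PBKDF2 hashing, the challenge-answer normalization, the reference clock T0 and the choice that a successful reset clears the lockout are assumptions made for the example.

```python
import hashlib, os, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Numbers are the ones stated on the "Password Policies" slide.
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_DURATION = timedelta(minutes=30)
PASSWORD_MAX_AGE = timedelta(days=90)
T0 = datetime(2008, 1, 1, 9, 0)  # constructed reference clock for the scenario

def later(days=0, minutes=0) -> datetime:
    return T0 + timedelta(days=days, minutes=minutes)

def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 is an assumption standing in for the real system's hashing.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    challenge: dict = field(default_factory=dict)  # question -> hashed answer
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def create_account(user_id: str, password: str, answers: dict, now: datetime) -> Account:
    salt = os.urandom(16)
    acct = Account(user_id, salt, _hash(password, salt), now)
    acct.challenge = {q: _hash(a.strip().lower(), salt) for q, a in answers.items()}
    return acct

def login(acct: Account, password: str, now: datetime) -> str:  # 'ok' | 'locked' | 'expired' | 'bad_password'
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"  # inside the 30-minute window, even with the right password
    if not secrets.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts, acct.locked_until = 0, now + LOCKOUT_DURATION
        return "bad_password"
    acct.failed_attempts, acct.locked_until = 0, None
    if now - acct.password_set_at >= PASSWORD_MAX_AGE:
        return "expired"  # correct password, but it must be changed before access
    return "ok"

def reset_password(acct: Account, question: str, answer: str, new_pw: str, now: datetime) -> bool:
    # Forgot Password path: usable while locked out, as the slide states.
    expected = acct.challenge.get(question)
    if expected is None or not secrets.compare_digest(_hash(answer.strip().lower(), acct.salt), expected):
        return False
    acct.pw_hash, acct.password_set_at = _hash(new_pw, acct.salt), now
    acct.failed_attempts, acct.locked_until = 0, None  # assumption: a reset clears the lockout
    return True
```
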
49
  • Questions?

50
Contact Information
  • We appreciate your feedback and comments. We can
    be reached at
  • james.mcmahon@ed.gov
  • ganesh.reddy@ed.gov