Title: The Mechanics of Electronic Technology _____
1The Mechanics of Electronic Technology_____
- Tim Bornholtz, FSA
- Michael Sessa, PESC
- Doug Jabbour, ELM Resources
- Matthew Sessa, AES
- Kim Shiflette, USA Funds
2Welcome and Introductions_____
3Todays Agenda
- Introduction to Authentication and FSA
- Authentication Standards
- ELM and Authentication
- Pin-less Electronic Signatures
- CRC, DTS and Authentication
- Meteor and Mapping Your Future
- Questions and Wrap-up
4Introduction to Authentication and FSA
Initiatives_____
5Terms and Definitions
- Authentication Who is this person?
- Authorization What is this person allowed to
do? - Accounting What did this person do while logged
in to the system?
6Delegated Administration
- Enables organizations to assign individuals with
specific security management tasks and duties - These individuals may be non-IT employees within
the organization or they may be members of
partner organizations
7Transitive Trust
- The practice of accepting a third-party
identification based on mutual consent between
two direct parties. - A trusts B
- B trusts C
- so
- A trusts C
8Does your workstation look like this?
9Today
10Future
11Why Are We All Working on These Issuesour
Business Reasons
1 Meets customers expectations for simplified
web access 2 Improves the security / privacy of
student aid data with fewer IDs and simpler
management 3 Reduces costs to FSA, schools, etc
12Moving to Self Service Access
Delegated Administration
Centralized Administration
FSA SYSTEMS
School B
School A
School B
School A
13Transitive Trust / Federated Identity
1 Transitive Trust and Federated Identitythe
practice of accepting a third-party identity
based on mutual consent between two direct
parties.
3 FSA does not plan to be a leader in this
spacewe will participate
14In Summary FSA is
1 moving forward with the Access Management
Team. 2 testing Tivoli Identity Manager (TIM)
and Tivoli Access Manager (TAM) as security
products. 3 moving toward a Delegated
Administration model. 4 participating in the
Transitive Trust discussionsnot leading.
15Questions?
- Tim Bornholtz
- tim.bornholtz_at_ed.gov
- Phone (202) 377-3465
16Authentication Standards_____
17PESCs Role
- Track and communicate current events and
happenings - Educate community on issues
- Facilitate identification of business problems
and potential solutions - Promote best practices, prototypes, reference
implementations, and community progression - Collaborate with influential organizations
(Federal Government, EAP, Liberty Alliance,
Internet 2)
18Federal Government
- The Federal Perspective www.CIO.gov/eAuthenticatio
n - OMB Guidance December 16, 2003 (M-0404) for
Government Paperwork Elimination Act of 1998 and
E-Government Act. - Assists agencies in determining their
authentication needs for electronic transactions. - Directs agencies to conduct e-authentication risk
assessments on electronic transactions to ensure
that there is a consistent approach across
government. - Provides the public with clearly understood
criteria for access to Federal government
services online.
19Federal Government
Four Assurance Levels Level 1 Little or no
confidence in the asserted identitys
validity. Level 2 Some confidence in the asserted
identitys validity. Level 3 High confidence in
the asserted identitys validity. Level 4 Very
high confidence in the asserted identitys
validity.
20Federal Government
- NIST Special Publication 800-63 January 2004
states specific technical requirements for each
of the four levels of assurance - Identity proofing, registration, and delivery of
credentials. - Tokens for proving identity.
- Remote authentication mechanisms (credentials,
tokens, and protocols used to establish that a
claimant is in fact the subscriber claimed to
be). - Assertion mechanisms used to communicate the
results of a remote authentication to other
parties.
21Federal Government
- Burton Group Report
- An independent program review of technical
architecture, interoperability, and trust
characteristics - EAP
- Available through www.CIO.gov/eAuthentication
22EAP
- EAP www.EAPartnership.com
- Formed by CSIS, OMB, and GSA.
- EAP is the multi-industry partnership working on
the vital task of enabling interoperability among
public and private electronic authentication
systems. - Goal is to create a free-standing non-profit
organization that will manage Authentication
similarly to how the networks for direct deposit
and ATMs are managed. - Bylaws finalized September 2004.
- Business Rules and Processes October 2004.
- Interoperability Report October 2004.
23 EAP
EAP Governance
Technical Interoperability
Accreditation Certification
Credential Assessment Criteria
Business Rules Processes
Assurance Levels
- Standards Body?
- Federated Infrastructure Provider?
- Both?
24Liberty Alliance
- Liberty Alliance www.ProjectLiberty.org
- Formed 9/2001, led by Sun Microsystems, and
includes American Express, Computer Associates,
GM, HP, Nokia, Novell, PingID, RSA Security, SAP,
Vodafone, IBM, Adobe, AOL, Fidelity, Intel, Bank
of America, Deloitte Touche, Oracle, Sony,
Verisign, US Department of Defense, US GSA, and
others (150 total) - Goal is to establish an open standard for
federated network identity by developing
technical specifications that support a broad
range of identity-based products and network
devices.
25Liberty Alliance
- Vision is to enable a networked world in which
individuals and businesses can more easily
conduct transactions while protecting the privacy
and security of identity information to create
the flexible, secure and open infrastructure that
is required to support and manage these online
services and transactions. - Includes specifications, conformance and
certification, product endorsement
26Internet 2
- Internet 2 www.Internet2.edu
- Shibboleth http//shibboleth.internet2.edu
- Launched 2/2000, it is an initiative to develop
an open, standards-based solution to meet the
needs for organizations to exchange information
about their users in a secure, and
privacy-preserving manner. The initiative is
facilitated by Internet2 and a group of leading
campus middleware architects from member schools
and corporate partners. - The purpose of the exchange is typically to
determine if a person using a web browser has the
permissions to access a resource at a target
resource based on information such as being a
member of an institution or a particular class.
27Questions?
- Michael Sessa
- sessa_at_pesc.org
- (202) 293-7383
28ELM and Authentication_____
- Doug Jabbour, ELM Resources
29What is ELM Resources?
- Mutual benefit corporation
- Alliance of lenders, guarantors, and servicers
- Cooperative venture, open to all
- Non-profit company
- Provider neutral
- Free services to schools
- Single point of data exchange
- Technology bridge
30ELM Is Open
- ELM members represent over 90 of FFEL volume
- All guarantors interfaced
- Provider neutral
- 1,200 schools using ELM
- Choice of lenders, guarantors, servicers
- Choice of providers based on service
- Control over loan process
- Supports all standard application flows
31What Does ELM Do?
- Loan delivery
- Central database
- Reports
- Inquiries
- National disbursement service
32(No Transcript)
33ELM NDN
- ELM NDN participants
- 982 schools for disbursements
- 272 schools use refund automation
- In 2003
- 3.65 million disbursements
- 7.9 billion - 44 v 2003
- In 2004
- Volume up approx. 40 YTD
- Est. 11 Billion
34ELM Growth In 10 Years
35ELM User Access
- Schools 5,372
- Lenders 1,386
- Guarantors 200
- Borrowers 110,060
36(No Transcript)
37ELM User Authentication
- Primary ELM focus is authentication for loan
processing - 1,200 plus schools 5,300 authorized school
users - School users are authorized to
- Inquire
- Update
- Exchange files
38ELM User Authentication
- Each school has an ELM-recognized security person
- This person authorizes each user at that school
- This person is responsible for notifying ELM of
staff changes
39ELM Security Enhancements
- Increasing the strength of the ELM password
- Size, construction
- Only the user knows the password
- Self-service password resets
- Reset every 90 days or sooner
40ELM User Authentication
- Future focus will be on students accessing ELMNet
via the school SIS - Behinds the scenes access to lenders, servicers,
and guarantors - Reliance upon the School for identification and
authentication - Schools are already moving in this direction
41ELM Authentication Issues
- Competing Demands
- Ease of use
- Privacy
- Security
- Accountability
- Federal Laws
- State Laws
42ELM Authentication Issues
- Diversity of ELM Members
- Federally Chartered Banks
- Credit Unions
- Guarantors
- Servicers
- Schools
43ELM Authentication Issues
- Diversity of Schools
- Large schools with sophisticated SIS
- Medium size schools
- Relatively small schools
- Schools that want to control all student/borrower
contact - Schools that want ELM or ELM Members to interact
with the student/borrower
44ELMNet Going Forward
- Looking to industry standards
- Looking to technology changes
- Trying to meet competing demands
- Ease of use
- Security and privacy
- Regulatory
- Federal and state laws
45How Do We work On It?
- Work with our Members
- School user meetings
- School Advisory Council
- National efforts
- NCHELP
- PESC
- CBA
46Questions?
- Doug Jabbour
- djabbour_at_elmresources.com
47Pin-less Authentication_____
48Agenda
- Emergence of Authentication Choices
- PIN vs. PINless
- On the horizon
- The role of standards
49Todays Choices
- PIN
- Student Authentication Network (STAN)
- PINless
- Credit Vendor
- Data match
- Out-of-wallet
- First Party plus school certification
50Decisions, decisions...
- STAN
- Right
- STAFFORD, Perkins, sometime PLUS and
Consolidation - Not Right
- State Grants, Alternative, sometimes PLUS and
Consolidation
51Decisions, decisions
- PINless - Data match with credit vendor
- Right
- No federal affiliation, relatively low-risk form
- Not Right
- High risk forms
- PINless - Out-of-wallet with credit vendor
- Right
- No federal affiliation, older demographic, high
risk - Not right
- young demographic and/or low risk
52AES has decided to offer the consumer part of the
choice
- AES will present choices based on risk and cost,
among other variables, including lender
participation - STAN where it makes sense and where it is
permitted - PINless if STAN is prohibited or consumer does
not have PIN - Where both authentication solutions are
appropriate, the consumer will have a choice
53Issues arising from offering choices
- Need to track the authentication method used for
each electronic signature - Counsel will have to defend multiple
authentication processes - Interoperability
54Why choices are necessary today
- STAN has built in restrictions
- Managing cost
- Even first party authentication and school
certification does not work where the borrower is
not certified (i.e. PLUS and some alternative
loans)
55Questions?
- Matthew Sessa
- msessa_at_aessuccess.org
- (717) 720-2248
56Common Record CommonLine, Data Transport
Standard and Authentication_____
57Session Objectives
- CRC Overview
- Convergence/Benefits
- Key Differences from CommonLine
- CRC Process
- Whats the same, Whats new
- Implementation Schedules
- Reference Information
- DTS Overview
58CRC Defined
- Common Record CommonLine (CRC)
- The new XML-based electronic data exchange
standard for FFELP and alternative loan
origination and disbursement processing - XML - In ordinary English, definitions related to
Schema include - A diagrammatic presentation
- The disposition of constituents in a pattern or
according to a scheme - A scheme or systematic arrangement
- XML terms describe and constrain the content and
sequence of content of XML documents
59Convergence Historical Perspective
- FFELP was pursuing implementation of CommonLine
5.0 - Flat and XML - At the same time SIS and FAMS vendors were
implementing FSAs new COD Common Record XML
requirements - Collaboration
- Created a Common Data Dictionary across higher
education - Developed similar XML schemas
- Similar processing concepts where appropriate and
possible
60Benefits of XML and CRC
- Allows schools to use one Record structure
between disparate databases or different systems - COD, CL, Meteor, Transcripts, etc.
- designed to meet the needs of the Schools and
FAMS Vendors - Converts Change Processes from Transaction-based
to End Result-based - Streamlines Application and Disbursement
Processes - support batch and real-time data exchange
- XML lets you send only the data needed for the
process being performed - Converts Change Processes from Transaction-based
to End Result-based
61Collaborative Business Requirements
- Reengineering required collaboration between
organizations FSA, NCHELP, PESC - Outcome - Maintain current CommonLine 5 functionality
- Maintain flexibility of FFELP processing for our
School customers - Emulate CRCOD where applicable - structure,
process and naming convention - Create a cross-industry data dictionary
62CRC Key Differences
- New formats, new names
- Loan Period Begin and End dates are now referred
to as ltFinancialAwardBeginDategt and
ltFinancialAwardEndDategt - Words are used when possible to represent
information. For example, US Citizen value (1) is
now Citizen - One student - multiple requests in same document
Originate, Change, etc. - Records sorted by attending school
- Support School Assigned ID for student and or
borrower
63CRC Document Structure
64CRC XML Structure
- ltCommonRecordgt
- ltDocumentInformationgtlt/DocumentInformationgt
- ltAttendedSchoolgt
- ltStudentgt
- ltLoangtlt/Loangt
- ltAwardgtlt/Awardgt
- ltDisbursementgtlt/Disbursementgt
- lt/Studentgt
- lt/AttendedSchoolgt
- lt/CommonRecordgt
65CRC Supported Processes
- Loan Requests
- Loan Reprint Requests
- Loan Termination Requests
- Loan Certification Requests
- Pre-guarantee Correction Requests
- Post-guarantee Change Requests
- Response Processing
- Disbursement Processing
66CRC Fun Facts
- Disbursement Day Override Indicator
- Ability to pass Credit Status data
- Minimal data for Pre-guarantee Corrections,
Reprint and Terminates - Only send corrected/changed data
- Disbursement Amounts can be passed for Stafford
and PLUS requests - New Response Formats and indicator
- Snapshot - everything
- Full what was sent
- Standard only indicates accept or reject
67Documentation
- CRC Implementation Guide 1.05 October 2004
- Rule, Layout, Examples, crosswalks
- Schema 1.01 October 2004
- Instance documents and structure
- Testing Tool 1.05 October 2004
- Verifies format, content and provide cross field
validation - Registry and Repository October 2004
- Schema and data element storage and management
68Implementation Schedule
- FAMS
- All are in various stages of analysis
- forecasting production implementations between
Fall 04 and Spring 05. - Sigma is looking for testing partners in Summer
04. - Stay in touch with your Vender
- HGS access documentation
- Service Providers
- planning schedules parallel to the vendor
timelines. - Phased and full implementation
- Most looking at spring 05
69Information Sources
- NCHELP - The CRC Implementation Guide is
available at www.nchelp.org - IFAP COD news, technical documentation,
updates, etc. at www.ifap.ed.gov - PESC XML Technical Specifications, Data
Dictionaries, Schemas, assistance and approvals,
etc. at www.pesc.org - Additional training TBD for 2005
70DTS - Data Transport Standard - A Standard for
Transmitting Data
- Chapter 1 In the beginning
- Need
- Vision and Collaboration
- Chapter 2 Getting there.
- Direction
- Requirements
- Chapter 3 Build it and they will come.
- Process
- Flow
- Potential Uses
- Chapter 4 Make it happen ....
- Workgroup structure and responsibility
- Implementation
71Chapter 1, In the beginning
72Need
- The concept of DTS began in 2003, when NCHELP
recognized a need to develop a transport process
to support the CRC initiative. - Specifically,
- real-time requests - no existing standard
- batched requests larger payloads w/ XML
format - consolidate support fewer exchange methods
- improve key management, guaranteed delivery,
etc. - single solution - new exchange participants
73DTS Vision and Collaboration
- Vision - A single standard for the real-time
transport to support - any data, any business process, any process
expectation (immediate, deferred, other), - any system and any time
- Collaboration - NCHELP members requested DTS be
developed in a collaborative manner - FSA, schools, lenders, guarantors and Financial
Aid Management System vendors - Representing various business sectors of the
higher education industry FFEL, DL, Admissions
and Registrars, MYF, Meteor, etc.
74Chapter 2, Getting there
Did she say something
Did I turn the stove off?
DTS is a standard...
Our first Industry Meeting
75Direction and Requirements
- Created Business team to evalulate
- the feasibility for a new standard,
- defined existing transport issues,
- defined business requirements
- and reviewed proposed transport options.
- Business Requirements
- Secure Data Transport and guaranteed Delivery
- Support payload types (routing) and process
expectations (immediate or deferred) - Support any Business Process
- Ensure Cost and Technology not a barrier to
adoption or use, Utilize Open Standards - Support Interoperability between disparite
systems- Computing Platform Independent
76Chapter 3 Build it and they will come.
77DTS Process
- DTS is a web service
- Client Backend System creates and processes
message/data to and from the DTS Client - DTS Client interfaces with client backend
system and DTS service to send/retrieve secure
message/data to and from the DTS Service - DTS Service verifies message/data is secure and
well formed from DTS client or DTS application - DTS Application interfaces with the DTS Service
and existing backend systems to send and respond
to message/data - A Backend System (s) creates, processes and or
generates message/data for the DTS application
78DTS Process Flow
- DTS Message DTS DTS Back
End - Client Data Service Application
System
Retrieve Interface Return
soap
Edit Acknowledge
Process return
Send Receive
soap
79DTS Potential Uses
- Deliver data only
- Immediate request immediate response
- Immediate request deferred response
- Deferred request - no immediate response
- Retrieve response for a specific deferred request
- Retrieve data
80Chapter 4 Make it happen ....
- Position Project to Succeed
- Industry Workgroup
- Industry Stakeholders
- Industry Solution
81PESC Workgroup Structure
- DTS Project - moved to PESC
- Chairperson Project oversight
- Community Spokesperson
- DTS Business Workgroup
- Identify stakeholders and requirements
- Oversight and approval for technical solutions
- DTS Technical Workgroup
- Develop technical solution, documentation, etc.
82Implementation, Documentation, Calls and Meetings
- Implementation
- Beta January 05
- Spring 05
- Web Site
- http//committees.nchelp.org/esc/eeat/default.aspx
- Select Data Transport Standard Project folder
- Working documents specs, project plans, process
flows, etc. - Technical Workgroup
- meets Tuesdays, at 1100 a.m. EST, and Thursday,
at 200 p.m. EST - Future Meetings
- EAC Las Vegas
- Additional workgroup meeting TBD
83Questions?
- Kim Shiflette
- kshiflet_at_usafunds.org
- (317) 806-1212
84Meteor and Mapping Your Future_____
85The Meteor Process
Access Providers
Data Providers
One
Financial Aid Professional or Student
Two
Index Providers
Three
86Enhancements
- NSC Loan locator is used to display the location
of the borrowers loans - Aggregate loan limit/underlying consolidation
loans - Consolidation Loans can be reported as
Subsidized, Unsubsidized, HEAL and Other
87Default Aversion Ideas
- Collaborations with Mapping Your Future
- Allow Skip-tracing staff to view contact
information from all providers (if they have a
relationship with the borrower) - Late Stage Delinquency Information
88Mapping Your Future
- Mapping Your Future is a public-service web site
(http//mapping-your-future.org) providing
career, college, financial aid, and financial
literacy information and services.
89Collaboration Discussion
- Mapping Your Future Meteor are collaborative
projects of the financial aid industry, both
with primary missions of serving schools,
students families. Sponsors volunteers of
both have expressed an interest in collaboration
between the two groups.
90Benefits of Projects
- Strengthens Meteor Mapping Your Futures
ability to provide financial aid information
services - Access OSLC Meteor data with one login
- Students receive loan information counseling in
one web visit, regardless of loan holder or
guarantor
91Benefits of Projects
- Default prevention
- Help schools meet regulatory requirement to
provide estimated repayment information - Provide more accurate up-to-date information to
students
92Proposed Projects
- Meteor school access
- Display Meteor data for students completing OSLC
- Pre-fill or display Meteor data for entry into
calculators
93Comparison Calculators
- MYF developing two calculators
- Demonstrate effects of various repayment plans
- Demonstrate interest capitalization
- Pre-fill or display Meteor data for entry into
calculators
94Questions?
- Adele Marsh, AES
- amarsh_at_aessuccess.org
- 717-720-2711
95Thank you for joining us!Please be sure to
complete your conference evaluation form!
- Tim Bornholtz, FSA
- Michael Sessa, PESC
- Doug Jabbour, ELM Resources
- Matthew Sessa, AES
- Kim Shiflette, USA Funds