MNA and AD accounts are merging - PowerPoint PPT Presentation

Provided by: mitchelle
Learn more at: http://www.musc.edu

Transcript and Presenter's Notes


1
MNA and AD accounts are merging
  • Your MNA or AD password may have to change.
  • For a good cause: you'll only have to remember
    one password that is good for both MNA and AD
    (LYNX and WebApps).
  • MNA + AD = NetID

2
NetID project
3
How and Why?
  • How? - Implementing Sun Java Identity Manager
  • Why do we need an Identity and Access Management
    System?

4
What is Identity and Access Management?
5
What is Authorization?
  • Example: The Hospital Authority's Information
    Assurance Compliance Officer notices that a user
    who logged in as morrisom edited a patient's
    record. The IACO may have several questions:
  • How was morrisom granted access to edit the
    patient's record? morrisom has a login_id and
    password in OACIS's user table.
  • Who authorized morrisom to have access to
    OACIS? Bill Rust, her supervisor.
  • Should morrisom still be authorized to have
    access to OACIS?
  • The authorization layer is not enough.

6
What is Authentication?
  • More of the IACO's questions:
  • How can I be sure morrisom actually edited the
    patient's record? morrisom successfully used a
    password that matched OACIS's user table.
  • Can morrisom reasonably deny that they were the
    one who edited the patient's record?
  • How was morrisom given her login_id and
    password?
  • The middle layer involves distributing login_ids
    and passwords.
  • The authentication layer is not enough.

7
What is Registration?
  • More of the IACO's questions:
  • Who is morrisom? morrisom was registered to
    Mitchelle Morrison. She is an active contract
    employee in the OCIO-IS department, employed by
    Quovadx.
  • Did morrisom receive a background check?
  • The foundation (bottom layer) involves checking a
    person's paper credentials (social security card,
    etc.)
  • It also involves determining whether the person
    was previously registered.
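The three layers of slides 5 to 7 (registration at the bottom, authentication in the middle, authorization on top) as a small Python data model, added here as an illustration; it is not MUSC's code and not Sun Java Identity Manager's. The contract end date, the OACIS rights and the `background_checked` flag are constructed sample values following the slides' morrisom example, and recording the background check on the registration record is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Registration:
    """Bottom layer: who the login_id was registered to and who vouched for them."""
    person: str
    sponsor: str
    department: str
    employer: str
    background_checked: bool          # assumed to be recorded at registration time
    end_date: Optional[date] = None   # None means open-ended

    def is_active(self, today: date) -> bool:
        return self.end_date is None or today <= self.end_date


@dataclass
class Authorization:
    """Top layer: a grant of rights on one system, and who granted it."""
    system: str
    rights: Set[str]
    granted_by: str


@dataclass
class Account:
    """Middle layer: the login_id that a password is checked against."""
    login_id: str
    registration: Registration
    authorizations: List[Authorization] = field(default_factory=list)


def review_access(account: Account, system: str, right: str, today: date) -> Dict[str, object]:
    """Answer the IACO's questions for one login_id/system/right from the records.

    "has_right" is all the authorization layer alone can say; "should_still_have_access"
    also consults the registration layer, which is why the slides say the
    authorization layer is not enough.
    """
    grants = [a for a in account.authorizations if a.system == system and right in a.rights]
    reg = account.registration
    active = reg.is_active(today)
    return {
        "login_id": account.login_id,
        "person": reg.person,
        "sponsor": reg.sponsor,
        "granted_by": sorted({g.granted_by for g in grants}),
        "has_right": bool(grants),
        "registration_active": active,
        "background_checked": reg.background_checked,
        "should_still_have_access": bool(grants) and active and reg.background_checked,
    }


# Constructed sample data following the slides' morrisom example; the contract
# end date and the OACIS rights are invented for the illustration.
MORRISOM = Account(
    login_id="morrisom",
    registration=Registration(
        person="Mitchelle Morrison", sponsor="Bill Rust",
        department="OCIO-IS", employer="Quovadx",
        background_checked=True, end_date=date(2006, 12, 31)),
    authorizations=[Authorization("OACIS", {"read", "edit"}, "Bill Rust")],
)
DURING_CONTRACT = date(2006, 7, 1)
AFTER_CONTRACT = date(2007, 2, 1)

if __name__ == "__main__":
    for when in (DURING_CONTRACT, AFTER_CONTRACT):
        print(when, review_access(MORRISOM, "OACIS", "edit", when))
```

Run on the two dates, the same grant yields "has_right" both times, but "should_still_have_access" flips to false once the registration has lapsed, which is the review the IACO actually wants.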

8
Identity and Access Management
9
What is a NetID?
  • The NetID is the account that will grant a user
    access to the MUSC network. As soon as a user
    activates their account they will be provisioned
    in each supported authentication resource. In
    practical terms, the NetID is a merging of the
    MNA and AD accounts.
  • All current MNA and AD authentication mechanisms
    will continue to work as they do today.

10
What's wrong with MNA and AD accounts?
  • An AD account provides Microsoft Active Directory
    as an authentication mechanism for LYNX managed
    workstations and for WebApps
  • Among other things, MNA provides /etc/passwd and
    authLDAP as authentication mechanisms.
  • Rather than focus on the authentication
    mechanism, we chose to focus on identity
    management and centrally provision as many
    authentication mechanisms as needed.
  • Thus standards regarding passwords and account
    names can be consistently implemented and
    audited.

11
What are the NetID standards?
  • http://www.musc.edu/iams/Standards_and_Guidelines/NetID.html

12
What do the NetID standards address?
  • Namespace
  • Password Complexity
  • Password Distribution
  • Registration

13
Namespace
  • The NetID for new users will consist of the
    user's initials with digits added as necessary
    for uniqueness.
  • New users will receive an email alias based on
    their name, using the same algorithm currently
    used to generate MNA or AD accounts.
  • The email alias can be changed upon request.

14
Namespace Example
  • Robert Jackson Smith could receive rjs5 as his
    NetID and smithrj as his email alias
  • Robert Jackson Smith would then log in to the
    network as rjs5, and smithrj would be
    published in the Online directory.
  • He logs into his email system as rjs5.
  • His email system will be configured to publish
    his outgoing mail as coming from smithrj.
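The namespace rules of slides 13 and 14 as an added Python example; this is not MUSC's code and not the generator inside Sun Java Identity Manager. The NetID rule (initials, with a digit appended only when the bare initials are taken) is as the slide states it. The email-alias pattern, last name followed by first and middle initial, is assumed from the smithrj example, because the slide only says the alias reuses the existing MNA/AD algorithm. The sets of already-issued names are constructed.

```python
import re
import unicodedata
from typing import Dict, Set


def _letters(name: str) -> str:
    """Lower-case ASCII letters only: strips accents, hyphens, apostrophes and spaces."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def _unique(base: str, taken: Set[str]) -> str:
    """Return base itself if free, otherwise base plus the smallest positive integer that is free."""
    if base not in taken:
        return base
    n = 1
    while f"{base}{n}" in taken:
        n += 1
    return f"{base}{n}"


def netid_base(first: str, middle: str, last: str) -> str:
    """NetID base: the user's initials (the middle initial is omitted if there is no middle name)."""
    base = "".join(_letters(part)[:1] for part in (first, middle, last))
    if len(base) < 2:
        raise ValueError("need at least a first and a last name")
    return base


def alias_base(first: str, middle: str, last: str) -> str:
    """Email alias base, assumed from the smithrj example: last name + first initial + middle initial."""
    return _letters(last) + _letters(first)[:1] + _letters(middle)[:1]


def provision_names(first: str, middle: str, last: str,
                    taken_netids: Set[str], taken_aliases: Set[str]) -> Dict[str, str]:
    """Assign both identifiers and reserve them in the caller's sets so the next user cannot collide."""
    netid = _unique(netid_base(first, middle, last), taken_netids)
    alias = _unique(alias_base(first, middle, last), taken_aliases)
    taken_netids.add(netid)
    taken_aliases.add(alias)
    return {"netid": netid, "email_alias": alias}


if __name__ == "__main__":
    # Constructed state: rjs and rjs1..rjs4 were already issued, so Robert Jackson Smith gets rjs5
    netids = {"rjs", "rjs1", "rjs2", "rjs3", "rjs4"}
    aliases = set()
    print(provision_names("Robert", "Jackson", "Smith", netids, aliases))   # rjs5 / smithrj
    print(provision_names("Robert", "James", "Smith", netids, aliases))     # rjs6 / smithrj1
```

The two identifiers are deliberately kept in separate namespaces: a NetID is the thing a user types to log in, an alias is what the directory publishes, and the slide's own example (rjs5 versus smithrj) shows they are never expected to be the same string.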

15
Password Complexity
  • Passwords must be between 6 and 10 characters
    long.
  • Passwords must contain at least 3 of the
    following: a numeric character, an uppercase
    character, a lowercase character, or a special
    character.
  • Must not contain the username
  • Must not contain the first name, preferred name
    or the last name
  • Must not be in the Identity Management dictionary
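The password standard of slide 15 as an added checker, written here as an illustration and not taken from MUSC or from Identity Manager. The dictionary below is a constructed stand-in for the Identity Management dictionary, and "must not contain" the username or a name is read as a case-insensitive substring test, which is an assumption about how the standard is enforced.

```python
import string
from typing import List, Optional, Set

MIN_LENGTH, MAX_LENGTH = 6, 10
SPECIAL = set(string.punctuation)

# Constructed stand-in for the Identity Management dictionary (the real list is not on the slide).
DICTIONARY: Set[str] = {"password", "welcome", "letmein", "musc2006", "summer06"}


def check_password(password: str, username: str, first_name: str, last_name: str,
                   preferred_name: Optional[str] = None,
                   dictionary: Set[str] = DICTIONARY) -> List[str]:
    """Return every rule the password breaks; an empty list means it is acceptable."""
    problems: List[str] = []

    # length: between 6 and 10 characters
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")

    # character classes: at least 3 of numeric, uppercase, lowercase, special
    classes = sum([
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in SPECIAL for c in password),
    ])
    if classes < 3:
        problems.append("needs 3 of: numeric, uppercase, lowercase, special")

    # must not contain the username, first name, preferred name or last name
    lowered = password.lower()
    for label, name in (("username", username), ("first name", first_name),
                        ("preferred name", preferred_name), ("last name", last_name)):
        if name and name.strip().lower() in lowered:
            problems.append(f"must not contain the {label}")

    # must not be a dictionary entry (compared case-insensitively)
    if lowered in dictionary:
        problems.append("in the Identity Management dictionary")

    return problems


if __name__ == "__main__":
    for candidate in ("Xk7#pq", "Rjs5Abc!", "abcdefgh", "Password", "Bobby7#xy"):
        print(candidate, check_password(candidate, "rjs5", "Robert", "Smith", preferred_name="Bob"))
```

Returning the full list of violations rather than a single boolean lets the activation page tell the user every rule they missed at once, which reduces the number of round trips to the designated security station when a temporary password is being replaced.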

16
Password Distribution
  • Users must pick up their NetID username and a
    temporary password at a designated security
    station
  • The user must then activate their NetID within 60
    days.
  • The activation process entails:
      • Agreeing to the Computer Use Policy and Security
        and Confidentiality Agreement
      • Establishing 3 shared secrets
      • Changing their password.

17
Password Changing
  • As long as the password adheres to the password
    policy, password changing will not be required.
  • The NetID password may be changed by going to the
    Identity Manager website.
  • NetID password changes will automatically change
    the MNA and AD passwords.
  • When a user forgets her password, she will be
    encouraged to utilize the self-service website.
    The user will be required to answer 2 shared
    secrets.
  • Passwords may be manually reset by going to a
    designated security station.

18
Registration Standards
  • Prior to granting a password reset request, the
    user will be required to have an active
    registration.
  • Thus, in preparation for implementing Sun Java
    Identity Manager, we will be working with the
    various HR personnel to establish enough
    Registration Authorities.

19
How will the NetID standards be applied to
existing users?
  • Existing MNA and AD accounts will be provisioned
    with NetID in Sun Java Identity Manager
  • Existing users will be given 60 days to activate
    their NetID
  • Activation will require the user to:
      • Log in with an existing MNA or AD account
      • Have an active registration (i.e. sponsorship)
      • Agree to the Computer Use Policy and the Security
        and Confidentiality Agreement
      • Establish 3 shared secrets
      • Change their password, if it doesn't conform to
        the new complexity standards

20
What is the NetID project timeline?
  • NetID - July 06
      • Implement Sun Java Identity Manager
      • Begin new processes with new users.
      • Existing users will have 60 days to activate
        their NetID and thus synchronize their MNA and AD
        accounts.
      • After sufficient warning, users who fail to
        activate their NetID will have their NetID (and
        consequently their MNA and AD) account disabled.
  • Evaluate priority of other Identity Management
    projects - Sept 06
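Slides 16 to 20 describe one account lifecycle: a temporary password is picked up (or an existing account is provisioned), the user has 60 days to activate, activation needs an active registration, acceptance of the two policies, 3 shared secrets and a conforming password, a self-service reset needs an active registration and 2 correct shared secrets, and a NetID that is never activated is disabled along with MNA and AD. The Python below is an added model of that lifecycle; it is not MUSC's code and not Sun Java Identity Manager's. Storing the shared-secret answers salted and hashed with PBKDF2, and trimming and lower-casing them before comparison, is a design choice of this example rather than anything the slides specify, and the password complexity result is passed in as a boolean on the assumption that a separate checker computes it. The dates are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

ACTIVATION_WINDOW = timedelta(days=60)   # slides 16, 19 and 20
SECRETS_AT_ACTIVATION = 3                # slides 16 and 19
SECRETS_FOR_RESET = 2                    # slide 17


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Design choice (not from the slides): keep answers salted and hashed, normalised
    so that ' Blue ' and 'blue' are accepted as the same answer."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


@dataclass
class NetID:
    username: str
    issued_on: date                 # day the temporary password was picked up, or the day
                                    # an existing MNA/AD account was provisioned with a NetID
    registration_active: bool       # sponsorship on file (slides 18 and 19)
    status: str = "pending"         # pending -> active, or pending -> disabled
    policies_accepted: bool = False
    shared_secrets: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # question -> (salt, hash)

    def deadline(self) -> date:
        return self.issued_on + ACTIVATION_WINDOW

    def activate(self, today: date, accept_policies: bool,
                 answers: Dict[str, str], password_conforms: bool) -> List[str]:
        """Run the activation checks; returns the blocking problems (empty list = activated).
        password_conforms is assumed to come from a separate complexity checker."""
        if self.status == "disabled":
            return ["account disabled"]
        problems: List[str] = []
        if today > self.deadline():
            problems.append("60-day activation window has passed")
        if not self.registration_active:
            problems.append("no active registration (sponsorship)")
        if not accept_policies:
            problems.append("Computer Use Policy and Security and Confidentiality Agreement not accepted")
        if len(answers) < SECRETS_AT_ACTIVATION:
            problems.append(f"{SECRETS_AT_ACTIVATION} shared secrets required")
        if not password_conforms:
            problems.append("password does not meet the complexity standard")
        if problems:
            return problems
        self.policies_accepted = True
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.shared_secrets[question] = (salt, _hash_answer(answer, salt))
        self.status = "active"
        return []

    def self_service_reset_allowed(self, answers: Dict[str, str]) -> bool:
        """Self-service reset: an active registration plus 2 correctly answered shared secrets."""
        if self.status != "active" or not self.registration_active:
            return False
        correct = 0
        for question, answer in answers.items():
            if question in self.shared_secrets:
                salt, stored = self.shared_secrets[question]
                if hmac.compare_digest(stored, _hash_answer(answer, salt)):
                    correct += 1
        return correct >= SECRETS_FOR_RESET


def disable_expired(accounts: List[NetID], today: date) -> List[str]:
    """After the window, a NetID that was never activated is disabled (and with it MNA and AD)."""
    disabled = []
    for acct in accounts:
        if acct.status == "pending" and today > acct.deadline():
            acct.status = "disabled"
            disabled.append(acct.username)
    return disabled


# Constructed dates for the illustration
SAMPLE_ISSUED = date(2006, 7, 1)
SAMPLE_DAY_10 = SAMPLE_ISSUED + timedelta(days=10)
SAMPLE_DAY_70 = SAMPLE_ISSUED + timedelta(days=70)

if __name__ == "__main__":
    rjs5 = NetID("rjs5", SAMPLE_ISSUED, registration_active=True)
    print(rjs5.activate(SAMPLE_DAY_10, True, {"q1": "Blue", "q2": "Paris", "q3": "Rex"}, True))
    print(rjs5.self_service_reset_allowed({"q1": " blue ", "q2": "paris"}))
    print(disable_expired([rjs5, NetID("abc", SAMPLE_ISSUED, True)], SAMPLE_DAY_70))
```

Checking the registration before the shared secrets matters: once a contract has ended, knowing the answers must not be enough to get a working password back, which is the reason slide 18 ties reset requests to an active registration.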

21
Other Questions?