Tag Archives: infrastructure

SGHE Summit – Banner Enterprise Identity Management (BEIS)

SGHE Summit – Banner Enterprise Identity Management (BEIS) – Dan Sterling and Mark B

Definitions (Identity Management in Action)

  • Provisioning (Create IDs)
  • Authentication (AuthN) – is the user allowed to access the system
  • Authorization (AuthZ) – is the user allowed to access services within the system

Identity Mgmt in Banner ODC

  • Standardization
  • Banner Database Components
  • Middle Tier Components
  • Provisioning Support and Architecture
  • Authentication Architecture
  • Authorization Architecture

IDM Goals

  • adopt a standard UDC Identity definition with a UDC Identifier (GUID for SGHE apps)
  • support user provisioning from Banner
  • support user provisioning to SGHE apps

Common Identity Definition

  • the foundation of the BEIS architecture is a common identity definition (UDCIdentity)
    • defined using W3C XML Schema, following the SPML and HR-XML standards
    • some of the UDCIdentity data can be mapped to eduPerson attributes
  • if you license any Banner product you can download, install and use BEIS without any licensing

Software Prerequisites

  • Banner General 8, Intcomp 7.3.0.1, Oracle 10gR2 DB and App Server
  • Data mining via Oracle Streams and Advanced Queuing
  • Banner Streams Capture and Apply API – gp_streams_utils
  • Banner Streams Metadata Form – guasadm
  • Banner General Rules Form – gorrsql
  • CAS 3.2.1.1 and 3.3.1.1

Identity Data Export Utilities

  • UDCIdentifier Assigner
  • UDCIdentifier Extractor
  • LDIF Generator
  • SPML LDAP Adapter

Authentication Support

  • local native authn
  • ldap authn
  • claims-based authn – applications are configured to not authn themselves and instead accept an assertion (CAS is an example)

Supported are INB, BSS, Travel & Expense, BDMS
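The claims-based flow above has the application trust an assertion rather than check a password, so the one thing it must still do is hand the ticket back to CAS and accept only the server's answer. An added Python example (not code from SGHE, BEIS or the CAS project) of that application-side check for the CAS 2.0 serviceValidate exchange, with constructed sample responses; the host names are assumptions:

```python
"""Application side of CAS 2.0 service-ticket validation (added example)."""
from urllib.parse import urlencode, urljoin
from xml.etree import ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 protocol namespace


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """URL the app fetches server-side (never via the browser). `service`
    must equal the URL the browser was redirected with, or CAS rejects it."""
    query = urlencode({"service": service, "ticket": ticket})
    return urljoin(cas_base.rstrip("/") + "/", "serviceValidate") + "?" + query


def parse_validate_response(xml_text: str) -> dict:
    """Return {'ok': True, 'user': ...} on success, else {'ok': False, 'code': ...}.
    Anything malformed or missing counts as a failure, never as a logged-in user."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"ok": False, "code": "MALFORMED_RESPONSE"}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        if user:
            return {"ok": True, "user": user}
        return {"ok": False, "code": "MISSING_USER"}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
    return {"ok": False, "code": code}


# Constructed sample responses in the CAS 2.0 wire format (hypothetical user/ticket).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jsmith</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # Assumed host names; the app would GET this URL over TLS and parse the body.
    print(build_validate_url("https://cas.example.edu/cas",
                             "https://app.example.edu/login", "ST-1-abc"))
    print(parse_validate_response(SUCCESS_XML))
    print(parse_validate_response(FAILURE_XML))
```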

Canadian Colleges Update – Dec 2009 Session 11 Security MS Strategy Overview

Session 11 Patrick Hevesi, Enterprise Technology Architect, WW CATM Security Lead

Microsoft Forefront – Business Ready Security Solutions

Evolving Threats

  • 2 axes – threat and person
  • Threats = Curiosity, Personal Fame, Personal Gain, National Interest
  • Person = Script-Kiddy, Undergraduate, Expert, Specialist
  • Results: Vandal (largest area by volume), Author, Trespasser, Thief (largest area by $ lost and fastest growing segment), Spy (largest amount of gov’t IT security $ spent)

Evolving Threat Landscape

  • huge improvements in bandwidth of networks
  • botnets leveraging peer to peer
  • 88% of attacks are on applications – top 3 applications attacked: #1 Adobe Reader, #2 iTunes, #3 Quicktime
  • the explosion of social networks introduces hugely naive users to places where they voluntarily give up their personal data
  • Malware sites: #1 Game Cheats, #2 Pornography, #3 Music Lyrics, #4 Gossip sites
  • http://www.microsoft.com/sir – security intelligence report (free report – updated every 6 months)

Core Infrastructure Optimization Solutions (optimized desktop, optimized datacenter, business ready security)

  • best protection is to run Windows NOT as administrator especially when surfing the web
  • Microsoft worked with Intel and Dell to build security into hardware and software (OS working with the hardware – 64 bit)
  • Network Access Protection – 2 certificates (IPsec) issued, one for the machine and one for the user; enforces machine health
  • http://microsoft.com/optimization – self service questions to see where your organization is on a maturity scale – Dynamic IT
  • Dynamic IT scale – basic (cost centre), standardized (cost efficiency), rationalized (business enabler), dynamic (strategic asset)

Business Ready Security – help securely enable business by managing risk and empowering people

  • Identity Protection, Identity Access, Identity Management

Forefront – Endpoint Protection, Protection for Exchange, Identity Manager, ISA Server Edge Security (client, server, mobile, cloud)

  • Defense in Depth – 64 bit hardware, 64 bit Windows 7 and Mobile, Windows Server Core, Network Access Protection (NAP)
  • Services – Forefront Online Protection for Exchange
  • Edge – Intelligent Application Gateway, Internet Security & Acceleration Server
  • Server – Forefront Security for SharePoint, Security for Exchange Server, Security for OCS
  • Client and Server OS – Forefront Client Security
  • Forefront has 5 built in virus scan engines working together
  • Microsoft Security Essentials – free tool, next generation of Forefront Client Security
  • Windows Rights Management Services – BitLocker, Encrypting File System (EFS), information protection

Canadian Colleges Update – Dec 2009 Session 9 Windows Server 2008 R2 Futures and Directions

Session 9 Kevin Lan, Senior Program Manager, Windows Server Division

Windows Server Release History – every 2 to 3 years for a new release

Technology Investment Areas

  • virtualization – Hyper-V with Live Migration
  • management – PowerShell scripting
  • web – ASP.NET and WebDAV, IIS 7.5 component install
  • scalability and reliability – 256 core support, componentization, boot from SAN or VHD, support solid-state devices, file classification infrastructure
  • better together with Windows 7 – DirectAccess, BranchCache

Scalability

  • designed for groups of 64 processors
  • SQL Server can take advantage of 256 logical processors

R2 Power Management

  • reduce power consumption by only powering cores that are working – Core Parking
  • Power AQ program – 10% savings in power from CPU utilization all managed from Group Policies
  • V4.0 ACPI spec supports this to allow power metering

Server Core Changes

  • 64 bit delivery only
  • minimal installation option for Windows Server (no GUI shell, command line interface), excellent for Read Only Domain Controllers and for Hyper-V virtualization
  • types of servers: Web, Standard, Enterprise, Datacenter
  • reduces patch burden by approx 40% due to fewer components
  • additions of .NET Framework subsets, subsets for ASP.NET support for IIS, PowerShell, WoW64 installed by default for 32 bit drivers
  • this is a huge plus for reducing your surface area for malicious attacks – +security
  • see Virtualization session notes for more on Server R2

Hyper-V 2.0

  • logical processor support
  • hot add/remove storage
  • second level address translation (SLAT)
  • Boot from VHD
  • Live Migration improvements require System Center Virtual Machine Manager

Interoperability – Citrix, VMware, RedHat, Novell guest OS

Extensive Unified Management – using System Center suite

Remote Desktop Services – virtual desktop using a service broker, RemoteApp, roaming profiles, folder redirection

Streamline Management – using PowerShell, run Server Manager from Windows 7 (best practice analyzer embedded), easier migration of roles and core server settings when migrating to Windows Server 2008 R2

Active Directory Domain Services – added recycle bin for AD (Windows 2008 R2 Forest Functional Mode) to recover deleted objects, PowerShell integration, improved process for offline domain join, managed service accounts, authentication assurance for AD federated services

Key changes to IIS 7.5 in R2 – componentized IIS, config tracing and logging to see what happened, secure FTP, remote management of IIS