
OREGON STATEWIDE LONGITUDINAL DATA SYSTEM P-20W PROJECT
OR-SLDS P-20W SECURITY OVERVIEW
January 31, 2017
Version 1.5

TABLE OF CONTENTS
1. DEFINITION ............................ 3
2. SECURITY OVERVIEW ..................... 3
3. DATA SECURITY ......................... 4
4. SOFTWARE SECURITY ..................... 6
5. DATA IN TRANSIT ....................... 7
6. DATA AT REST .......................... 8
7. SECURITY REQUIREMENTS ................. 8

OR-SLDS P-20W Security Overview Document v1.5, Page 1 of 14

REVISION HISTORY

Version  Description                                                           Author       Date
1.0      Document Initiation                                                   D. Domagala  10/3/2016
1.1      Content Enhancements, still in draft form                             D. Domagala  10/10/2016
1.2      Security updates column                                               D. Domagala  10/20/2016
1.3      Revisions made to all document                                        M. Rebar     11/21/2016
1.4      Revisions made to document                                            T. Brown     1/30/2016
1.5      Revisions made to document; Requirements section to include tManager  M. Rebar

OR-SLDS P-20W SECURITY OVERVIEW DOCUMENT

1. DEFINITION
The Security Overview Document outlines functions and features to protect the Personally Identifiable Information (PII) contained within the OR-SLDS system. This document is intended to provide a non-technical overview of security features and safeguards. Security methods and procedures are described, along with the planned approach to fully meet and exceed security requirements for the OR-SLDS system.

2. SECURITY OVERVIEW
The Oregon Statewide Longitudinal Data System project team (OR-SLDS) will ensure that the protections required by federal statutes such as HIPAA and FERPA, and by federal standards (such as those published by NIST and FIPS), are enforced and that personally identifiable information is protected at rest and in transit. Access will only be granted to authorized and authenticated personnel.

Where applicable, as directed by the Chief Education Office (CEdO) and in accordance with FERPA, HIPAA and other legal requirements, database encryption will be applied to protect confidentiality of data at rest. Database access and administration privileges will be restricted to only those explicitly approved by the Chief Education Office using role-based authorization and password authentication.

Firewalls, anti-virus software, monitoring tools, and other existing security protections will be fully utilized, or installed as needed, to meet the security guidelines established by the Chief Education Office. The OR-SLDS system will abide by all applicable security standards as outlined in Oregon's Enterprise Information Technology Policies.

All data handled by contracted personnel will be handled securely and confidentially, in accordance with federal, state, CEdO, ODE, HECC, and Oregon Enterprise Information Technology Policies.

3. DATA SECURITY

[Figure: Data and System Security. Data flow diagram in three phases: CAPTURE (ODE K-12 and HECC sources, direct data pulls and flat files into the OR-SLDS P-20 data store), MATCH (match rules, case management, match engine) and PROVIDE (CEdO approved researcher access; analytic users via browser and full client access).]

The above diagram depicts the initial data flow for the OR-SLDS system. Over time, a direct connection is anticipated between all source systems and the OR-SLDS Operational Data Store (ODS). Until that time, flat files will be generated by ODE and HECC, and securely provided to the OR-SLDS team for loading into the ODS. The OR-SLDS system shall integrate with data fed from Agency and Partner Agencies' source systems in pre-defined XML and flat file formats, provide identity resolution and management, provide granular storage of longitudinal data (e.g., Operational Data Store), and provide a data warehouse for periodic data snapshots to be exposed in a rich presentation/visualization layer.

CAPTURE
The primary data flow objective within the 'Capture' phase is to securely move data from source systems to an Operational Data Store (ODS). For PK-12 data, the sole source is the Oregon Department of Education (ODE). Eventually, a direct-access route will be commissioned to securely and systematically pull data from ODE systems into the CEdO Operational Data Store. In the interim, numerous flat files will be generated by ODE and securely delivered to an authorized staging area within the CEdO OR-SLDS environment. These 'raw' flat files are then validated and loaded (via Informatica ETL routines) to pre-defined database tables within the Operational Data Store.

For Higher Education data, the Higher Education Coordinating Commission (HECC) will provide secure direct access to data in the Student Centralized Administrative Reporting File (SCARF) format. An automated set of routines will pull data into the ODS on a scheduled basis, with the ability to run ad hoc pulls as needed. Data pulls take place over an internal, secure network supported by Oregon Enterprise Technology Services (ETS).

Only authorized system administrators, as determined by CEdO, have access to the data files, the loading routines, and the ODS data structures. Enterprise Technology Services (ETS) administers the secure network used to transmit the data and files. Personally Identifiable Information from ODE and HECC students is securely housed within the Operational Data Store, in order to longitudinally match those students across state systems.

MATCH
The Operational Data Store (ODS) securely houses personally identifiable student data from ODE and HECC. This data is processed through a match engine (powered by Informatica software) using pre-defined match rules. Most matches are systemically confirmed, but some will require manual review by a Case Manager. A Case Manager is authorized by CEdO to review student demographic information and make a determination whether there is a longitudinal match.

Once a match is determined, all state data for that matched student is de-identified and assigned to a "surrogate key" as it is loaded into a secure PK-20 longitudinal database. This de-identified student-level data then forms the basis for researcher analysis and aggregated reporting for Oregon educational outcomes.

PROVIDE
De-identified records for Oregon students are stored in a secure Data Warehouse, on physical servers within the State Data Center. Only authorized personnel from the Oregon Enterprise Technology Services team have physical access to the Data Warehouse servers. Only authorized administrators from the CEdO have system access to the Data Warehouse. And only CEdO authorized researchers and analysts have access to the longitudinal information contained within the Data Warehouse.

A visual analytic tool, IBM Cognos, is utilized by these authorized researchers and analysts to study the information and produce insights into educational achievement and outcomes.

CEdO carefully reviews and explicitly approves any longitudinal reports that are made publicly available. Public reports are aggregated or suppressed at a cell level to avoid potential identification of individual students. Suppression guidelines and other security best practices published by the U.S. Department of Education's Privacy Technical Assistance Center (PTAC) are consistently applied and administered by the OR-SLDS project.

4. SOFTWARE SECURITY
This section describes the enabled and configured security features of the two primary software tools for the OR-SLDS system, Informatica and Cognos.

INFORMATICA ROLE SECURITY (Req# 2.6, 2.7, 2.10)
The Informatica Domain utilizes the concept of Security Domains to access content and services. A domain can either be defined with an LDAP (Lightweight Directory Access Protocol) directory or by using the native Informatica domain. These domains are collections of users and groups of users who have been given access to the various services, either directly or through the use of predefined roles. These configurable roles include, for example:
- Administrator
- PowerCenter Developer
- Business Glossary Consumer

Account management within the Informatica domain allows for configuration of Maximum Login Attempts and locking out individual users (including users with the Administrator role).

MDM ROLE SECURITY (Req# 2.6, 2.7, 2.10)
Role security in Master Data Management (MDM) is established by configuring users within the MDM Hub Master Database or by synchronizing groups with an LDAP service. These users or groups are then granted permissions directly or by role to various objects and services within an Operational Reference Store (ORS) using the Security Access Manager (SAM). Permissions within the SAM can be set on any object within the ORS as Read, Write, Update, Delete, Merge, and Execute.

Integration of ActiveVOS with Informatica Data Director (IDD) requires the creation of three MDM roles: DataSteward, Manager, and SrManager. These roles are used to manage IDD application task approvals through the ActiveVOS Business Process Manager (BPM). Access to the IDD application is provided as a separate object within the SAM.

Account management within MDM is accomplished using a Global Password Policy where a maximum number of failed logins is configured.

COGNOS ROLE SECURITY (Req# 2.6, 2.7, 2.10)
Cognos leverages Active Directory for authentication. Cognos role-based security is described as user-level security which focuses on the logical role of a user rather than the user's individual identity. The IBM Cognos security model allows you to manage users as members of roles and groups. These groups and roles can be used in security policies such as access permissions for each object within the IBM Cognos portal.

LDAP AUTHENTICATION (Req# 2.5)
LDAP (Active Directory) configuration will be administered by the CEdO. Groups configured within the LDAP service will correspond to the required roles defined within Cognos, Informatica, and MDM. Synchronization of Informatica groups with those defined in the LDAP service occurs at a defined time every 24 hours. Manual (on-demand) synchronization will be implemented.

5. DATA IN TRANSIT
INFORMATICA (Req# 2.8, 2.9, 2.12)
All data in transit within the Informatica domain is encrypted using the SSL/TLS protocol using 512-bit RSA encryption. Data in transit includes the following data communication pathways between:
- Service Manager and all services running in the domain
- Data Integration Services and associated Model Repository Services
- Data Integration Services and workflow processes (Data Quality)
- PowerCenter Integration Services and PowerCenter Repository Services
- Domain services and the Informatica client tools and command line programs

Data in transit from CEdO users accessing Informatica web application services is encrypted using the SSL/TLS protocol using 512-bit RSA encryption and accessible on specific ports. These services include:
- Analyst Service
- Web Services Hub Console Service
- Metadata Manager Service

Data in transit from remote agencies including ODE and HECC will utilize secure database connections over the SSL/TLS protocol using 512-bit RSA encryption.
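Whether a given database connection actually negotiated TLS can be checked on the SQL Server side rather than assumed. The T-SQL below is an added example written for this page, not part of the OR-SLDS document; the address range 10.0.0.0/8 is a constructed placeholder for the CEdO internal network.

```sql
-- Added example (not from the OR-SLDS document): list every user session on the
-- SQL Server hosting the ODS / data warehouse and show whether its connection
-- is TLS-encrypted. Requires the VIEW SERVER STATE permission.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,      -- '<local machine>' for shared-memory connections
    c.net_transport,           -- TCP, Shared memory or Named pipe
    c.encrypt_option,          -- 'TRUE' only when the connection negotiated TLS
    c.auth_scheme              -- SQL, NTLM or KERBEROS
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.login_name;

-- The document accepts unencrypted connections only from local (CEdO) databases
-- inside the state data center network. Any other connection arriving without
-- TLS is a finding. 10.0.0.0/8 is a constructed placeholder for that network.
SELECT
    s.session_id,
    s.login_name,
    c.client_net_address,
    c.net_transport
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.encrypt_option = 'FALSE'
  AND c.client_net_address NOT LIKE '10.%'
  AND c.client_net_address <> '<local machine>';
```

Encryption can be made mandatory server-side with the Force Encryption setting in SQL Server Configuration Manager; on the client side, set Encrypt=True and leave TrustServerCertificate=False so that the server certificate is actually validated.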
Data in transit from local (CEdO) databases, including the various Informatica domain repositories, ODS, and data warehouse, does not use secure database connections, but travels only within a secure internal network maintained and monitored by the Oregon state data center.

MDM (Req# 2.8, 2.9, 2.12)
Data in transit within the MDM services is encrypted using the SSL/TLS protocol using 512-bit RSA encryption. Data in transit includes communication between the MDM Hub Service, Process Server, and ActiveVOS BPM (Business Process Manager) server.

Data in transit from local (CEdO) databases, including the Hub master database, the ORS databases, and the ActiveVOS database as well as the ODS and data warehouse databases, does not use secure database connections.

Data in transit from web accessible IDD application services is encrypted using the SSL/TLS protocol using 512-bit RSA encryption and accessible on a specific port.

COGNOS (Req# 2.8, 2.9, 2.12)
Data in transit from client to web server is secured via SSL certificate in IIS. Data in transit between Cognos processes is encrypted using SSL.

6. DATA AT REST
TDE – TRANSPARENT DATA ENCRYPTION (Req# 2.1)
All databases running within the local (CEdO) network will have Transparent Data Encryption (TDE) enabled or other robust encryption for data at rest. These databases include the various Informatica domain repositories, MDM ORS and service repositories, Cognos content store, ODS and data warehouse. CEdO configures and administers TDE on the local SQL Server databases.

UNIT RECORD AUDITING (Req# 2.4)
Unit record auditing is configured on all databases holding or potentially housing personally identifiable information (PII). CEdO configures and administers unit record auditing on the local SQL Server databases to determine when a record was last updated, and by whom.

7. SECURITY REQUIREMENTS
The comprehensive list of contractual business requirements can be found in Contract #DASPS-1416-16, Exhibit J. Security-specific requirements have been culled from the full list and provided here for reference.

Data and System SECURITY Requirements

Req# 2.1
Description: Robust encryption of data at rest (database, tables, files).
Solution: Utilize Transparent Data Encryption (TDE) at the SQL Server database level to encrypt data.

Req# 2.2
Description: Robust encryption of data in transit.
Solution: Data in-transit processes can be controlled by the security provided at the connection object level. The Informatica Platform supports administrative authorities with a hierarchical security model with privileges and permissions configurable at the user, folder, group, and repository levels. It also provides integration with LDAP for authentication and FIPS 140-2 certified encryption for securing data in flight through industry standard algorithms like AES, Base 64, CRC32, MD5, and RC5 for SSL based encryption. This ensures that no unauthorized person can use a connection object created by someone else to pull out restricted information in transit or otherwise from a data source. Use of OS Profiles allows different jobs to run under different OS user accounts. In this way, the PowerCenter engine can only access data as allowed by the OS profile user account. The product is also DOD compliant and runs on NIPRNET, SIPRNET, and JWICS. There are more than 130 projects installed at DoD entities like Tricare, VA Hospitals, Air Force Surgeon, Army Medical Services, CMS, FDA, DLA, Army, Navy, and Air Force.
IBM Cognos can be configured to encrypt data in transit at any point. Between the end user and the web server, it is securable and encrypted using standard SSL/HTTPS standards and certificates. In addition, data being transferred from application services to web services can be encrypted using an IBM provided, SSL-based KeyStore.

Req# 2.3
Description: Support for two factor authentication.
Solution: IBM Cognos provides the ability to create custom authentication providers (CJAPs) in Java. Using a CJAP, you can create a Trusted Signon Provider, which can be further extended to support a wide variety of authentication/authorization sources, including integrating with a two-factor authentication system.
The Informatica domain can use the following types of authentication to authenticate users in the Informatica domain:
- Native user authentication
- LDAP user authentication
- Kerberos network authentication
Native user accounts are stored in the Informatica domain and can only be used within the Informatica domain. Kerberos and LDAP user accounts are stored in an LDAP directory service and are shared by applications within the enterprise.

Req# 2.4
Description: Support granular auditing of access to unit records with personally identifiable information (ODS and identified Warehouse).
Solution: The IBM Cognos solution comes with a complete audit database, which can be configured to provide access information at a session, object, and user level.

Req# 2.5
Description: Supports LDAP authentication via TLS and SSL and LDAP integration for password security (timeouts, account disabled, etc.). Provides simplified sign on capability to users. Describe in comments.
Solution: Both Informatica and IBM Cognos can be configured to integrate with LDAP and can be implemented with single sign-on so end users who are already authenticated pass seamlessly into their desired reports.

Req# 2.6
Description: Provides pre-set role and custom role-based authentication.
Solution: Both products can utilize LDAP groups or configure their own internal groups and roles to facilitate access restriction protocols.

Req# 2.7
Description: Control access to application functions through user roles.
Solution: Both products can utilize LDAP groups or configure their own internal groups and roles to facilitate access restriction protocols.

Req# 2.8
Description: Web applications use TLS/SSL/HTTPS for data encryption and secure handshake.
Solution: IBM Cognos provides support for those protocols at all levels of the architecture. Standard SSL/HTTPS techniques are used to secure the browser and application server communication. More can be read regarding the TLS support at J10.2.0/com.ibm.swg.ba.cognos.vvm user guide.10.2.0.doc/c vv transportlayersecuritytls96539.html%23VV TransportLayerSecurityTLS 96539.
You can enable options in the Informatica domain to configure secure communication between the components in the domain and between the domain and client components. Informatica uses the TCP/IP and HTTP protocols to communicate between components in the domain. The domain uses SSL certificates to secure communication between components.
You can enable different options to secure specific components in the domain. You do not have to secure all components in the domain. For example, you can secure the communication between the services in the domain but not secure the connection between the Model Repository Service and the repository database.
When you install the Informatica services, you can enable secure communication for the services in the domain and for the Administrator tool. After installation, you can configure secure communication in the domain from the Administrator tool or from the command line. You can set up secure repository databases and secure source and target databases. You can also secure the connection between Informatica web application services and browsers.

Req# 2.9
Description: Any additional web components (e.g., web service) are secured through SSL.
Solution: Within Cognos, SSL can be configured to support any internal connections, external connections, or both.
You can enable options in the Informatica domain to configure secure communication between the components in the domain and between the domain and client components. Informatica uses the TCP/IP and HTTP protocols to communicate between components in the domain. The domain uses SSL certificates to secure communication between components.
You can enable different options to secure specific components in the domain. You do not have to secure all components in the domain. For example, you can secure the communication between the services in the domain but not secure the connection between the Model Repository Service and the repository database.
When you install the Informatica services, you can enable secure communication for the services in the domain and for the Administrator tool. After installation, you can configure secure communication in the domain from the Administrator tool or from the command line. You can set up secure repository databases and secure source and target databases. You can also secure the connection between Informatica web application services and browsers.

Req# 2.10
Description: Delivers security rules such as maximum number of incorrect login attempts, session timeout. Describe in comments.
Solution: Cognos security rules are implemented at different parts of the application depending on the specific requirement. Between the authentication provider (LDAP, Active Directory, etc.) and IBM Cognos's configuration, there are very few limitations. In the example provided, "maximum number of incorrect login attempts" would be managed at the authentication provider level, which is inherited and honored by IBM Cognos. The "session timeout" would be configured in Cognos Configuration, where the web session's token is invalidated once the defined timeout is reached.
To improve security in the Informatica domain, an administrator can enforce lockout of domain user accounts, including other administrator users, after multiple failed logins. The administrator can specify the number of failed login attempts a user can make before the user account is locked. If an account is locked out, the administrator can unlock the account in the Informatica domain.
When the administrator unlocks a user account, the administrator can select the "Unlock user and reset password" option to reset the user password. The administrator can send an email to the user to request that the user change the password before logging back into the domain. To enable the domain to send emails to users when their passwords are reset, configure the email server settings for the domain.
If the user is locked out of the Informatica domain and the LDAP server, the Informatica administrator can unlock the user account in the Informatica domain. The user cannot log in to the Informatica domain until the LDAP administrator also unlocks the user account in the LDAP server.

Req# 2.11
Description: Can provide a documented policy for "hardening" the operating system for web and other servers.
Solution: There are several articles and whitepapers describing securing the application as well as the operating system and services. One example is y/cognos/security/cognos bi platform/page602.html. In general, IBM Cognos does not use port ranges and supports the best practices used for the specific operating system (Windows, Linux, Unix, etc.) and web server (IIS, Apache, etc.).

Req# 2.12
Description: Web applications use TLS/SSL/HTTPS for data encryption and secure handshake. (duplicate of 2.8)
Solution: Please see 2.8.
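Section 6 and requirements 2.1 and 2.4 state that CEdO enables TDE and unit record auditing on the local SQL Server databases but do not show how. The T-SQL below is an added example written for this page, not the CEdO's own scripts; the database OrSlds_ODS, the table dbo.StudentIdentity with key column StudentKey, the certificate name, the passwords and the backup paths are all hypothetical.

```sql
-- Added example (not the CEdO's configuration): TDE for data at rest (Req# 2.1)
-- followed by a last-updated-by/when audit stamp on a PII table (Req# 2.4).
USE master;
GO
-- The master key and certificate protect the database encryption key (DEK).
-- Back up the certificate and its private key at once: without them an
-- encrypted database cannot be restored on any other server.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password held in a vault>';
CREATE CERTIFICATE OrSldsTdeCert WITH SUBJECT = 'OR-SLDS TDE certificate';
BACKUP CERTIFICATE OrSldsTdeCert TO FILE = 'D:\keys\OrSldsTdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\OrSldsTdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<second password held in a vault>');
GO
USE OrSlds_ODS;   -- hypothetical ODS database name
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE OrSldsTdeCert;
GO
ALTER DATABASE OrSlds_ODS SET ENCRYPTION ON;
GO
-- Verification: encryption_state 3 = encrypted, 2 = encryption in progress.
-- A PII database with no DEK row (NULL state) is still unencrypted at rest.
SELECT d.name, k.encryption_state, k.key_algorithm, k.key_length,
       k.percent_complete
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
  ON k.database_id = d.database_id
WHERE d.database_id > 4;   -- skip master, tempdb, model and msdb
GO
-- Unit record auditing: stamp each PII row with the login that last changed
-- it and when. ORIGINAL_LOGIN() survives EXECUTE AS impersonation, so the
-- real person is recorded rather than a service account.
ALTER TABLE dbo.StudentIdentity
    ADD LastUpdatedBy sysname      NOT NULL
            CONSTRAINT DF_StudentIdentity_By DEFAULT ORIGINAL_LOGIN(),
        LastUpdatedAt datetime2(3) NOT NULL
            CONSTRAINT DF_StudentIdentity_At DEFAULT SYSUTCDATETIME();
GO
CREATE OR ALTER TRIGGER dbo.trg_StudentIdentity_Audit
ON dbo.StudentIdentity
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- Only the rows touched by the triggering statement are restamped.
    UPDATE si
       SET LastUpdatedBy = ORIGINAL_LOGIN(),
           LastUpdatedAt = SYSUTCDATETIME()
      FROM dbo.StudentIdentity AS si
      JOIN inserted AS i
        ON i.StudentKey = si.StudentKey;
END;
GO
```

The stamp answers "when and by whom was this record last updated"; a full change history or read auditing would additionally need a SQL Server Audit specification or a history table.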
