University Management Systems
University of Colorado System
Access & Security - UMS Security Direction
November, 1997

Introduction

The mission of the UMS security program is to provide access to administrative systems and data stored and operated by UMS, while protecting those resources from unauthorized use, destruction, disclosure, or modification. To fulfill this mission, UMS must continually update its security strategy to make use of new security technologies to secure new kinds of systems and data against new threats. At the same time, it must continue to provide the high quality security for which it has been known in the mainframe environment. This document states the current direction for development of UMS security for an open systems environment.

Service Level Objective

Requests for new access, changes to existing access, or deletion of access will be processed within 48 hours of receipt at UMS, provided all required information and authorization are correct and complete.

Components of Security

UMS is concerned about nine aspects of security:

  • Authentication - The user is who they say they are;
  • Authorization - The user can access only those resources they have been authorized to access;
  • Confidentiality - Data requested by the user or submitted by the user (including logon and password data) is available only to authorized people;
  • Auditability - It is possible for authorized people to trace the source of significant actions;
  • Integrity - Unauthorized or incorrect modifications can be prevented, detected, and corrected;
  • Availability - The systems and data are available for use during all published times;
  • Recoverability - Systems and data that are damaged or destroyed can be restored to a correct and reasonably current state;
  • Non-repudiation - This takes two forms: the system can establish who sent each action, and the sender can establish that the system received each action;
  • Manageability - The security program can be implemented and managed with an acceptable level of resources.

UMS assists system and data managers in determining the degree to which each of these services should be provided in light of the cost of the policies, procedures, personnel, and technology needed to provide them.

UMS Computing Environment

The UMS computing environment is very complex, with every indication that the complexity will continue to increase. UMS must secure a range of platforms, from mainframe through mid-range to desktop workstations. Those platforms provide a variety of services: online transaction processing; terminal access to data via "third party" tools, some of which use a client/server design; access to systems and data on web servers, and web applications that reach data and systems on other servers; and access via voice response systems. People use those services over networks that include the University's four-campus network, departmental LANs, and the Internet. Many of those networks are not under UMS control and may create risks against which UMS must take reasonable precautions.

Security Direction

UMS is committed to continuing to provide the high level of protection that has historically been achieved for mainframe systems and data on all the platforms for which it is responsible. UMS is especially intent on mitigating the additional exposures that exist in the open systems environment. At the same time, UMS is working to develop a new approach to security that has the following features and characteristics:

Network Level Security Services

  • A single authentication mechanism for a variety of entities (people, computer resources, documents, objects, organizations) for a variety of systems (web, client/server, legacy, workflow)
  • Provides a single repository for authorization information for a variety of resources

Strong Security

  • Two factor authentication
  • Eliminates clear text passwords on the network
  • Encrypts sensitive data during transmission for privacy
  • Strong encryption keys
  • Strong protection for high threat points (e.g., CA server)

Functions in a Heterogeneous Environment

  • Works with technology from different vendors: web servers, web browsers, applications, databases, TP monitors.
  • Interoperates with campus security solutions, is reusable by the campuses.
  • Works with external partners (vendors of goods and services, governments, parents and remote students).

Minimizes User Impact

  • Minimizes the number of IDs and passwords users must remember.
  • Minimizes requests for presentation of passwords, thus moving toward single signon.
  • Uses simple, familiar interfaces wherever possible.

Manageable

  • Good management tools exist.
  • Uses few management interfaces and few databases.
  • Can be used by a distributed set of security managers.
  • Can be managed remotely.
  • Can be implemented incrementally.
  • Can reuse data from systems of record.

Robust

  • Uses commercial, off-the-shelf products wherever possible.
  • Conforms to open, published standards wherever possible.
  • Provides redundant, fail-over capability for time-sensitive transaction processing.
  • Is scalable to the anticipated CU volume.
  • Structured to avoid processing bottlenecks.
  • Requires no expensive, dedicated resources.

UMS is currently investigating the use of public key based certificates to provide authentication and LDAP for storage of both certificates and authorization information. Those mechanisms are most mature for controlling access to web applications and data but offer significant promise of controlling other applications and data as well. We will continue to monitor campus security developments and work to interoperate with their mechanisms wherever possible.
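The following is an added illustration of the approach described above, not UMS code or a description of any UMS system: a client presents a public key certificate, the server authenticates it against the trusted CA before trusting any name in it, and only then looks up the subject's authorizations in a directory. Go's standard library is used so the example runs offline; the in-memory map stands in for the LDAP directory, the CA, the user name "jdoe", and the resource names are all constructed for the example, and the "rogue CA" certificate shows why chain verification has to precede the directory lookup (the "high threat point" of the CA server noted earlier).

```go
// Added example (not UMS code): certificate authentication followed by an
// authorization lookup keyed on the authenticated subject. An in-memory map
// stands in for the LDAP directory the 1997 direction proposes.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoDirectory stands in for LDAP entries: subject CN -> resources the user
// may access. Constructed sample data; the user and resource names are hypothetical.
var DemoDirectory = map[string][]string{
	"jdoe": {"SIS", "Web-Reports"},
}

// DemoPKI holds a constructed CA, one certificate it issued, and one certificate
// with the same subject issued by an untrusted ("rogue") CA.
type DemoPKI struct {
	Roots     *x509.CertPool
	UserCert  *x509.Certificate
	RogueCert *x509.Certificate
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// issue signs tmpl with parentKey (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

func userTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// NewDemoPKI builds the constructed CA, user and rogue certificates in memory.
func NewDemoPKI() (*DemoPKI, error) {
	caKey, err := newKey()
	if err != nil {
		return nil, err
	}
	caTmpl := caTemplate("UMS Demo CA")
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	userKey, err := newKey()
	if err != nil {
		return nil, err
	}
	userCert, err := issue(userTemplate("jdoe", 2), caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The rogue CA issues a certificate claiming the same CN "jdoe": a directory
	// lookup done without chain verification would grant it jdoe's access.
	rogueKey, err := newKey()
	if err != nil {
		return nil, err
	}
	rogueTmpl := caTemplate("Rogue CA")
	rogueCA, err := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	rogueCert, err := issue(userTemplate("jdoe", 3), rogueCA, &userKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &DemoPKI{Roots: roots, UserCert: userCert, RogueCert: rogueCert}, nil
}

// Authorize first authenticates the presented certificate against the trusted
// roots (chain, validity period, client-auth usage), and only then consults the
// directory entry for its subject. The subject name means nothing until the
// chain verifies.
func Authorize(roots *x509.CertPool, cert *x509.Certificate, dir map[string][]string, resource string) (bool, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false, fmt.Errorf("authentication failed: %w", err)
	}
	for _, r := range dir[cert.Subject.CommonName] {
		if r == resource {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	pki, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	ok, err := Authorize(pki.Roots, pki.UserCert, DemoDirectory, "SIS")
	fmt.Println("CA-issued cert, SIS:  allowed =", ok, "err =", err)
	ok, err = Authorize(pki.Roots, pki.UserCert, DemoDirectory, "HRMS")
	fmt.Println("CA-issued cert, HRMS: allowed =", ok, "err =", err)
	ok, err = Authorize(pki.Roots, pki.RogueCert, DemoDirectory, "SIS")
	fmt.Println("rogue cert, SIS:      allowed =", ok, "err =", err)
}
```

The ordering in Authorize is the point: a real deployment would replace DemoDirectory with an LDAP query, but the query must be keyed on an identity the CA chain has already vouched for, and the trust anchor set (Roots) is exactly the asset whose compromise the "CA server" caveat above warns about.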
