Andrea Beesing, Karen Schultz, Thomas Black
Cornell Case Study: Student Identity Life Cycle
Andrea Beesing
Assistant Director, IT Security
Cornell University
The Cornell student context
• > 100,000 applicants
• About 20,000 students enrolled
• Around-the-world sites – Ithaca, NY; New York City and Washington, D.C.; Doha, Qatar; Singapore; Beijing; Paris, France; Rome, Italy; Seville, Spain; London, England; Dublin, Ireland; Geneva, Switzerland; Geneva, NY; and others
Student Services and Identity Management Shared Goals
• Provide access for the right people to the right information, at the right time, from any place
• Replace paper-based, manual processes with online self-service options
• Improve user experience when accessing services, regardless of who hosts service
• Protect security and privacy
Student identity life cycle (phases over time)
1 Prospect → 2 Applicant → 3 Accepted Applicant → 4 New Student → 5 Student → 6 Alumnus
Focus on challenges at this phase
Phases 2 Applicant, 3 Accepted Applicant and 4 New Student (over time)
• Authentication required
• Short timeline
• Remote locations
• Volume of applicants
Undergraduate Applicant Communications
What | When | How
ApplicantID and activation code | Upon processing of application | Email or letter
Status of application, missing items | Through application deadline | Online using ApplicantID
Admission decision | March | Outsourced to ApplyYourself
Accepted Applicants Communications
What | When | How
Class of 20xx | End of March | Class of site using ApplicantID
Cornell Bound | End of March | Cornell Bound site using ApplicantID
Housing information | End of March | Online using ApplicantID
Financial Aid award info | End of March | By letter – This takes too long!
New Student Communications
What | When | How
NetID and activation code | Early April through early August | By letter – This takes too long!
IT policy; Copyright awareness | At NetID activation | Online using Manage Your NetID
Health History; Cornell Card; Dining Plan | Early April through August | Online using NetID
Current Challenge for Cornell
• ApplicantID is low assurance (bronze) credential
  – Issued via email with attendant exposure
  – Is financial aid information too sensitive to release solely on the basis of this credential?
• NetID is higher assurance (silver) credential
  – Releasing this information solely on the basis of successful authentication with the ApplicantID reduces it to bronze
  – How can we balance customer needs with security and strategic goals?
Addressing the Challenge
• Exploring use of cell phone and telephone number of record for communicating temporary password
• Considering what additional confirmation of identity can be used in conjunction with the ApplicantID to release financial aid data
  – Capture secret with common app supplement
  – Tie the use of the ApplicantID to a financial transaction
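The two slides above make one policy point: a data release is only as strong as the weakest authentication path that can obtain it, so financial aid data released on the ApplicantID alone is protected at bronze no matter how strong the NetID is. The following is an added example, not code from the Cornell presentation, that encodes that rule as a small audit over release policies. The level names follow the InCommon profiles the slides cite; the data item names, the path names, and the step-up rule that treats "ApplicantID plus a Common App secret plus a code sent to the phone of record" as silver are assumptions constructed for illustration (the slides say these confirmations are only being considered).

```python
"""Effective assurance of a data release.

Added example; not code from the Cornell presentation. A release is only as
strong as the weakest authentication path that obtains it, so data granted on
the ApplicantID alone is protected at bronze whatever the NetID's level.
Level names follow the InCommon profiles cited on the slides; data items,
path names and the step-up rule are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Ordered assurance levels (InCommon Bronze < Silver); ranks are for comparison only.
LEVELS = {"bronze": 1, "silver": 2}

# Assurance of each credential on its own, as stated on the slides.
CREDENTIAL_LEVEL = {"ApplicantID": "bronze", "NetID": "silver"}

# ASSUMPTION for illustration: the slides say Cornell is only *considering*
# extra confirmation (a secret captured with the Common App supplement, a code
# sent to the phone of record). Treating the two together as silver is a
# hypothetical policy choice, not something the presentation asserts.
STEP_UP = {
    ("ApplicantID", frozenset({"common_app_secret", "phone_of_record_code"})): "silver",
}


@dataclass(frozen=True)
class AccessPath:
    """One way a user reaches a data item: the credential that authenticated
    them plus any extra confirmations completed in the same session."""
    credential: str
    confirmations: frozenset = frozenset()


def path_level(path: AccessPath) -> str:
    """Level of one path: the credential's own level, raised by a step-up rule
    only when every confirmation that rule requires is present."""
    level = CREDENTIAL_LEVEL[path.credential]
    for (cred, needed), raised in STEP_UP.items():
        if cred == path.credential and needed <= path.confirmations:
            if LEVELS[raised] > LEVELS[level]:
                level = raised
    return level


def effective_level(paths) -> str:
    """A release is only as strong as the weakest path that grants it."""
    return min((path_level(p) for p in paths), key=LEVELS.__getitem__)


def audit(releases):
    """releases maps data item -> (required level, list of granting paths).
    Returns (item, required, effective, weakest credentials) for every item
    whose effective level falls below what its sensitivity requires."""
    findings = []
    for item, (required, paths) in releases.items():
        eff = effective_level(paths)
        if LEVELS[eff] < LEVELS[required]:
            weakest = sorted({p.credential for p in paths if path_level(p) == eff})
            findings.append((item, required, eff, weakest))
    return findings


# Constructed sample policies (not Cornell's actual configuration).
APPLICANT_ONLY = AccessPath("ApplicantID")
NETID_ONLY = AccessPath("NetID")
STEPPED_UP = AccessPath("ApplicantID", frozenset({"common_app_secret", "phone_of_record_code"}))

CURRENT = {
    "application_status": ("bronze", [APPLICANT_ONLY]),
    "financial_aid_award": ("silver", [APPLICANT_ONLY, NETID_ONLY]),  # the slide's concern
}
PROPOSED = {
    "application_status": ("bronze", [APPLICANT_ONLY]),
    "financial_aid_award": ("silver", [STEPPED_UP, NETID_ONLY]),
}

if __name__ == "__main__":
    for name, policy in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, audit(policy) or "no findings")
```

Running the audit on the constructed CURRENT policy reports financial_aid_award as required silver but effective bronze, with ApplicantID as the weakest granting path; the PROPOSED policy, where the ApplicantID path is only accepted after the assumed step-up, produces no findings. The check is deliberately written over the whole set of granting paths rather than a single login, because that is where this class of problem hides: the silver path looks fine in isolation.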
Guidelines for IdM practice
• InCommon Identity Assurance Profiles
  http://www.incommonfederation.com/
• NIST Electronic Authentication Guide
  http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Karen Schultz
University Registrar
Penn State University
CAMP, February 4 – 6, 2009
Why do students leave?
• Graduate
• Withdraw
• Leave of absence
• Stop out temporarily
• Transfer to another institution
• Dismissed for academic or disciplinary reasons
Former students need services too
• Transcripts
• Verification of enrollment and/or degree
• Reporting CE credits to state Dept of Ed for teacher certification
• Loan billing and repayment
• Payment of delinquent balances
• Access to 1098T tax information
• Aid exit counseling
Transcript service
• FERPA requires signature
• Current students can authenticate with userid and password; electronic signature permits online ordering
• How to provide this service to students not in attendance?
Former students’ accounts
• Former student with active account
  – Account expires 6 months after graduation or 45 days after failure to enroll
• Former student who had account at one time
  – Forgotten userid and password
  – Account expired
• Former student who never had account
No account . . . No service?
• Must former students order transcripts on paper?
• People expect online services
• Online services reduce workload
• Can we establish mechanism to provide account which satisfies electronic signature requirement?
How it works now
• Former student without still-active account must create new account
  – Separate account system
  – New userid and password
• How do we ensure that account qualifies as electronic signature?
• Former student not on campus, cannot provide photo ID
How it works now (continued)
• Former student must complete form and sign, then fax to us
• When signed form is received, we activate account and notify former student
• Former student can use account to visit web site and place order
Better solution
• Student leaves university
• Retains userid and password
• Access to:
  – Transcript request
  – Enrollment/degree verification
  – Financial records
  – Loan repayment
  – Aid exit counseling
In a perfect world . . .
• Student has one account for life
• Account remains active but access to services varies based on student status
• Account migration seamless for student
• Provides access to appropriate services at appropriate time
In a more perfect world . . .
• Single account established as prospect/applicant
• Admitted students use account to access pre-enrollment services (AlcoholEdu), registration
• Enrolled students have access to all services
• Former students order transcript
Are we there yet?
• Penn State has launched IdM project
• Beginning with student lifecycle
• First step is mapping
Thomas Black
University Registrar
Stanford University
Three Use Cases
Federation Model: standards compliant, predefined trust relationship, and no separate arrangement
• A.S.P.s
• Admissions Service Providers
• Authorization of identity in perpetuity
A.S.P.s (Application Service Providers)
• CollegeNet: What Do You Think? – On-line Course Evaluation System; Students and Faculty Access Surveys and Compiled Reports
• National Student Clearinghouse – On-line Enrollment Certification & Degree Verification; Students and Staff Access Student Data
W.D.Y.T. (course evaluations)
• Point of Dependency: File Exchanges
• Participants must be introduced to the system in advance of launching the site each term.
• Enrollment and Instructor data must be current at the 11th hour...
Data File Exchanges
• Must send files to CollegeNet to “prime” W.D.Y.T.
• User flow: Portal Log-in → Local Authentication → Navigate to Courses → Vendor’s Service
N.S.C.
• Manual Account Setup and Active Account Problem:
  – Institutional contact faxes the identity information to NSC to set up accounts.
  – Institutional contact is charged with notifying NSC if an account should be removed
LSAC & AMCAS
• Local authentication and authorization… for transcripts
[Diagram: parties – Students, Graduates; Stanford University; AMCAS / LSDAS / any school. Labelled flows – identity data; request; add info request document; electronic request & response; electronic document transmission]
Ongoing Identity Services
• Permanently Active Authorization Services
• School to School: transcripts & certifications
• Out-of-Boundary?
  – Vendors: music; videos; cars; tech components; journal clearinghouses
  – Services: insurance