1. Protecting Identities at FSU
Principles of SSN replacement
Jeff Bauer
Florida State University
http://fsuid.fsu.edu/admin
2. The SSN Problem
SSN is used as a method for authenticating students and employees via web and in-person challenges
Mandates to protect & hide SSN abound
SSN is still required for certain business processes (HR, external identity of students to Feds, etc.)
3. The Proposal (2003)
This proposal was an attempt to combine identity terms and solve the SSN/multiple identity problem
Proposal:
FSUID = new public “login name”/password
FSUSN = new “SSN-like” private number
A combined directory will manage this information
4. FSU Identifier (FSUID)
Unique public identifier
First part of a person’s email address (for the most part)
Easy to remember (even student ones)
Rarely changes
Log in for key systems (OMNI, Bb, VPN, etc.)
Everybody gets one as soon as officially associated with the University
6. FSU Security Number (FSUSN)
Unique private identifier (nobody should know this but the owner)
9 characters long (same as SSN), with letters thrown in to distinguish from a real SSN
A little more difficult to remember, but not impossible
Will never change (unlike some SSNs)
Everybody gets one as soon as officially associated with the University
Currently ONLY used by instructors as a secondary challenge for on-line grade submission
10. Moving Away from SSN use
Two categories of SSN use:
Appropriate/required: IRS purposes for employees, external agency identification for students (Financial Aid)
Inappropriate: Any use as an identifier where the information can be easily compromised or
Undesired: An alternate unique identifier could be used instead (SSNs in person, email, printouts; SSNs on web forms that aren’t SSL’d nor blocked, etc.)
11. Appropriate use of SSN example Web registration for classes
12. Current State of Affairs
Acknowledge that many student systems still use SSNs in a variety of ways (Admissions, Registration, Fee Payments, Housing, etc.).
Acknowledge that new development in student systems tries to avoid using SSNs (though this is difficult to do).
Realize that replacing SSNs with FSUSNs in student systems will take time and money (not unlike the Y2K time & expense problem seven years ago). ** resource intensive ** (currently unfunded)
13. OTI Proposal
FSU should mandate that all computer systems & business processes move away from inappropriate use of SSNs to a suitable SSN replacement.
FSU should mandate that customers of identity information from now on obtain Vice President approval for providing SSNs.
14. Proposals
All FSU offices (Admissions & Registrar, Orientation, Financial Aid, Student Financial Services, F&A, etc.) do an internal audit to discover inappropriate uses of SSNs in normal business practices.
Any office with an inappropriate use should change its business process to identify people by a method other than SSN (immediately for servers that have SSNs and that could be compromised).
OTI can assist by researching and developing technological solutions that lessen the impact on business practices (card swipes of FSUCard for FSUCard <--> SSN mapping, customized FSUID helpdesk lookup utility, etc.)
15. Proposals
Student systems, with the dominance of SSNs on CICS “green screens”, printed forms and other business processes, require the largest effort to replace SSNs.
Proposed that $200K for 3 years in time-limited E&G positions be established to convert existing mainframe-based student systems that use SSN as primary key.
Note that movement to Oracle/PeopleSoft student systems will solve the SSN problem, but will be more expensive to implement.