Replacement SSN (RSN)


lexiss

Presentation Transcript


  1. Replacement SSN (RSN) Overview July 21, 2008

  2. Presentation Overview
     • Part I - The Problem
     • What problem is being addressed?
     • How does the service solve the problem?
     • Part II - How to use the RSN Service
     • Convert your database
     • Invoke the RSN Service as a Web Service
     • Invoke the RSN Service via an MVS batch subroutine
     • How the RSN Service Works
     • Apply for access at your campus
     • Current Status of RSN Service Development
     • Questions

  3. Part I The Problem

  4. The Problem
     True SSNs are maintained by UC in:
     • Operational Systems, e.g., PPS
     • Data Warehouse systems, e.g., CPS
     • Interface files between systems
     Recent security breaches have demonstrated that it's "when", not "if", one of these systems is compromised. Many interface files contain full campus rosters of PII.

  5. Proposed Solution Overview
     • Replace SSNs with a Replacement SSN.
     • Replacement SSN (RSN) is randomly generated. It is not an algorithm or a hash.
     • RSN-SSN correspondence is maintained in the "SSN Vault" at UCOP.
     • For ease of implementation, RSN is also a 9-digit number.
     • Web services (SOA) will be provided to exchange RSNs and SSNs.
     • Implementation is University-wide, beginning with Payroll going downstream (UCRS, etc.)

  6. Intended Use
     • SSNs are replaced upon initial entry into any application, e.g., PPS
     • RSNs are stored in application databases
     • RSNs are used in interface files, e.g., PPS to UCRS, PPS to CPS, etc.
     • SSNs are obtained from the "vault" using RSNs when needed for external purposes (e.g., W-2 files, user display)
     • The services only provide one RSN-SSN exchange at a time.

  7. What Will We Provide?
     • One Web Service to convert an SSN to an RSN
     • One Web Service to convert an RSN to an SSN
     • A utility which calls the service to convert existing files (or unloaded tables) to RSN
     • A pair of services and a database design that can be used at a campus and that are coordinated with the UCOP services
     • Activity Logging
     • A strategy for re-mapping SSNs to new RSNs in case of a breach

  8. Part II How to use the RSN Service

  9. Convert your database

  10. Invoke the RSN Service as a Web Service

  11. Invoke the RSN Service via an MVS batch subroutine

  12. How the RSN Service Works
     • RACF provides the authorization ID associated with the certificate presented by the requester.
     • The RSN / SSN mapping is encrypted at rest.
     • A request for an SSN lookup using an RSN that is not found results in a +100 return code and a strike against the requester.
     • Once a requester exceeds his allotted number of strikes, further access is denied.
     • All Web Service requests use SSL.
     • The LUW server or CICS region hosting the requesting application must have an X.509 certificate.
     • The RACF authorization ID of the batch job submitter is the userid under which the RSN Service CICS transaction runs.
     • The requester passes an application key (which identifies the application) with the request.
     • Once authenticated, all requests for an RSN lookup using an SSN are honored.

  13. Apply for access at your campus
     • Requires CIO approval
     • Provide as appropriate
       • Userids
       • IP addresses
       • Application key name
       • CSR
     • We will provide
       • Certificate
       • Authorization to use
       • WSDL

  14. Current Status of RSN Service Development
     • Coding and development testing nearly complete
     • Vetting process underway
       • UCOP Internal Audit
       • External Technical Review
       • Vulnerability assessment
     • Production rollout date not yet known

  15. Questions
     • We will answer as many as possible until time runs out
     • Anyone who still has questions after the presentation should feel free to ask us later
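
The vault behaviour described on slides 5 and 12 (random 9-digit RSN, +100 on an unknown RSN, strikes leading to denial), modelled in Python as an added example; it is not code from the presentation or from the RSN Service. The class and method names, the DENIED code, the strike allowance, the reuse of one RSN per SSN, and limiting the lockout to RSN-to-SSN lookups are assumptions, and `requester` stands for an ID that has already been authenticated.

```python
import secrets

OK, NOT_FOUND, DENIED = 0, 100, -1   # 100 is the slides' "+100"; DENIED is assumed

class RsnVault:
    """In-memory stand-in for the vault (the real mapping is encrypted at rest)."""

    def __init__(self, max_strikes=3):           # allowance is an assumed value
        self.max_strikes = max_strikes
        self._by_ssn, self._by_rsn = {}, {}
        self._strikes = {}                        # requester id -> failed lookups
        self.log = []                             # activity log entries

    def _new_rsn(self):
        # Drawn from a CSPRNG, so the RSN carries no information about the SSN.
        while True:
            rsn = f"{secrets.randbelow(10**9):09d}"
            if rsn not in self._by_rsn:
                return rsn

    def ssn_to_rsn(self, requester, ssn):
        # Honored for any authenticated requester; assumed: one RSN per SSN.
        rsn = self._by_ssn.get(ssn)
        if rsn is None:
            rsn = self._new_rsn()
            self._by_ssn[ssn], self._by_rsn[rsn] = rsn, ssn
        self.log.append((requester, "ssn_to_rsn", OK))
        return OK, rsn

    def rsn_to_ssn(self, requester, rsn):
        if self._strikes.get(requester, 0) > self.max_strikes:
            code, ssn = DENIED, None              # allowance exceeded: locked out
        elif rsn in self._by_rsn:
            code, ssn = OK, self._by_rsn[rsn]
        else:
            self._strikes[requester] = self._strikes.get(requester, 0) + 1
            code, ssn = NOT_FOUND, None           # a miss costs one strike
        self.log.append((requester, "rsn_to_ssn", code))
        return code, ssn

if __name__ == "__main__":
    vault = RsnVault(max_strikes=2)
    _, rsn = vault.ssn_to_rsn("payroll-app", "000123456")   # constructed SSN
    print(vault.rsn_to_ssn("payroll-app", rsn))
    for _ in range(4):                                       # guessing requester
        print(vault.rsn_to_ssn("other-app", "not-an-rsn"))
```

Because the RSN is random rather than derived, a stolen interface file of RSNs yields SSNs only through vault lookups, and guessed lookups are what the strike counter limits.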
