9.02.2008
School's starting again; how's your security?
With the new school year starting up, various articles and blog posts have shown up on the radar indicating that 2008 may be the year of the security-conscious campus. The stories are linked below:
- Schools take steps to tighten security - "...a virtual security guard that grants or denies people access to the building based on whether they are registered sex offenders."
- Efficiency, high-tech tools mark new year - "'e' is not just for effort, but also for efficiency."
- Carnegie Mellon System Thwarts Internet Eavesdropping - "A user who thinks he is linked to an airport or coffee shop 'hot spot,' for instance, might actually be linked to a laptop of someone just a few seats away."
- Cleveland school security connect to police dispatch - "Officers in zone cars can listen and respond immediately to a school."
- New security measures in place in Manchester Local Schools - "He was impersonating a sheriff deputy at the (local) McDonalds prior to this..."
- Homeland Integrated Security Systems Expects Sales Boom Following Passage of House Resolution 3179 - “Being added to the GSA Schedule and GSA Advantage has really opened a lot of doors for our company.”
Labels:
guns,
Id Badges,
public safety,
School Security,
security,
video surveillance
8.26.2008
Metro St. Louis Procures Onboard Surveillance Cams
From TMCnet.com
August 22, 2008
Metro St. Louis Procures Onboard Surveillance Cams
By Raju Shanbhag
TMCnet Contributing Editor
Looking to install onboard surveillance camera systems on 50 new Call-A-Ride paratransit vans, the Metro transit agency in St. Louis, Missouri has awarded an approximately $250,000 sole-source contract to Safety Vision, a provider of mobile digital video solutions. Eligible riders in the St. Louis area will now get curb-to-curb public transportation from the agency’s Call-A-Ride program.
The new contract was approved by the agency in June 2008 and was partially funded by a Department of Homeland Security Grant. Installation is scheduled to occur in two shifts: the first 25 vehicles this month, the second 25 in October. For 11 years, Safety Vision, a 16-year veteran of the mobile surveillance industry, has supported Metro’s transit security efforts.
Each new Call-A-Ride vehicle will be outfitted with four mobile-rated security cameras, including microphones, impact sensors, and the Safety Vision RoadRecorder 6000 PRO mobile digital video recorder (MDVR). Apart from recording video, audio, and system health data in a secure, encrypted MPEG4 format, the MDVR also supports up to 10 interior and exterior cameras. The PRO features more camera frames per second, tripled storage capacity, wireless connectivity, and streamlined data management and builds on earlier generations in the RoadRecorder series.
The Safety Vision onboard camera systems are also being used by transit authorities in other major metropolitan areas including Washington, D.C., Chicago, Illinois, and Portland, Oregon to increase operator safety, enhance public security, mitigate transit authorities’ risk, and strengthen criminal prosecutors’ cases.
Safety Vision Account Executive John Major says, “We’ve installed camera systems on hundreds of Metro’s transit buses and light-rail vehicles. As we move into the paratransit vans, we’re extending our mobile safety net to encompass all of Metro’s ridership, driver/operators, and rolling assets. This project is also of note as one of our largest installations of security cameras in a paratransit fleet.”
He continued, “Along with Broward County Transit in Florida, St. Louis Metro is one of our oldest transit customers. We’ve shared their longstanding commitment to improving the safety and security of their personnel and the public, and we’ve learned together over the years. The Safety Vision team takes pains to ask the right questions of these and other transit customers, and to listen carefully to their answers. Our in-house engineering staff then designs solutions according to customer input, yielding the most technologically advanced yet user friendly systems available today and into the future.”
Raju Shanbhag is a contributing editor for TMCnet. To read more of Raju's articles, please visit his columnist page.
Edited by Eve Sullivan
Labels:
prevention,
public safety,
security,
video surveillance
Utah schools more 'security conscious'
Article Last Updated: 08/24/2008 02:27:59 AM MDT
Last school year, a Jordan School District student approached another student with a gun and threatened to blow off his head unless the kid gave him gum.
The weapon was only a realistic-looking squirt gun, but the "armed" student was suspended for 45 days, said Larry Urry, a Jordan staff assistant in the office of compliance and special programs.
"Something like that puts kids in fear of their lives," Urry said. "You don't do that kind of thing."
It's the kind of thing, however, that happens more often than some might think in Utah schools. That's why some of the state's largest school districts, which resume classes this week, are working this year on both old and new security measures - ranging from door-locking systems, to cameras, to police officers - to keep schools safe.
Utah schools reported 654 incidents of weapon possession and 1,400 incidents of drug and alcohol abuse during the 2006-07 school year, the latest year for which numbers are available.
Granite and Jordan district officials said the weapons are often knives and fake guns. The drugs are largely alcohol, tobacco and marijuana.
Most students don't want to be around such things at school, said Clay Pearce, Granite assistant director of student services.
"They want their schools to be safe and places to learn," Pearce said.
To make their schools safer, Jordan and Granite are improving security.
Jordan expects to finish installing card-access systems - where certain doors can only be opened with security cards - in all of its schools by the start of 2009. That means all school visitors will have to enter through front entrances. All other school doors will be permanently locked from the outside except for some accessible only with the security cards, said Scott Thomas, a Jordan auxiliary services staff assistant. Jordan also will have video cameras monitoring all schools' front entrances. The cameras will feed into monitors set up in schools' front offices, Thomas said.
"It's just the world we live in," Thomas said. "Everybody's being more security conscious."
Granite expects to have card access systems in all elementary schools by early 2009, said Randy Johnson, chief of the Granite School District Police Department. All the district's high schools and junior highs have video monitors, and several elementary schools have them, Johnson said. Salt Lake City School District's schools already have video cameras, said Jason Olsen, district spokesman.
"It would be nice if elementary schools were really open to the public, but times have changed," Johnson said.
Johnson, who heads Granite's 17-member full-time force, said his department will stay busy this year. He said it will likely get more than 10,000 calls for service this year.
The Granite police respond to everything from theft to out-of-control students to weapons and look-alike weapons complaints. They also monitor schools at night to deter would-be vandals and other criminals.
"Our job is to locate, identify and mitigate any problems during the middle of the night so the kids never have to show up and go, 'Oh my gosh, this place of safety and refuge is not really a place of safety and refuge,' " Johnson said.
The district also works with local police departments who station police officers - also known as school resource officers - at schools. The Jordan and Salt Lake districts also have police officers in many of their schools.
"It shows students from an early age that police really are there as a service and an asset to our community," Thomas said. "They're not scary people."
Students who break the law at school might not only face legal repercussions, but they also could face school consequences.
Any student caught with a gun at school can't come back to school for a year, according to the federal Gun-Free Schools Act. But depending on the situation, students and parents can often appeal to district committees, as happened in the case of the boy who brought the squirt gun to school.
"We try to look at the intent," Pearce said.
For example, when a student made threats with a real gun and a real knife at a Jordan School District high school last school year, that student was suspended for the full 180 days, Urry said.
But Granite and Jordan officials said that type of incident is relatively rare.
"I don't know if there's a way to ever really completely bulletproof a school from everything," Thomas said. "But [it's important] to be proactive and protect the public and create a sense of responsibility among everybody."
lschencker@sltrib.com
GE Security Explosives Detection Systems Help Protect Homeward-Bound Olympic Athletes and Visitors Using Beijing Capital International Airport
Twelve GE Security CTX 9000 DSi Inline Checked Bag Screening Systems Now Operating at BCIA's Terminal Three in Time for Departing Beijing 2008 Olympic Games Visitors, Athletes
BEIJING, Aug 22, 2008 (BUSINESS WIRE) -- GE Security, Inc., a business of GE Enterprise Solutions today announced its Homeland Protection business installed twelve GE Security CTX 9000 DSi advanced baggage screening systems at Beijing Capital International Airport's (BCIA) Terminal Three as part of the city's infrastructure investment for the Beijing 2008 Olympic Games.
GE Security's CTX 9000 advanced technology explosives detection systems are helping BCIA better protect visitors and athletes returning home after the Olympic Games. They are configured to optimally accommodate the 43 million air passengers and 170,000 flights per year for which the terminal was designed and also serve as a model for inline baggage screening systems throughout the country and region.
"GE Security is pleased to be the provider of this reliable and advanced security technology for this state of the art airport terminal that is currently supporting travelers returning home from the world's premiere sporting event," said Dennis Cooke, president and CEO, GE Security's Homeland Protection business. "This deployment of advanced explosives detection capability to Beijing Capital International Airport underscores our commitment to providing integrated, real-world security solutions that are helping protect and secure Beijing 2008 Olympic Games athletes and visitors as well as all air travelers."
"Our investment in GE's aviation security solutions is helping to make our security operations more effective, more efficient and more convenient for our passengers," said Mr. Yuan, vice president, BCIA expansion headquarters.
The GE CTX 9000 line of CT-based inline explosives detection baggage screening solutions is designed to integrate with airport baggage handling systems (BHS). The CTX 9000 system is TSA-certified and is often well suited for fast-paced airport environments.
With construction of the new Terminal Three beginning in 2004, China has invested approximately $2 billion USD to develop it as a modern gateway to accommodate increased international visitation to the Chinese capital. The terminal's development is part of an unprecedented $40 billion USD infrastructure investment ahead of the 2008 Olympic Games, which host city Beijing anticipates will be among the most profitable and well attended of recent Games.
Designed for ease of operation and service, with multiplexing capabilities and a low false alarm rate, the CTX 9000 system can be an excellent investment for high-volume airports. Its advanced technology can assist customers to efficiently and accurately identify the most challenging threat substances.
The new Terminal Three opened to the public earlier this year. It consists of three concourses with a combined total area of some 1,000,000 square meters. Concourse C accommodates domestic and international check-in, domestic departures, and domestic and international baggage claim. Concourse D is temporarily dedicated to charter flights during the Olympic and Paralympic Games. Concourse E is for international departures and arrivals.
About Beijing Capital International Airport
The Beijing Capital International Airport terminal officially opened on October 1, 1999, marking the 50th anniversary of Chinese Communist rule. This new, bright and airy terminal, built at a cost of $1.1 billion, is a welcome replacement for the former facility, which started operating in the 1950s, and has become increasingly cramped and dingy with the rise in the number of passengers visiting China.
The new four-story terminal (including basement level) covers an area of 336,000 square meters -- three times the size of the former terminal -- and puts much more emphasis on passenger comfort. The complex also includes a large-scale public parking building and a cargo station.
When this state-of-the-art terminal goes into full operation, it will be able to handle 190,000 flights, 35 million passengers, and 780,000 tons of cargo a year. The building has 51 elevators, 63 escalators, and 26 moving sidewalks to make moving around the airport easy.
Beijing is served by international carriers such as Northwest, United, Canadian Airlines, Lufthansa, SAS, Dragon Air, Japan Airlines, ANA, British Airways, Malaysian Air, Austrian Airlines, Air France, Alitalia, Korean Air, Pakistan Airlines, Singapore Airlines, Thai International, Air China, China Southern and China Northern.
About GE's Security Business
GE Security, Inc., a wholly owned indirect subsidiary of the General Electric Company is a leading supplier of security and life safety technologies, with operations in more than 35 countries and $1.8 billion in annual sales. GE Security offers one of the industry's broadest product portfolios, including access control, explosives detection, fire detection, intrusion, key management and surveillance. GE Security's products are used to protect people and property across a wide range of industries, including aviation, banking and finance, education, government and military, healthcare, law enforcement, residential, retail, stadiums and event venues, and transportation.
GE Security was honored with Frost & Sullivan's 2008 North American Video Surveillance Solutions Company of the Year Award for its industry leading video portfolio and integration strategy vision and execution. For more information about GE Security, please visit www.gesecurity.com.
GE Security, making the world safer.
About GE and the Olympic Games
GE is the exclusive provider of a wide range of innovative products and services that are integral to staging a successful Olympic Games. GE works closely with host countries, cities and organizing committees to provide infrastructure solutions for Olympic venues including power, lighting, water treatment, transportation and security, and to supply hospitals with ultrasound and MRI equipment to help doctors treat athletes. In addition, NBC Universal, a division of GE, is the exclusive U.S. media partner of the Olympic Games, with its partnership also extending through 2012. For more information, visit www.ge.com/olympicgames.
SOURCE: GE Security, Inc.
Edelman for GE Security
Copyright Business Wire 2008
Niamh Grano, +1-202-312-8256
niamh.grano@edelman.com
or
GE Security
Steve Hill, +1-510-857-1132
steve.hill1@ge.com
Labels:
airport security,
prevention,
public safety,
security
First Biometric Facial Recognition Security System Using RFID Technology Eyes Canadian Market
[08/22/08] @ MoreRFID.com
RFID ProSolutions, Canadian leaders in RFID technology consulting and engineering, and American RFID Solutions, an industry-recognized leading manufacturer and solution provider, have announced a strategic reseller agreement for the distribution of TES, Trusted eSentry Security, a new, innovative biometric facial recognition system in Canada.
TES is a biometric/RFID security system that allows for the automatic identification of individuals using a combination of facial recognition and HF or UHF RFID technology (access cards).
"The ID cards are already used to control access to restricted areas, but by adding a second reading of distinctive authenticity through biometric recognition, we've taken security to new heights," said Harold Clampitt, CEO & Founder of American RFID Solutions. "And this is the level of protection confidential information, valuable goods and sensitive environments require."
"The beauty of the system is that there is no central data base that can cause accusations of copying or stealing information," stated Andre Lacaille, President of RFID ProSolutions. "Systems that require prints are known for leaving evidence behind because of the physical contact that is required and therefore the information can be copied."
The system was recognized earlier this year as a Best in Show finalist for the RFID Journal Awards in Las Vegas and has a read rate of 99.999999%, which makes this system one of the most secure in the world. The system works independently or through a network to interface with existing systems to form an increased secured perimeter.
"We are extremely excited about introducing this system to Canadian organizations and security integrators; this is an important addition to our portfolio of solutions" says Jebb Nucci, Vice President of Operations for RFID ProSolutions.
About RFID ProSolutions
RFID ProSolutions, a division of ProAction Management Group, offers their services in needs analysis, process design, solution selection and development, implementation and change management support. Specialized in RFID technology, RFID ProSolutions is a project management and solution-driven firm that focuses entirely on bringing the best possible products and the most innovative solutions to meet their customer's business needs.
About American RFID Solutions
American RFID Solutions is the developer of the Trusted eSentry Security System, TrackStar and eDOTS, and offers turnkey solutions, consulting and products in the areas of active, passive, RTLS, near field and far field RFID technologies. http://americanRFIDsolutions.com
Back to School Fire Safety
Posted by NTX Security on MerchantCircle.com
Every year college and university students experience a growing number of fire-related emergencies. There are several causes for these fires; however, most are due to a general lack of knowledge about fire safety and prevention.
The Cause
Many factors contribute to the problem of dormitory housing fires.
- Improper use of 911 notification systems delays emergency response.
- Student apathy is prevalent. Many are unaware that fire is a risk or threat in the environment.
- Evacuation efforts are hindered since fire alarms are often ignored.
- Building evacuations are delayed due to lack of preparation and preplanning.
- Vandalized and improperly maintained smoke alarms and fire alarm systems inhibit early detection of fires.
- Misuse of cooking appliances, overloaded electrical circuits and extension cords increase the risk of fires.
Safety Precautions
- Provide students with a program for fire safety and prevention.
- Teach students how to properly notify the fire department using the 911 system.
- Install smoke alarms in every dormitory room and every level of housing facilities.
- Maintain and regularly test smoke alarms and fire alarm systems. Replace smoke alarm batteries every semester.
- Regularly inspect rooms and buildings for fire hazards. Ask your local fire department for assistance.
- Inspect exit doors and windows and make sure they are working properly.
- Create and update detailed floor plans of buildings, and make them available to emergency personnel, resident advisors and students.
- Conduct fire drills and practice escape routes and evacuation plans. Urge students to take each alarm seriously.
- Do not overload electrical outlets and make sure extension cords are used properly.
- Learn to properly use and maintain heating and cooking appliances.
- Consult a security and alarm system professional to evaluate your home or dormitory.
Labels:
Fire Safety,
prevention,
School Security,
security
8.22.2008
Corralling Identity Management
From Security Products Online's Campus Technology ezine
William Schneider, identity management team lead, said the purpose of his group is to manage the identity and access infrastructure, which consists of multiple ID management systems, many of the enterprise directories, and the Center's public key infrastructure.
Individuals within the HSC community, which includes about 3,775 students and a staff and faculty of nearly 4,440 in eight different schools, may go through multiple roles during their time with the Center. A student, for example, may achieve an MD, then transition into a residency and perhaps eventually become a member of the faculty. Often the same person may be an employee, faculty member, and student simultaneously.
"The identity management system ties all that together," said Schneider. "It makes it such that you could have the same e-mail, password, and inbox throughout that entire lifecycle."
The Center has five "systems of record": the human resources system, which resides in PeopleSoft; the student information system, maintained in a DB2 database running a mainframe emulator on the front end; a resident system, called Graduate Medical Education Information System (GMEIS), basically, an HR system that does evaluations, duty hours, and rotations and scheduling; an HR system for the Faculty Practice Plan for the Center's physicians; and a guest database for anybody not in any of the other four categories.
A First Attempt at Identity Management
In the past, that wealth of data from multiple sources posed several challenges. There was no simple way to know which data store to use when a person was maintained in more than one. Likewise, it was hard to reconcile those five systems in order to do a match to determine if an individual in one was the same as the individual in another.
University of Texas guidelines mandate that the Center assign a persistently unique identifier to a single individual forever, explained Schneider. Yet those same guidelines say that a social security number can't be used--unless it's collected for another purpose, such as employment. So those linkages needed to be created in some other way.
About eight years ago, the Center's academic computing group developed an application called Integrated Directory Service (InDiS). Each day, InDiS took a feed from each of the five data stores, performed a reconciliation, and fed the result into an Oracle database, referred to as the "Person Registry," which populated a single LDAP-based Sun enterprise directory. This was and continues to be based on Internet2's Enterprise Directory design guidelines.
Few other applications at the Center used the directory, and none of the desktops actually logged into it for authentication.
Choosing Novell Identity Manager
Then four or five years ago, Schneider said, there was a move afoot to consolidate mail systems across the Center from about a dozen to a single one: Microsoft Exchange. That also meant extending the Active Directory deployment to a much larger scale. So the IT team needed to figure out a way to take the data from that Sun directory and recreate it in Active Directory, plus integrate an e-directory that had been in use at the University of Texas for about 15 years.
Corralling Identity Management
8/22/2008
By Dian Schaffhauser
The University of Texas Health Science Center at Houston recently reconstituted its IT organization to include a new team focused solely on identity management. In the course of its work the team may end up becoming a model for how identity management can help deliver business value beyond standard IT duties, such as adding new users to the network. William Schneider, identity management team lead, said the purpose of his group is to manage the identity and access infrastructure, which consists of multiple ID management systems, many of the enterprise directories, and the Center's public key infrastructure.
Individuals within the HSC community, which includes about 3,775 students and a staff and faculty of nearly 4,440 in eight different schools, may go through multiple roles during their time with the Center. A student, for example, may achieve an MD, then transition into a residency and perhaps eventually become a member of the faculty. Often the same person may be an employee, faculty member, and student simultaneously.
"The identity management system ties all that together," said Schneider. "It makes it such that you could have the same e-mail, password, and inbox throughout that entire lifecycle."
The Center has five "systems of record": the human resources system, which resides in PeopleSoft; the student information system, maintained in a DB2 database running a mainframe emulator on the front end; a resident system, called Graduate Medical Education Information System (GMEIS), basically, an HR system that does evaluations, duty hours, and rotations and scheduling; an HR system for the Faculty Practice Plan for the Center's physicians; and a guest database for anybody not in any of the other four categories.
A First Attempt at Identity Management
In the past, that wealth of data from multiple sources posed several challenges. There was no simple way to know which data store to use when a person was maintained in more than one. Likewise, it was hard to reconcile those five systems in order to do a match to determine if an individual in one was the same as the individual in another.
University of Texas guidelines mandate that the Center assign a persistently unique identifier to a single individual forever, explained Schneider. Yet those same guidelines say that a social security number can't be used--unless it's collected for another purpose, such as employment. So those linkages needed to be created in some other way.
About eight years ago, the Center's academic computing group developed an application called Integrated Directory Service (InDiS). Once a day, InDiS took a feed from each of the five data stores, reconciled them, and loaded the result into an Oracle database, referred to as the "Person Registry," which populated a single LDAP-based Sun enterprise directory. This was and continues to be based on Internet2's Enterprise Directory design guidelines.
Few other applications at the Center used the directory, and none of the desktops actually logged into it for authentication.
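The reconciliation step described above, as an added example that is not InDiS or any of the Center's code: a small person registry that links rows from several systems of record to one persistent, opaque identifier, without using a social security number as the key. The source names, the record layout, the name-plus-date-of-birth match key and the rule for sending conflicts to human review are assumptions.

```python
"""Toy person registry: link rows from several systems of record to one
persistent identifier per individual. Added example, not InDiS; the record
layout, match key and review rule are assumptions."""
import secrets
import unicodedata
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SourceRecord:
    source: str       # which system of record: hr, sis, gmeis, fpp, guest
    source_id: str    # that system's own identifier for the row
    given: str
    surname: str
    dob: str          # ISO date
    affiliation: str  # what this source vouches for: employee, student, ...


@dataclass
class Person:
    person_id: str    # persistent, opaque, never reused; not derived from an SSN
    given: str
    surname: str
    dob: str
    links: set = field(default_factory=set)         # {(source, source_id)}
    affiliations: set = field(default_factory=set)  # union over all linked rows


def match_key(given, surname, dob):
    """Normalise accents, case and whitespace so 'García' and 'Garcia' agree."""
    def norm(s):
        return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().strip().lower()
    return (norm(given), norm(surname), dob)


class PersonRegistry:
    def __init__(self):
        self.people = {}        # person_id -> Person
        self.by_link = {}       # (source, source_id) -> person_id
        self.by_key = {}        # match key -> person_id
        self.review_queue = []  # rows a human must resolve; never auto-merged

    def reconcile(self, rec):
        """Return the person_id for rec, or None if it was queued for review."""
        link = (rec.source, rec.source_id)
        pid = self.by_link.get(link)          # 1. this system already told us who this is
        if pid is None:
            key = match_key(rec.given, rec.surname, rec.dob)
            pid = self.by_key.get(key)        # 2. same person seen via another system?
            if pid is None:                   # 3. genuinely new: mint an identifier
                pid = "P-" + secrets.token_hex(4)
                self.people[pid] = Person(pid, rec.given, rec.surname, rec.dob)
                self.by_key[key] = pid
            elif rec.source in {s for s, _ in self.people[pid].links}:
                # The candidate already has a *different* row from this same source:
                # either two people share name and DOB or the source has a duplicate.
                # Merging would give one person two employee IDs, so a human decides.
                self.review_queue.append(rec)
                return None
            self.by_link[link] = pid
        person = self.people[pid]
        person.links.add(link)
        person.affiliations.add(rec.affiliation)
        return pid

    def affiliations(self, pid):
        return sorted(self.people[pid].affiliations)


# Constructed sample feed (not real data): one person seen by HR and the
# registrar, an unrelated guest with the same name, and a duplicate-looking HR row.
SAMPLE_FEED = [
    SourceRecord("hr",    "E1001", "Ana", "García", "1975-03-02", "employee"),
    SourceRecord("sis",   "S4471", "Ana", "Garcia", "1975-03-02", "student"),
    SourceRecord("guest", "G0007", "Ana", "Garcia", "1990-01-01", "guest"),
    SourceRecord("hr",    "E1002", "Bob", "Lee",    "1980-05-05", "employee"),
    SourceRecord("hr",    "E1003", "Bob", "Lee",    "1980-05-05", "employee"),
    SourceRecord("hr",    "E1001", "Ana", "García", "1975-03-02", "employee"),  # next day's feed
]


def run_feed(records=SAMPLE_FEED):
    reg = PersonRegistry()
    return reg, [reg.reconcile(r) for r in records]


if __name__ == "__main__":
    reg, ids = run_feed()
    for pid, person in reg.people.items():
        print(pid, person.given, person.surname, sorted(person.links), sorted(person.affiliations))
    print("needs review:", reg.review_queue)
```

Two design points carry the article's requirements: the link table makes the identifier stable across daily re-feeds and attribute changes (a surname change in HR still resolves by employee ID, so no second identity is minted), and an attribute match is only trusted when it joins rows from different systems; a second row from the same system that collides on name and date of birth is a conflict for a person to resolve, not a merge.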
Choosing Novell Identity Manager
Then four or five years ago, Schneider said, there was a move afoot to consolidate mail systems across the Center from about a dozen to a single one: Microsoft Exchange. That also meant extending the Active Directory deployment to a much larger scale. So the IT team needed to figure out a way to take the data from that Sun directory and recreate it in Active Directory, plus integrate an e-directory that had been in use at the University of Texas for about 15 years.
"We looked at that and said, 'OK, we can take the existing application and extend it and write custom code. Or we can look at commercial applications," Schneider recalled. "When it came down to it, maintaining our own code base wasn't where we wanted to go, if we could avoid it. We're a health science center, not a software development house. We decided pretty quickly to look at a commercial solution if it would meet the needs."
Contenders included Microsoft Identity Integration Server (now called Identity Lifecycle Manager), Sun Identity Manager, and Novell Identity Manager (formerly known as DirXML). Microsoft was knocked out because, Schneider said, it worked more in batch mode than real time and "required everything to be reconciled into a SQL database, which may or may not have been advantageous."
The Sun product required that "you had to write Java classes to do anything, and it was based on a virtual directory structure. You wouldn't actually synchronize the data," he said. "We wanted these directories to stand on their own if something got knocked off in between."
The Novell solution met the criteria for being an event-based, real-time identity management system. With about 20 different drivers, the integration capabilities were extensive, and configuration was based more on setting up business rules than on writing code.
Schneider and his colleagues focused on figuring out how well the Novell product could carry that Person Registry into Exchange. Prior to the initial deployment of Novell's ID Manager, the IT organization had been creating accounts manually in both Active Directory and the legacy e-directory.
Administrators had to terminate accounts manually and only had valid data for employees. InDiS would populate a new e-directory, which then synchronized users to Active Directory and other directories. That movement of data (with certain attributes) into Active Directory causes Exchange to provision an account as well. They ran it like this for about three years. The drawback was that it was run in batch mode. The data on new users arrived once a day, and any changes took 24 hours to complete. But, said Schneider, "This was infinitely better than manual provisioning and deprovisioning."
By replacing InDiS with the ID Manager software, Schneider and his colleagues hoped to move closer to an end-to-end, real-time, event-based system, what he calls the "holy grail."
"This means that on your first day of employment or classes you are provisioned with everything you need and you don't have to go hunting for access or spawn more processes that are out of band," he explained.
Schneider and a co-worker spent six months setting up connectors between each of those systems--PeopleSoft, DB2, and the others--to connect directly via ID Manager drivers to Novell's eDirectory, which was to become the Person Registry. Another ID Manager driver moves the data into the enterprise directory service, called Identity Vault and composed of a number of different directories and applications, including Active Directory, Tivoli, and others.
"Right now, if I'm a student and I go to register in the registrar's office, within 30 seconds of the registrar saying, 'Yes, you're registered for classes,' I've got an e-mail account, VPN access, access into Blackboard--most of what I need to start the first day of class," said Schneider.
Achieving Agility
The Novell software has enabled the IT organization to become much more agile. As an example, the HR organization, which uses PeopleSoft, had stand-alone user names and passwords for that application. They wanted to move to single sign-on authentication. But a requirement of the request was that the IT department also go through annual disaster recovery testing at a third-party site, which would require hauling the ID management system to the test site in another state and then bringing the system back up within six hours. That surpassed the level of business continuity required for the whole ID Manager operation. So the IT group came back with an alternative suggestion: to set up a stand-alone directory directly on a PeopleSoft server, which gets backed up with the rest of the PeopleSoft application. During a disaster recovery scenario, the directory used by PeopleSoft for authentication is restored alongside everything else. "They don't have to involve five other people and reconstitute a bunch of directories," said Schneider.
Delivering that took only seven days, he said, from original request, through scoping, through a test run, to production and deployment. Although Schneider said he believes other identity management products currently on the market would probably offer the same capabilities, "Could I do it that quickly with other products? Probably not."
For now, Schneider explained, the practical benefit of Novell ID Manager is that nobody has to perform daily administrative tasks such as setting up accounts, turning them off, or synchronizing passwords. The true value will come when the system can address real business needs.
As a health science center that gets a great deal of funding from federal sources, there's a big focus on compliance regulations including HIPAA and 21 CFR Part 11. "Right now, there's not a clear definition of it," he said. "If an auditor came in and said, 'What does this person have access to?' well, I know a lot of things they have access to, but I couldn't say 100 percent without a shadow of a doubt. I want to get to a point where I can say, 'This person has access to these 12 applications. They gained access on this date. They had access revoked on this date. Here they attested annually that they needed it.'"
Getting to that level of record-keeping, Schneider explained, requires a different approach to account provisioning. Currently, the overall system of user account management relies on data coming from multiple sources, sources that don't necessarily maintain the details about any given user's access. "The HR system was not designed to create e-mail accounts," Schneider said. "The registrar's job isn't to give students access to Blackboard. Their job is to register students and to hire and manage and retain employees."
That disconnect between the data maintained by different organizations at the Center and the data needed to manage users surfaced a few years ago. A core Web server relied on HR data that used a particular department name for one of the IT organizations at the Center. That department name changed, so it changed in the HR system too, which then populated down through the directories. All of a sudden, none of the administrators could access the Web server. "HR had no idea that the department name affected people's access to a Web server. Nor should they have to have that knowledge," said Schneider.
The Next Phase in Managing the Digital Identities of Users
So the philosophy under which the identity management team will work is that although the data they have access to can help make decisions, it can't be relied upon 100 percent of the time. "There will always be exceptions, it'll always be somewhat inaccurate, and there will always be some degree of latency," he said.
That means the traditional approach of handing out access to services on the network based on the presence of a user within a given system of record, or having a given job title, role within the organization, or department must be eliminated. "Right now when you get provisioned, you get a lot of things by virtue of having an account," Schneider explained. "In our Windows Server team, there are three people who do Exchange management. Does everybody in that group need access to do Exchange management? No, but they all have the same title and work in the same department. Every bit and piece that we have says they're identical. But they don't need identical access."
In the new approach, access will be minimal, and users will need to have some way to identify additional network and application access they require.
"For instance," said Schneider, "if I'm an employee on day one, one [service] may be VPN access. Another might be an e-mail account. Because I'm an employee, I get both of those automatically. If I'm a student, I get an e-mail address. I can have VPN access if I go in and request it, and it'll be provisioned automatically. I need to go in and turn it on myself. If I'm a guest, I don't get an e-mail address. I don't get VPN access. I can request them. But that [request] will initiate a workflow to be approved by the person who approved my guest account and maybe some secondary person."
Beyond that the permissions issuance can get even more granular. The researcher with a large grant from the Department of Defense, for example, needs to know that the only people with access to a given database or application are the ones he or she has approved for access.
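The minimal-by-default model described in this section, together with the auditor's question raised earlier (what does this person have, since when, revoked when, attested when), as an added example that is not the Center's Identity Manager configuration. The policy table, the service names, the single-sponsor approval rule for guests and the person identifiers are assumptions.

```python
"""Toy event-driven provisioner with an audit trail. Added example, not the
Center's Novell Identity Manager configuration; the policy table, service
names and approval rule are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Per affiliation: services granted automatically, services the user can switch
# on alone, and services that need an approver. Anything absent is not available.
POLICY = {
    "employee": {"auto": {"email", "vpn"}, "self_service": set(),   "approval": set()},
    "student":  {"auto": {"email"},        "self_service": {"vpn"}, "approval": set()},
    "guest":    {"auto": set(),            "self_service": set(),   "approval": {"email", "vpn"}},
}


@dataclass
class Grant:
    service: str
    granted_on: str
    reason: str                         # "auto:student", "self-service", "approved-by:<pid>"
    revoked_on: Optional[str] = None
    last_attested: Optional[str] = None


class Provisioner:
    def __init__(self, today):
        self.today = today          # injected clock so runs are reproducible
        self.affiliations = {}      # person_id -> set of affiliations
        self.grants = {}            # person_id -> [Grant]; revoked ones are kept for audit
        self.sponsor = {}           # guest person_id -> person_id who approved the guest
        self.pending = {}           # request_id -> (person_id, service, required approver)
        self._next_req = 1

    def _active(self, pid, service):
        return next((g for g in self.grants.get(pid, [])
                     if g.service == service and g.revoked_on is None), None)

    def _grant(self, pid, service, reason):
        if self._active(pid, service):      # idempotent: a replayed event must not duplicate
            return False
        self.grants.setdefault(pid, []).append(Grant(service, self.today, reason))
        return True

    def _allowed(self, pid, service, tiers):
        return any(service in POLICY[a][t]
                   for a in self.affiliations.get(pid, ()) for t in tiers)

    # --- events emitted by the person registry ---
    def on_affiliation_added(self, pid, affiliation, sponsor=None):
        self.affiliations.setdefault(pid, set()).add(affiliation)
        if affiliation == "guest":
            self.sponsor[pid] = sponsor
        for svc in sorted(POLICY[affiliation]["auto"]):
            self._grant(pid, svc, f"auto:{affiliation}")

    def on_affiliation_removed(self, pid, affiliation):
        self.affiliations.get(pid, set()).discard(affiliation)
        # Revoke every grant that no remaining affiliation could justify.
        for g in self.grants.get(pid, []):
            if g.revoked_on is None and not self._allowed(
                    pid, g.service, ("auto", "self_service", "approval")):
                g.revoked_on = self.today

    # --- self-service and approval workflow ---
    def request(self, pid, service):
        """Returns 'granted', a pending request id, or 'denied'."""
        if self._allowed(pid, service, ("auto", "self_service")):
            self._grant(pid, service, "self-service")
            return "granted"
        if self._allowed(pid, service, ("approval",)):
            rid = f"REQ-{self._next_req}"
            self._next_req += 1
            self.pending[rid] = (pid, service, self.sponsor.get(pid))
            return rid
        return "denied"

    def approve(self, rid, approver):
        pid, service, required = self.pending[rid]
        if approver != required:            # only the sponsor of record may approve
            raise PermissionError(f"{approver} is not the approver of record for {rid}")
        del self.pending[rid]
        self._grant(pid, service, f"approved-by:{approver}")

    def attest(self, pid, service):
        g = self._active(pid, service)
        if g:
            g.last_attested = self.today

    def access_report(self, pid):
        """The auditor's question: what, since when, revoked when, why, last attested."""
        return [(g.service, g.granted_on, g.revoked_on, g.reason, g.last_attested)
                for g in self.grants.get(pid, [])]


def demo():
    p = Provisioner(today="2008-08-25")
    p.on_affiliation_added("P-alice", "student")             # registrar event
    p.request("P-alice", "vpn")                              # student turns VPN on herself
    p.on_affiliation_added("P-bob", "guest", sponsor="P-alice")
    rid = p.request("P-bob", "email")                        # guest: needs the sponsor
    p.today = "2008-08-26"
    p.approve(rid, "P-alice")
    p.today = "2008-12-20"
    p.on_affiliation_removed("P-alice", "student")           # no longer enrolled
    return p


if __name__ == "__main__":
    p = demo()
    for pid in ("P-alice", "P-bob"):
        print(pid, p.access_report(pid))
```

Access here hangs off the opaque person identifier and an explicit Grant record with a recorded reason, never off a mutable HR attribute such as a department name, which is exactly the failure described above. Revoked grants are retained rather than deleted so the report can answer "had access until when", and every handler is idempotent because an event-driven pipeline will eventually replay an event.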
Getting Buyer-side Buy-in
That level of service delivery, Schneider said, will result in "business-side buy-in" from the administrators, researchers, and department heads at HSC for the changes his team will be introducing. "Most of the time, the way you get that buy-in, we've found, is to show the value they're going to get back. When a registrar can look at that student and say, 'When I finish registering you, you'll be able to log in at that kiosk and send an e-mail to your professor,' there's a value there. That's why they'll want to tie into this infrastructure."
But he's quick to add that he doesn't expect to modify the processes those individual groups follow in performing their core activities. "We've tried very hard to integrate to existing processes and to be secondary to them. From the technical perspective, the identity management software really allows us to do that because the integration occurs at a level that's transparent to these systems."
For now, the new identity management team is picking off high level items--VPN and e-mail addresses--and getting that infrastructure in place to do automated workflow and provisioning. From there, they expect to start seeing more attention paid on the part of the business users to how more specialized services are provisioned from the time they're envisioned. It'll become "part of your RFP process for your new application," he said. "You're going to have to answer, how do you address this aspect of the IT side of whatever you're buying?'"
"Once you start going down this road, it gains a critical mass," said Schneider. "You don't have to go out and seek out these applications to add in because the customers are seeking you out."
Dian Schaffhauser is a writer who covers technology and business. Send your higher education technology news to her at dian@dischaffhauser.com.
Labels:
Id Badges,
School Security,
security
8.11.2008
The 9 Things You Should Know as a Security Director
Writer Christopher J. Wetzel and online magazine SecuritySolutions.com, part of Access Control & Security Systems, had an excellent article in their July 2008 print and web edition that details the nine major points any security director and/or integrator worth their salt should know about the industry.
http://securitysolutions.com/enduser/enterprisecorporate/rules_security_integration/
Trends and fundamentals change quickly, physical security and the company network are becoming symbiotic, and security now touches every aspect of business and life, so a security director can't afford to waste time working out the basics from scratch. The nine points, bulleted, are:
- Get a security firm that is knowledgeable of computer networking.
- IT and security directors should understand each other's model.
- Let (or make) your IT director comfortable with security hardware.
- Security and IT directors should partner together.
- As an integrator, expect to compete with other ROI initiatives.
- Software is the new hardware.
- Physically test new designs and ideas.
- Don't depend solely on technology. Merge the physical and the tech.
- An integrator is an integrator, not 3 or 23.
Labels:
Access Control,
office security