Two Factor Authentication (TFA) Has It On Lock Down
The information age is upon us, and with new technologies there are ever-increasing amounts of
data being collected and stored across the cyber community. This data must be protected to
ensure program integrity and safeguard taxpayers’ interests.
The postsecondary school ecosystem has grown significantly over the past few years with
multiple touch points to enable the delivery of Title IV Aid and to accommodate the needs of the
students Federal Student Aid (FSA) and our schools serve. In 2007 FSA distributed $80 billion
in financial aid to approximately 8 million borrowers. FSA distributed more than $135 billion in
Federal Aid this past year to 14 million students and families. Since 2007, the number of
borrowers has grown from 8 million to 23 million borrowers in 2010/2011. These figures are
expected to grow to the tune of about 10% over the next five years.
FSA hosts at least 80 million records, none of which is yet protected in accordance with industry best
practices and Office of Management and Budget (OMB) / Department of Homeland Security (DHS)
mandates. At a high level, the FSA ecosystem consists of more than 90,000 users accessing the
following primary FSA systems: National Student Loan Data System (NSLDS), Central
Processing System (CPS), Common Origination and Disbursement (COD), Access and Identity
Management System (AIMS), Participation Management (PM), Financial Management System
(FMS), and Student Aid Internet Gateway (SAIG).
The FSA ecosystem has over 10,000 unique entities including over 6,500 postsecondary schools
in 35 countries that interface directly with FSA. This population is supported by 3,200 financial
partners including Guaranty Agencies, Title IV Additional Servicers (TIVAs) and other financial
institutions.
The U.S. continues to be the top country targeted in web-based attacks and the government
sector is the most popular target. The type of information FSA hosts is often the target of hackers
and may be accessed through malicious software such as keyloggers. Keyloggers can be devices
or software used by cybercriminals to covertly capture and record key strokes on a computer.
Their target is often log-in names, passwords, and other sensitive information that can be sold for
illegitimate purposes.
The cost of a data breach is based upon the data captured. According to industry experts, the cost
of a customer record compromised in a data breach is $200-$214¹. Compromised records
containing bank account information are in the range of $300-$350. With this dynamic
environment, there is a need to improve the overall security posture of the ecosystem. Without
fortifying the infrastructure, existing leak points across FSA systems could be compromised,
exposing FSA to appreciably large financial burdens.

¹ The Ponemon Institute 2010 U.S. Cost of a Data Breach,
http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
Protecting data is a shared responsibility of those facilitating the support of Title IV Aid financial
aid across the postsecondary school ecosystem. One of the many activities FSA is undertaking
to improve data security is the implementation of Two Factor Authentication (TFA). The
objective of the TFA initiative is to provide safe and secure access to FSA network services.
To comply with the White House mandate issued through the United States Office of Management
and Budget (OMB), Memorandum M07-16 Attachment 1, and as part of our ongoing efforts to
ensure the security of Federal Student Aid data systems, the U.S. Department of Education is
required to implement a security protocol through which all authorized users will enter two
forms of “authentication” to access Federal Student Aid systems via the Internet. This process is
referred to as Two Factor Authentication (TFA). The implementation of Two Factor
Authentication significantly reduces exposure to keyloggers at both managed and unmanaged
endpoints of the network.
Authentication is where you prove your identity to a system in order to gain access. When two
independent factors are combined, strong authentication can be achieved and access is granted.
Providing only one piece of information will not allow access to the system.
In essence, two factor authentication means providing two independent pieces of evidence that
you are who you say you are. Something that you know is the first factor. The second factor is
something that you have. Two factor authentication can also be achieved with something you
are, using biometrics such as a retina scan or fingerprint.
If you have ever used an ATM card issued by a bank, you have used the two factor
authentication process.
Something that you know is the First Factor: Your PIN
Something that you have is the Second Factor: The physical ATM card
FSA has chosen a physical “key fob” token that generates a One Time Password (OTP) as the
second authentication factor.
Something that you know is the First Factor: User ID and Password
Something that you have is the Second Factor: Token with a One Time Password (OTP)
The One Time Password (OTP) is a six digit numeric code generated by the token. To generate
the OTP, the user presses the button on the front of the token. A different OTP is generated
each time the button is pressed and is displayed for 30 seconds. When the number displayed is
entered along with the User ID and Password, access will be granted for the user.
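As an added illustration (not FSA's or the token vendor's code), here is how a button-press OTP token and the server that checks it can work together, assuming the key fob behaves like an HOTP token (RFC 4226): each press advances a counter and the six-digit code is derived from HMAC-SHA1 over that counter. The token secret, user ID and passwords are constructed sample values; the walkthrough also shows why an OTP captured by a keylogger is useless once it has been used.

```python
"""Event-based (button-press) OTP token and server-side verifier.

Added example, not FSA code. Assumes the key fob is an HOTP token
(RFC 4226). Secret, user record and passwords are constructed samples.
"""
import hashlib
import hmac
import struct

DIGITS = 6
LOOK_AHEAD = 5  # un-submitted button presses the server will tolerate


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The key fob: each button press yields a new OTP and advances the counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class AuthServer:
    """Stores, per user, a password hash, the token secret and the last
    counter value accepted for that token."""

    def __init__(self):
        self.users = {}

    def enroll(self, user_id: str, password: str, token_secret: bytes):
        self.users[user_id] = {
            # Sample only: a real deployment uses a slow, salted password hash.
            "pw_hash": hashlib.sha256(password.encode()).hexdigest(),
            "secret": token_secret,
            "last_counter": -1,  # no OTP accepted yet
        }

    def login(self, user_id: str, password: str, otp: str) -> bool:
        rec = self.users.get(user_id)
        if rec is None:
            return False
        # First factor: something you know.
        pw_ok = hmac.compare_digest(
            rec["pw_hash"], hashlib.sha256(password.encode()).hexdigest())
        # Second factor: something you have. Only counters *after* the last
        # accepted one are tried, so a replayed (keylogged) OTP never matches.
        start = rec["last_counter"] + 1
        for c in range(start, start + LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                if pw_ok:
                    rec["last_counter"] = c  # resync; burn this and earlier codes
                    return True
                return False  # correct token, wrong password: nothing is burned
        return False


def demo() -> dict:
    """The scenario in the text, plus a keylogger replay of a used OTP."""
    secret = b"12345678901234567890"  # RFC 4226 test secret (sample value)
    fob = Token(secret)
    server = AuthServer()
    server.enroll("faa.user", "correct horse", secret)
    otp = fob.press()  # user presses the button and reads the code
    first = server.login("faa.user", "correct horse", otp)
    replay = server.login("faa.user", "correct horse", otp)  # keylogged copy
    for _ in range(3):  # button pressed a few times without logging in
        fob.press()
    resync = server.login("faa.user", "correct horse", fob.press())
    wrong_pw = server.login("faa.user", "guess", fob.press())
    return {"first": first, "replay": replay, "resync": resync, "wrong_pw": wrong_pw}
```

The look-ahead window is what lets the server stay in step with a fob whose button was pressed without a login; a production verifier would also rate-limit attempts per user.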
There are many people working in concert across the ecosystem to deliver financial aid. The
TFA initiative encompasses approximately 96,000 FSA employees, U.S. Department of
Education Employees, Financial Aid Directors, Financial Aid Administrators, Destination Point
Administrators, Call Center Representatives, Developers and Contractors.
The TFA project is focused on privileged users. A privileged user is anyone who can see more
than just their own personal data. In this context, personal data is defined as Personally
Identifiable Information (PII). PII is “any information about an individual maintained by an
agency, including (1) any information that can be used to distinguish or trace an individual’s
identity, such as name, social security number, date and place of birth, mother’s maiden name, or
biometric records; and (2) any other information that is linked or linkable to an individual, such
as medical, educational, financial, and employment information.”²
Examples of PII include, but are not limited to:
• Name, such as full name, maiden name, mother’s maiden name, or alias
• Personal identification number, such as social security number (SSN), passport number,
driver’s license number, taxpayer identification number, or financial account or credit
card number
• Address information, such as street address or email address
• Personal characteristics, including photographic image (especially of face or other
identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina
scan, voice signature, facial geometry)³
In order to “Lock Down” FSA systems at postsecondary schools, the Primary Destination Point
Administrator (PDPA) or Security Administrator for each school will need to confirm (attest) who
is authorized to access Federal Student Aid systems on behalf of the school. Similar leadership
roles will be identified in each of the third party entities supporting the distribution of Title IV
Aid.
Upon confirmation of the authorized users, FSA will send tokens to the PDPA. The PDPA will
be responsible for providing a token to each authorized user such as a Financial Aid
Administrator (FAA). The end user in this scenario, the FAA, will then register their token
online.
The TFA initiative impacts several FSA systems. We plan to implement system changes for
TFA in a phased approach from October 2011 through February 2012.
Available Now – FAA Access to CPS Online
October 24, 2011 – COD System
December 18, 2011 – NSLDS and eCB System
February 12, 2012 – SAIG/EDconnect
² This definition is the GAO expression of an amalgam of the definitions of PII from OMB
Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally
Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf.
³ NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),
SP 800-122, April 2010, http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

The TFA rollout is planned to run from Fall 2011 through Fall 2012. During Q3 and Q4 of FY
2011, over 6,000 TFA tokens were issued to FSA employees and U.S. Department of Education
employees. The next phase of deployment is the postsecondary schools. As we implement the
system changes, we will also begin rolling out token information and tokens to the domestic
school community.
Fall 2011 – Authorized users in the DeVry University system of schools have received and
registered their tokens.
December 2011 – Authorized users at domestic schools in Delaware, Maryland, Virginia, West
Virginia, and the District of Columbia will receive and register their tokens.
February 2012 through September 2012 – All authorized users at the remaining domestic schools
will receive and register their tokens and begin to use them for all systems noted above. We plan
to roll out TFA to the remaining schools in approximately eight different groups of states. Just
prior to initiating contact with the schools in each group, we will post an electronic
announcement that provides notice of the states included in that group.
We must do a better job as stewards of PII and improve our security posture against data
leaks. This is a shared responsibility of not only FSA and U.S. Department of Education
associates, but all those who access our systems on behalf of our students. We cannot complete
this without your help. For more information on TFA, please stop by one of our three sessions,
where we will go into more detail on the protection of PII and the TFA rollout.
