REQUEST for PROPOSAL UP16-DF-0401 Multi-Factor Identity Authentication


UNIVERSITY OF MASSACHUSETTS President’s Office REQUEST FOR PROPOSAL UP16-DF-0401 Multi-Factor Identity Authentication

Answers to Bidder Questions

Category: Architecture/Infrastructure

Questions Received:  How many locations would we have implement the for (datacenters and/or number of OAM environments etc..)  Please describe and/or provide diagrams which show the number of environments (e.g., development, test/QA, Staging, etc.) which are available and which require the deployment of multi-factor authentication mechanisms.

Response:  There are 2 development environments, one test environment, and one production.

Question Received:  What is the version of your OAM infrastructure (i.e. Version, OS on which they run the WebGate, JRE used etc.. As much details as possible is appreciated as there many components or modules which make up OAM and so multiple versions would be involved)?  Please confirm if you are using the 11.1.2.0 version of OAM? If so are there plans for an upgrade in the near future?

Response:  OAM version - 11gR2PS2 (i.e. 11.1.2.2.7), 2 servers, clustered  Webgate(s) version - 11g  JRE version – JRockit 1.6.0_65+  All IAM servers are running in Oracle EL6.6 x86_64

Question Received:  What would be your choice of OS for implementing a third party solution (i.e. Windows or RedHat Linux etc..)? – Alternatively, are you open to using a Virtual Appliance instead?

Response:  OEL 6 (RedHat) all on oracle virtual server (zen), windows virtual Windows2012. Preference is Linux. Virtual appliance would be acceptable for certain functions.

Question Received:  If you choose on premise software, you will need to provide a repository for it to store its information/data. What would your choice of repository (i.e. LDAP directory or SQL database)?

Response:  Either one Questions Received:  For Shibboleth, Does UMass have an ADFS 3.0 infrastructure which can be utilized as an IDP for the SAML based authentication? – if not or if they don’t want to use ADFS, then the solution would have be leveraged as an IDP. In that case, how many instances of Shibboleth needs to configured for 2FA (i.e. HA and/or DR and/or Scalability etc.)  Is authentication using Shibboleth currently being used?  Is the Shibboleth IdP model already in place and if so, already integrated with Amherst LDAP system

Response:  Although some of our campuses (including Amherst) use Shibboleth, The UMass System Office (UMS) uses the Oracle product set (Oracle Identity Federation) for federation. UMS acts as the IdP in all currently configured federations. The majority of SPs we federate with are Shibboleth implementations, but we also have configurations that federate with the RSA FIM & ADFS products/vendors. We currently use the standalone 11.1.1.7 version of OIF in production, but are in the process of upgrading our IAM stack to 11gR2PS2 and will use the federation module provided in the OAM installation (as both IdP & SP). Our OAM environment is clustered, so by default any configured federation will be HA, etc.

For Amherst, the configuration of MFA in the Shibboleth environment is out of scope for this RFP.

Question Received:  Is Umass open for other IdP solutions to be used for Amherst integration besides Shibboleth?

Response:  No, this is to remain Shibboleth

Question Received:  How does the University manage user sessions? What settings are in place within OAM and the protected application(s)?

Response:  OAM manages the session cookies; 1 hour inactivity & 8 hour max session timeouts are in place. We don’t currently have a concurrent user restriction enforced, but we’re looking into setting that to restrict the number of sessions a single user can have established at any given time.

Question Received:  Is BI Publisher part of the current infrastructure?

Response:  Yes

Question Received:  Does the UMass System utilize a solution such as Greyheller’s ERP Firewall to secure its PeopleSoft environments? Response:  No Questions Received:  What components of the Oracle toolset are currently available and/or in use?  Please describe the current patch level of Oracle IAM 11gR2 toolset  Please list all the Oracle IAM products (OAM/OIM/OAAM/OVD/OID) and their exact version and patchset installed in the UMASS environment.

Response:  OIM – 11.1.1.2.7  OAM – 11.1.1.2.7  OID – 11.1.1.7 (with a few one-off patches)  OVD- 1.1.1.1.7 (with a few one-off patches)  OAAM hasn’t been installed yet.

Question Received:  In RFP, section 7.2. High-level requirement - "The system must support both central and campus IDPs - Amherst Campus IDP must support Shibboleth". Please confirm if Shibboleth implementation is part of MFA implementation scope or is Shibboleth already implemented in Amherst campus and only requires MFA to be integrated.

Response:  For Amherst, Shibboleth is already deployed, and the configuration of MFA in the Shibboleth environment is out of scope for this RFP.

Question Received:  As per the architecture, only OAM is deployed for authentication/sso, are there other IDPs in any of the campus environment not depicted in the architecture?

Response:  No

Question Received:  Specify number of data centers and their high level architecture (Primary/Primary or Primary/Secondary) where IAM is installed?

Response:  1 Production and 1 DTR (DEV/TEST/Disaster Recovery) site for Oracle IAM Suite, 1 datacenter for Shibboleth

Question Received:  Specify environments where Oracle products are installed (Dev, QA and Prod?)

Response:  Oracle Products installed in Prod, Test, Dev, Recovery & LTD (sandbox) Question Received:  Do you have a disaster recovery environment? If please provide high level architecture? Do these environments have real time synch of data or is it manual at specific periods (not real time)? Response:  Yes – near real time

Question Received:  In RFP, section 7.2. High-level requirements lists following requirements on scalability. • The system should be scalable so that it can be rolled out to other applications in the future • The system should support up to 80,000 users Is it a valid assumption that current implementation (of single factor authentication) already supports the above requirement?

Response:  Yes

Question Received:  If available, please list total number of concurrent sessions currently supported by the environment?

Response:  System has been successfully performance tested with a target of 700 active, concurrent users. Test profile consisted of ramp up/down, 20 minutes saturation run at 700 users, no think time, no delays, no settle time.

Category: Scope

Questions Received:  It appears from the requirements that OAM and OAAM, as well as the Oracle IAM Suite, are already licensed and the intent is to implement these solutions to provide two factor authentication to eBusiness Suite. Is that an accurate assumption? Or are you looking for alternate technologies to either supplement or fully provide two factor?  Are there any other applications, other than PeopleSoft, which are currently protected or that needs to be protected as part of this project?  Attachment A shows that PeopleSoft HR application is in scope and currently protected by OAM. Are there other applications in scope or is PeopleSoft the only application?  For the purposes of this RFP, in addition to protecting Oracle PeopleSoft are there any other types of applications and/or services that the UMass System is looking to protect with two-factor authentication?  Please list applications that require Multi factor authentication and also mention which of them are already integrated with OAM for single factor authentication.  Do these consist of both On-Premises and Cloud-based applications/services? Please specify: I. On-Premises II. Cloud  What types of users would be included in the deployment? a. Faculty/Staff b. Students c. Alumni d. Contractors and others not paid by UMass e. Hospital staff  You mentioned 80,000 users. Would you please breakdown which types of users are represented in that number as best you can with the realization that some users are fall into multiple types (Faculty, Student, Adjunct, Alumni, Staff):  Are there any applications in scope of this RFP that should be integrated with OAAM ? If yes then please provide application names, types and the use case for which OAAM is to be integrated.

Response:  The scope of this project will be limited to Faculty/Staff utilizing PeopleSoft HCM v9.2, although we would like to have a solution that is scalable to then be rolled out to additional targets sometime in the future (i.e. PeopleSoft Finance, PeopleSoft Student, Oracle OBIEE). All of these applications are hosted on-site (not in the cloud) and are already integrated with OAM.

Question Received:  What would be your choice of authenticators for second factor (i.e. soft tokens, QA or KBA, Risk based Authentication, Out of band authentication via email or SMS or Voice etc..)?  How many different challenge methods are required or envisioned by the University?  For two factor authentication, are there any preferred mechanisms [Challenge Questions, OTP, etc.]?  Please further define “multiple methods of challenge distribution” (is it as in, OTP, KBA via SMS, Voice, Web, Email)  Please define multi factor for this context ? (E.g. With OAAM is the digital fingerprint that is constructed based on end user device, location, end user access behavior and other customized parameter)  What are acceptable soft token communication channels for your users? (For ex, SMS, email, voice etc.)  Is there a preferred MFA factor to be used such as Mobile Authentication, SMS, email etc.

Response:  The solution should use the what you know of already established passwords, and overlay either what you have (e.g. phone call, SMS, smart phone app, etc.) or who you are (i.e. biometrics) to ensure that the 2 factors are not of the same “class”. It may use a variety of authenticators for different parts of the population. In addition, the following features should be strived for in the solution: 1. It should use existing solutions when possible 2. Key or token management complexities should be minimized 3. Additional cost of tokens should be minimized or eliminated 4. It should rely on out-of-band conveyance of the token code/second factor. (i.e., the token shouldn’t be presented on the same path as the actual login screen.) It is acceptable to request the token code as part of the login process if the token code rotates or is otherwise resists replay attacks. 5. The solution should assume a variety of technical skill level and capabilities for the user population. I.e. not everyone has a smart phone, or can navigate a complex process without assistance. Beyond the criteria listed above, there is no preference for choice of authenticators.

Questions Received:  Do you want to give end user capability to select the challenge type or it will be same for all

Response:  We will flush this out during design sessions Questions Received:  Total number of users count, who would leveraging the 2FA solution? – If possible, OAM users and Shibboleth users breakdown would be great and also what kind of second factor authenticator would those users be given.  How many users are currently using the system? Is 80,000 users the current count or projected count?

Response:  System end-state should be able to support 90,000 users

Question Received:  Approximately how many users would the UMass System be interested in protecting? (the RFP states up to 80,000 users)

Response:  There are approximately 30,000 users utilizing the UMass PeopleSoft HCM system.

Questions Received:  Are there any compliance requirements – PCI, ISO, HIPAA, etc. - for any of the services or infrastructure that is in scope?  Does the UMass System require the ability to apply access control policies globally, on a user group level, or on a per application basis?

Response:  Yes, specific requirements to be documented in discovery phase of project

Question Received:  Is the expectation that Amherst users (via Shibboleth) and the other users (via OAAM) required to follow similar MFA form factors?

Response:  Not necessarily, TBD during requirements

Question Received:  In today’s system are we following form based or Kerberos authentication and what is the expectation from end state system both for OAM and Shibboleth.

Response:  OAM is a will be form-based.

Question Received:  Are there any aspects of authorization which will be augmented through multi-factor challenges?

Response:  None identified at this time, would– need vendor to clarify if they are asking if there is step up authentication

Question Received:  Under Federation, does the “Amh Page” already support multi-factor authentication? If not, please describe the University’s requirements or vision for integrating multi-factor authentication with the “Amh Page.”

Response:  Sorry, this question could not be answered.

Question Received:  Our assumption is that Oracle Access Manager is already installed and now multi-factor authentication is to be provided. Is this correct?

Response:  Yes

Question Received:  In addition to utilizing Oracle Identity Access Manager, does the UMass System utilize a single sign on solution such as Shibboleth at other campuses in addition to Amherst? If so, are these SSO services capable of authenticating all users who require access to Oracle/PeopleSoft resources?

Response:  Amherst is the only campus currently not under the Oracle Identity Access Manager umbrella.

Question Received:  Would the UMass System be using the two factor authentication solution to protect any sort of healthcare/clinical applications that have access to health records?

Response:  No

Question Received:  Does the UMass System require the completion of a “proof of concept” as a part of the bid process?

Response:  No

Question Received:  Does the UMass System currently utilize any existing multi-factor solutions at scale? If so, is the system looking to replace these solutions or utilize in parallel?

Response:  UMass System does not currently utilize any existing multi-factor solutions at scale

Question Received:  Will each the UMass System individual campuses be administering their own two factor authentication instance or will it be centrally deployed/managed?  Will each campus require their own separate administrative instance of the two factor authentication solution?

Response:  The multifactor solution will be a single solution with delegated administration.  The solution covering Shibboleth will be administered at the Amherst campus and will be out of scope for the implementation of two factor authentication.

Question Received:  Does the UMass System allow for a cloud hosted two factor authentication solution (hosted in Amazon Web Services)?

Response:  If it meets confidentiality, integrity, and availability requirements.

Question Received:  Does the UMass System or any of its Universities own a SIEM or syslog solution? If so, what solutions are utilized?

Response:  Lowell: Q1Radar, Amherst: Q1 Radar, Boston: Splunk, Dartmouth: Alien Vault-D (EIQ Pilot), Med School: Enterysys Dragon, President’s Office: EIQ

Question Received:  Does the UMass System require professional services included to assist in implementing the solution?

Response:  Yes – please reference the RFP

Question Received:  Is there an existing soft-token application that need to be integrated (e.g. RSA) or is the native OAAM OTP is in scope?

Response:  No Question Received:  If OAAM OTP is going to be used, the UMASS have a SMS delivery platform available?

Response:  We do not have currently an SMS delivery platform available Question Received:  Please define the driver for enabling MFA for campuses.

Response:  Increased security of credentials

Question Received:  Are there existing use cases that needs real-time risk assessment by OAAM?

Response:  No, but we don’t want to exclude from the solution if present

Question Received:  Do you have Analytics system configured to provide necessary risk profiling of users or activity being performed?

Response:  OAM – not currently

Question Received:  In RFP, section 7.2. High-level requirement - "The system should enable the risk assessment features of OAAM", please elaborate on this requirement, Are you looking to enable any one or all of OAAM capabilities such as risk analytics, behavioral analytics and predictive risk analytics? Please specify if any particular use cases are of more importance than others

Response:  In general, yes, we are looking to enable any one or all of OAAM capabilities such as risk analytics, behavioral analytics and predictive risk analytics. Details to be determined during requirements.

Question Received:  What are the typical use cases or transactions for which MFA needs to be enforced. For ex, user login, authorization, payment approval, transfer funds or any other use cases that are specific to universities or its stakeholders

Response:  MFA will be determined by user, app & privilege.

Question Received:  Please list different types of user communities who will be part of Multi Factor Authentication use cases Response:  Employees & students

Question Received:  Is Mobile based authentication currently enabled?

Response:  Yes it is, would need clarifying information in order to provide additional information

Question Received:  Do you currently have windows integrated authentication enabled (GINA). If yes, is it integrated with OAM for SSO?

Response:  No

Question Received:  Is there a token-based VPN setup? If yes, do you want to leverage VPN set-up as MFA in OAM/Shibboleth? If yes then please provide VPN token product information

Response:  No

Question Received:  Is Auditing and Reporting (online real time and/or static document showing access activity) currently enabled in Oracle IAM 11gR2?

Response:  Yes

Question Received:  In reference to RFP section 7.2. High-level requirement - "The system should enable soft-token generation as a service". Are you primarily looking to leverage Oracle (OAAM) capabilities for soft token services or do you have any other service that you are more inclined towards?

Response:  We would like to enable the OAAM internal capabilities to provide OTP as a service, similar to those provided by Duo.

Question Received:  Do you have any cloud applications that require MFA enablement?

Response:  Not in the scope of this project. Question Received:  How many users will be expected to use MFA?

Response:  End-state = 90,000

Question Received:  Would UMASS pilot the solution prior to rolling out to a wider audience? What would be the size of the pilot group?

Response:  Yes. Size to be determined in discovery phase of project.

Question Received:  What kind of reports would be required from the system?

Response:  To be determined in discovery phase of project.

Question Received:  The system must support both central and campus IDPs  Central IDP must support OAM two factor  Amherst Campus IDP must support Shibboleth Question: The access management architecture outlined in Attachment A describes the Shibboleth environment leveraging the OAM components for authentication. It appears that no direct integration with Shibboleth is required as long as OAM facilitates the multi-factor authentication. Is this understanding correct?

Response:  No, the expectation is that OAM acts as the SP for the Shibboleth IDP.

Question Received:  The system will produce reports, online real-time and/or static documents, showing access activity requested during Requirements gathering. Question: Can you please clarify the statement “requested during Requirements gathering”? What is an example of the information that would be “requested during Requirements gathering”?. Is reporting on authentication requests, user information and credential status the type of information you wish to be able to pull from the solution? If not, what type of information are you looking for?  Is there a preferred reporting engine to be used to address the reporting requirements such as BI, BOE etc.

Response:  UMass would like to leverage the innate capabilities of the product. If insufficient, UMass is a licensee of Oracle’s OBIEE product. Question Received:  Can you please describe how users are currently on boarded into the system today? For example, is it done manually by an administrator? Is it completed through a self-service portal? Is there a customized tool to complete these tasks? This information will help us describe how best to integrate into the existing IDM environment.

Response:  Oracle OIM is central engine for identities utilizing PeopleSoft HR as authoritative source.

Question Received:  Is there any software needed in addition to the services requested?

Response:  Unknown at this time. TBD during discovery.

Category: Timeline/Budget

Question Received:  From the point at which the contract begins, what is the expected amount of time in order to get the two factor authentication deployed?  Is there a target implementation date?  Is there target date for enabling MFA solution to certain or all applications? If yes to above question please list applications and target deadlines for enabling MFA solution.

Response:  We do not have any hard constraints on timeline and are looking to determine this in the discovery phase of the project.

Question Received:  Is there a cap set for the project budget?

Response:  Not available at this time

Category: Resources

Question Received:  Does UMass have in house OAM and Shibboleth experts, who will guide as well as help in architecting the MFA solution to UMass’s needs/expectations?

Response:  Yes

Question Received:  Are there any restrictions for providing the support services using US-domestic resources, only, or can global resources be used to deliver some or all of the services?

Response:  Domestic resources only

Question Received  Are there any restrictions or considerations requiring that all the services be provided from a single entity? Or, can the respondent be the primary contractor and subcontract one or more of the support services?

Response:  The vendor is not to subcontract support services for this project.

Question Received:  How many internal resources will be supporting this project?

Response:  Core team : 4 people, extended team approx. 10 people (including core team), potentially more as needed

Category: Misc

Question Received:  Can the University please share its password policies and any details about existing password/authentication challenge details? Does the University have a list of users’ attributes which are already required and/or available under OVD or other repository reference?

Response:  The Password policy will be shared after vendor is under contract. The university does have a list of user attributes which are already required and/or available under OVD; these will be shared after vendor is under contract.

Question Received:  As it relates to user type, please rate the following from most important to least important around multi-factor authentication. Why is the most important the most important?

Ranking grid (columns: Students, Staff, Faculty, Adjuncts, Alumni; rows 1–7 for the items below)

Items to Rank:

1. Multi-factor authentication including something you have and something you know.
2. Frictionless multi-factor authentication (minimal direct human interaction / impact on the user experience, such as an OTP to the user’s phone, soft tokens, pins, passwords, etc.).
3. Adaptive authentication based on the end point being accessed, data being accessed, user type, user location, etc.
4. Threat intelligence / risk analysis of the identity after authentication.
5. Behavior biometrics / behavior analysis.
6. Branding / look and feel for the user experience.
7. Logging, SIEM integration, identity threat dashboard, etc.

Response:  To be determined in discovery phase of project.

Question Received:  Please explain the following questions for each of the user types (Students, Faculty, Staff, Adjuncts, Alumni) for the boarding process:

1. What is the authoritative source of record such as registrar office / HR system for (Students, Faculty, Staff, Adjuncts, Alumni)?

Response: HCM 9.2 is the system of record for employees covered under this project.

2. Where is user profile data needed by the end points and access decision points stored for (Students, Faculty, Staff, Adjuncts, Alumni)? LDAP, Active Directory, Oracle Database, a virtual directory like OVID, other?

Response: Multiple LDAPs accessed via OVD.

3. Where is the information used to authenticate and authorize (Students, Faculty, Staff, Adjuncts, Alumni) when giving them access to the end points , data and systems stored? LDAP, Active Directory, Oracle Database, virtual directory like OVID, other?

Response: Multiple LDAPs accessed via OVD.

4. How is the data taken from the authoritative source of record sent to / utilized to provision a new (Students, Faculty member, Staff member, Adjunct, Alumni) into the user profile store, the authentication source and any role based access control such as Active Directory or LDAP group memberships

Response: Through a custom reconciliation process and provisioned to targets via OIM Processing.

5. How are access changes, such as a faculty member who decides to take classes and thus becomes more student than faculty, triggered, and how are the access changes applied today?

Response: Via the aforementioned recon process.

6. What auditing takes place today of the provisioned identities and the access changes that happen over time to that identity? Are user identities ever fully de-provisioned and, if so, what triggers that process?

Response: Auditing is performed manually by local administrators. Events in the authoritative systems trigger the de-provisioning events.

Question Received:  Please provide details on the top five end points of access that multi-factor authentication is needed for (faculty, staff, students, and alumni): 1. The name of / vendor of the end point 2. The user store type utilized by that end point to determine authentication as well as authorization 3. How is authorization for the end point determined? Group membership, role based, other? 4. The ideal multi-factor workflow / user experience for students when authenticating. 5. Is the end point on premise or hosted (cloud base / SaaS)?

Response:
1 – Oracle PeopleSoft
2 – LDAP
3 – Group membership
4 – To be expanded during discovery
5 – On-prem

Question Received:  How does the University of Massachusetts embrace, and provide secure access bring your own devices (BYOD) for each of the following today? - Students - Adjuncts - Alumni

 How would the University of Massachusetts like to embrace, and provide secure access bring your own devices (BYOD) for each of the following going forward?

Response: Currently no global policy

Question Received:  Which of the following groups do you feel presents the biggest risk of being utilized to execute a data breach at the University of Massachusetts and why? 1. Students 2. Staff 3. Faculty 4. Alumni 5. Adjuncts

Response: N/A

Question Received:  Please explain on how the Oracle IAM / OAAIM is implemented and utilized today to perform:  User on boarding / access changes  Single Sign On authentication  Identity risk assessment  User profile data / identity management such as email address, phone numbers, passwords, account locks, etc. for both self-service as well as helpdesk administrative functions  Auditing identities  Governance and compliancy analysis / enforcing  Role based access control (RBAC)

Response:  OIM used to onboard and perform access changes  SSO provided by OAM  Identity risk assessment not currently implemented via a tool  Combination automated and manual processes, some performed in OIM. Other using local campus processes and resources.  Currently manual, varies by campus  Local campus policy  Not currently implemented

Question Received:  What does high availability for web server based authentication / IAM solution look like for the University of Massachusetts today as well as post implementation of the multi-factor solution?

Response:  Single datacenter, highly available, redundant component services. All Production servers in a clustered configuration. Same for post-implementation
