Custom Secure Random Pin Distribution
Moreland Smith
The University of North Carolina at Greensboro
Alternate Title


How we kept our Registrar from going to jail

and got cookies!!!!
Session Rules of Etiquette
• Please turn off your cell phone/pager
• If you must leave the session early, please do
  so as discreetly as possible
• Please avoid side conversation during the
  session
• Do not pass Go, do not collect $200.


                              3
Introduction
• My goal today: to share UNCG’s custom solution
  to random PIN distribution across all populations
  of entering people.


                      4
Benefits: An understanding of
•   Business Case
•   Technical Architecture
•   Administrative GUI
•   End User Experience
•   Project Results
•   Woulda / Shoulda / Coulda

                        5
Business Case
Things I learned from 1990s Infomercials
The University of North
Carolina at Greensboro
• 18,000+ Fall 2010 Enrollment
• Undergraduate
• Graduate
• Distance
• Additional 2,000+ iSchoolers (High School)
• 3 Entry Offices with Hiring Authority
• 6 Entry Offices Admitting Students
• Mods Philosophy: “Vanilla…. but with sprinkles… and a bit of
  fudge mixed in…”

                                          7
Old way of Doing Business
• Pattern based initial PIN, custom trigger on DOB entry
• DOB rearranged YYDDMM
• Pattern published on web sites
• Some offices emailed ID and then snail mailed PIN
• Some asked students to allow them to send both ID and PIN via email.
• Some offices handed paper to new hires
• Letters get lost




                                         8
Where we were

      Different Offices
              +
      Different Practices
               =
           INSANITY
                   9
Good advice from the mid-1990s…..




                    10
Potential Problems
• Perception: ITS owns the PIN, so call the Service Desk
   – Have to talk through general pattern YYDDMM.
   – Service Desk can’t assist because…
• Forgot PIN Q&A not yet established, so the caller cannot be
  authoritatively identified, since they never had a successful login
• “But they said….”
• Root Causes
   – Incorrect DOB entered (esp. Internationals)
   – Student does not know ID
                                       11
Inspiration from Earlier Work
• https://getmyid.uncg.edu
• Built during transition from SSN to Generated
  ID, approx. 2006
• Allows ID display via SSL browser with entry of
  person’s UNCG Username/Password
• Allows email delivery of ID
• Single Last Name & Email Address Match
  – Last Name: Smith
  – Email: Moreland.Smith@gmail.com
                              12
The Vision: One tool to assist
them all
• Web Based
• Near Real Time, Secure (Encrypted) Delivery of Random PIN
• Options for Paper Mail
• Receive PIN Information from “Entry Office”, not ITS
• Standard text with optional Entry Office specific info
• Refer people back to “Entry Office” if there is a problem with
  their data
• Flexible additional populations, additional “Entry Offices”
• Log usage



                                        13
However this was beyond our
budget




  And had some nasty side effects….

                            14
Core Business
Concepts/Challenges
• All persons have a “best fit” Entry Office
    – Single Role (New Freshman =Undergraduate Admissions)
    – Multi Role people (Employee taking classes=????)
• Offices desire to minimize mailing costs, printing labor
    – Email/web is first choice
    – Paper mail only if email/web is not possible or selected by person.
• If there is a problem with a person’s data it needs to be corrected by their
  Entry Office, not ITS.
• People often do their email via insecure means (Public WiFi)
    – Therefore delivery of PIN should be SSL Protected and
    – Not “Man in the Middleable” (Firesheep)




                                                15
Defining Happiness
•  for Person = Doing it all online themselves at 3am and never having to
   talk to UNCG staff.
•  for Entry Office Staff = Person doing it all online themselves at 3am and
   never having to talk to UNCG Entry Office Staff.

•  for Person = Couldn’t get it online, but can get it via snail mail, and at
   least I didn’t have to talk to a UNCG human.
•  for Entry Office Staff = I guess I can run a daily batch job to print and
   mail some letters, sigh….

•  For Both = I have to talk to someone via phone????




                                                  16
Random Pin Origination
Process Flow




                    17
Random Pin Flow




                  18
Technical Architecture
Some vanilla, some sprinkles, and some
fudge ripple mixed in….
Sometimes good things are a
bit messy….




                    20
Security Principles
• All Web traffic must be SSL
• Email may or may not be read via secure means, therefore we must
  assume it is not
• You can’t prove who you are on the web, so we must
  communicate via a previously established address
• Something you have, plus something you know.
   – You have: PIN LINK (Random URL) delivered by email
   – You know: “Verification word” you gave in an SSL Session, stored
     by the system, which you must match to use the PIN LINK URL



                                           21
Security Principles Continued
• Any PIN LINK URLs must be sufficiently random
• Any PIN LINK URLs must expire within a set, brief time period
• Minimize visibility of PIN to UNCG staff (only on hardcopy
  prints in Entry Office)
• Random PINs should be one time use only (Baseline takes
  over from there)
• Even if someone who is not you starts the getmypin process
  (but they know your Last Name, ID & DOB), we should
  minimize the “reveal” of your protected information
  [result = masking of email/addresses]



                                      22
Technical Components: Baseline
• Configurations within
   – Letter Generation Letters & Paragraphs
   – GTVSQPR (Business Rule Process Code Validation)
   – GTVSQRU (Business Rule Code Validation)
   – GORRSQL (Business Rules Form)
   – GTVSDAX (For setting expiration value)
• Draw upon data within
   – GOREAML Table
   – SPRADDR Table
   – SPRIDEN Table
   – Various Student, Alumni, Employee tables calculating Entry Office
     association for a person
• Baseline functionality
   – Ability to set PIN as pre-expired (i.e. force change on next login)
                                              23
Technical Components: UNCG
Custom Built
• INB Components
   – SZAEOFC (Entry Office Control Form)
   – SZAHIRC (Entry Office Rule Hierarchy Control Form)
   – SZAPDIS (Pin Distribution Form)
• URL on Banner App Server
   – https://getmypin.uncg.edu
• SSB pages (outside Secure Login)
   – Request PIN Getting
   – Respond to PIN LINK URLS
• Email generation function (draws text from LTR/PARA)
• Batch Job
   – SZPPNPT (Pin Letter Printing)
• PL/SQL Function for Random URL String Generation to NIST Special
  Publication 800-63 Standard
                                             24
20 Minutes of Defense
• How long to make the random URL???
• Calculations by UNCG Security Analyst
• Assuming web requests can be processed at 20,000 per second, x 60
  seconds per minute x 20 minutes = 24 million attempts possible in the time
  frame.
• http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
  page 53
• Goal: 36 bits of entropy
• Achieved by a 20 character random string from a 63 character alphabet
  (upper, lower and numbers)
• If 20 characters is good, then 32 is even better….
• And even if you get a hit on a Random URL that happens to be “Usable” at
  the moment, you still have to guess the Verification word, and you only
  have 3 attempts.
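As an added example (not UNCG’s PL/SQL, which the deck does not reproduce), a Python sketch of the entropy budget behind the 20 Minutes of Defense slide and of the PIN LINK rules from the Security Principles slides: random token, set expiry, one-time use, three verification-word attempts, and masking of the address on file. The in-memory store, the function names and the 62-symbol ASCII alphabet (the slide says 63) are assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass

# Upper, lower and digits for the PIN LINK URL string. Plain ASCII gives
# 62 symbols (the deck says 63); the constant is constructed for this example.
ALPHABET = string.ascii_letters + string.digits
MAX_ATTEMPTS = 3  # verification-word tries before the link is burned


def attempts_in_window(requests_per_second: int, minutes: int) -> int:
    """Guesses an attacker could submit before a PIN LINK expires."""
    return requests_per_second * 60 * minutes


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest token length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def hit_probability(length: int, alphabet_size: int, attempts: int) -> float:
    """Chance that `attempts` random guesses land on one specific live token."""
    return min(1.0, attempts / alphabet_size ** length)


def mask_email(address: str) -> str:
    """Reveal only enough of an address on file for its owner to recognise it."""
    local, _, domain = address.partition("@")
    if not domain:
        return "*" * len(address)
    shown = local[:2] if len(local) > 2 else local[:1]
    return shown + "*" * max(len(local) - len(shown), 1) + "@" + domain


def _hash_word(word: str, salt: bytes) -> bytes:
    # Normalised so "Cookies " and "cookies" match; only a salted hash is kept.
    return hashlib.pbkdf2_hmac("sha256", word.strip().casefold().encode(), salt, 100_000)


@dataclass
class PinLink:
    pin: str            # the one-time random PIN the link reveals
    salt: bytes
    word_hash: bytes
    expires_at: int     # epoch seconds
    failed_attempts: int = 0
    used: bool = False


class PinLinkStore:
    """In-memory stand-in (an assumption of this example) for the table
    behind a getmypin-style page; a real deployment keeps this in the
    database and does not hold PINs in application memory."""

    def __init__(self, ttl_minutes: int = 20, token_length: int = 32):
        self.ttl_seconds = ttl_minutes * 60
        self.token_length = token_length
        self._links = {}  # token -> PinLink

    def issue(self, pin: str, verification_word: str, now: int) -> str:
        """Create a PIN LINK token; the caller emails it to the person."""
        token = "".join(secrets.choice(ALPHABET) for _ in range(self.token_length))
        salt = secrets.token_bytes(16)
        self._links[token] = PinLink(pin, salt, _hash_word(verification_word, salt),
                                     now + self.ttl_seconds)
        return token

    def redeem(self, token: str, verification_word: str, now: int):
        """Return (status, pin); pin is only set when status == "ok".

        The web page should show one generic failure message for every
        non-ok status, so a caller learns nothing about which check failed.
        """
        link = self._links.get(token)
        if link is None:
            return "unknown", None
        if link.used:
            return "used", None
        if now > link.expires_at:
            return "expired", None
        if link.failed_attempts >= MAX_ATTEMPTS:
            return "locked", None
        if not hmac.compare_digest(_hash_word(verification_word, link.salt), link.word_hash):
            link.failed_attempts += 1
            return ("locked" if link.failed_attempts >= MAX_ATTEMPTS else "wrong_word"), None
        link.used = True  # one-time use; Baseline forces a PIN change at next login
        return "ok", link.pin
```

With the slide’s figures, `attempts_in_window(20_000, 20)` is the 24 million guesses, and `min_length_for_bits(36, 62)` shows that 7 symbols already clear the 36-bit goal, so 20 or 32 symbols leave a wide margin.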

                                             25
Administrative GUI
Putting the Puzzle Together
Initial Setups
•   GTVSQPR (Business Rule Process Code Validation)
•   GTVSQRU (Business Rule Code Validation)
•   GORRSQL (Business Rules Form)
•   GTVSDAX (For setting expiration value)




                                       27
GTVSQPR Business Rule
Process Code Validation




                     28
GTVSQRU: Business Rule
Code Validation




                   29
GORRSQL Business Rule Form
Sample




                   30
Now for the Custom UNCG
Stuff
• SZAEOFC (Entry Office Control Form)
• SZAHIRC (Entry Office Rule Hierarchy
  Control Form)
• SZAPDIS (Pin Distribution Form)




                           31
SZAEOFC: Entry Office
Control Form




                    32
SZAHIRC: Entry Office Rule
Hierarchy Control Form




                     33
SZAPDIS: Pin Distribution
Form




                     34
End User Experience
Finding Happiness
Finding Happiness




                    36
3 Faces of Happiness
•  Self Service Email Delivery
•  Request Paper Mail Delivery, Entry
  Office Prints
•  Sorry, Person and Entry Office
  Communication Required
• All begin at https://getmypin.uncg.edu

                           37
Answer me these Questions 3




  What is Your Name
  What is Your ID
  What is your DOB



                      38
Initial Entry: ID, Name, DOB




                      39
Would you like your pin in
bits?




                     40
For your safety……




                    41
Process Tips & Disclaimers




                     42
We’re done! Check your
email




                   43
Sample of Email Body (sent
from Entry Office email address)




Note the PIN LINK Long URL


                             44
Having clicked the link




                      45
Oops, you waited too long




                    46
3 strikes and you are Out!




                      47
If you remember your
Verification Word: Success!




                     48
From Here
• User logs into Baseline Self Service
   – They must answer baseline “Forgot PIN” Security
     Questions & Answers

• Because random PIN was set as pre-expired
   – They must set a new PIN.

• User is in Self Service and can do their business
•  “didn’t have to talk to a human…”



                                        49
Face #2

Request Paper Mail Delivery, Entry Office Prints



                    50
You want your PIN on dead
trees…




                    51
Ok, Please be Patient




                        52
We’re done!




             53
After the Entry Office prints and
mails, and you receive it




                       54
The Third Face

Sorry, Person and Entry Office Communication Required
                     55
Recap of the Path
• Success with ID, DOB, & Name
• No Valid Emails or did not choose email
   and
• No Valid Mailing Address or said do not send
  via paper




                             56
Oh, addresses out of date/
don’t trust US Postal Service




                      57
Next Steps
• Hopefully the person calls their entry office at the phone number
  listed.
• A staff member with privileges on SZAPDIS can review the request,
  status, etc.
• Based on Entry Office specific practices, staff can attempt to
    – Identify the person calling (20 questions method)
    – Gather corrected contact information
    – Immediately enter that in Banner (GOAEMAL/SPRADDR)
    – Have the person try again.



                                       58
Miscellaneous Info
• Email is sent from Entry Office specific email address, so
  bounces are returned there for remediation by Entry Office
  staff.

• Letters are sent from Entry Office, in their envelopes, so
  returned mail can be dealt with by Entry Office staff.

• Other Error Messages
   – Did not answer 3 initial questions correctly = “The
     Information you entered was not found in our records.
     Please check the Information for Errors.”

                                         59
Results
What it has done for UNCG
Results Page
• All persons (students, staff, faculty, other) follow the same
  process.
• Email & Address data is better maintained by Entry Offices, since
  correct emails mean more happy faces.
• DOB Pattern based PINs are gone!
• Many fewer calls to Service Desk with PIN problems due to DOB
  issues, or “I lost my letter/email”
• Registrar’s Office Staff spend less time dealing with PINs for
  Alums (required for transcript ordering)



                                           61
Unsolicited Client Email:
Subj: Just sending some love
The PIN re-set website has been a great help.
In the past, I received an average of 8-10 calls a
month, which isn't bad, I know, but as this was an average, I
sometimes had 8-10 in a week.
I have only printed 3 PIN letters since we went live with this
function last Spring.
THANK YOU.
--
Kelly A. Rowett-James, University Registrar
The University of North Carolina at Greensboro

                                         62
Summary
• Solve the Business Problem:
    – Make it Standardized, Self Service, Secure,
    – Also make it Flexible and Customizable
• Architecture: Use what you have & build what you need
    – Baseline Components: GORRSQL, Letter Gen, GTVSDAX
    – Custom INB, SSB, Batch Job pieces
• Admin GUI: Build for flexibility
• End User Experience
    – Small, Simple Steps



                                               63
Woulda/Shoulda/Coulda
Things we might do to enhance or would
do differently.
Ideas to make it better
• Build Form/Table to map users of SZAPDIS to Entry Offices in order to
  restrict staff to “their” people, and ITS Staff to global Query. [Could also
  be done with Value Based Security]
• Build a secondary log table for each status of a Pin Reset Request.
• Build a “pre log table” to capture any situations where all 3 items do not
  match, to detect bot attacks
• Put in a “Captcha” as a bot defense
• Build reporting to look for patterns of unsuccessful actions.
• Schedule batch process in UC4 for automatic nightly printing.
• Set up Workflows to notify Entry Office: “You’ve got PIN LETTERS to
  Print!”


                                                 65
Questions?
• Any and all are welcome




                            66
Thank You!
Moreland Smith
mtsmith@uncg.edu

Please complete the class evaluation form




                           67

Unc cause 2011 random pin

  • 1. Custom Secure Random Pin Distribution Moreland Smith The University of North Carolina at Greensboro
  • 2. Alternate Title How we kept our Registrar from going to jail and got cookies!!!!
  • 3. Session Rules of Etiquette
    • Please turn off your cell phone/pager
    • If you must leave the session early, please do so as discreetly as possible
    • Please avoid side conversation during the session
    • Do not pass Go, do not collect $200.
  • 4. Introduction
    • My goal today
    • To share UNCG’s custom solution to random PIN distribution across all populations of entering people.
  • 5. Benefits: An understanding of
    • Business Case
    • Technical Architecture
    • Administrative GUI
    • End User Experience
    • Project Results
    • Woulda / Shoulda / Coulda
  • 6. Business Case Things I learned from 1990’s Infomercials
  • 7. The University of North Carolina at Greensboro
    • 18,000+ Fall 2010 Enrollment
    • Undergraduate
    • Graduate
    • Distance
    • Additional 2,000+ iSchoolers (High School)
    • 3 Entry Offices with Hiring Authority
    • 6 Entry Offices Admitting Students
    • Mods Philosophy: “Vanilla…. but with sprinkles… and a bit of fudge mixed in…”
  • 8. Old Way of Doing Business
    • Pattern-based initial PIN, custom trigger on DOB entry
    • DOB rearranged YYDDMM
    • Pattern published on web sites
    • Some emailed ID and then snail mailed PIN
    • Some asked students to allow them to send both ID and PIN via email.
    • Some offices handed paper to new hires
    • Letters are lost
  • 9. Where we were Different Offices + Different Practices = INSANITY 9
  • 10. Good advice from the mid 1990’s….. 10
  • 11. Potential Problems
    • Perception: ITS owns the PIN, call the Service Desk
      – Have to talk through the general pattern YYDDMM.
      – Service Desk can’t assist because…
    • Forgot PIN Q&A not yet established; cannot authoritatively identify the caller, since they never had a successful login
    • “But they said….”
    • Root Causes
      – Incorrect DOB entered (esp. Internationals)
      – Student does not know ID
  • 12. Inspiration from Earlier Work
    • https://getmyid.uncg.edu
    • Built during the transition from SSN to generated ID, approx. 2006
    • Allows ID display via SSL browser with entry of the person’s UNCG Username/Password
    • Allows email delivery of ID
    • Single Last Name & Email Address Match
      – Last Name: Smith
      – Email: Moreland.Smith@gmail.com
  • 13. The Vision: One tool to assist them all
    • Web Based
    • Near Real Time, Secure (Encrypted) Delivery of Random PIN
    • Options for Paper Mail
    • Receive PIN Information from “Entry Office”, not ITS
    • Standard text with optional Entry Office specific info
    • Refer people back to “Entry Office” if there is a problem with their data
    • Flexible additional populations, additional “Entry Offices”
    • Log usage
  • 14. However this was beyond our budget And had some nasty side effects…. 14
  • 15. Core Business Concepts/Challenges
    • All persons have a “best fit” Entry Office
      – Single Role (New Freshman = Undergraduate Admissions)
      – Multi Role people (Employee taking classes = ????)
    • Offices desire to minimize mailing costs and printing labor
      – Email/web is first choice
      – Paper mail only if email/web is not possible or is selected by the person.
    • If there is a problem with a person’s data it needs to be corrected by their Entry Office, not ITS.
    • People often do their email via insecure means (Public WiFi)
      – Therefore delivery of the PIN should be SSL protected and
      – Not “Man in the Middleable” (Firesheep)
  • 16. Defining Happiness
    • For Person = Doing it all online themselves at 3am and never having to talk to UNCG staff.
    • For Entry Office Staff = Person doing it all online themselves at 3am and never having to talk to UNCG Entry Office Staff.
    • For Person = Couldn’t get it online, but can get it via snail mail, but at least I didn’t have to talk to a UNCG human.
    • For Entry Office Staff = I guess I can run a daily batch job to print and mail some letters, sigh….
    • For Both = I have to talk to someone via phone????
  • 19. Technical Architecture Some vanilla, some sprinkles, and some fudge ripple mixed in….
  • 20. Sometimes good things are a bit messy…. 20
  • 21. Security Principles
    • All Web traffic must be SSL
    • Email may or may not be read via secure means, therefore we must assume it is not
    • You can’t prove who you are on the web, so we must communicate via a previously established address
    • Something you have, plus something you know.
      – You have: PIN LINK (Random URL) delivered by email
      – You know: “Verification word” you gave in an SSL Session, stored by the system, which you must match to use the PIN LINK URL
  • 22. Security Principles Continued
    • Any PIN LINK URLs must be sufficiently random
    • Any PIN LINK URLs must expire within a set, brief time period
    • Minimize visibility of the PIN to UNCG staff (only on hardcopy prints in the Entry Office)
    • Random PINs should be one time use only (Baseline takes over from there)
    • Even if someone who is not you starts the getmypin process (but they know your Last Name, ID & DOB), we should minimize the “reveal” of your protected information [result = masking of email/addresses]
  • 23. Technical Components: Baseline
    • Configurations within
      – Letter Generation Letters & Paragraphs
      – GTVSQPR (Business Rule Process Code Validation)
      – GTVSQRU (Business Rule Code Validation)
      – GORRSQL (Business Rules Form)
      – GTVSDAX (For setting expiration value)
    • Draw upon data within
      – GOREAML Table
      – SPRADDR Table
      – SPRIDEN Table
      – Various Student, Alumni, Employee tables calculating Entry Office association for a person
    • Baseline functionality
      – Ability to set PIN as pre-expired (i.e. force change on next login)
  • 24. Technical Components: UNCG Custom Built
    • INB Components
      – SZAEOFC (Entry Office Control Form)
      – SZAHIRC (Entry Office Rule Hierarchy Control Form)
      – SZAPDIS (Pin Distribution Form)
    • URL on Banner App Server
      – https://getmypin.uncg.edu
    • SSB pages (outside Secure Login)
      – Request PIN Getting
      – Respond to PIN LINK URLs
    • Email generation function (draws text from LTR/PARA)
    • Batch Job
      – SZPPNPT (Pin Letter Printing)
    • PL/SQL Function for Random URL String Generation to NIST Special Publication 800-63 Standard
  • 25. 20 Minutes of Defense
    • How long to make the random URL???
    • Calculations by UNCG Security Analyst
    • Assuming web requests can be processed at 20,000 per second: 20,000 × 60 seconds per minute × 20 minutes = 24 million attempts possible in the time frame.
    • http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf page 53
    • Goal: 36 bits of entropy
    • Achieved by a 20 character random string from a 63 character alphabet (upper, lower and numbers)
    • If 20 characters is good, then 32 is even better….
    • And even if you get a hit on a Random URL that happens to be “Usable” at the moment, you still have to guess the Verification word, and you only have 3 attempts.
  • 27. Initial Setups
    • GTVSQPR (Business Rule Process Code Validation)
    • GTVSQRU (Business Rule Code Validation)
    • GORRSQL (Business Rules Form)
    • GTVSDAX (For setting expiration value)
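An added Python illustration (not UNCG’s PL/SQL function, which the slides do not show) of how the principles on slides 21, 22 and 25 fit together: token entropy against the 20-minute guessing budget, link expiry, three verification-word attempts, one-time use, and masking of the email address shown to the requester. The class and function names, the sample word and PIN are assumptions.

```python
"""Added illustration (Python, not UNCG's PL/SQL) of the PIN LINK design on the
slides: a CSPRNG URL token sized against the 20-minute guessing budget, expiry,
a verification word with 3 tries, one-time use, and address masking."""
import math
import secrets
import string
import time
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits  # upper, lower, digits
TOKEN_LEN = 32                                   # "if 20 is good, 32 is better"
EXPIRY_SECONDS = 20 * 60                         # PIN LINK lifetime
MAX_ATTEMPTS = 3                                 # verification word tries

def entropy_bits(token_len=TOKEN_LEN, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random token: len * log2(|alphabet|)."""
    return token_len * math.log2(alphabet_size)

def attack_budget_bits(req_per_sec=20000, minutes=20):
    """log2 of the guesses possible inside the expiry window (slide 25)."""
    return math.log2(req_per_sec * 60 * minutes)

def new_token():
    """Token from the OS CSPRNG; random.choice() would not be suitable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))

@dataclass
class PinLinkRequest:
    verification_word: str  # chosen by the person in the SSL session
    random_pin: str         # one-time, pre-expired Banner PIN (sample value)
    token: str = field(default_factory=new_token)
    created: float = field(default_factory=time.time)
    attempts: int = 0
    used: bool = False
    def redeem(self, word, now=None):
        """Return the PIN only while the link is live and the word matches."""
        now = time.time() if now is None else now
        if self.used: return "USED"
        if now - self.created > EXPIRY_SECONDS: return "EXPIRED"
        if self.attempts >= MAX_ATTEMPTS: return "LOCKED"
        self.attempts += 1
        if not secrets.compare_digest(word.strip().lower().encode(),
                                      self.verification_word.lower().encode()):
            return "LOCKED" if self.attempts >= MAX_ATTEMPTS else "WRONG_WORD"
        self.used = True  # one-time use: Baseline takes over from here
        return self.random_pin

def mask_email(addr):  # reveal only first/last local-part characters
    local, _, domain = addr.partition("@")
    return local[0] + "*" * max(1, len(local) - 2) + (local[-1] if len(local) > 2 else "") + "@" + domain
```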
  • 28. GTVSQPR Business Rule Process Code Validation 28
  • 30. GORRSQL Business Rule Form Sample 30
  • 31. Now for the Custom UNCG Stuff
    • SZAEOFC (Entry Office Control Form)
    • SZAHIRC (Entry Office Rule Hierarchy Control Form)
    • SZAPDIS (Pin Distribution Form)
  • 33. SZAHIRC: Entry Office Rule Hierarchy Control Form 33
  • 37. 3 Faces of Happiness
    • Self Service Email Delivery
    • Request Paper Mail Delivery, Entry Office Prints
    • Sorry, Person and Entry Office Communication Required
    • All begin at https://getmypin.uncg.edu
  • 38. Answer me these Questions 3
    • What is Your Name
    • What is Your ID
    • What is your DOB
  • 39. Initial Entry: ID, Name, DOB 39
  • 40. Would you like your pin in bits? 40
  • 42. Process Tips & Disclaimers 42
  • 43. We’re done! Check your email
  • 44. Sample of Email Body (sent from the Entry Office email address). Note the PIN LINK Long URL
  • 46. Oops, you waited too long 46
  • 47. 3 strikes and you are Out! 47
  • 48. If you remember your Verification Word: Success! 48
  • 49. From Here
    • User logs into Baseline Self Service
      – They must answer baseline “Forgot PIN” Security Questions & Answers
    • Because the random PIN was set as pre-expired
      – They must set a new PIN.
    • User is in Self Service and can do their business
    • “didn’t have to talk to a human…”
  • 50. Face #2: Request Paper Mail Delivery, Entry Office Prints
  • 51. You want your PIN on dead trees… 51
  • 52. Ok, Please be Patient 52
  • 54. After the Entry Office, Prints, Mails and you receive 54
  • 55. The Third Face: Sorry, Person and Entry Office Communication Required
  • 56. Recap of the Path
    • Success with ID, DOB, & Name
    • No Valid Emails or did not choose emails and
    • No Valid Mailing Address or said do not send via paper
  • 57. Oh, addresses out of date/ don’t trust US Postal Service 57
  • 58. Next Steps
    • Hopefully the person calls their entry office at the phone number listed.
    • Staff member with privileges on SZAPDIS can review request, status, etc.
    • Based on Entry Office specific practices staff can attempt to
      – Identify person calling (20 questions method)
      – Gather corrected contact information
      – Immediately enter that in Banner (GOAEMAL/SPRADDR)
      – Have the person try again.
  • 59. Miscellaneous Info
    • Email is sent from an Entry Office specific email address, so bounces are returned there for remediation by Entry Office staff.
    • Letters are sent from the Entry Office, in their envelopes, so returned mail can be dealt with by Entry Office staff.
    • Other Error Messages
      – Did not answer 3 initial questions correctly = “The Information you entered was not found in our records. Please check the Information for Errors.”
  • 60. Results What it has done for UNCG
  • 61. Results Page
    • All persons (students, staff, faculty, other) follow the same process.
    • Email & Address data is better maintained by Entry Offices, since correct emails mean more happy faces.
    • DOB Pattern based PINs are gone!
    • Many fewer calls to Service Desk with PIN problems due to DOB issues, or “I lost my letter/email”
    • Registrar’s Office Staff spend less time dealing with PINs for Alums (required for transcript ordering)
  • 62. Unsolicited Client Email:
    Subj: Just sending some love
    The PIN re-set website has been a great help. In the past, I received an average of 8-10 calls a month. Which isn't bad, I know, but as this was an average, I sometimes had 8-10 in a week. I have only printed 3 PIN letters since we went live with this function last Spring. THANK YOU.
    -- Kelly A. Rowett-James, University Registrar, The University of North Carolina at Greensboro
  • 63. Summary
    • Solve the Business Problem:
      – Make it Standardized, Self Service, Secure,
      – Also make it Flexible and Customizable
    • Architecture: Use what you have & build what you need
      – Baseline Components: GORRSQL, Letter Gen, GTVSDAX
      – Custom INB, SSB, Batch Job pieces
    • Admin GUI: Build for flexibility
    • End User Experience
      – Small, Simple Steps
  • 64. Woulda/Shoulda/Coulda Things we might do to enhance or would do differently.
  • 65. Ideas to make it better
    • Build Form/Table to map users of SZAPDIS to Entry Offices in order to restrict staff to “their” people, and ITS Staff to global Query. [Could also be done with Value Based Security]
    • Build a secondary log table for each status of a PIN Reset Request.
    • Build a “pre log table” to capture any situations where all 3 items do not match, to detect bot attack
    • Put in a “Captcha” as a bot defense
    • Build reporting to look for patterns of non-successful actions.
    • Schedule batch process in UC4 for automatic nightly printing.
    • Set up Workflows to notify Entry Office: “You’ve got PIN LETTERS to Print!”
  • 66. Questions? • Any and all are welcome 66
  • 67. Thank You! Moreland Smith mtsmith@uncg.edu Please complete the class evaluation form 67