SSN Vault FAQ

Is it true we are going to retire the SSN Vault?

Yes, the Division of IT has decided to remove the SSN Vault and all associated integrations by June 2018.  We’ll restore SSNs to all PeopleSoft pillars at once in November 2017 (with a back-up date of March 2018) and other applications by May, 2018.  The Vault and associated applications will be decommissioned in June 2018.

Why are we retiring the SSN Vault?

The SSN Vault is increasingly unsupportable.  First, there are custom and unsupported components that were created by staff who are no longer employed by the university.  Second, the vendor support windows for the underlying platforms (Oracle and Red Hat Enterprise Linux) are rapidly closing.  Staying with older versions is risky and prevents us from taking advantage of new application features, but upgrading is not an option.  Furthermore, there is also the possibility future versions of PeopleSoft may no longer be compatible.

What are you going to do to make the change and how will it affect users?

After a year of detailed investigation, we’ve initiated a project to retire the SSN Vault.  To do this we will be augmenting the security of the applications and databases currently using AltID and then returning SSNs to those systems.  In addition we will not be returning SSNs to places where AltID is a non-critical or non-used data element.

As part of the investigation project, the Division of IT has identified business processes in all the affected applications that are currently using AltID.  We have made plans to modify these processes to coincide with the return of SSNs to the applications to minimize impact to users.  In many cases, this will lead to a simplification of the process, which will benefit users.

In addition, the Division of IT plans to make SSN to AltID mapping data available to users who need it to facilitate customer support and user identification troubleshooting.

What security changes will you be making to the applications and databases?

The Division of IT is responsible for ensuring that the infrastructure, platforms, databases, and applications that store SSN have a high degree of security protection to prevent an SSN data breach.  To do this the Division of IT will implement data encryption, data redaction, logging, and access controls.

What is data redaction?

Data redaction is the obscuring of all or a portion of a sensitive data element, in this case the SSN.  Within PeopleSoft, we will be applying data redaction controls to fully bock the SSN data on pages where the user is not authorized to see it, allow only the last 4 digits of the SSN if that is sufficient for the user’s need, or display the whole SSN when justified by the business process.  What you see will depend on the level of permission you have been granted within the application.

How will you determine who gets access to the SSN in PeopleSoft?

Prior to returning the SSNs to PeopleSoft, we will be conducting an audit of users who currently have SSN Vault access.  We will ensure that the user still has a business need for the SSN data and whether that user needs the full SSN or just last the 4 digits.  Then the user will be assigned to the appropriate role(s) in PeopleSoft.  There should be no interruption in access at the time the SSNs are returned to PeopleSoft.

How will testing be conducted prior to putting SSNs into PeopleSoft production?

The Division of IT is creating additional development instances of each PeopleSoft pillar for the initial round of testing.  The new security control structure and data redaction features will be applied there first and tested by the PeopleSoft developers and a limited set of functional users.  Once the development environments are complete, the changes will be put into the QA instances of each pillar where full functional testing will occur prior to go live.

What if I still need access to the AltID after the Vault has been retired?

We will create AltID/SSN crosswalk tables for access by users with a need to know.

What if I have a home-grown or commercial application that relies on AltID?

Contact the project manager, Terry Robb (882-5555, RobbTL@missouri.edu), as soon as possible.