Re: [Possible SPAM] sync general user accounts to SIS accounts ?

[Karen Duncanson <duncans2 () OAKLAND EDU>]

Richard:

I am encouraged to hear that you are planning a secure strategy with two layers of authentication. I am an advocate of 
systems designed to prevent breaches, even when some convenience is sacrificed.  I realize that a good solution may be 
difficult to identify and more difficult to implement.

I have recently been asked to recommend something for our network that would provide an initial challenge to confirm 
WHO the individual is, before giving basic read access and then a second different challenge (password) to gain 
read/write access on secure devices. It is easier described than done. Secure ID (one time password), is of course, an 
effective, but expensive solution, so I don't see us doing that. I am thinking more along the lines of a second 
password authentication system separate and unique from the campus LDAP.

My feeling is that there is a reasonable solution, but regardless there will be individuals who will feel 
inconvenienced simply because it is different than what they are used to.

Karen

---- Original message ----
> Date: Tue, 1 May 2007 17:53:19 -0400
> From: Richard Gambrell <richard-gambrell () UTC EDU>
> Subject: Re: [SECURITY] [Possible SPAM]  [SECURITY] sync general user accounts to SIS accounts ?
> To: SECURITY () LISTSERV EDUCAUSE EDU
>
> In my view, reasonable security efforts trumpet convenience.
>
> We are planning for, but haven't implemented fully, two layers of
> "single" sign on authentication, one at the "portal" or "access" or
> "outer" level that would use the more general campus id and password
> (email, PC, etc.) and a second userid and password to access "highly
> sensitive or confidential" information systems by privileged users.
>
> We would attempt user ID and password synchronization within each layer
> through the use of a Novell Identity manager product.  Access to the
> inner layer would require authentication at the outer layer first. We
> plan to primarily use radius and ldap for the outer layer and probably
> an Oracle user and login at the inner.
>
> We're also talking about using a one time password system for system
> administrators.
>
> Richard
>
> Michael Fox wrote:
> > We are looking at implementing a single point of authentication for most of our accounts. I would like to ask what 
> > others are doing in respect to accounts that access your SIS information. For example, faculty that access SIS to 
> > enter student grades. Are you using separate accounts for SIS or are the general accounts being used for this kind 
> > of access?
> >
> > I would like to see a separate account but I am getting the convenience side argument (which I understand).
> >
> > Any thoughts will be a help.
> >
> > Thanks,
> > Mike
> >
> > Mike Fox
> > Georgia Southern University
> > Information Technology Services
> > Office of Information Security
> > mfox () georgiasouthern edu
> > (912)871-1592
> >
> > Jeremiah 29:11-16
> >
> > NOTE: This email message is intended only for the named recipient(s) above
> > and may contain information that is privileged, confidential, and or exempt
> > from disclosure under applicable law. If you have received this message in
> > error, or are not the named recipient(s), please immediately contact the
> > sender and delete this email message.
>
>
> --
> Richard L Gambrell, Director of Information Systems
> Information Technology Division, University of Tennessee at Chattanooga
> 103 Admin Dept 4054, 615 McCallie Ave, Chattanooga, TN 37403-2598
> CECS IT problems: please contact cecstech () utc edu
> COBA IT problems: please contact Joshua-Cutler () utc edu
> Otherwise report IT Problems: Help-Desk () utc edu or 423-425-4000
> Phone troubles: troubles () utc edu or 423-425-4784
> IT Business Office: 423-425-1755 Main UTC phone: 423-425-4111
> My office phone: 423-425-5316 My (urgent) mobile: 423-432-5122
> Email: richard-gambrell () utc edu
Karen Duncanson, CISSP, CCNA
UTS/Network Security Analyst
www.oakland.edu/uts
248-370-2675