Educause Security Discussion mailing list archives
Re: [Possible SPAM] sync general user accounts to SIS accounts ?
From: Karen Duncanson <duncans2 () OAKLAND EDU>
Date: Tue, 1 May 2007 18:49:27 -0400
Richard:

I am encouraged to hear that you are planning a secure strategy with two layers of authentication. I am an advocate of systems designed to prevent breaches, even when some convenience is sacrificed. I realize that a good solution may be difficult to identify and more difficult to implement.

I have recently been asked to recommend something for our network that would provide an initial challenge to confirm WHO the individual is, before giving basic read access, and then a second different challenge (password) to gain read/write access on secure devices. It is easier described than done. Secure ID (one time password) is, of course, an effective but expensive solution, so I don't see us doing that. I am thinking more along the lines of a second password authentication system separate and unique from the campus LDAP.

My feeling is that there is a reasonable solution, but regardless there will be individuals who will feel inconvenienced simply because it is different than what they are used to.

Karen

---- Original message ----
Date: Tue, 1 May 2007 17:53:19 -0400
From: Richard Gambrell <richard-gambrell () UTC EDU>
Subject: Re: [SECURITY] [Possible SPAM] [SECURITY] sync general user accounts to SIS accounts ?
To: SECURITY () LISTSERV EDUCAUSE EDU

In my view, reasonable security efforts trump convenience.

We are planning for, but haven't implemented fully, two layers of "single" sign on authentication, one at the "portal" or "access" or "outer" level that would use the more general campus id and password (email, PC, etc.) and a second userid and password to access "highly sensitive or confidential" information systems by privileged users. We would attempt user ID and password synchronization within each layer through the use of a Novell Identity manager product. Access to the inner layer would require authentication at the outer layer first.

We plan to primarily use radius and ldap for the outer layer and probably an Oracle user and login at the inner. We're also talking about using a one time password system for system administrators.

Richard

Michael Fox wrote:

We are looking at implementing a single point of authentication for most of our accounts. I would like to ask what others are doing in respect to accounts that access your SIS information. For example, faculty that access SIS to enter student grades. Are you using separate accounts for SIS or are the general accounts being used for this kind of access? I would like to see a separate account but I am getting the convenience side argument (which I understand).

Any thoughts will be a help.

Thanks,
Mike

Mike Fox
Georgia Southern University
Information Technology Services
Office of Information Security
mfox () georgiasouthern edu
(912)871-1592
Jeremiah 29:11-16

NOTE: This email message is intended only for the named recipient(s) above and may contain information that is privileged, confidential, and or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately contact the sender and delete this email message.

--
Richard L Gambrell, Director of Information Systems
Information Technology Division, University of Tennessee at Chattanooga
103 Admin Dept 4054, 615 McCallie Ave, Chattanooga, TN 37403-2598
CECS IT problems: please contact cecstech () utc edu
COBA IT problems: please contact Joshua-Cutler () utc edu
Otherwise report IT Problems: Help-Desk () utc edu or 423-425-4000
Phone troubles: troubles () utc edu or 423-425-4784
IT Business Office: 423-425-1755
Main UTC phone: 423-425-4111
My office phone: 423-425-5316
My (urgent) mobile: 423-432-5122
Email: richard-gambrell () utc edu

Karen Duncanson, CISSP, CCNA
UTS/Network Security Analyst
www.oakland.edu/uts
248-370-2675