Educause Security Discussion mailing list archives

Re: ASPs and FERPA compliance


From: Mark Montague <markmont () UMICH EDU>
Date: Tue, 6 Nov 2007 10:24:06 -0500

On Tue, Nov 6, 2007 09:20, Justin Sherenco <jsherenco () EMICH EDU> wrote:
> I'm a security analyst new to the academic world.  I've come across a
> situation where someone in another department has signed on with a third
> party ASP to host a student org application.  The issue that we have run
> into is the provider wants to authenticate the users from our LDAP server
> using a secure LDAP connection.  All fine except for FERPA considerations.
> My research has led me to believe it is acceptable to have a third party
> provider, but I'm not sure of the steps I need to take to make sure of FERPA
> compliance.  I would appreciate any suggestions.


A problem here is that LDAP is a directory protocol, not an
authentication protocol.  What would you do if the ASP vendor said that
they wanted to authenticate users from your mail server -- i.e., ask
their user for their password and use it to try connecting to your mail
server; if the ASP vendor is able to connect using that password, then
the user must be who they say they are?

A better solution than using LDAP for authentication would be to have
the ASP vendor use something like Kerberos to authenticate against your
campus-wide Kerberos infrastructure (MIT Kerberos, Microsoft Active
Directory, Novell eDirectory, etc.).  While this is fairly easy to set
up, unless you have full client support for Kerberos and SPNEGO on every
user's machine, the users would still send their passwords to the ASP
vendor, and you'd have to trust the ASP vendor not to do anything bad
with the passwords (like using them to connect to your LDAP server or
file servers!).

What I would recommend instead is requiring the vendor to use whatever Web
Single Sign On system you support on campus.  If you don't have a
WebSSO system on campus, consider deploying one -- this will reduce the
amount of trust you need to place in the vendor, and also help with
FERPA compliance.

Some WebSSO systems:

cosign http://weblogin.org/
Pubcookie http://www.pubcookie.org/
CAS http://www.ja-sig.org/products/cas/
WebAuth http://www.stanford.edu/services/webauth/

For inter-institutional authentication, also consider Shibboleth:
http://shibboleth.internet2.edu/   This may be an attractive option for
your vendor, as if they support Shibboleth it opens up markets at other
educational institutions to them, regardless of which WebSSO the
institutions run locally.

Full disclosure: I'm part of the team that runs cosign at the University
of Michigan and I'm also involved in its maintenance.

               Mark Montague
               ITCS Web/Database Production Team
               The University of Michigan
               markmont () umich edu
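An added illustration of the trust difference Mark describes (this is example code written for this archive page, not code from the post or from cosign, CAS or WebAuth): a minimal CAS-style service-ticket flow simulated in one process, where the password is only ever checked on the campus side and the vendor receives a short-lived, single-use, service-bound ticket that it validates over a back channel. The usernames, password and vendor URL are constructed sample values.

```python
# Added illustration of a WebSSO-style flow; not code from the post or from
# cosign/CAS/WebAuth. Both sides are simulated here in one process.
import secrets
import time

# Campus side: the only place the user's password is ever checked.
CAMPUS_PASSWORDS = {"alice": "correct horse battery staple"}  # constructed sample
_tickets = {}          # ticket -> (username, service it was issued for, expiry)
TICKET_LIFETIME = 300  # seconds; real WebSSO systems use similarly short windows

def campus_login(username, password, service, now=None):
    """Runs on the campus WebSSO login page; returns a service ticket or None.
    The vendor never sees these inputs: the browser posts the password to the
    campus host, and only the resulting ticket is relayed to the vendor."""
    now = time.time() if now is None else now
    if CAMPUS_PASSWORDS.get(username) != password:
        return None
    ticket = "ST-" + secrets.token_urlsafe(24)
    _tickets[ticket] = (username, service, now + TICKET_LIFETIME)
    return ticket

def campus_validate(ticket, service, now=None):
    """Back-channel validation endpoint called by the vendor's server.
    Answers with the username only; the ticket is single-use and bound to
    the service it was issued for, so a leaked or replayed ticket is useless."""
    now = time.time() if now is None else now
    entry = _tickets.pop(ticket, None)  # pop: a second validation attempt fails
    if entry is None:
        return None
    username, issued_for, expiry = entry
    if issued_for != service or now > expiry:
        return None
    return username

# Vendor side (the ASP): holds no campus credentials at all.
VENDOR_SERVICE = "https://studentorgs.example-asp.net/login"  # hypothetical URL

def vendor_login(ticket, now=None):
    """All the vendor learns is the validated username (or nothing)."""
    return campus_validate(ticket, VENDOR_SERVICE, now)

def demo():
    """Walks the flow once; returns (first validation, replay attempt)."""
    ticket = campus_login("alice", "correct horse battery staple", VENDOR_SERVICE)
    return vendor_login(ticket), vendor_login(ticket)
```

Compare this with an LDAP simple bind done by the vendor: there the vendor's application must hold the cleartext password to attempt the bind, which is exactly the trust the post says you want to avoid extending.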

