Educause Security Discussion mailing list archives
Re: ASPs and FERPA compliance
From: Mark Montague <markmont () UMICH EDU>
Date: Tue, 6 Nov 2007 10:24:06 -0500
On Tue, Nov 6, 2007 09:20, Justin Sherenco <jsherenco () EMICH EDU> wrote:
I'm a security analyst new to the academic world. I've come across a situation where someone in another department has signed on with a third-party ASP to host a student org application. The issue that we have run into is that the provider wants to authenticate the users from our LDAP server using a secure LDAP connection. All fine except for FERPA considerations. My research has led me to believe it is acceptable to have a third-party provider, but I'm not sure of the steps I need to take to make sure of FERPA compliance. I would appreciate any suggestions.
A problem here is that LDAP is a directory protocol, not an authentication protocol. What would you do if the ASP vendor said that they wanted to authenticate users from your mail server -- i.e., ask their user for their password and use it to try connecting to your mail server; if the ASP vendor is able to connect using that password, then the user must be who they say they are?

A better solution than using LDAP for authentication would be to have the ASP vendor use something like Kerberos to authenticate against your campus-wide Kerberos infrastructure (MIT Kerberos, Microsoft Active Directory, Novell eDirectory, etc.). While this is fairly easy to set up, unless you have full client support for Kerberos and SPNEGO on every user's machine, the users would still send their passwords to the ASP vendor, and you'd have to trust the ASP vendor not to do anything bad with the passwords (like using them to connect to your LDAP server or file servers!).

What I would recommend instead is requiring the vendor to use whatever Web Single Sign On system you support on campus. If you don't have a WebSSO system on campus, consider deploying one -- this will reduce the amount of trust you need to place in the vendor, and also help with FERPA compliance.

Some WebSSO systems:

cosign http://weblogin.org/
Pubcookie http://www.pubcookie.org/
CAS http://www.ja-sig.org/products/cas/
WebAuth http://www.stanford.edu/services/webauth/

For inter-institutional authentication, also consider Shibboleth: http://shibboleth.internet2.edu/

This may be an attractive option for your vendor, as if they support Shibboleth it opens up markets at other educational institutions to them, regardless of which WebSSO the institutions run locally.

Full disclosure: I'm part of the team that runs cosign at the University of Michigan and I'm also involved in its maintenance.

Mark Montague
ITCS Web/Database Production Team
The University of Michigan
markmont () umich edu
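The distinction Mark draws above, as a constructed example that is not part of the original thread and not code from cosign, CAS or any other WebSSO project: the campus side is the only place a password is ever checked, and the vendor side handles nothing but an opaque, single-use, service-bound ticket that it validates back with campus. All names, the user store and the vendor URL are placeholders.

```python
import hashlib
import hmac
import secrets
import time

# --- Campus side (identity provider): the only place passwords are checked ---
# Constructed user store: username -> salted SHA-256 of the password (placeholder scheme).
_SALT = b"constructed-salt"
_USERS = {"jsherenco": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_TICKETS = {}            # ticket -> (username, service, expiry); each ticket is single use
TICKET_TTL = 60          # seconds a service ticket stays valid


def campus_login(username, password, service):
    """User authenticates to campus only; returns an opaque service ticket or None."""
    expected = _USERS.get(username)
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, actual):
        return None
    ticket = "ST-" + secrets.token_urlsafe(24)   # opaque and unguessable
    _TICKETS[ticket] = (username, service, time.time() + TICKET_TTL)
    return ticket


def campus_validate(ticket, service):
    """Back-channel check the vendor calls. Consumes the ticket (so a replay fails)
    and requires the service it was issued for to match the calling service."""
    entry = _TICKETS.pop(ticket, None)
    if entry is None:
        return None
    username, issued_for, expiry = entry
    if issued_for != service or time.time() > expiry:
        return None
    return username


# --- Vendor side (ASP): never receives a campus password ---
VENDOR_SERVICE = "https://vendor.example/studentorgs"   # placeholder service URL


def vendor_session_from_ticket(ticket):
    """The vendor only ever handles the ticket and the username campus vouches for."""
    username = campus_validate(ticket, VENDOR_SERVICE)
    if username is None:
        return None
    return {"user": username, "authenticated_by": "campus WebSSO"}
```

Contrast this with the LDAP-bind model in the post, where `campus_login` would effectively run at the vendor with the user's cleartext password as input.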