Educause Security Discussion mailing list archives
Re: Multiple campus SSO security requirements
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Mon, 3 Nov 2008 10:38:25 -0800
Ian,

This sounds like a boundary issue. Is each campus documented as a different boundary? If so, you would want to document in your system security plan how this connection has an effect on security issues at your campus. If you have a system security plan to address security on your campus, document controls, conduct regular system testing, etc., you could share the parts of this plan that could have an effect on other campuses through this connection with those other campuses. Based upon their review of your controls, they make the final decision of whether or not you are a trusted partner.

Likewise, before accepting their credentials, you would want to make sure that they were a trusted partner. You would ask for their information. You may have some sort of checklist of what you expect to see in their environment before you allow a connection. If they do not have a system security plan, you could send them this checklist and make them explain how each of your campus requirements is met in their environment. You would then review the list to feel comfortable that they have instituted good controls, and that the information accessible via the shared LDAP connection will remain safe.

Once you have established that the connection is safe, you would make the other campus sign an agreement stating that their controls can be reviewed by you at any time, especially if a security breach is suspected, and on an annual basis. Detail what information is going to be shared through the connection, and the Rules of Behavior for accessing and using the information. This type of agreement is often known as a Memorandum of Understanding or MOU. Because of the legal limitations of an MOU, you still would want to limit the information that the other campuses could receive based upon a valid “need to know.” Only give access to the information that is imperative to the mission and expectations of a multi-campus web-SSO system.
Hope this helps,

Sarah Stevens, CISSP
President
STI
(704) 625-8842

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stewart, Ian
Sent: Monday, November 03, 2008 1:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Multiple campus SSO security requirements

Hello,

We are considering a multi-campus web-SSO system that allows an end-user to authenticate using their home campus LDAP account or another campus LDAP account they may hold. Has anyone implemented such a system, and how have you dealt with the trust issues between campuses that this creates? For example, each campus may have its upfront ID-issuing or vetting process reviewed by all the other campuses and an agreement signed before it is allowed to participate, as in a federation. Any thoughts on this issue would be welcome.

Thanks,

:: Ian Stewart, Manager of Identity Management
:: University of Massachusetts
:: 508.856.2069 Phone
:: 508.864.0088 Mobile
:: 508.856.4844 Fax
:: istewart () umassp edu
333 South St., Suite 400 ◦ Shrewsbury, MA 01545 ◦ www.massachusetts.edu
Current thread:
- Multiple campus SSO security requirements Stewart, Ian (Nov 03)
- Re: Multiple campus SSO security requirements Chris Green (Nov 03)
- Re: Multiple campus SSO security requirements Sarah Stevens (Nov 03)
- Re: Multiple campus SSO security requirements Greg Vickers (Nov 03)
- Re: Multiple campus SSO security requirements Steven Carmody (Nov 04)
- Re: Multiple campus SSO security requirements Stewart, Ian (Nov 04)
- Re: Multiple campus SSO security requirements David Walker (Nov 04)
- Re: Multiple campus SSO security requirements Stewart, Ian (Nov 04)
- Re: Multiple campus SSO security requirements David Walker (Nov 05)