Educause Security Discussion mailing list archives
Re: Back on topic.... Re: [SECURITY] University credentials used by third parties
From: Guy Pace <gpace () SBCTC EDU>
Date: Tue, 24 Aug 2010 09:22:23 -0700
I feel your pain, Joel. However, Washington State University--as someone pointed out earlier in the thread--has a pretty decent approach to a solution. The student, staff or faculty doesn't give out their credentials, but "sponsors" the third party to get its own set of guest credentials. The student, staff or faculty then authorizes sharing of specific information (based on a menu of information the institution will make available) with that third party.

This way, you can still have your AUP and policy against sharing credentials, and still allow people to make decisions about sharing personal information with third parties. While the sharing of information part makes most of us cringe, the decision is up to the individual. They are the ones taking the risk at that point, not the institution.

About the only concern I would have, if I still worked at WSU, would be the implied acceptance of gambling on grades by allowing Ultrinsic to participate. But, that's just me.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a paint-by-numbers system." Bob Lewis

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Tuesday, August 24, 2010 9:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Back on topic.... Re: [SECURITY] University credentials used by third parties

Just to throw another thought into this mix, does anyone prevent their students (or other users) from turning over their credentials to Gmail or Blackberry?

We see lots of authenticated logins from these services - and if I were to come down hard on this Ultrinsic using our sharing of password policy (which we do have) I'm sure that this would amount to having to change our policy to - you can't share your credentials - except with (gmail, Blackberry, etc.)

I really hate inconsistent enforcement of policies, so it's either change the policy or cut off everyone.

Comments?

Thanks,
Joel

--On Tuesday, August 24, 2010 3:36 PM +0000 "Flynn, Gary - flynngn" <flynngn () JMU EDU> wrote:

In the terms and conditions Ultrinsic says, "Access to School Account. By providing Ultrinsic with your username and password for your online school account, you authorize Ultrinsic to access the account and to view and record any information in your account."

If the university AUP prohibits revealing credentials to third parties, does a student have the legal authority to authorize Ultrinsic to access the university system? And if not, wouldn't this be unauthorized access of a university system by Ultrinsic with attendant legal repercussions, particularly at state universities?

A disclaimer on login pages could reinforce this. For example, "For interactive use by university students, employees, registered affiliates, and alumni only. All other use and access prohibited. Violators will be prosecuted."

How would one go about blocking Ultrinsic's access to your student information system? The address they use for their web site might not be the same one they use to source logins to your student system. It might turn into a case of whack-a-mole.

This kind of thing furthers the argument for more widely mandated certificate or 2-factor based authentication to all Internet exposed services that are access controlled...even self-service ones. In this case, more as an enforcement of AUP restrictions on giving out authentication credentials than of any type of hacking.

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel