Educause Security Discussion mailing list archives
Re: Understanding the security implications of SAKAI?
From: Liudvikas Bukys <liudvikas.bukys () ROCHESTER EDU>
Date: Wed, 15 Sep 2004 15:46:49 -0400
I think that the good news on Sakai security is that the players (University of Michigan, Indiana University, MIT, Stanford, the uPortal Consortium, and the Open Knowledge Initiative (OKI)) really have a track record of producing administrative systems that are integrated with institutional identity management systems with reasonably robust mechanisms in a variety of institutions.

The biggest potential issues are shared by both open-source and proprietary systems. At a high level:

- Is the design OK?
- Is there an authentication model and mechanism?
- Is there a good authorization model?
- What are the administrative processes, and do they function well? Are administrative functions assigned and delegated to those with an interest (and the time) to make the right things happen?
- Is the implementation (by the developers) OK?
- Is the implementation (by the deployers) OK?
- Are whole new social issues created or exposed by the use of the system?
- Is configuration prone to certain pitfalls?
- Is installation of the underlying web app environment prone to certain pitfalls?
- In the heat of the moment, are insecure mechanisms chosen by developers or deployers?

The biggest risk is assuming that the platform or vendor has figured this out for you, so you don't have to look hard yourself. Any powerful general-purpose platform offers plenty of potential for bad implementation decisions even if the platform itself is perfect.

Both community and local review with sufficient effort is a good idea. Ideally you'd think about the same issues for this or for, say, a Blackboard implementation.

Liudvikas Bukys
Scientist
<bukys () cs rochester edu>