Educause Security Discussion mailing list archives

Re: Understanding the security implications of SAKAI?


From: Liudvikas Bukys <liudvikas.bukys () ROCHESTER EDU>
Date: Wed, 15 Sep 2004 15:46:49 -0400

I think that the good news on Sakai security is that the players
(University of Michigan, Indiana University, MIT, Stanford, the uPortal
Consortium, and the Open Knowledge Initiative (OKI)) really have a track
record of producing administrative systems that are integrated with
institutional identity management systems with reasonably robust mechanisms
in a variety of institutions.

The biggest potential issues are shared by both open-source and proprietary
systems.  At a high level:
        - Is the design OK?
                - Is there an authentication model and mechanism?
                - Is there a good authorization model?
                - What are the administrative processes, and do they function well?
                  Are administrative functions assigned and delegated to those
                  with an interest (and the time) to make the right things happen?
        - Is the implementation (by the developers) OK?
        - Is the implementation (by the deployers) OK?
        - Are whole new social issues created or exposed by the use of the system?
        - Is configuration prone to certain pitfalls?
        - Is installation of the underlying web app environment prone to certain pitfalls?
        - In the heat of the moment, are insecure mechanisms chosen by developers or deployers?

The biggest risk is assuming that the platform or vendor has figured
this out for you, so you don't have to look hard yourself.  Any powerful
general-purpose platform offers plenty of potential for bad implementation
decisions even if the platform itself is perfect.  Both community and
local review with sufficient effort is a good idea.

Ideally you'd think about the same issues for this or for, say, a Blackboard
implementation.


Liudvikas Bukys
Scientist
<bukys () cs rochester edu>

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
