Re: Multiple campus SSO security requirements

[Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>]

Ian,

 

This sounds like a boundary issue.  Is each campus documented as a different boundary?  If so, you would want to 
document in your system security plan how this connection has an effect on security issues at your campus.  If you have 
a system security plan to address security on your campus, document controls, conduct regular system testing, etc, you 
could share the parts of this plan that could have an effect on other campuses through this connection with those other 
campuses.  Based upon their review of your controls, they make the final decision of whether or not you are a trusted 
partner.  Likewise, before accepting their credentials, you would want to make sure that they were a trusted partner.  
You would ask for their information You may have some sort of checklist of what you expect to see in their environment 
before you allow a connection.  If they do not have a system security plan, you could send them this checklist and make 
them explain how each of your campus requirements are met in their environment.  You would then review the list to feel 
comfortable that they have instituted good controls, and that the information accessible via the shared LDAP connection 
will remain safe.  Once you have established that the connection is safe, you would make the other campus sign an 
agreement stating that their controls can be reviewed by you at any time, especially if a security breach is suspected, 
and on an annual basis.  Detail what information is going to be shared through the connection, and the Rules of 
Behavior for accessing and using the information.  This type of agreement is often known as a Memorandum of 
Understanding or  MOU.  Because of the legal limitations of an MOU, you still would want to limit the information that 
the other campuses could receive based upon a valid “need to know.”  Only give access to the information that is 
imperative to the mission and expectations of a multi-campus web-SSO system. 

 

Hope this helps,

 

Sarah Stevens, CISSP

President

STI

(704) 625-8842

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stewart, 
Ian
Sent: Monday, November 03, 2008 1:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Multiple campus SSO security requirements

 

Hello,

We are considering multi-campus web-SSO system that allows an end-user to authenticate using their home campus LDAP 
account or another campus LDAP account they may hold   Has anyone implemented such a system and how have you dealt with 
the trust issues between campuses that this creates? For example, each campus may have their upfront ID-issuing or 
vetting process reviewed by all the other campuses and an agreement signed before they are allowed to participate, as 
in a federation.  Any thoughts on this issue would be welcome.

Thanks,

 

:: Ian Stewart, Manager of Identity Management

:: University of Massachusetts

:: 508.856.2069 Phone

:: 508.864.0088 Mobile

:: 508.856.4844 Fax 

               :: istewart () umassp edu <mailto:istewart () umassp edu> 

 

               333 South St., Suite 400 ◦ Shrewsbury, MA 01545 ◦ www.massachusetts.edu <http://www.massachusetts.edu/>