Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties

["Semmens, Theresa" <theresa.semmens () NDSU EDU>]

That depends on if the employees are using a service called RIM. NDSU looking at this product because of a cost factor. 
 RIM requires submission of credentials, which is a violation of IT policy here at NDSU. I am researching how our state 
government IT department is handling this and if it fits NDSU's business model, would like to encourage us to follow 
the same.  I have requested that our general counsel provide a statement and opinion on the practice as well; his 
expertise and clout seems to carry far further than those of the ITSO. ;-)  

Theresa Semmens, CISA
Chief IT Security Officer
North Dakota State University
IACC 210D
PO Box 6050
Fargo, ND 58108
Phone: 701-231-5870
Fax: 701-231-8541
Theresa.Semmens () ndsu edu

Security is a process, privacy is a consequence
Security is action, privacy is a result of successful action
Security is the strategy, privacy is the outcome
Security is the sealed envelope, privacy is the successful delivery of the message inside the envelope  ~ Unknown



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Gillett
Sent: Wednesday, August 25, 2010 11:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Back on topic.... Re: [SECURITY] Universitycredentials used by third parties

  I haven't looked closely at Blackberry -- perhaps I need to?  The
scenarios I'm aware of are:

1.  User sets their institution email to forward to a remote address -- in
this case their Blackberry address.  No exposure of credentials unless they
want to reply (or originate) on the device and have those messages go
through our outbound servers....

2.  User configures personal device to download messages from their
institution inbox.

  Does either of these actually involve sharing the user's credentials with
the *service*, beyond their device?  I had assumed not, but now I'm not so
sure....

David Gillett


-----Original Message-----
From: Mike Porter [mailto:mike () UDEL EDU]
Sent: Wednesday, August 25, 2010 08:55
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Back on topic.... Re: [SECURITY]
Universitycredentials used by third parties

On Wed, 25 Aug 2010, Jesse Thompson wrote:

> On 08/24/2010 11:08 AM, Joel Rosenblatt wrote:
> > Just to thorough another thought into this mix, does anyone prevent
> > their students (or other users) from turning over their credentials
> > to Gmail or Blackberry?
> >
> > We see lots of authenticated logins from these services - and if I
> > were to come down hard on this Ultrinsic using our sharing of
> > password policy (which we do have) I'm sure that this would amount to
> > having to change our policy to - you can't share your credentials -
> > except with (gmail, Blackberry, etc.)
> >
> > I really hate inconsistent enforcement of policies, so it's either
> > change the policy or cut off everyone.
>
> +1
>
> Our help desk created end-user instructions for IMAP-syncing email
> accounts with Gmail, despite the fact that it completely violates password
policy.
> They did this specifically because they get flooded with "how do I
> save my email" requests when we deactivate email accounts, but other
> users take advantage of it as well.
>
> Yet, when we propose the idea of officially embracing this
> Gmail-IMAP-sync option as a more reliable alternative to forwarding  -
> essentially treating Gmail the same as any other IMAP client - the
> idea is immediately shot down because it violates password policy.

What was the violation?  The problem that users woud need to store a
password, likely the regular one, at gmail in order to use imap?

We ended up with a convoluted system to avoid some of those issues.


Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware

> Jesse
> (an email admin at Wisconsin)

-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2