Re: Outsourcing Student Email - Security Concerns?

[Mike Porter <mike () UDEL EDU>]

On Thu, 26 May 2011, Francis, Greg wrote:

> As a campus using SSO, I agree that BC is a major consideration. We chose
> the SSO option to keep passwords local. However, when we had an internal
> event that knocked out our VMWare environment, students lost the ability to
> login to Google. The solution is only as good as its weakest link and our
> internal infrastructure is probably that weakest link with regards to Google
> Apps. We have not changed our approach as a result of that event but it did
> reconfirm a weakness that we had already seen in an SSO configuration.
>
> Greg

Same thing here.  I will add that one of the big wins for us with
SSO is we can log when and where the logins are coming from.  When
investigating hacking issues, this is very useful.

Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware

> On 5/26/11 12:56 PM, "Walter Moore" <moorewr () ECKERD EDU> wrote:
>
> > Another key consideration in favor on password sync over SSO for us was
> > Business Continuity. We're on the coast of Florida, on low land, so we must
> > plan for complete campus shutdowns even when hurricanes miss us.
> >
> > On Thu, May 26, 2011 at 3:42 PM, Barron Hulver <Barron.Hulver () oberlin edu>
> > wrote:
> > > We moved everyone go Google Apps for Edu about 3 years ago.  I was involved
> > > with negotiating our agreement with Google (before it became more general)
> > > and we had our external counsel involved as well.  We didn't really make that
> > > many changes to the agreement.
> > >
> > > On the technical side, we also went with a password sync process instead of
> > > an SSO.  After discussions with my two people that handle our directories, we
> > > decided to implement a reduced single sign-on environment by either having
> > > applications authenticate directly to one of our two LDAP servers or use
> > > password synchronization.  I preferred the password sync with Google for two
> > > reasons:  1) It is convenient for people using POP or IMAP and it enforces
> > > our password policies and 2) in the event of a communication problem to our
> > > central servers (e.g. Internet link is down or LDAP is down - almost never
> > > happens), the Google services could still be used from home.  We see this as
> > > an advantage in a disaster recovery/business continuity situation.
> > >
> > >
> > > Barron Hulver
> > > Director of Networking, Operations, and Systems
> > > Center for Information Technology
> > > Oberlin College
> > > 148 West College Street
> > > Oberlin, OH  44074
> > > 440-775-8798
> > > Barron.J.Hulver () oberlin edu
> > > http://www2.oberlin.edu/staff/bhulver/
> > >
> > >
> > >
> > >
> > > -------- Original Message --------
> > > Subject:        Re: Outsourcing Student Email - Security Concerns?
> > > Date:   Thu, 26 May 2011 11:57:48 -0400
> > > From:   Walter Moore <moorewr () ECKERD EDU>
> > > Reply-To:       The EDUCAUSE Security Constituent Group Listserv
> > > <SECURITY () LISTSERV EDUCAUSE EDU>
> > >
> > > To:     SECURITY () LISTSERV EDUCAUSE EDU
> > >
> > >
> > >
> > > There have been some fairly public debates about this, notably at Yale.
> > > http://www.yaledailynews.com/news/2010/mar/30/its-delays-switch-to-gmail/
> > >
> > > Our discussion centered on the Google Apps SLA, but in the end our
> > > General Counsel felt was acceptable. We ended up using a password sync
> > > process instead of SSO, but you could opt to run a SAML server. In that
> > > scenario your AD password would not be stored or synced to Google Apps.
> > >
> > > Be aware that users will, in that scenario, need to set a separate
> > > password for external IMAP/SMTP clients (phones etc).
> > >
> > > On Thu, May 26, 2011 at 11:04 AM, Allen Wood <awood () hillcollege edu
> > > <mailto:awood () hillcollege edu>> wrote:
> > >
> > >     Hello all,
> > >
> > >     I work for a small community college and we?re currently running
> > >     Exchange 2010 for student email.  Our VP likes the idea of using
> > >     Google Apps for Education (or Microsoft?s Live@edu) and freeing up
> > >     that mail server for something else.  I am leery of making the move
> > >     and basically putting the student?s Active Directory accounts in
> > >     someone else?s hands. I would think there are also possible
> > >     compliance issues, but I haven?t really studied that side of it yet.
> > >
> > >     Have any of you ever made either side of this argument before?  If
> > >     so, would you mind sharing any info that you may have available that
> > >     may help us decide outsourced vs. locally hosted, and maybe even
> > >     Google vs. Microsoft?
> > >
> > >     Thanks in advance for any info-
> > >
> > >     Allen Wood
>
> Greg Francis
> Director, Central Computing and Network Support Services
> 502 E. Boone Ave.
> Spokane, WA 99258-0092
> 509.313.6896 direct
> http://www.gonzaga.edu/its

-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2