Re: Outsourcing Student Email - Security Concerns?

[John Ladwig <John.Ladwig () CSU MNSCU EDU>]

I'm not authoritative on this, but those that are closer have advised that the current Live@EDU offering DOES NOT offer 
federation as an option, but a soon-upcoming version ?Live365 WILL offer federation as an option.  That'll come on line 
later this calendar year.

Might be worth verifying the timelines, for your situation.

I personally would *love* to have our integrations federation-based rather than using password syncing.

   -jml


-----Original Message-----
From: Allen Wood
Sent: 2011-05-26 17:09:30
To: Allen Wood;The EDUCAUSE Security Constituent Group Listserv
Cc: 
Subject: Re: [SECURITY] Outsourcing Student Email - Security Concerns?


Thank you for all of the great responses.  I apparently was a little confused when it came to the authentication 
options and I'm now a little more open to the idea than I was in the past.  I think I'll study into both Google & 
Live@Edu since we're an Exchange shop and then begin to put together my opinion.
Thanks again for all of the responses.

Have a great weekend,

Allen


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dr. Wole 
Akpose
Sent: Thursday, May 26, 2011 3:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outsourcing Student Email - Security Concerns?

Per:  Another key consideration in favor on password sync over SSO for us was Business Continuity. We're on the coast 
of Florida, on low land, so we must plan for complete campus shutdowns even when hurricanes miss us.

Have you considered offsite Replication of your Identity Server as part of your BC considerations?

W. Akpose

On 5/26/11 4:29 PM, "Mike Porter" <mike () UDEL EDU> wrote:

> On Thu, 26 May 2011, Francis, Greg wrote:
>
> > As a campus using SSO, I agree that BC is a major consideration. We 
> > chose  the SSO option to keep passwords local. However, when we had an 
> > internal  event that knocked out our VMWare environment, students lost 
> > the ability to  login to Google. The solution is only as good as its 
> > weakest link and our  internal infrastructure is probably that weakest 
> > link with regards to Google  Apps. We have not changed our approach as 
> > a result of that event but it did  reconfirm a weakness that we had 
> > already seen in an SSO configuration.
> >
> > Greg
>
> Same thing here.  I will add that one of the big wins for us with SSO 
> is we can log when and where the logins are coming from.  When 
> investigating hacking issues, this is very useful.
>
> Mike
>
> Mike Porter
> Systems Programmer V
> IT/NSS
> University of Delaware
>
> > On 5/26/11 12:56 PM, "Walter Moore" <moorewr () ECKERD EDU> wrote:
> >
> > > Another key consideration in favor on password sync over SSO for us 
> > > was  Business Continuity. We're on the coast of Florida, on low land, 
> > > so we must  plan for complete campus shutdowns even when hurricanes 
> > > miss us.
> > >
> > > On Thu, May 26, 2011 at 3:42 PM, Barron Hulver 
> > > <Barron.Hulver () oberlin edu>
> > > wrote:
> > > > We moved everyone go Google Apps for Edu about 3 years ago.  I was 
> > > > involved  with negotiating our agreement with Google (before it 
> > > > became more
> > > > general)
> > > > and we had our external counsel involved as well.  We didn't really 
> > > > make that  many changes to the agreement.
> > > >
> > > > On the technical side, we also went with a password sync process 
> > > > instead of  an SSO.  After discussions with my two people that 
> > > > handle our directories, we  decided to implement a reduced single 
> > > > sign-on environment by either having  applications authenticate 
> > > > directly to one of our two LDAP servers or use  password 
> > > > synchronization.  I preferred the password sync with Google for two
> > > > reasons:  1) It is convenient for people using POP or IMAP and it 
> > > > enforces  our password policies and 2) in the event of a 
> > > > communication problem to our  central servers (e.g. Internet link is 
> > > > down or LDAP is down - almost never  happens), the Google services 
> > > > could still be used from home.  We see this as  an advantage in a 
> > > > disaster recovery/business continuity situation.
> > > >
> > > >
> > > > Barron Hulver
> > > > Director of Networking, Operations, and Systems Center for 
> > > > Information Technology Oberlin College
> > > > 148 West College Street
> > > > Oberlin, OH  44074
> > > > 440-775-8798
> > > > Barron.J.Hulver () oberlin edu
> > > > http://www2.oberlin.edu/staff/bhulver/
> > > >
> > > >
> > > >
> > > >
> > > > -------- Original Message --------
> > > > Subject:        Re: Outsourcing Student Email - Security Concerns?
> > > > Date:   Thu, 26 May 2011 11:57:48 -0400
> > > > From:   Walter Moore <moorewr () ECKERD EDU>
> > > > Reply-To:       The EDUCAUSE Security Constituent Group Listserv
> > > > <SECURITY () LISTSERV EDUCAUSE EDU>
> > > >
> > > > To:     SECURITY () LISTSERV EDUCAUSE EDU
> > > >
> > > >
> > > >
> > > > There have been some fairly public debates about this, notably at 
> > > > Yale.
> > > >
> > > > http://www.yaledailynews.com/news/2010/mar/30/its-delays-switch-to-g
> > > > mai
> > > > l/
> > > >
> > > > Our discussion centered on the Google Apps SLA, but in the end our  
> > > > General Counsel felt was acceptable. We ended up using a password 
> > > > sync  process instead of SSO, but you could opt to run a SAML 
> > > > server. In that  scenario your AD password would not be stored or 
> > > > synced to Google Apps.
> > > >
> > > > Be aware that users will, in that scenario, need to set a separate 
> > > > password for external IMAP/SMTP clients (phones etc).
> > > >
> > > > On Thu, May 26, 2011 at 11:04 AM, Allen Wood <awood () hillcollege edu 
> > > > <mailto:awood () hillcollege edu>> wrote:
> > > >
> > > >     Hello all,
> > > >
> > > >     I work for a small community college and we?re currently running
> > > >     Exchange 2010 for student email.  Our VP likes the idea of using
> > > >     Google Apps for Education (or Microsoft?s Live@edu) and freeing up
> > > >     that mail server for something else.  I am leery of making the 
> > > > move
> > > >     and basically putting the student?s Active Directory accounts in
> > > >     someone else?s hands. I would think there are also possible
> > > >     compliance issues, but I haven?t really studied that side of it 
> > > > yet.
> > > >
> > > >     Have any of you ever made either side of this argument before?  If
> > > >     so, would you mind sharing any info that you may have available 
> > > > that
> > > >     may help us decide outsourced vs. locally hosted, and maybe even
> > > >     Google vs. Microsoft?
> > > >
> > > >     Thanks in advance for any info-
> > > >
> > > >     Allen Wood
> >
> > Greg Francis
> > Director, Central Computing and Network Support Services
> > 502 E. Boone Ave.
> > Spokane, WA 99258-0092
> > 509.313.6896 direct
> > http://www.gonzaga.edu/its
>
> -
> Mike Porter
> PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2