  1. #1
    vikpaw

    Cloud MIS Security

    Just a closing thought as I go for my weekend, though I will be back tomorrow for a bit in the morning.

    With a cloud MIS, for security you really want to have dual-factor authentication. It's just too risky not to, right? Attempts at enforcing strong passwords just force the user to write it down, usually somewhere obvious, in clear text, with a big label that says use this for 'XYZ MIS' (yes, that popular product rears its head again!)

    I'm just wondering, how do you then get third party apps and providers to connect to the system?
    Anyone with experience or thoughts?

    For example, we have in-house SIMS, so my add-ins either have credentials passed in at run-time or stored locally on a server here, and they talk to each other within the confines of my network.

    How does this work, if the MIS is in the cloud, and all staff are using dual factor? How does the third party or automated system authenticate in a way that's dual factor?

  2. #2
    X-13
    Quote Originally Posted by vikpaw
    How does this work, if the MIS is in the cloud, and all staff are using dual factor? How does the third party or automated system authenticate in a way that's dual factor?
    Depends what the second factor is.

    If it's a code via a physical token/app [like WoW's two-factor], then they could just use the generator app as part of XYZ MIS, and any time a 3rd-party app needs something it just requests the current code.

    TBH, it's something that would be awkward to do [it may not be...]: you either have to auto-auth all apps or hand over the code to generate valid authentication codes to 3rd parties.
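
The post above treats the code generator as something a third-party app could simply "request the current code" from. What it would actually hold is the enrolment seed, and with the seed any party can mint codes the MIS accepts indefinitely. The following is an added example (not code from the thread or from any MIS or supplier): the RFC 6238 TOTP algorithm written from scratch, with a constructed scenario in which a copy of a user's seed is given to an integration. The seed is the RFC 4226/6238 test secret; the user and timing values are invented for the demo.

```python
"""RFC 6238 TOTP, implemented from scratch to show what "handing over the
generator" to a third-party app actually hands over: the shared seed.
Added example, not code from the thread or from any MIS product."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current 30 s step and +/- `window`
    steps of clock drift, comparing each candidate in constant time."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). An
# enrolment QR code carries exactly this seed, base32-encoded.
RFC_TEST_SECRET = b"12345678901234567890"
ENROLMENT_URI_SECRET = base64.b32encode(RFC_TEST_SECRET).decode()


def seed_from_enrolment(b32_secret: str) -> bytes:
    """What a third-party app does with a copied enrolment secret."""
    return base64.b32decode(b32_secret)


def third_party_can_mint_codes(b32_secret: str, unix_time: int) -> bool:
    """Constructed scenario: the MIS verifies codes against the user's seed;
    an integration holding a copy of that seed produces a code the MIS
    accepts. The verifier cannot tell the copy from the user's own token."""
    mis_seed = RFC_TEST_SECRET                       # what the MIS stored at enrolment
    app_code = totp(seed_from_enrolment(b32_secret), unix_time)
    return verify_totp(mis_seed, app_code, unix_time)


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))                                  # 287082 (RFC 6238 vector, 6 digits)
    print(third_party_can_mint_codes(ENROLMENT_URI_SECRET, 1_700_000_000))  # True
```

The point for the thread: the "something you have" is a bearer secret, not a device. Once the seed is copied into a third-party app or server, that copy is a second credential for the same account with no expiry and no audit trail distinguishing it from the user's phone, so 2FA for that account has collapsed back to "whoever holds the secrets".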

  3. #3
    LosOjos
    I'd imagine this would come down to the third party app having to exist within the same network as the MIS, and two-tier authentication only being employed for connections originating outside of that network.

    I'm certainly not the authority on this though!

  4. #4
    Geoff
    Two-factor authentication requires you to authenticate with 'something you have' and 'something you know'. So this could be something simple like a PIN and a fingerprint to get inside a building. World of Warcraft is a good example of it done well. The 'something you know' is your username/password and the 'something you have' is the Battle.net authenticator. It depends on the situation and your users as to what will work best for you, but for internet services of any description, look at the WoW model.

  5. #5
    GREED
    @vikpaw mate

    Can you give some examples of third-party products that require an ad-hoc or even constant communication link with the cloud MIS in this scenario? I want to respond with specifics here, as we are working with the same scenario with a customer using a Dual-Factor Authentication separated security layer between t'internet and the MIS.

    This is common in local authorities who are hosting the MIS in their data centres. It is not a standard feature outside of this. I'm interested in why the distinction between cloud and client MIS here, given so many client MISs are available via a remote desktop-type facility, which have the same levels of authentication (i.e. not usually dual factor). With the concern, I would want DFA on everything regardless of the cloud.

  6. #6
    Steven_Cleaver
    If I was accessing any MIS system remotely, either an internally based system or cloud based, I would expect Dual Factor Authentication. To be honest, that is the main reason we built this into our Remote Access solution: to access our MIS system you need to have the encrypted app and your network username and password, as well as your MIS username and password; without the encrypted app you can't access the MIS system.

    This makes it reasonably seamless for the user, as they click the app and this does the encrypted authentication; then they just log in as they normally would.

  7. #7
    @GREED, an example of an application that runs against SIMS is Groupcall's exporter, taking info to LA systems.
    @Geoff, I'm not convinced that the "something you know" is sufficient, as it's a constant; I can obtain millions of static passwords from Internet sources. Random characters from the "something you know" would work, I think.

  8. #8
    Steven_Cleaver
    @GREED We use SIMS but use Insight for the parental portal, which sits on a separate server and communicates with SIMS to extract student information for parents into Insight. Is this the kind of thing you mean? It requires a SIMS user account to authenticate to do this, so it has virtually live data going across; this is all done internally.

  9. #9
    Geoff
    Quote:
    @Geoff, I'm not convinced that the "something you know" is sufficient, as it's a constant; I can obtain millions of static passwords from Internet sources. Random characters from the "something you know" would work, I think.
    I was simplifying for the purposes of readability. The correct term for 'something you know' in the context of two-factor authentication is of course a 'knowledge factor', which is defined generally as 'the user is required to prove knowledge of a secret in order to authenticate'. This generally takes the form of a password, PIN or pattern.

  10. #10
    vikpaw
    Good discussion this.

    I know remote access to on-site MIS needs to be secure and should be dual factor; this is fine, as I imagine the other systems continue working as they do.

    I know how dual-factor works, and I expect that there is either a generator or a physical device of some kind which prevents simple password snooping. This would be for all users. My query is: how does an automatic app / third-party service, process or whatever use this physical generator / device?

    It's okay to issue all humans with a keyfob, but what about the other systems? As has been said, they may have to stay internal, or utilise some kind of trust. That is what I'm trying to work out.

    For example, we use groupcall emerge, and schoolcomms.

    Emerge uses dual factor, as the service is locked to the physical device and then utilises a username, password and PIN code on top. I don't allow public access, so it only works when the user is on my wifi / LAN. Even if we published that service externally, it would be secure using the same set-up. The Groupcall server is on site and has internal comms to SIMS.

    When I run the Schoolcomms desktop app and sync data, it uses my client to run SIMS and connect to the server, and I provide SIMS credentials ad hoc.

    If I use XYZ-Nimbus MIS and it's in the cloud, how does Groupcall connect to that? Even if I house it internally, the MIS is now out there. For me to connect I need dual factor; how does the Groupcall service do ad-hoc calls to the MIS? And it does need to: each device, via the server, pulls down live attendance data if it's available.

    Schoolcomms may be easier, as it might be part of my authentication to the cloud, as it's normally called on request.

    Groupcall also does its overnights on schedule, and Salamander connects to SIMS nightly and on command to synchronise data between SIMS and the ID card system. Even my own internal scripts would be affected, e.g. Command Reporter, which runs overnight to dump data out of SIMS and then into the library system.

    I'm sure there are other third parties with similar requirements, and probably some that are cloud themselves...
    Do they all need to change how they interact with XYZ-Nimbus compared to XYZ-Terra?

    Who is the onus on to make these things work? Is this where SIF has its place? I don't know; I'm not really sure how it works.

  11. #11
    X-13
    Quote Originally Posted by vikpaw
    My query is: how does an automatic app / third-party service, process or whatever use this physical generator / device?
    Trusted system account?

    As in, if $user requests data, DON'T require two-factor.

    The username would be akin to the RM system account we have, where it's a randomly generated string of numbers/letters. [Randomly generated at creation, not every time it's needed.]

  12. #12
    vikpaw
    I guess, but it kind of defeats the 2-factor argument, because your system is open to a simple username/password combo access. So yes, I guess you make it very complex and long, assuming it's easy enough to do that based on user. I haven't seen how dual-factor is implemented.

  13. #13
    X-13
    Quote Originally Posted by vikpaw
    I guess, but it kind of defeats the 2-factor argument, because your system is open to a simple username/password combo access. So yes, I guess you make it very complex and long, assuming it's easy enough to do that based on user. I haven't seen how dual-factor is implemented.
    This sort of thing is how you either compromise your security or break your add-ons...

    Unless all the add-ons are from XYZ MIS as extra paid features.

    That way the automated stuff is trusted as it's FROM the company who made the MIS in the first place.
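
Posts #11 to #13 settle on a "trusted system account" that skips the second factor and is protected only by a long random credential. As an added example (not code from the thread, and not how SIMS, Groupcall, Aspen or any other named product works), here is one way such an account can be made considerably more than "a simple username/password combo": each integration holds its own high-entropy key and signs every request with HMAC over the method, path, timestamp, nonce and body hash, while the MIS side enforces freshness, replay rejection, a per-integration scope and the source-network restriction LosOjos raised in #3. The key id, key bytes, scopes, paths and network ranges are all constructed for the demonstration.

```python
"""Constraining a non-interactive "trusted system account" so that exemption
from the second factor does not reduce to a reusable username/password.
Added example, not code from the thread or from any named MIS or supplier;
the key id, key, scopes, paths and networks below are constructed."""
import hashlib
import hmac
import ipaddress
import secrets
import time

MAX_SKEW_SECONDS = 300          # reject requests whose timestamp is too old or too new

# Registry the MIS would hold. Each integration gets its own key
# (secrets.token_bytes(32) at provisioning), the minimum scopes it needs,
# and the networks it may call from.
INTEGRATIONS = {
    "attendance-sync-01": {
        "key": bytes.fromhex(
            "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
        ),
        "scopes": {"attendance:read"},
        "allowed_nets": [ipaddress.ip_network("203.0.113.0/24")],
    },
}
_seen_nonces: set = set()       # in production: a store with expiry >= 2 * MAX_SKEW_SECONDS


def canonical(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bytes both sides sign: method, path, time, nonce and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, method, path, body, now=None, nonce=None) -> dict:
    """Client side (the integration): build the headers for one request."""
    record = INTEGRATIONS[key_id]
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(record["key"], canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


def verify_request(headers, method, path, body, required_scope, source_ip, now=None):
    """Server side (the MIS): returns (accepted, reason). Cheap checks first;
    nothing is recorded until the signature has been verified."""
    now = int(time.time() if now is None else now)
    record = INTEGRATIONS.get(headers.get("X-Key-Id", ""))
    if record is None:
        return False, "unknown key id"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "bad source address"
    if not any(addr in net for net in record["allowed_nets"]):
        return False, "source address not allowed"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    nonce = headers.get("X-Nonce", "")
    if not nonce:
        return False, "missing nonce"
    expected = hmac.new(record["key"], canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add(nonce)
    if required_scope not in record["scopes"]:
        return False, "scope not granted"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"date": "2013-03-01"}'
    hdrs = sign_request("attendance-sync-01", "GET", "/api/attendance", body)
    print(verify_request(hdrs, "GET", "/api/attendance", body, "attendance:read", "203.0.113.10"))  # (True, 'ok')
    print(verify_request(hdrs, "GET", "/api/attendance", body, "attendance:read", "203.0.113.10"))  # (False, 'replayed nonce')
```

This is still single-factor in the strict sense (possession of the key), but it changes what a leaked credential buys: a captured request cannot be replayed, cannot be altered (the signature covers the body and the timestamp, so an attacker cannot freshen a stale capture), only works from the integration's own network, and only reaches the one scope that integration was granted. Each integration gets a separate key, so revoking Groupcall's key does not break Salamander's sync.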

  14. #14
    GREED
    A very good conversation. There are many aspects that can be covered here, including the justification for dual-factor authentication specifically for cloud MIS compared to client MIS that is still accessible via the internet. Instances where the likes of Groupcall connect are also interesting.

    Dare I get picky, but this is for x third parties to also answer: how they intend to resolve this, compared to how x cloud MIS will resolve this for them (all).

    I must say this has given me some things to think about. What I can say is that currently Aspen MIS itself does not use DFA, but customers we are working with utilise DFA through an additional layer, separate from Aspen MIS. We are working on a project to have DFA embedded into Aspen for a large customer in the US. I will also have a better understanding of how this will work in practice in the summer and will be happy to share.

    Ultimately, now everything can be accessed over the internet, there is the conundrum we have always had: security over convenience. How can we conveniently get data to x third party (or from) while still being secure, with a data key or the like... I don't have the answer myself!

  15. #15
    X-13
    Quote Originally Posted by GREED
    How can we conveniently get data to x third party (or from) while still being secure, with a data key or the like... I don't have the answer myself!
    Change them from 3rd party to pseudo-1st party?

    Bring them in-house if they want to write an add-on and let them have the authentication code [along with a cast-iron NDA], or require them to hand over the source, which you'll add the authentication generator/code to after it's done.
