MIS Systems Thread, Cloud MIS Security in Technical; Just a closing thought as i go for my weekend, though will be back tomorrow for a bit in teh ...
13th February 2013, 02:16 PM #1
Cloud MIS Security
Just a closing thought as i go for my weekend, though will be back tomorrow for a bit in teh morning.
With a cloud MIS for security you really want to have dual-factor authentication. It's just too risky not to, right? Attempts at enforcing strong passwords, just force the user to write it down, usually somewhere obvious, in clear text, with a big label that says use this for 'XYZ MIS' (yes that popular product rears it's head again!)
I'm just wondering, how do you then get third party apps and providers to connect to the system?
Anyone with experience or thoughts?
For example, we have in-house SIMS, so my add-ins either have credentials passed in at run-time or stored locally on a server here, and they talk to eachother within the confines of my network.
How does this work, if the MIS is in the cloud, and all staff are using dual factor? How does the third party or automated system authenticate in a way that's dual factor?
IDG Tech News
13th February 2013, 02:33 PM #2
Depends what the second factor is.
Originally Posted by vikpaw
If it's a code via a physical token/app [Like WoW's two-factor] then they could just use the generator app as part of XYZ MIS and any time a 3rd-party app needs something it just requests the current code.
TBH, it's something that would be awkward to do [It may not be...] you either have to auto-auth all apps or hand over the code to generate valid authentication codes to 3rd-parties.
13th February 2013, 02:35 PM #3
I'd imagine this would come down to the third party app having to exist within the same network as the MIS, and two-tier authentication only being employed for connections originating outside of that network.
I'm certainly not the authority on this though!
13th February 2013, 03:12 PM #4
Two factor authentication requires you authenticate with 'something you have' and 'something you know'. So this could be something simple like a pin number and a fingerprint to get inside a building. World of warcraft is a good example of it done well. The 'something you know' is your username/password and the 'something you have' is the battlenet authenticator. It depends on the situation and your users as to what will work best for you, but for internet services of any description look at the WoW model.
13th February 2013, 04:49 PM #5
Can you give some examples of third party products that require an ad-hoc or even constant communication link with the cloud MIS in this scenario. I want to respond with specifics here as we are working with the same scenario with a customer using a Dual-Factor Authentication separated security layer between t'nternet and MIS.
This is common in local authorities who are hosting the MIS in their data centres. It is not a standard feature outside of this. I'm interested at why the distinction between cloud and client MIS here, given so many client MIS's are available via a remote desktop-type facility, which have the same levels of authentication (i.e. not usually dual factor). With the concern, I would want DFA on everything regardless of the cloud.
13th February 2013, 06:21 PM #6
If I was accessing any MIS system remotely either internally based system or Cloud based I would expect Dual Factor Authentication, to be honest the main reason we built this into Remote Access solution so to access our MIS system you need to have encrypted app and your Network username and Password as well as your (MIS username Password) no encrypted App can't access MIS systems.
This makes it reasonably seamless for the user as they click the App and this does encrypted Authentication then they just login as they normally would.
13th February 2013, 07:15 PM #7
@GREED an example of an application that runs against SIMS is Groupcall's exporter taking info to LA systems.
@Geoff I'm not convinced that the "something you know" is sufficient as its a constant; I can obtain millions of static passwords from Internet sources. Random characters from the "something you know" would work I think.
13th February 2013, 07:34 PM #8
@GREED We use SIM's but use Insight for parental portal which sits on a seperate Server and communicates with SIM's to extract Student information for parents into Insight is this the kind of thing you mean and requires a SIM's user account authentication to do this so it has virtually live data going across this is all done internally.
14th February 2013, 11:13 AM #9
I was simplifying for the purposes of readability. The correct term for 'something you know' in the context of two factor authentication is of course a 'knowledge factor'. Which is defined generally as 'the user is required to prove the knowledge of a secret in order to authenticate'. This generally takes the form of a password, pin number or pattern.
I'm not convinced that the "something you know" is sufficient as its a constant; I can obtain millions of static passwords from Internet sources. Random characters from the "something you know" would work I think.
14th February 2013, 11:45 AM #10
Good discussion this.
I know remote access to on-site MIS needs to be secure, and should be dual factor, this is fine as i imagine teh other systems continue working as they do.
I know how dual-factor works, and i expect that there is either a generator, or a physical device of some kind which prevents simple password snooping. This would be for all users. My query is how does an automatic app / third party service, process or whatever use this physical generator / device?
It's okay to issue all humans with a keyfob but what about the other systems? As has been said, they may have to stay internal, or, utilise some kind of trust. That is what i'm trying to work out.
For example, we use groupcall emerge, and schoolcomms.
Emerge uses dual factor as the service is locked to the physical device and then utilises a username, password, and pin code on top. I don't allow public access, so it only works when the user is on my wifi / lan. Even if we published that service externally, it would be secure using the same set up. The groupcall server is on site and has internal comms to SIMS.
When I run the schoolcomms desktop app and sync data, it uses my client to run sims and connect to the server and i provide sims credentials ad hoc.
If I use XYZ-Nimbus MIS, and it's in the cloud. How does Groupcall connect to that? Even if i house it internally, the MIS is now out there. For me to connect i need dual factor, how does the groupcall service do ad-hoc calls to the MIS. And it does need to, each device via the server pulls down live attendance data if it's available.
Schoolcomms may be easier as it might be part of my authentication to the cloud as it's normally called on request.
Groupcall also does it's overnights on schedule and Salamander connects to SIMS, nightly and on command, to synchronise data between SIMS and the ID card system. Even my own internal scripts would be affected, e.g. Command Reporter which runs overnight to dump data out of SIMS and then into the library system.
I'm sure there are other third parties with similar requirements, and probably some that are cloud themselves...
Do they all need to change how they interact with XYZ-Nimbus compared to XYZ-Terra?
Who is the onus on to make these things work? Is this where SIF has it's place? I don't know, i'm not really sure how it works.
14th February 2013, 12:28 PM #11
Trusted system account?
Originally Posted by vikpaw
As in, if $user requests data, DON'T require two-factor.
The username would be akin to the RM system account we have, where it's a randomly generated string of numbers/letters. [Randomly generated at creation, not every time it's needed.]
14th February 2013, 12:41 PM #12
I guess, but it kind of defeats teh 2-factor argument, cos your system is open to a simple username/password combo access. So yes, i guess, you make it very complex and long. Assuming it's easy enough to do that based on user. Haven't seen how dual-factor is implemented.
14th February 2013, 12:46 PM #13
This soft of thing is how you either compromise your security or break your add-ons...
Originally Posted by vikpaw
Unless all the add-ons are from xyz MIS as extra paid features.
That way the automated stuff is trusted as it's FROM the company who made the MIS in the first place.
14th February 2013, 12:59 PM #14
A very good conversation. There are many aspects that can be covered here, including the justification for dual factor authentication specifically for cloud MIS compares to client MIS that is accessable via the internet still. Instances where the likes of Groupcall connect is also interesting.
Dare I get picky, but this is for x third parties to also answer, how they intend to resolve this compared to how will x cloud MIS resolve this for them (all).
I must say this has given me some things to think about. What I can say is currently Aspen MIS itself does not use DFA, but customers we are working with utilise DFA through an additional layer, separate from Aspen MIS. We are working on a project to have DFA embedded into Aspen for a large customer in the US. I will also have a better understanding how this will work in practice in the summer and will be happy to share
Ultimately, now everything can be accessed over the internet, there is the conundrum we have always had: Security over convenience. How can we conveniently get data to x third party (or from) while still being secure with a data key or the like... I don't have the answer myself!
14th February 2013, 01:19 PM #15
Change them from 3rd party to psuedo-1st party?
Originally Posted by GREED
Bring them in-house if they want to write an add-on and let them have the authentication code [along with a cast iron NDA] or require them to hand over the source, which you'll add the authentication generator/code to after it's done.
By MissyD in forum Cloud Services
Last Post: 4th February 2013, 04:04 PM
By Qualitypolice999 in forum MIS Systems
Last Post: 26th June 2012, 01:05 PM
By CPLTD in forum Our Advertisers
Last Post: 17th April 2012, 10:07 AM
By garrysaddington in forum MIS Systems
Last Post: 4th December 2009, 10:12 PM
By nawbus in forum General Chat
Last Post: 27th August 2005, 03:20 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)