Thursday, August 05, 2010

We need a security audit, now please

Audits are not the most welcome thing. Nobody likes an audit. But with SJSU in the midst of a huge migration from proprietary e-mail systems like Lotus Notes and Exchange to Google-provided Gmail, there have been some major changes that should be looked at. The user authentication method (UAM) used by the old systems was distributed and administered by staff employees in organizational units (OUs), whose administration capabilities were limited to employees in their own OU. The UAM for Gmail at SJSU is SJSUOne.

Campus-wide password resets for SJSUOne are routinely done by student assistants. SJSUOne is the same UAM that has been used for the SJSU wireless network, and the current security protocols were designed with less sensitive needs in mind (like the wireless network) than authenticating access to the e-mail of every employee at SJSU.

Somebody who has expertise and real authority (and the ability to change things if they need to be changed) needs to take a hard look and decide whether SJSU's SJSUOne security protocols are tight enough to be used for a system that will authenticate the e-mail of the university president, the head of HR, SJSU's counselors, deans, managers, faculty and every other employee of San Jose State University.


Jeremy said...

This tough, honest transparency. At least we know one professional's hand is on the tiller.

Rich said...

BSA Hotline

Someone needs to file a complaint with the state auditors against your campus for allowing this to go on, long after it has been brought to their attention.

Rich McGee
Chair, CSUEU Unit 9