Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Banner Parent Proxy
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Tue, 9 Feb 2021 19:13:50 +0000
1. Is anyone using MFA for the proxy user login? And if so, are you using Duo? I am not entirely sure our license covers this but I am also not sure I want to supporting non-WSU accounts. No. Is this even an option? The auth for proxy access is kind of its own animal in Banner as I understand it and I am not sure that it can be connected to SSO. Hardly definitive, but Googling for university proxy access pages, I didn't find any that seemed to mention using MFA. And as you mention, supporting MFA for proxy users could be problematic even if technically possible and allowed by your licensing. 1. It looks like the only thing required to give someone proxy access is a valid email, has anyone put something in place to validate the proxy user is an actual parent or guardian? We're not doing this. Proxy access could be used for a variety of 3rd party uses so this could be challenging to verify relationships with the information we available. 1. Is this something your IT teams would instinctively consult general counsel about for any FERPA issues? Yes, I believe at the time we rolled this out that we worked closely with the registrar and general counsel. One thing to think about is that the alternative to using proxy access is that students would likely share their account info with others instead which has its own FERPA issues. That becomes harder and/or more problematic depending on how you look at it if you have MFA on Banner SS. I don't know if this is possible, but one compensating control might be to age proxy entries so they at least don't stay active forever. (Your questions caused me to notice that the test proxy access I setup 6 years ago for myself here at our institution is still active) Thanks, Chris Chris Gregg Associate Vice President of Information Security & Risk Management, CISO Innovation & Technology Services (ITS) csgregg () stthomas edu<mailto:csgregg () stthomas edu> p 1 (651) 962-6265 University of St. Thomas | stthomas.edu<https://www.stthomas.edu/> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garrett McManaway Sent: Tuesday, February 9, 2021 10:34 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [External] [SECURITY] Banner Parent Proxy All, We are going to be rolling out the Parent Proxy feature in Banner and I have a few questions for anyone that is currently using the product. We were brought in late to the discussion about this one and trying to get some quick answers before it goes live. 1. Is anyone using MFA for the proxy user login? And if so, are you using Duo? I am not entirely sure our license covers this but I am also not sure I want to supporting non-WSU accounts. 2. It looks like the only thing required to give someone proxy access is a valid email, has anyone put something in place to validate the proxy user is an actual parent or guardian? 3. Is this something your IT teams would instinctively consult general counsel about for any FERPA issues? The last question might be a discussion all on its own. No one in our IT team or the business partners working on rolling this out thought to ask "we can, but should we?" until I was involved. It the issue in the second question that concerns me. I know part of the reason my team and myself are here is to identify those concerns ask that question when we reviewing projects but I also know I cannot review 100% of our applications due to time and resource constraints. Garrett McManaway CISO & Sr. Director C&IT - Information Security and Compliance Wayne State University Phone: 313-577-3454 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccsgregg%40STTHOMAS.EDU%7C16b2d183939b4963429a08d8cd187ea5%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637484853592873250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=DG4PrhiDYfpHyre3ulSnGrqR0rpT7TM0Txkzt2Gnjuc%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Banner Parent Proxy Garrett McManaway (Feb 09)
- Re: [External] [SECURITY] Banner Parent Proxy Gregg, Christopher S. (Feb 09)
- <Possible follow-ups>
- Re: Banner Parent Proxy Uday Kiran (Feb 09)
- Re: [External] Re: [SECURITY] Banner Parent Proxy Kevin Wilcox (Feb 10)