Re: [External] [SECURITY] Banner Parent Proxy

["Gregg, Christopher S." <csgregg () STTHOMAS EDU>]

  1.  Is anyone using MFA for the proxy user login? And if so, are you using Duo? I am not entirely sure our license 
covers this but I am also not sure I want to supporting non-WSU accounts.

No.  Is this even an option?  The auth for proxy access is kind of its own animal in Banner as I understand it and I am 
not sure that it can be connected to SSO.  Hardly definitive, but Googling for university proxy access pages, I didn't 
find any that seemed to mention using MFA.  And as you mention, supporting MFA for proxy users could be problematic 
even if technically possible and allowed by your licensing.


  1.  It looks like the only thing required to give someone proxy access is a valid email, has anyone put something in 
place to validate the proxy user is an actual parent or guardian?

We're not doing this.  Proxy access could be used for a variety of 3rd party uses so this could be challenging to 
verify relationships with the information we available.


  1.  Is this something your IT teams would instinctively consult general counsel about for any FERPA issues?

Yes, I believe at the time we rolled this out that we worked closely with the registrar and general counsel.

One thing to think about is that the alternative to using proxy access is that students would likely share their 
account info with others instead which has its own FERPA issues.  That becomes harder and/or more problematic depending 
on how you look at it if you have MFA on Banner SS.

I don't know if this is possible, but one compensating control might be to age proxy entries so they at least don't 
stay active forever.   (Your questions caused me to notice that the test proxy access I setup 6 years ago for myself 
here at our institution is still active)

Thanks,

Chris



Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu/>





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garrett McManaway
Sent: Tuesday, February 9, 2021 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] [SECURITY] Banner Parent Proxy

All,

We are going to be rolling out the Parent Proxy feature in Banner and I have a few questions for anyone that is 
currently using the product. We were brought in late to the discussion about this one and trying to get some quick 
answers before it goes live.


  1.  Is anyone using MFA for the proxy user login? And if so, are you using Duo? I am not entirely sure our license 
covers this but I am also not sure I want to supporting non-WSU accounts.
  2.  It looks like the only thing required to give someone proxy access is a valid email, has anyone put something in 
place to validate the proxy user is an actual parent or guardian?
  3.  Is this something your IT teams would instinctively consult general counsel about for any FERPA issues?

The last question might be a discussion all on its own. No one in our IT team or the business partners working on 
rolling this out thought to ask "we can, but should we?" until I was involved. It the issue in the second question that 
concerns me. I know part of the reason my team and myself are here is to identify those concerns ask that question when 
we reviewing projects but I also know I cannot review 100% of our applications due to time and resource constraints.

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ccsgregg%40STTHOMAS.EDU%7C16b2d183939b4963429a08d8cd187ea5%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637484853592873250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=DG4PrhiDYfpHyre3ulSnGrqR0rpT7TM0Txkzt2Gnjuc%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community