Balancing the Flexibility of Web Services with Responsibilities for Maintaining Network Security

rasherman

As a CIO responsible for network security and sustainability, and a Web Producer interested in using hosted Web Services, e.g. Blogger, Wordpress.com, wikispaces, basecamp, Volgistics, etc. to further the mission, I find I'm being challenged by honoring the network security responsibility with the flexibility of web hosted services.

For example, we purchase the services of a web hosted company, e.g. Volgistics, Workamajig, and need to set up access for our staff to use the services. But these services don't integrate with our LDAP ACL. We host WordPress in house and staff feel it isn't flexible enough for them so they create Blogger blogs. In this case, I'm concerned that they're not accustomed to following good security and failover practices such as ensuring other people in their organization know the admin credentials to maintain the blog in case the originator is suddenly unavailable.

Does anyone have any suggestions for great practices in these areas or papers I could read?

Thanks!

John

API?

If the web-hosted service has an API, you could write a script that logs into it and deactivates the account via the API. In a Linux environment you could write a cron job that queries the users in LDAP and updates the accounts with each web-based software service that you are using.
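The nightly LDAP-to-SaaS reconciliation John describes, written out as an added example (it is not code from this thread, and none of the services named above publish an API that the thread describes). The `FakeSaasClient` is a hypothetical in-memory stand-in for a vendor's user-management API; the e-mail addresses and directory export are constructed sample data. Two safeguards a practitioner would want are included: an exemption list for vendor or service accounts, and a refusal to run when a bad directory query would deactivate a large share of accounts at once.

```python
"""Reconcile hosted-service accounts against the LDAP directory (added example).

Constructed sample data stands in for the real LDAP query and the vendor API.
In a real deployment the directory side would be an LDAP search for enabled
accounts, e.g. against Active Directory the filter
    (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
and the SaaS side would be the vendor's own user endpoints.
"""
from dataclasses import dataclass


@dataclass
class SaasAccount:
    email: str
    active: bool = True


class FakeSaasClient:
    """Hypothetical stand-in for a hosted service's user-management API.

    Only two operations are assumed: list accounts and deactivate one.
    """

    def __init__(self, accounts):
        self._accounts = {a.email.lower(): a for a in accounts}
        self.calls = []  # audit trail of deactivation calls made

    def list_accounts(self):
        return list(self._accounts.values())

    def deactivate(self, email):
        self.calls.append(email)
        self._accounts[email.lower()].active = False


class SyncAborted(Exception):
    """Raised when the directory data looks wrong and mass-deactivation would be unsafe."""


def reconcile(ldap_active_emails, client, *, exempt=(), max_fraction=0.25, dry_run=False):
    """Deactivate every active SaaS account whose owner is no longer enabled in LDAP.

    ldap_active_emails: e-mails of accounts currently enabled in the directory.
    exempt: vendor/service accounts that are never touched.
    max_fraction: abort if more than this share of active accounts would be
        disabled in one pass; a failed or empty LDAP query must not lock
        everyone out of the service.
    Returns the e-mails deactivated (or that would be, when dry_run is set).
    """
    directory = {e.lower() for e in ldap_active_emails}
    if not directory:
        raise SyncAborted("LDAP returned no enabled users; refusing to deactivate anyone")
    exempt_set = {e.lower() for e in exempt}

    active = [a for a in client.list_accounts() if a.active]
    stale = [a.email for a in active
             if a.email.lower() not in directory and a.email.lower() not in exempt_set]

    if active and len(stale) / len(active) > max_fraction:
        raise SyncAborted(f"{len(stale)} of {len(active)} accounts would be deactivated; "
                          "exceeds safety threshold, needs manual review")
    if not dry_run:
        for email in stale:
            client.deactivate(email)
    return stale


# Constructed sample data: what HR/IT left enabled in the directory tonight.
LDAP_ACTIVE = ["alice@museum.example", "Bob@museum.example", "carol@museum.example"]
EXEMPT = ["vendor-support@workamajig.example"]


def build_demo_client():
    """Constructed snapshot of a hosted service's user list."""
    return FakeSaasClient([
        SaasAccount("alice@museum.example"),
        SaasAccount("bob@museum.example"),
        SaasAccount("dave@museum.example"),            # left the museum, still active here
        SaasAccount("vendor-support@workamajig.example"),  # vendor login, must survive
        SaasAccount("eve@museum.example", active=False),   # already disabled
    ])


def run_nightly():
    """What the cron job would do for one service; returns (deactivated, client)."""
    client = build_demo_client()
    removed = reconcile(LDAP_ACTIVE, client, exempt=EXEMPT)
    return removed, client


if __name__ == "__main__":
    removed, _ = run_nightly()
    print("deactivated:", removed)
```

Run it once per hosted service from cron with `dry_run=True` for the first few nights and compare the returned list against what HR reported; the threshold abort is deliberately noisy so that an outage on the LDAP side produces a page to IT rather than a locked-out Marketing department.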

bwyman

Are you over-engineering the solution?

I'm not quite sure I'm seeing the problem with the web hosted services. Why do you actually need to integrate it with your LDAP ACL? Why not let users have separate logins with external web services?

The blogging stuff sounds like a different issue -- if Blogger has features they desire as opposed to WP (really? like what? or is it ease of use and/or prettier templates), can you add features to your WP install?

Rose Sherman

Overengineering? Perhaps. Perhaps Not.

Thanks for your response.

Let me explain further. So we're going to start using Workamajig, a project management/workflow software, by creative-manager.com. The Marketing Department will be administering access to the system. They'll create user accounts (likely the staff's email address) and permissions to the system. This is all cool. They'll be setting up access to the system for people in the Marketing Department AND outside their department - in our program staff.

Now let's say someone in the program staff terminates employment with the museum. The Information Technology department, who maintains the LDAP ACL for network access, is notified by HR that the staff member has left. So IT inactivates or eliminates the network account at midnight of the day of termination. The staff person no longer has access to the network and therefore can't injure it, especially if they left under extenuating circumstances.

But, IT doesn't have responsibility for removing that staff person's access to Workamajig. So, a disgruntled former employee would still have access to that system until the Marketing administrator realizes they're gone.

You say that HR should inform Marketing of the staff's termination? I agree. But the more we use hosted services that don't integrate with our LDAP, the more unwieldy this becomes. We currently use hosted services for managing access/review to our corporate credit cards, for volunteer management, for project management (Basecamp), and now Workamajig. So now HR needs to notify at least five organizations when a staff person terminates.

Thoughts?
