Web Team Policy Change to Sandbox FTP Accounts

Hi All,
As you know, the Web Team is underway converting sites to OmniUpdate (our new WCMS). Many folks are requesting training and converting their sites. Julie has reported that we now have over 100 Omni accounts. Slowly but surely, these sites are being pushed live by Larry and the users' old sandbox (development Web server) accounts are being phased out.
One of the reasons for choosing Omni, other than the great and easy way for non-technical staff and faculty to keep their Web sites updated, was for security. Sandbox accounts require FTP access. Most of those accounts use the old non-secure FTP protocol as it was grandfathered into the Web Team's service many years ago. With an FTP account, any file can be uploaded onto our main Web server via the sandbox development server, and the potential for cracking system security is present with an FTP account. This has been a security concern for me since my first day on the job.
Julie, Larry, and Alice (our student worker) have done a terrific job creating and setting up Omni sites, managing Omni sites, and training users on OmniUpdate.
At the beginning of June, I sent out a 30-day notice for all sandbox accounts to be renewed. All accounts expire in one year and an account holder must request renewal. Before I arrived at De Anza, many accounts for our Web site were so old, no one knew who they belonged to or who was currently using that account. It was a terrible security setup that I changed immediately. As attacks on Web sites are becoming more bold and Web security is more and more a concern, my current security policy of year-long Web accounts and using standard FTP is no longer adequate.
Now that there is an option with OmniUpdate (a more secure system for Web management), I'm making the following Web Team service policy change:
Starting in the 2009-10 academic year, all sandbox FTP accounts must be renewed every 30 days and must be an sFTP (secure FTP) account.
As it is now, access information is provided by the Web Team (i.e., users cannot create their own passwords).
Note: an OmniUpdate account does not require access renewals. However, the Web Team has considered forcing users to update their passwords. For OmniUpdate, this would remain on an annual basis starting the 2009-10 academic year.
I will be providing users with this updated policy during this month's round of renewals.
Thanks, and if you have any questions, please don't hesitate to ask.
College Web Coordinator, Senior