University of California Technical Presentation


Page 1 - December 4, 2013 - PROPRIETARY AND CONFIDENTIAL

University of California

Technical Presentation

November 15, 2006

Presented by: Bill Docherty

Senior Director, Product Management


SumTotal Technical Infrastructure Overview



1. Architecture and System Requirements

2. System Integration and Administration (SIA)

3. Security (SCR)

4. Support/Upgrades





SumTotal Architecture and System Requirements

1.1

To open the discussion, please hand out a diagram describing the system’s architecture, indicating each component’s location with respect to a corporate firewall.



SumTotal Architecture and System Requirements

1.2

The system is capable of working with various database and operating system configurations including SQL 2000/Windows 2000 and Oracle/Unix or DB2/Unix.

1.3

The system provides the ability to select or deselect administration, learner, and course features and functions without jeopardizing the integrity of the package.

Response: The SumTotal platform supports MS SQL 2000/Windows 2000 and Oracle/Unix environments.

Response: SumTotal’s robust role-based security model provides the ability to enable/disable features by role without jeopardizing application integrity.



SumTotal Architecture and System Requirements Con.

1.4

The system operates in a thin client/fat server configuration to cater to low bandwidth availability.

1.5

The system has an easily configured and managed archiving and back-up system that is based on scheduling rules.

1.6

The system is object-oriented (if 100% object oriented, make and support this claim).

Response: The SumTotal platform is a 100% thin/web client based application that is ideal for low bandwidth environments.

Response: The SumTotal platform leverages industry standard database
platforms such as SQL Server 2000 and Oracle and therefore supports the
use of any third party tool for archiving and backup

Response: The SumTotal application has been developed with object
oriented principles in mind but is not 100% object oriented



SumTotal Architecture and System Requirements Con.

1.7

Describe and illustrate how the system supports an open database structure, meets ODBC/JDBC compliance, and contains a central data repository allowing for multiple sites to be managed by one database. Describe how the system carries out automated database maintenance and provides a method for archiving inactive records that can be later reactivated. Provide the system’s database table schema.



1.8


Describe and illustrate how the system supports an open database
structure, meets ODBC/JDBC compliance, and contains a central data
repository allowing for multiple sites to be managed by one database.
Describe how the system carries out automated database maintenance and
provides a method for archiving inactive records that can be later
reactivated. Provide the system’s database table schema.

Response: The SumTotal platform is based on open industry database standards and principles with a well documented relational database structure. Communication between the web server and database server tiers occurs via OLEDB/ODBC with calls to database stored procedures and no embedded SQL. SumTotal “domains” capability supports multiple sites/instances in a single centralized database. The SumTotal database supports the use of third-party data archiving and backup tools.

Response: Same response as question #1.7 above



SumTotal Architecture and System Requirements Con.

1.9


Describe the development environment used to customize the system and
identify components of the system that can and can not be customized.

1.10


Describe and illustrate how the system architecture is decomposed in a
manner that provides the ability to independently monitor and tune each
application component.

Response: The SumTotal application is developed in ASP (active server pages) with server side JavaScript. The system also makes extensive use of database stored procedures. The application source code can be modified using any tool that supports editing ASP pages. SumTotal happens to use MS Visual Studio for development internally but this tool is not required. In addition, SumTotal exposes a broad set of SOAP-based web services. The only areas of compiled code that cannot be customized are several COM objects that control system security functions such as providing secure access to online content.

Response: The SumTotal application can be supported by one or more web servers and one or more physical database servers, each of which can be monitored independently and tuned to optimize application performance.



SumTotal Architecture and System Requirements Con.

1.11

Describe any additional software required on client workstations other than an IE, Netscape or Safari browser. What is the OS compatibility of the software/plug-in components?

1.12

Provide information on the current version of your software. Describe the software programming languages used to implement each component of the system.

Response: The SumTotal application does not require the pre-installation of any software components on client workstations other than a browser for most modes of the application. The Report Manager component (which is typically used by a small audience) does require the use of the MS Office Web Components control, which does require the use of IE and Windows. In addition, individuals that will upload content must support the download of a Java applet to support the upload process.

Response: SumTotal 7.2 is the current shipping version of the SumTotal
suite. The application is developed in ASP (active server pages) with server
side JavaScript. The system also makes extensive use of database stored
procedures.



SumTotal Architecture and System Requirements Con.

1.13


Does your company use a software engine (i.e., “black box”) to automatically process content such as data stored in a separate database? If yes, is the software engine proprietary technology?

1.14

Has your company created any proprietary development languages or models that enable you to reduce the time and cost of program development? If yes, how does that restrict University of California’s ownership of source code? Describe University of California’s right to maintain the program on its own or via third parties in the future and indicate if the source code is ever maintained in escrow.

Response: No, the SumTotal application does not use a software engine or “black box”.

Response: SumTotal has developed an intermediary language and tool named “Spanner” that allows for the creation of optimized database stored procedures for multiple database platforms in reduced time. Ownership of the application source code remains with SumTotal but does not impact the University of California’s right to customize the code to meet their needs. The application source can be maintained in escrow at a customer’s request.


SumTotal System Integration & Administration (SIA)

2.1

The system has the ability to store content in XML


2.2


The system allows for metadata tags to be easily modified

Response: SumTotal's database repository is normalized in database tables. As a result most data is stored within individual database fields and not in XML documents. However, there is a facility within our LMS and LCMS that enables customers to create their own metadata fields and store them as XML in the database.

Response: All user interface text elements are stored in resource files to facilitate localization in multiple languages and can be easily changed by customers as desired. The system also supports customer defined meta-tags for various objects in the system such as learning activities and TotalLCMS projects, courses and assets.


SumTotal System Integration & Administration (SIA)

2.3

The system easily integrates with content produced using common course authoring tools including but not limited to Flash, Firefly, Dreamweaver, FrontPage, Authorware, ToolBook, Breeze and Lectora.

2.4


The system provides the capacity to manage 15,000 licenses, easily
upgradeable to 20,000 licenses.

Response: The SumTotal platform provides strong support for third party content, authoring tools and virtual meeting products. With support for any content produced to the AICC/SCORM standards in addition to out-of-the-box connectors for Breeze, Centra, WebEx and Interwise, SumTotal is unsurpassed in content support.

Response: The SumTotal platform is highly scalable with customer
implementations with more than 300,000 active users and 4,000 concurrent
users. The SumTotal platform easily provides the capability to support
20,000 licenses.


SumTotal System Integration & Administration (SIA) Con.

2.5

Describe how the system would integrate with an import of payroll/personnel system data to update learner information (e.g., history, new hires, separations, etc.). Provide similar implementation examples from other companies.

2.6

Identify any technical implementation hurdles experienced in the past and describe how they were overcome (if possible, provide an example using an educational institution).


Response: SumTotal has a well defined batch integration process to import data from HRIS/Payroll/Personnel systems on a regularly scheduled basis. This batch integration interface supports importing flat files containing user, organization and job/role information and is a standard aspect of just about every SumTotal implementation. This batch integration process has been implemented for the University of Michigan to automatically keep users, organizations and user/organization mappings up to date in TotalLMS.

Response: With customers spanning just about every vertical industry,
SumTotal can run into a range of implementation challenges. One example
is with the delivery of learning content to low bandwidth environments,
which is typical in the retail industry. SumTotal ran into this challenge at
one of the largest grocery chains in the country and worked collaboratively
with the customer to develop a remote content solution that ultimately
became a part of the SumTotal core product offering.


SumTotal System Integration & Administration (SIA) Con.

2.7


Demonstrate how a 3rd party reporting tool integrates into your system by
generating a live report

Response: SumTotal will provide an example of generating a Microsoft Access based report to demonstrate the openness of the SumTotal database and the ease with which 3rd party reporting tools can be used.


SumTotal Security (SCR)

3.1


Describe, in detail, your system’s ability to use Kerberos.

3.2

The system is password-protected to enforce security at multiple levels including organization, department, learning organization, etc.

Response: The SumTotal application supports Microsoft IIS running on the Windows 2000 or 2003 server operating system and supports Integrated Windows Authentication between the client browser and IIS. If Active Directory Services is installed on the server and the browser is compatible with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol and the challenge/response protocol are used.

Response: The SumTotal system provides a standard application login interface that requires that a user enter a valid login/password combination to access the system. In addition, the system can be implemented with other authentication mechanisms such as NT Authentication, LDAP, Active Directory and Siteminder. Once a user is successfully authenticated, the application is able to determine the user's data access permissions based upon their association to security roles, audiences, domains and organizations. SumTotal has not had a customer report of a user being able to access data in the system that violates their access permissions in the system.


SumTotal Security (SCR)

3.3

The system does not utilize root (system administration) access privileges to accomplish application features.

3.4

The system uses LDAP to implement system security and can integrate with LDAP for user authentication.

Response: The SumTotal system does not utilize root or system
administration privileges to accomplish application features/tasks.

Response: The standard application does not use LDAP to implement system security. System security is controlled and maintained using the security roles defined within the system. The SumTotal system can be implemented with LDAP for user authentication, which is a standard aspect of the product implementation.


SumTotal Security (SCR) Con.

3.5

The system provides an audit trail linking the user or administrator to all transactions updating the database.

3.6

The system provides the ability to monitor user access and traffic patterns (number of contacts, lengths of activity, peak zones, etc.).


Response: The SumTotal platform complies with CFR 21/Part 11, which is an FDA guideline that covers the required auditing of training records to be able to prove the validity of that data. This results in the maintenance of a complete audit trail for user, learning activity and learning activity roster records in the system.

Response: The SumTotal platform leverages the industry standard Microsoft IIS web server platform and as such third party tools such as WebTrends can be easily used to monitor application usage and traffic. The WebTrends tool is used by the SumTotal Systems datacenter to analyze usage traffic by hosted customers.


SumTotal Security (SCR) Con.

3.7

Database login configuration is accomplished by a system administration configuration interface and is protected to prevent unauthorized access.

3.8

Describe application compliancy with each of the OWASP Top Ten Minimum Security Standards for Web Application Security.

Response: The database login information utilized by the SumTotal web
server to access the SumTotal database is configured by a system
administration configuration setting and is stored in an encrypted format.

Response: Response to each of the OWASP Top Ten is on the three
subsequent slides


OWASP Top Ten Security Vulnerabilities

Vulnerability: Unvalidated Input
Description: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
SumTotal Response: Not an issue - validated by third party security audits

Vulnerability: Broken Access Control
Description: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
SumTotal Response: Not an issue - validated by third party security audits

Vulnerability: Broken Authentication and Session Management
Description: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
SumTotal Response: Not an issue - validated by third party security audits



OWASP Top Ten Security Vulnerabilities

Vulnerability: Cross Site Scripting (XSS) Flaws
Description: The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
SumTotal Response: Several identified issues via third party security audits. Were addressed via a security hotfix for the 7.1 release and now part of the core product

Vulnerability: Buffer Overflows
Description: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
SumTotal Response: Not an issue - validated by third party security audits

Vulnerability: Injection Flaws
Description: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
SumTotal Response: No SQL injection vulnerabilities - all stored procedures used for DB access. A few exposures to JavaScript “Eval()” function injection. Were addressed via security hotfix for 7.1 release and now part of the core product
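The “Eval()” injection class named in the Injection Flaws row, as an added example that is not SumTotal's code: an ASP-style server-side JavaScript handler that deserialises a request field with eval(), beside a hardened replacement that accepts data only. Function names and inputs are hypothetical and constructed for illustration.

```javascript
// Added illustration, not from the SumTotal product. Server-side JScript in an
// ASP page commonly turned a request field holding an object literal such as
// {"page":2,"sort":"title"} into an object by handing it to eval(). eval()
// runs whatever JavaScript the field contains, so the request author controls
// code execution inside the web server process.
function parseOptionsLegacy(field) {          // hypothetical legacy handler
  return eval("(" + field + ")");
}

// Hardened replacement: JSON.parse accepts data, never code, and every field
// is checked against an allow-list before the application uses it.
const ALLOWED_SORT = new Set(["title", "date", "author"]);

function parseOptionsSafe(field) {            // hypothetical hardened handler
  let obj;
  try {
    obj = JSON.parse(field);
  } catch (e) {
    return null;                              // not strict JSON: reject it
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return null;
  }
  const page = Number.isInteger(obj.page) && obj.page >= 1 ? obj.page : 1;
  const sort = ALLOWED_SORT.has(obj.sort) ? obj.sort : "title";
  return { page, sort };                      // only validated fields survive
}

// Constructed request fields: a normal one, and one whose "page" value is an
// expression rather than a number. The expression is harmless, but the fact
// that it is evaluated at all shows the legacy path executes caller-supplied
// code, which is the exposure the slide describes.
const NORMAL_INPUT = '{"page": 2, "sort": "date"}';
const EXPRESSION_INPUT = '{"page": 40 + 2, "sort": "date"}';

function demo() {
  return {
    legacyNormal: parseOptionsLegacy(NORMAL_INPUT).page,      // 2
    legacyExpr: parseOptionsLegacy(EXPRESSION_INPUT).page,    // 42: code ran
    safeNormal: parseOptionsSafe(NORMAL_INPUT).page,          // 2
    safeExpr: parseOptionsSafe(EXPRESSION_INPUT),             // null: rejected
  };
}

console.log(demo());
```

Detecting the legacy pattern in a code base is a matter of searching ASP pages for eval( applied to Request.Form, Request.QueryString or Request.Cookies values and replacing each site with strict parsing plus an allow-list, as above.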


OWASP Top Ten Security Vulnerabilities

Vulnerability: Improper Error Handling
Description: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
SumTotal Response: Not an issue - validated by third party security audits

Vulnerability: Insecure Storage
Description: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
SumTotal Response: Not an issue - validated by third party security audits

Vulnerability: Denial of Service
Description: Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
SumTotal Response: Not an issue - validated by third party security audits

Vulnerability: Insecure Configuration Management
Description: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
SumTotal Response: Not an issue - validated by third party security audits



SumTotal Security (SCR) Con.

3.9

Describe audit capability for monitoring and reporting on application configuration changes.

3.10

Describe the vendor test and release schedule for maintaining compatibility with server and end-user operating system, application and/or database security patch releases.

Response: SumTotal does

Response: SumTotal typically releases a new major or minor application version every six months and the goal of each release is to support new server/client operating system versions, browser versions and application/database patch releases. In addition, SumTotal has a dedicated performance and compatibility testing lab where every attempt is made to support the latest versions of software platforms for existing SumTotal releases based upon customer demand.


SumTotal Security (SCR) Con.

3.11

Describe any required vendor remote access to application for support purposes. What measures are available to ensure secure vendor authentication and authorization?

3.12

Describe how restricted personal information will be transported between application servers and application users.

Response: SumTotal does not typically require remote access to customer server environments to address issues, but there are times where having such access can assist in resolving an issue in a more timely manner. In such instances, remote access is controlled by the customer. In instances where the application is hosted by SumTotal, all remote access to the customer environment by SumTotal occurs via CheckPoint SecuRemote authentication.

Response: For most customers the data stored in the SumTotal platform is
not considered restricted personnel information. The SumTotal platform
does support the use of SSL to encrypt all application data traffic that flows
between application users and the SumTotal web server.


SumTotal Security (SCR) Con.

3.13

Describe vendor response system and escalation process for client report of security and/or technical application issues.

3.14

Describe your system’s reporting capability regarding usage log files and traffic patterns.

Response: SumTotal Systems currently has over 100 people dedicated to some aspect of customer support in our global organization. Our Standard Support program operates on a queue basis where the next available engineer is assigned a new support request. Issues can be escalated directly to Customer Support Management or through your SumTotal Account Executive or Professional Services Project Manager. Escalated issues are elevated to SumTotal executive management as necessary (no less than weekly) and there is a dedicated Customer Advocacy function to assist in the tracking and resolution of particularly important or complex customer issues.

Response: The SumTotal platform leverages the industry standard Microsoft IIS web server platform and as such third party tools such as WebTrends can be easily used to monitor application usage and traffic. The WebTrends tool is used by the SumTotal Systems datacenter to analyze usage traffic by hosted customers.


SumTotal Support/Upgrades

4.1

Provide information on how client reported defects are identified, tracked, and resolved.

4.2

Describe the extent to which University of California can customize code and still receive timely and efficient upgrades. Additionally, use this time to review your normal upgrade process and an atypical upgrade (to a customization system). Also, address required training related to customization of the system.


Response: Product support is initiated by a request from a customer filed via phone or over the web. The request comes into our Tier 1 representative, whose primary responsibility is to log the issue into our ticket tracking system and perform a basic level of troubleshooting. If the issue is not immediately resolved, it is assigned to a Tier 2 representative with functional expertise in the product area in question. At any point, the support engineer is empowered to escalate the issue to other functions within our organization to facilitate swift resolution.

Response: SumTotal’s recommended approach for extending the application’s features is to leverage our SOAP-based web services interface. This model abstracts customers from database schema and application changes in future releases. SumTotal provides detailed web services documentation and can provide tailored training and consulting on the use of web services to meet specific customer needs.


SumTotal Support/Upgrades

4.3

Describe any shortcomings of your system and explain your plan to resolve them in upcoming releases.

Response: Three functional shortcomings in the current shipping product are scheduled to be addressed in a release in 2007. They are:

- The ability to assign required training to an audience
- The ability for a manager to define a delegate or proxy
- The ability to define email attachments for notifications


University of CA Technical
Presentation, November 15, 2006

Presented by: Bill Docherty, Senior
Director, Product Management