The following checklist is a high-level assessment for gauging the suitability of an application's integration with LDAP:
- The application must be hosted on the trusted UBC network.
- The application URL must be on the "ubc.ca" domain.
- The application must be hosted on trusted UBC owned and operated servers.
- Application servers must be secured, patched, and updated with industry best practices.
- Access to the servers hosting the application and to its service accounts is restricted to trusted UBC personnel, i.e., employees of UBC.
- Quarterly vulnerability assessment scans must be run on the application servers to verify that no high-severity vulnerabilities (CVSS score 7.0 to 10.0) are present.
- Secure communications must be used in all cases with a minimum Security Strength Factor (SSF) of 128-bit encryption.
- SSL must be configured to verify the certificate chain against the correct root CAs when making connections, i.e., the "SSL no verify" option must not be enabled.
- Certificates from a trusted certificate authority such as Thawte must be used in all production applications. No self-signed certificates are allowed.
- SSL encryption must be used throughout the communication chain i.e. from the front-end of the application through to the LDAP back-end.
- LDAP Service Account data must be held securely by the application.
- Integrating applications must follow the best practices recommended for their environment to manage security and Web sessions.
- The application must not capture or store (including debug logging) CWL logins or CWL passwords in any form.
- Links to UBC Information Security and Responsible Use Policies must be provided on the application's login page.
- Links to CWL Account Administration must be provided on the application's login page.
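The three transport requirements above (128-bit minimum strength, certificate-chain verification against the correct root CAs, no "SSL no verify") are easy to state and easy to get wrong in a client configuration. The following is an added example, not code from UBC or from this checklist: it builds a client-side TLS context that satisfies those requirements, shows the forbidden "no verify" context beside it, and provides an `audit_tls_context` check that reports every way a context falls short of the checklist. The `ca_bundle` path, the choice of TLS 1.2 as the protocol floor that still meets the 128-bit requirement, and the function names are assumptions of this example; the resulting `ssl.SSLContext` is what you would hand to your LDAP client library for an LDAPS or StartTLS connection (how it is passed is library-specific).

```python
import ssl
from typing import List, Optional

# Policy value taken from the checklist: Security Strength Factor of at least 128 bits.
MIN_STRENGTH_BITS = 128
# Assumption of this example: TLS 1.2 is treated as the lowest protocol version
# that still satisfies the 128-bit requirement; older versions are rejected.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_ldap_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context that meets the checklist's transport requirements.

    ca_bundle: optional path (an assumption for the caller to supply) to a PEM
    bundle containing the root CA(s) that issued the directory servers'
    certificates. When None, the operating system trust store is used.
    """
    # create_default_context() enables CERT_REQUIRED and hostname checking, so
    # a forged or mis-issued server certificate fails the handshake.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = MIN_TLS_VERSION
    # Forward-secret suites with 128-bit or stronger AEAD ciphers only; the
    # exclusions remove anonymous, null, MD5, RC4 and 3DES suites explicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def insecure_ldap_tls_context() -> ssl.SSLContext:
    """The 'SSL no verify' configuration the checklist forbids.

    The client accepts any certificate from any host, so traffic is encrypted
    but the application cannot tell the real directory from an impostor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of checklist findings for a context; an empty list passes.

    Intended for a startup self-check or a unit test in the integrating
    application, so a configuration regression is caught before deployment.
    """
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification is disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname check is disabled (check_hostname is False)")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below {MIN_TLS_VERSION.name}"
        )
    # get_ciphers() lists every suite the context will offer, with its key strength.
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_STRENGTH_BITS]
    if weak:
        findings.append(
            f"cipher suites below {MIN_STRENGTH_BITS}-bit strength are enabled: " + ", ".join(weak)
        )
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_ldap_tls_context()),
                       ("no-verify", insecure_ldap_tls_context())):
        problems = audit_tls_context(ctx)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Running the audit against both contexts shows the hardened one with no findings and the "no verify" one flagged for disabled chain verification and disabled hostname checking (and, depending on the OpenSSL defaults on the host, a too-low protocol floor). Wiring `audit_tls_context` into the application's test suite turns requirements 8 to 11 into a check that fails the build rather than a sentence in a policy document.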