University of California
Technical Presentation
November 15, 2006
Presented by: Bill Docherty
Senior Director, Product Management
Page 1 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Technical Infrastructure Overview
1. Architecture and System Requirements
2. System Integration and Administration (SIA)
3. Security (SCR)
4. Support/Upgrades
Page 2 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements
1.1 - To open the discussion, please handout a diagram, describing the
system’s architecture indicating each component’s location with respect to
a corporate firewall.
Page 3 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements
1.2
The system is capable of working with various database and operating
system configurations including SQL 2000/Windows 2000 and Oracle/Unix
or DB2/Unix
Response: The SumTotal platform supports MS SQL 2000/Windows 2000
and Oracle/Unix environments
1.3
The system provides the ability to select or deselect administration,
learner, and course features and functions without jeopardizing the
integrity of the package
Response: SumTotal’s robust role-based security model provides the ability
to enable/disable features by role without jeopardizing application integrity
Page 4 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements Con.
1.4
The system operates in a thin client/fat server configuration to cater to low
bandwidth availability
Response: The SumTotal platform is a 100% thin/web client based
application that is idea for low bandwidth environments
1.5
The system has an easily configured and managed archiving and back-up
system that is based on scheduling rules
Response: The SumTotal platform leverages industry standard database
platforms such as SQL Server 2000 and Oracle and therefore supports the
use of any third party tool for archiving and backup
1.6
The system is object-oriented (if 100% object oriented, make and support
this claim)
Response: The SumTotal application has been developed with object
oriented principles in mind but is not 100% object oriented
Page 5 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements Con.
1.7
Describe and illustrate how the system supports an open database
structure, meets ODBC/JDBC compliance, and contains a central data
repository allowing for multiple sites to be managed by one database.
Describe how the system carries out automated database maintenance and
provides a method for archiving inactive records that can be later
reactivated. Provide the system’s database table schema.
Response: The SumTotal platform is based on open industry database
standards and principles with a well documented relational database
structure. Communication between the web server and database server
tiers occurs via OLEDB/ODBC with calls to database stored procedures and
no embedded SQL. SumTotal “domains” capability supports multiple
sites/instances in a single centralized database. The SumTotal database
supports the use of third-party data archiving and backup tools.
1.8
Describe and illustrate how the system supports an open database
structure, meets ODBC/JDBC compliance, and contains a central data
repository allowing for multiple sites to be managed by one database.
Describe how the system carries out automated database maintenance and
provides a method for archiving inactive records that can be later
reactivated. Provide the system’s database table schema.
Response: Same response as question #1.7 above
Page 6 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements Con.
1.9
Describe the development environment used to customize the system and
identify components of the system that can and can not be customized.
Response: The SumTotal application is developed in ASP (active server
pages) with server side JavaScript. The system also makes extensive use of
database stored procedures. The application source code can be modified
using any tool that supports editing ASP pages. SumTotal happens to use
MS Visual Studio for development internally but this tool is not required. In
addition, SumTotal exposes a broad set of SOAP-based web services. The
only areas of compiled code that cannot be customized are several COM
objects that control system security functions such as providing secure
access to online content.
1.10
Describe and illustrate how the system architecture is decomposed in a
manner that provides the ability to independently monitor and tune each
application component.
Response: The SumTotal application can be supported by one or more web
servers and one or more physical database servers, each which can be
monitored independently and tuned to optimize application performance.
Page 7 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements Con.
1.11
Describe any additional software required on client workstations other than
an IE, Netscape or Safari browser? What is the OS compatibility of the
software/plug-in components?
Response: The SumTotal application does not require the pre-installation of
any software components on client workstations other than a browser for
most modes of the application. The Report Manager component (which is
typically used by a small audience) does require the use of the MS Office
Web Components control, which does require the use of IE and Windows.
In addition, individuals that will upload content must support the download
of a Java applet to support the upload process.
1.12
Provide information on the current version of your software. Describe the
software programming languages used to implement each component of
the system?
Response: SumTotal 7.2 is the current shipping version of the SumTotal
suite. The application is developed in ASP (active server pages) with server
side JavaScript. The system also makes extensive use of database stored
procedures.
Page 8 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Architecture and System Requirements Con.
1.13
Does your company use a software engine (i.e., “black box”), to
automatically process content such as data stored in a separate database.
If yes, is the software engine proprietary technology?
Response: No, the SumTotal application does not use a software engine or
“black box”
1.14
Has your company created any proprietary development languages or
models that enable you to reduce the time and cost of program
development? If yes, how does that restrict University of California’
ownership of source code? Describe University of California’ right to
maintain the program on its own or via third parties in the future and
indicate if the source code is ever maintained in escrow.
Response: SumTotal has developed an intermediary language and tool
named “Spanner” that allows for the creation of optimized database stored
procedures for multiple database platforms in reduced time. Ownership of
the application source code remains with SumTotal but does not impact the
University of California’s right to customize the code to meet their needs.
The application source can be maintained in escrow at a customer’s request
Page 9 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal System Integration & Administration (SIA)
2.1
The system has the ability to store content in XML
Response: SumTotal's database repository is normalized in database tables.
As a result most data is stored within individual database fields and not in
XML documents. However there is a facility within our LMS and LCMS that
enables customers to create their own metadata fields and store them as
XML in the database.
2.2
The system allows for metadata tags to be easily modified
Response: All user interface text elements are stored in resource files to
facilitate localization in multiple languages and can be easily changed by
customers as desired. The system also supports customer defined metatags for various objects in the system such as learning activities and
TotalLCMS projects, courses and assets.
Page 10 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal System Integration & Administration (SIA)
2.3
The system easily integrates with content produced using common course
authoring tools including but not limited to Flash, Firefly, Dreamweaver,
FrontPage, Authorware, ToolBook, Breeze and Lectora
Response: The SumTotal platform provides strong support for third party
content, authoring tools and virtual meeting products. With support for any
content produced to the AICC/SCORM standards in addition to out-of-thebox connectors for Breeze, Centra, WebEx and Interwise, SumTotal is
unsurpassed in content support.
2.4
The system provides the capacity to manage 15,000 licenses, easily
upgradeable to 20,000 licenses.
Response: The SumTotal platform is highly scalable with customer
implementations with more than 300,000 active users and 4,000 concurrent
users. The SumTotal platform easily provides the capability to support
20,000 licenses.
Page 11 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal System Integration & Administration (SIA) Con.
2.5
Describe how the system would integrate with an import of
payroll/personnel system data to update learner information (e.g., history,
new hires, separations, etc.). Provide similar implementation examples
from other companies.
Response: SumTotal has a well defined batch integration process to import
data from HRIS/Payroll/Personnel systems on a regularly scheduled basis.
This batch integration interface supports importing flat files containing
user, organization and job/role information and is a standard aspect of just
about every SumTotal implementation. This batch integration process has
been implemented for the University of Michigan to automatically keep
users, organizations and user/organization mappings up to date in
TotalLMS
2.6
Identify any technical implementation hurdles experienced in the past and
describe how they were overcome (if possible, provide an example using an
educational institution).
Response: With customers spanning just about every vertical industry,
SumTotal can run into a range of implementation challenges. One example
is with the delivery of learning content to low bandwidth environments,
which is typical in the retail industry. SumTotal ran into this challenge at
one of the largest grocery chains in the country and worked collaboratively
with the customer to develop a remote content solution that ultimately
became a part of the SumTotal core product offering.
Page 12 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal System Integration & Administration (SIA) Con.
2.7
Demonstrate how a 3rd party reporting tool integrates into your system by
generating a live report
Response: SumTotal will provide an example of generating a Microsoft
Access based report to demonstrate the openness of the SumTotal database
and the ease with which 3rd party reporting tools can be used.
Page 13 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR)
3.1
Describe, in detail, your system’s ability to use Kerberos.
Response: The SumTotal application supports Microsoft IIS running on the
Windows 2000 or 2003 server operating system and supports Integrated
Windows Authentication between the client browser and IIS. If Active
Directory Services is installed on the server and the browser is compatible
with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol
and the challenge/response protocol are used.
3.2
The system is password-protected to enforce security at multiple levels
including organization, department, learning organization, etc.
Response: The SumTotal system provides a standard application login
interface that requires that a user enter a valid login/password combination
to access the system. In addition, the system can be implemented with
other authentication mechanisms such as NT Authentication, LDAP, Active
Directory and Siteminder. One a user is successfully authenticate the
application is able to determine the users data access permissions based
upon their association to security roles, audiences, domains and
organizations. SumTotal has not had a customer report of a user being able
to access data in the system that violates their access permissions in the
system.
Page 14 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR)
3.3
The system does not utilize root (system administration) access privileges
to accomplish application features
Response: The SumTotal system does not utilize root or system
administration privileges to accomplish application features/tasks.
3.4
The system uses LDAP to implement system security and can integrate with
LDAP for user authentication
Response: The standard application does not use LDAP to implement system
security. System security is controlled and maintained using the security
roles defined within the system. The SumTotal system can be implemented
with LDAP for user authentication and is a standard aspect of the product
implementation.
Page 15 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR) Con.
3.5
The system provides an audit trail linking the user or administrator to all
transactions updating the database
Response: The SumTotal platform complies with CFR 21/Part 11 which is an
FDA guidelines that covers the required auditing of training records to be
able to prove the validity of that data. This results in the maintenance of a
complete audit trail for user, learning activity and learning activity roster
records in the system.
3.6
The system provides the ability to monitor user access and traffic patterns
(number of contacts, lengths of activity, peak zones, etc.)
Response: The SumTotal platform leverages the industry standard Microsoft
IIS web server platforms and as such third party tools such as WebTrends
can be easily used to monitor application usage and traffice. The
WebTrends tool is used by the SumTotal Systems datacenter to analyze
usage traffic by hosted customers.
Page 16 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR) Con.
3.7
Database login configuration is accomplished by a system administration
configuration interface and is protected to prevent unauthorized access
Response: The database login information utilized by the SumTotal web
server to access the SumTotal database is configured by a system
administration configuration setting and is stored in an encrypted format.
3.8
Describe application compliancy with each of the OWASP Top Ten Minimum
Security Standards for Web Application Security.
Response: Response to each of the OWASP Top Ten is on the three
subsequent slides
Page 17 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
OWASP Top Ten Security Vulnerabilities
Vulnerability
Description
SumTotal Response
Unvalidated Input
Information from web requests is not validated before
being used by a web application. Attackers can use
these flaws to attack backend components through a
web application.
Not an issue – validated by third party
security audits
Broken Access Control
Restrictions on what authenticated users are allowed
to do are not properly enforced. Attackers can exploit
these flaws to access other users' accounts, view
sensitive files, or use unauthorized functions.
Not an issue – validated by third party
security audits
Broken Authentication and Session
Management
Account credentials and session tokens are not
properly protected. Attackers that can compromise
passwords, keys, session cookies, or other tokens
can defeat authentication restrictions and assume
other users' identities.
Not an issue – validated by third party
security audits
Page 18 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
OWASP Top Ten Security Vulnerabilities
Vulnerability
Description
SumTotal Response
Cross Site Scripting (XSS) Flaws
The web application can be used as a mechanism to
transport an attack to an end user's browser. A
successful attack can disclose the end user?s
session token, attack the local machine, or spoof
content to fool the user.
Several identified issues via third party
security audits. Were addressed via a
security hotfix for the 7.1 release and now
part of the core product
Buffer Overflows
Web application components in some languages that
do not properly validate input can be crashed and, in
some cases, used to take control of a process. These
components can include CGI, libraries, drivers, and
web application server components.
Not an issue – validated by third party
security audits
Injection Flaws
Web applications pass parameters when they access
external systems or the local operating system. If an
attacker can embed malicious commands in these
parameters, the external system may execute those
commands on behalf of the web application.
No SQL injection vulnerabilities – all stored
procedures used for DB access. A few
exposures to JavaScript “Eval()” function
injection. Were addressed via security
hotfix for 7.1 release and now part of the
core product
Page 19 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
OWASP Top Ten Security Vulnerabilities
Vulnerability
Description
SumTotal Response
Improper Error Handling
Error conditions that occur during normal operation
are not handled properly. If an attacker can cause
errors to occur that the web application does not
handle, they can gain detailed system information,
deny service, cause security mechanisms to fail, or
crash the server.
Not an issue – validated by third party
security audits
Insecure Storage
Web applications frequently use cryptographic
functions to protect information and credentials.
These functions and the code to integrate them have
proven difficult to code properly, frequently resulting
in weak protection.
Not an issue – validated by third party
security audits
Denial of Service
Attackers can consume web application resources to
a point where other legitimate users can no longer
access or use the application. Attackers can also lock
users out of their accounts or even cause the entire
application to fail.
Not an issue – validated by third party
security audits
Insecure Configuration Management
Having a strong server configuration standard is
critical to a secure web application. These servers
have many configuration options that affect security
and are not secure out of the box.
Not an issue – validated by third party
security audits
Page 20 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR) Con.
3.9
Describe audit capability for monitoring and reporting on application
configuration changes.
Response: SumTotal does
3.10
Describe how vendor test and release schedule for maintaining
compatibility with server and end-user operating system, application
and/or database security patch releases.
Response: SumTotal typically releases a new major or minor application
version every six months and the goal of each release is to support new
server/client operating system versions, browser versions and
application/database patch releases. In addition, SumTotal has a dedicated
performance and compatibility testing lab where every attempt is made to
support the latest versions of software platforms for existing SumTotal
releases based upon customer demand.
Page 21 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR) Con.
3.11
Describe any required vendor remote access to application for support
purposes. What measures are available to ensure secure vendor
authentication and authorization?
Response: SumTotal does not typically require remote access to customer
server environments to address issues but there are times where having
such access can assist in resolving an issue in a more timely manner. In
such instances such remote access is controlled by the customer. In
instances where the application is hosted by SumTotal, all remote access to
the customer environment by SumTotal occurs via CheckPoint SecuRemote
authentication.
3.12
Describe how restricted personal information will be transported between
application servers and application users.
Response: For most customers the data stored in the SumTotal platform is
not considered restricted personnel information. The SumTotal platform
does support the use of SSL to encrypt all application data traffic that flows
between application users and the SumTotal web server.
Page 22 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Security (SCR) Con.
3.13
Describe vendor response system and escalation process for client report of
security and/or technical application issues.
Response: SumTotal Systems currently has over 100 people dedicated to
some aspect of customer support in our global organization. Our Standard
Support program operates on a queue basis where the next available
engineer is assigned a new support request. Issues can be escalated
directly to Customer Support Management or through your SumTotal
Account Executive or Professional Services Project Manager. Escalated
issues are elevated to SumTotal executive management as necessary (no
less than weekly) and there is a dedicated Customer Advocacy function to
assist in the tracking and resolution of particularly important or complex
customer issues.
3.14
Describe your system’s reporting capability regarding usage log files and
traffic patterns.
Response: The SumTotal platform leverages the industry standard Microsoft
IIS web server platforms and as such third party tools such as WebTrends
can be easily used to monitor application usage and traffice. The
WebTrends tool is used by the SumTotal Systems datacenter to analyze
usage traffic by hosted customers.
Page 23 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Support/Upgrades
4.1
Provide information on how client reported defects are identified, tracked,
and resolved.
Response: Product support is initiated by a request from a customer file via
phone or over the web. The request comes into our Tier 1 representative,
whose primary responsibility is to log the issue into our ticket tracking
system and perform a basic level of troubleshooting. If the issue is not
immediately resolved, it is assigned to a Tier 2 representative with
functional expertise in the product area in question. At any point, the
support engineer is empowered to escalate the issue to other functions
within our organization to facilitate swift resolution.
4.2
Describe the extent to which University of California can customize code
and still receive timely and efficient upgrades. Additionally, use this time
to review your normal upgrade process and an atypical upgrade (to a
customization system). Also, address required training related to
customization of the system.
Response: SumTotal’s recommended approach for extending the
applications features is to leverage our SOAP-based web services interface.
This model abstracts customers from database schema and application
changes in future release. SumTotal provides detailed web services
documentation and can provided tailored training and consulting on the
user of web services to meet specific customer needs.
Page 24 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
SumTotal Support/Upgrades
4.3
Describe any shortcomings of your system and explain your plan to resolve
them in upcoming releases.
Response: Three functional shortcomings in the current shipping product
are scheduled to be addressed in a release in 2007. They are:
The ability to assign required training to an audience
The ability for a manager to define a delegate or proxy
The ability to define email attachments for notifications
Page 25 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL
University of CA Technical
Presentation, November 15, 2006
Presented by: Bill Docherty, Senior
Director, Product Management
Page 26 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL