University of California Technical Presentation
November 15, 2006
Presented by: Bill Docherty, Senior Director, Product Management
Page 1 - March 13, 2016 – PROPRIETARY AND CONFIDENTIAL

SumTotal Technical Infrastructure Overview

1. Architecture and System Requirements
2. System Integration and Administration (SIA)
3. Security (SCR)
4. Support/Upgrades

SumTotal Architecture and System Requirements

1.1 To open the discussion, please hand out a diagram describing the system's architecture, indicating each component's location with respect to a corporate firewall.

1.2 The system is capable of working with various database and operating system configurations, including SQL 2000/Windows 2000 and Oracle/Unix or DB2/Unix.
Response: The SumTotal platform supports MS SQL 2000/Windows 2000 and Oracle/Unix environments.

1.3 The system provides the ability to select or deselect administration, learner, and course features and functions without jeopardizing the integrity of the package.
Response: SumTotal's robust role-based security model provides the ability to enable/disable features by role without jeopardizing application integrity.
1.4 The system operates in a thin client/fat server configuration to cater to low bandwidth availability.
Response: The SumTotal platform is a 100% thin/web client based application that is ideal for low bandwidth environments.

1.5 The system has an easily configured and managed archiving and back-up system that is based on scheduling rules.
Response: The SumTotal platform leverages industry standard database platforms such as SQL Server 2000 and Oracle and therefore supports the use of any third party tool for archiving and backup.

1.6 The system is object-oriented (if 100% object oriented, make and support this claim).
Response: The SumTotal application has been developed with object oriented principles in mind but is not 100% object oriented.

1.7 Describe and illustrate how the system supports an open database structure, meets ODBC/JDBC compliance, and contains a central data repository allowing multiple sites to be managed by one database. Describe how the system carries out automated database maintenance and provides a method for archiving inactive records that can later be reactivated. Provide the system's database table schema.
Response: The SumTotal platform is based on open industry database standards and principles with a well documented relational database structure. Communication between the web server and database server tiers occurs via OLEDB/ODBC with calls to database stored procedures and no embedded SQL. The SumTotal "domains" capability supports multiple sites/instances in a single centralized database. The SumTotal database supports the use of third-party data archiving and backup tools.

1.8 Describe and illustrate how the system supports an open database structure, meets ODBC/JDBC compliance, and contains a central data repository allowing multiple sites to be managed by one database.
Describe how the system carries out automated database maintenance and provides a method for archiving inactive records that can later be reactivated. Provide the system's database table schema.
Response: Same response as question 1.7 above.

1.9 Describe the development environment used to customize the system and identify components of the system that can and cannot be customized.
Response: The SumTotal application is developed in ASP (Active Server Pages) with server side JavaScript. The system also makes extensive use of database stored procedures. The application source code can be modified using any tool that supports editing ASP pages. SumTotal happens to use MS Visual Studio for development internally, but this tool is not required. In addition, SumTotal exposes a broad set of SOAP-based web services. The only areas of compiled code that cannot be customized are several COM objects that control system security functions such as providing secure access to online content.

1.10 Describe and illustrate how the system architecture is decomposed in a manner that provides the ability to independently monitor and tune each application component.
Response: The SumTotal application can be supported by one or more web servers and one or more physical database servers, each of which can be monitored independently and tuned to optimize application performance.

1.11 Describe any additional software required on client workstations other than an IE, Netscape or Safari browser. What is the OS compatibility of the software/plug-in components?
Response: The SumTotal application does not require the pre-installation of any software components on client workstations other than a browser for most modes of the application.
The Report Manager component (which is typically used by a small audience) does require the MS Office Web Components control, which in turn requires IE and Windows. In addition, individuals who will upload content must allow the download of a Java applet that supports the upload process.

1.12 Provide information on the current version of your software. Describe the software programming languages used to implement each component of the system.
Response: SumTotal 7.2 is the current shipping version of the SumTotal suite. The application is developed in ASP (Active Server Pages) with server side JavaScript. The system also makes extensive use of database stored procedures.

1.13 Does your company use a software engine (i.e., "black box") to automatically process content such as data stored in a separate database? If yes, is the software engine proprietary technology?
Response: No, the SumTotal application does not use a software engine or "black box".

1.14 Has your company created any proprietary development languages or models that enable you to reduce the time and cost of program development? If yes, how does that restrict the University of California's ownership of source code? Describe the University of California's right to maintain the program on its own or via third parties in the future and indicate if the source code is ever maintained in escrow.
Response: SumTotal has developed an intermediary language and tool named "Spanner" that allows for the creation of optimized database stored procedures for multiple database platforms in reduced time. Ownership of the application source code remains with SumTotal but does not impact the University of California's right to customize the code to meet their needs.
The application source can be maintained in escrow at a customer's request.

SumTotal System Integration & Administration (SIA)

2.1 The system has the ability to store content in XML.
Response: SumTotal's database repository is normalized in database tables. As a result, most data is stored within individual database fields and not in XML documents. However, there is a facility within our LMS and LCMS that enables customers to create their own metadata fields and store them as XML in the database.

2.2 The system allows for metadata tags to be easily modified.
Response: All user interface text elements are stored in resource files to facilitate localization in multiple languages and can be easily changed by customers as desired. The system also supports customer defined metatags for various objects in the system such as learning activities and TotalLCMS projects, courses and assets.

2.3 The system easily integrates with content produced using common course authoring tools including but not limited to Flash, Firefly, Dreamweaver, FrontPage, Authorware, ToolBook, Breeze and Lectora.
Response: The SumTotal platform provides strong support for third party content, authoring tools and virtual meeting products. With support for any content produced to the AICC/SCORM standards in addition to out-of-the-box connectors for Breeze, Centra, WebEx and Interwise, SumTotal is unsurpassed in content support.

2.4 The system provides the capacity to manage 15,000 licenses, easily upgradeable to 20,000 licenses.
Response: The SumTotal platform is highly scalable, with customer implementations of more than 300,000 active users and 4,000 concurrent users. The SumTotal platform easily provides the capability to support 20,000 licenses.
2.5 Describe how the system would integrate with an import of payroll/personnel system data to update learner information (e.g., history, new hires, separations, etc.). Provide similar implementation examples from other companies.
Response: SumTotal has a well defined batch integration process to import data from HRIS/Payroll/Personnel systems on a regularly scheduled basis. This batch integration interface supports importing flat files containing user, organization and job/role information and is a standard aspect of just about every SumTotal implementation. This batch integration process has been implemented for the University of Michigan to automatically keep users, organizations and user/organization mappings up to date in TotalLMS.

2.6 Identify any technical implementation hurdles experienced in the past and describe how they were overcome (if possible, provide an example using an educational institution).
Response: With customers spanning just about every vertical industry, SumTotal can run into a range of implementation challenges. One example is the delivery of learning content to low bandwidth environments, which is typical in the retail industry. SumTotal ran into this challenge at one of the largest grocery chains in the country and worked collaboratively with the customer to develop a remote content solution that ultimately became part of the SumTotal core product offering.

2.7 Demonstrate how a 3rd party reporting tool integrates into your system by generating a live report.
Response: SumTotal will provide an example of generating a Microsoft Access based report to demonstrate the openness of the SumTotal database and the ease with which 3rd party reporting tools can be used.
SumTotal Security (SCR)

3.1 Describe, in detail, your system's ability to use Kerberos.
Response: The SumTotal application supports Microsoft IIS running on the Windows 2000 or 2003 server operating system and supports Integrated Windows Authentication between the client browser and IIS. If Active Directory Services is installed on the server and the browser is compatible with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol and the challenge/response protocol are used.

3.2 The system is password-protected to enforce security at multiple levels including organization, department, learning organization, etc.
Response: The SumTotal system provides a standard application login interface that requires a user to enter a valid login/password combination to access the system. In addition, the system can be implemented with other authentication mechanisms such as NT Authentication, LDAP, Active Directory and SiteMinder. Once a user is successfully authenticated, the application determines the user's data access permissions based upon their association to security roles, audiences, domains and organizations. SumTotal has not had a customer report of a user being able to access data in the system that violates their access permissions in the system.

3.3 The system does not utilize root (system administration) access privileges to accomplish application features.
Response: The SumTotal system does not utilize root or system administration privileges to accomplish application features/tasks.

3.4 The system uses LDAP to implement system security and can integrate with LDAP for user authentication.
Response: The standard application does not use LDAP to implement system security. System security is controlled and maintained using the security roles defined within the system.
The SumTotal system can be implemented with LDAP for user authentication, and this is a standard aspect of the product implementation.

3.5 The system provides an audit trail linking the user or administrator to all transactions updating the database.
Response: The SumTotal platform complies with 21 CFR Part 11, an FDA guideline that covers the required auditing of training records so that the validity of that data can be proven. This results in the maintenance of a complete audit trail for user, learning activity and learning activity roster records in the system.

3.6 The system provides the ability to monitor user access and traffic patterns (number of contacts, lengths of activity, peak zones, etc.).
Response: The SumTotal platform leverages the industry standard Microsoft IIS web server platform, and as such third party tools such as WebTrends can be easily used to monitor application usage and traffic. The WebTrends tool is used by the SumTotal Systems datacenter to analyze usage traffic by hosted customers.

3.7 Database login configuration is accomplished by a system administration configuration interface and is protected to prevent unauthorized access.
Response: The database login information utilized by the SumTotal web server to access the SumTotal database is configured by a system administration configuration setting and is stored in an encrypted format.

3.8 Describe application compliancy with each of the OWASP Top Ten Minimum Security Standards for Web Application Security.
Response: Responses to each of the OWASP Top Ten are on the three subsequent slides.

OWASP Top Ten Security Vulnerabilities

Vulnerability: Unvalidated Input
Description: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Broken Access Control
Description: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Broken Authentication and Session Management
Description: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Cross Site Scripting (XSS) Flaws
Description: The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
SumTotal Response: Several issues were identified via third party security audits. They were addressed via a security hotfix for the 7.1 release and are now part of the core product.

Vulnerability: Buffer Overflows
Description: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Injection Flaws
Description: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
SumTotal Response: No SQL injection vulnerabilities – all stored procedures used for DB access. A few exposures to JavaScript "Eval()" function injection were found. They were addressed via a security hotfix for the 7.1 release and are now part of the core product.

Vulnerability: Improper Error Handling
Description: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Insecure Storage
Description: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Denial of Service
Description: Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
SumTotal Response: Not an issue – validated by third party security audits.

Vulnerability: Insecure Configuration Management
Description: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
SumTotal Response: Not an issue – validated by third party security audits.
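The injection row names JavaScript eval() injection as the exposure that the 7.1 hotfix closed; the example below shows why eval() over request data is code injection in server-side JavaScript and what the hardened replacements (an allow-list lookup and JSON.parse) look like. This is an added example, not SumTotal's code: the handler names, the canary object and the request values are constructed for the demonstration.

```javascript
// Added example (not SumTotal code): eval()-based handling of request data in
// server-side JavaScript beside its hardened form. Handler names, the canary
// object and the request values are constructed for the demonstration.

// Constructed application handlers keyed by the action name a request may name.
const handlers = {
  listCourses: () => ["Intro", "Advanced"],
  showRoster: () => ["alice", "bob"],
};

// Constructed canary: if untrusted input reaches eval(), it can flip this flag,
// which stands in for any side effect attacker-controlled code could have.
const canary = { tripped: false };
function resetCanary() { canary.tripped = false; }

// VULNERABLE: the request parameter is spliced into source text and evaluated.
// Whatever the caller sends becomes code running with the application's rights.
function dispatchUnsafe(action) {
  return eval("handlers." + action + "()");
}

// HARDENED: treat the parameter as a key, never as code. Only the object's own
// property names are accepted, so "constructor" or "__proto__" are rejected too.
function dispatchSafe(action) {
  if (typeof action !== "string" ||
      !Object.prototype.hasOwnProperty.call(handlers, action)) {
    throw new Error("unknown action");
  }
  return handlers[action]();
}

// VULNERABLE: "parsing" a JSON-like body with eval() executes any code inside it.
function parseProfileUnsafe(body) {
  return eval("(" + body + ")");
}

// HARDENED: JSON.parse accepts data only and throws on anything that is not JSON.
function parseProfileSafe(body) {
  return JSON.parse(body);
}

// Run the same constructed request values through both versions and report what
// each did, so the difference is visible without reading a stack trace.
function demo() {
  const benign = "listCourses";
  const hostile = "listCourses(); canary.tripped = true; handlers.listCourses"; // constructed
  const result = {};

  resetCanary();
  result.unsafeBenign = dispatchUnsafe(benign);
  dispatchUnsafe(hostile);
  result.unsafeTripped = canary.tripped;        // true: the parameter ran as code

  resetCanary();
  result.safeBenign = dispatchSafe(benign);
  try { dispatchSafe(hostile); result.safeRejected = false; }
  catch (e) { result.safeRejected = true; }     // true: rejected, nothing executed
  result.safeTripped = canary.tripped;          // false

  const lax = "{name: 'alice'}";                // constructed body, not valid JSON
  result.unsafeLaxName = parseProfileUnsafe(lax).name;        // "alice": eval accepts it
  try { parseProfileSafe(lax); result.safeLaxRejected = false; }
  catch (e) { result.safeLaxRejected = true; }  // true: JSON.parse refuses it
  result.safeName = parseProfileSafe('{"name": "alice"}').name;
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The stored-procedure claim in the same row holds only as long as the procedures themselves do not assemble dynamic SQL from their parameters, so an audit should read the procedure bodies as well as the calling code.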
3.9 Describe audit capability for monitoring and reporting on application configuration changes.
Response: SumTotal does

3.10 Describe the vendor's test and release schedule for maintaining compatibility with server and end-user operating system, application and/or database security patch releases.
Response: SumTotal typically releases a new major or minor application version every six months, and the goal of each release is to support new server/client operating system versions, browser versions and application/database patch releases. In addition, SumTotal has a dedicated performance and compatibility testing lab where every attempt is made to support the latest versions of software platforms for existing SumTotal releases based upon customer demand.

3.11 Describe any required vendor remote access to the application for support purposes. What measures are available to ensure secure vendor authentication and authorization?
Response: SumTotal does not typically require remote access to customer server environments to address issues, but there are times when having such access can help resolve an issue more quickly. In such instances, remote access is controlled by the customer. Where the application is hosted by SumTotal, all remote access to the customer environment by SumTotal occurs via CheckPoint SecuRemote authentication.

3.12 Describe how restricted personal information will be transported between application servers and application users.
Response: For most customers, the data stored in the SumTotal platform is not considered restricted personnel information. The SumTotal platform does support the use of SSL to encrypt all application data traffic that flows between application users and the SumTotal web server.
3.13 Describe the vendor response system and escalation process for client reports of security and/or technical application issues.
Response: SumTotal Systems currently has over 100 people dedicated to some aspect of customer support in our global organization. Our Standard Support program operates on a queue basis, where the next available engineer is assigned a new support request. Issues can be escalated directly to Customer Support Management or through your SumTotal Account Executive or Professional Services Project Manager. Escalated issues are elevated to SumTotal executive management as necessary (no less than weekly), and there is a dedicated Customer Advocacy function to assist in the tracking and resolution of particularly important or complex customer issues.

3.14 Describe your system's reporting capability regarding usage log files and traffic patterns.
Response: The SumTotal platform leverages the industry standard Microsoft IIS web server platform, and as such third party tools such as WebTrends can be easily used to monitor application usage and traffic. The WebTrends tool is used by the SumTotal Systems datacenter to analyze usage traffic by hosted customers.

SumTotal Support/Upgrades

4.1 Provide information on how client reported defects are identified, tracked, and resolved.
Response: Product support is initiated by a request from a customer, filed via phone or over the web. The request comes into our Tier 1 representative, whose primary responsibility is to log the issue into our ticket tracking system and perform a basic level of troubleshooting. If the issue is not immediately resolved, it is assigned to a Tier 2 representative with functional expertise in the product area in question. At any point, the support engineer is empowered to escalate the issue to other functions within our organization to facilitate swift resolution.
4.2 Describe the extent to which the University of California can customize code and still receive timely and efficient upgrades. Additionally, use this time to review your normal upgrade process and an atypical upgrade (to a customized system). Also, address required training related to customization of the system.
Response: SumTotal's recommended approach for extending the application's features is to leverage our SOAP-based web services interface. This model abstracts customers from database schema and application changes in future releases. SumTotal provides detailed web services documentation and can provide tailored training and consulting on the use of web services to meet specific customer needs.

4.3 Describe any shortcomings of your system and explain your plan to resolve them in upcoming releases.
Response: Three functional shortcomings in the current shipping product are scheduled to be addressed in a release in 2007. They are:
- The ability to assign required training to an audience
- The ability for a manager to define a delegate or proxy
- The ability to define email attachments for notifications

University of CA Technical Presentation, November 15, 2006
Presented by: Bill Docherty, Senior Director, Product Management