- Chris Creswell
- Robbie Douglas
- Jackie Gottlieb
- Harry Kaplanian
- Tod Olson
- Florian Ruckelshausen
- Wayne Schneider
- Catherine Smith
- Brandon Tharp
- Zeno Tajoli
- Ian Walls
- Todd Wallwork
- Patty Wanninger
- Securing Okapi
|10||Update from Product Council||FOLIO Product Council Agenda/Minutes - 2019-11-07|
We should log these issues into JIRA.
Wayne: In order to take advantage of these exploits, something else needs to break. It does put more pressure on the Sysadmin. It's not the right way to do things, but it's not a big risk. The vendors will be taking on this risk. As a customer, you need to be aware and make sure they are taking on the risk correctly.
Tod: what are practical ways to protect against this?
Wayne: It would take some thought and work.
Philip: need to balance this against performance.
Wayne: One way to protect is to build your own Docker container and not trust anyone else's. It's a pain and not what we want it to be. Intermodule communication in Kubernetes between nodes is encrypted. Brandon is not sure (needs investigation). Wayne is most concerned about super user access to the database.
Ingolf: We need JIRA tickets for these issues.
*** Todo - Tod: Should bring up in the TC as they are technical debt.
Wayne: As a sysadmin, these are risks I'm willing to take on. The super user database issue makes him uncomfortable. He would run patron data from a separate database.
*** Todo - Wayne will create the JIRA tickets. Jo will be a watcher. Due next Friday prior to this meeting for review by the SIG.
Are these a weakness of FOLIO or the hoster's network? But security by design is better.