
SumTotal Corporate Powerpoint Template (PowerPoint)

					                                                             University of California
                                                             Technical Presentation
                                                                  November 15, 2006

                                                               Presented by: Bill Docherty
                                                          Senior Director, Product Management




Page 1 - August 12, 2011 – PROPRIETARY AND CONFIDENTIAL
    SumTotal Technical Infrastructure Overview




            1. Architecture and System Requirements
            2. System Integration and Administration (SIA)
            3. Security (SCR)
            4. Support/Upgrades




       SumTotal Architecture and System Requirements
1.1 - To open the discussion, please hand out a diagram describing the
system’s architecture, indicating each component’s location with respect to
a corporate firewall.




      SumTotal Architecture and System Requirements

                      1.2


                      The system is capable of working with various database and operating
                      system configurations including SQL 2000/Windows 2000 and Oracle/Unix
                      or DB2/Unix

                      Response: The SumTotal platform supports MS SQL 2000/Windows 2000
                      and Oracle/Unix environments




                      1.3


                      The system provides the ability to select or deselect administration,
                      learner, and course features and functions without jeopardizing the
                      integrity of the package

                      Response: SumTotal’s robust role-based security model provides the ability
                      to enable/disable features by role without jeopardizing application integrity




      SumTotal Architecture and System Requirements Con.

                      1.4


                      The system operates in a thin client/fat server configuration to cater to low
                      bandwidth availability

                      Response: The SumTotal platform is a 100% thin/web client based
                      application that is ideal for low bandwidth environments



                       1.5


                       The system has an easily configured and managed archiving and back-up
                       system that is based on scheduling rules

                      Response: The SumTotal platform leverages industry standard database
                      platforms such as SQL Server 2000 and Oracle and therefore supports the
                      use of any third party tool for archiving and backup


                      1.6


                      The system is object-oriented (if 100% object oriented, make and support
                      this claim)

                      Response: The SumTotal application has been developed with object
                      oriented principles in mind but is not 100% object oriented




      SumTotal Architecture and System Requirements Con.
                       1.7


                      Describe and illustrate how the system supports an open database
                      structure, meets ODBC/JDBC compliance, and contains a central data
                      repository allowing for multiple sites to be managed by one database.
                      Describe how the system carries out automated database maintenance and
                      provides a method for archiving inactive records that can be later
                      reactivated. Provide the system’s database table schema.

                      Response: The SumTotal platform is based on open industry database
                      standards and principles with a well documented relational database
                      structure. Communication between the web server and database server
                      tiers occurs via OLEDB/ODBC with calls to database stored procedures and
                      no embedded SQL. SumTotal “domains” capability supports multiple
                      sites/instances in a single centralized database. The SumTotal database
                      supports the use of third-party data archiving and backup tools.



                      1.8


                      Describe and illustrate how the system supports an open database
                      structure, meets ODBC/JDBC compliance, and contains a central data
                      repository allowing for multiple sites to be managed by one database.
                      Describe how the system carries out automated database maintenance and
                      provides a method for archiving inactive records that can be later
                      reactivated. Provide the system’s database table schema.

                      Response: Same response as question #1.7 above




      SumTotal Architecture and System Requirements Con.
                      1.9


                      Describe the development environment used to customize the system and
                      identify components of the system that can and cannot be customized.
                      Response: The SumTotal application is developed in ASP (active server
                      pages) with server side JavaScript. The system also makes extensive use of
                      database stored procedures. The application source code can be modified
                      using any tool that supports editing ASP pages. SumTotal happens to use
                      MS Visual Studio for development internally but this tool is not required. In
                      addition, SumTotal exposes a broad set of SOAP-based web services. The
                      only areas of compiled code that cannot be customized are several COM
                      objects that control system security functions such as providing secure
                      access to online content.

                      1.10


                      Describe and illustrate how the system architecture is decomposed in a
                      manner that provides the ability to independently monitor and tune each
                      application component.

                      Response: The SumTotal application can be supported by one or more web
                      servers and one or more physical database servers, each of which can be
                      monitored independently and tuned to optimize application performance.




      SumTotal Architecture and System Requirements Con.
                     1.11


                     Describe any additional software required on client workstations other than
                     an IE, Netscape or Safari browser? What is the OS compatibility of the
                     software/plug-in components?

                     Response: The SumTotal application does not require the pre-installation of
                     any software components on client workstations other than a browser for
                     most modes of the application. The Report Manager component (which is
                     typically used by a small audience) does require the use of the MS Office
                     Web Components control, which does require the use of IE and Windows.
                     In addition, individuals that will upload content must support the download
                     of a Java applet to support the upload process.



                       1.12


                       Provide information on the current version of your software. Describe the
                       software programming languages used to implement each component of
                       the system?

                      Response: SumTotal 7.2 is the current shipping version of the SumTotal
                      suite. The application is developed in ASP (active server pages) with server
                      side JavaScript. The system also makes extensive use of database stored
                      procedures.




      SumTotal Architecture and System Requirements Con.
                     1.13


                      Does your company use a software engine (i.e., “black box”), to
                      automatically process content such as data stored in a separate database.
                      If yes, is the software engine proprietary technology?
                      Response: No, the SumTotal application does not use a software engine or
                      “black box”




                     1.14


                      Has your company created any proprietary development languages or
                      models that enable you to reduce the time and cost of program
                      development? If yes, how does that restrict University of California’s
                      ownership of source code? Describe University of California’s right to
                      maintain the program on its own or via third parties in the future and
                      indicate if the source code is ever maintained in escrow.

                      Response: SumTotal has developed an intermediary language and tool
                      named “Spanner” that allows for the creation of optimized database stored
                      procedures for multiple database platforms in reduced time. Ownership of
                      the application source code remains with SumTotal but does not impact the
                      University of California’s right to customize the code to meet their needs.
                      The application source can be maintained in escrow at a customer’s request




    SumTotal System Integration & Administration (SIA)
                     2.1
                     The system has the ability to store content in XML
                     Response: SumTotal's database repository is normalized in database tables.
                     As a result most data is stored within individual database fields and not in
                     XML documents. However there is a facility within our LMS and LCMS that
                     enables customers to create their own metadata fields and store them as
                     XML in the database.




                     2.2


                     The system allows for metadata tags to be easily modified

                     Response: All user interface text elements are stored in resource files to
                     facilitate localization in multiple languages and can be easily changed by
                     customers as desired. The system also supports customer defined meta-
                     tags for various objects in the system such as learning activities and
                     TotalLCMS projects, courses and assets.




    SumTotal System Integration & Administration (SIA)
                     2.3


                     The system easily integrates with content produced using common course
                     authoring tools including but not limited to Flash, Firefly, Dreamweaver,
                     FrontPage, Authorware, ToolBook, Breeze and Lectora
                     Response: The SumTotal platform provides strong support for third party
                     content, authoring tools and virtual meeting products. With support for any
                     content produced to the AICC/SCORM standards in addition to out-of-the-
                     box connectors for Breeze, Centra, WebEx and Interwise, SumTotal is
                     unsurpassed in content support.




                     2.4


                     The system provides the capacity to manage 15,000 licenses, easily
                     upgradeable to 20,000 licenses.

                     Response: The SumTotal platform is highly scalable with customer
                     implementations with more than 300,000 active users and 4,000 concurrent
                     users. The SumTotal platform easily provides the capability to support
                     20,000 licenses.




    SumTotal System Integration & Administration (SIA) Con.
                     2.5


                     Describe how the system would integrate with an import of
                     payroll/personnel system data to update learner information (e.g., history,
                     new hires, separations, etc.). Provide similar implementation examples
                     from other companies.
                     Response: SumTotal has a well defined batch integration process to import
                     data from HRIS/Payroll/Personnel systems on a regularly scheduled basis.
                     This batch integration interface supports importing flat files containing
                     user, organization and job/role information and is a standard aspect of just
                     about every SumTotal implementation. This batch integration process has
                     been implemented for the University of Michigan to automatically keep
                     users, organizations and user/organization mappings up to date in
                     TotalLMS
                     2.6


                     Identify any technical implementation hurdles experienced in the past and
                     describe how they were overcome (if possible, provide an example using an
                     educational institution).
                     Response: With customers spanning just about every vertical industry,
                     SumTotal can run into a range of implementation challenges. One example
                     is with the delivery of learning content to low bandwidth environments,
                     which is typical in the retail industry. SumTotal ran into this challenge at
                     one of the largest grocery chains in the country and worked collaboratively
                     with the customer to develop a remote content solution that ultimately
                     became a part of the SumTotal core product offering.




    SumTotal System Integration & Administration (SIA) Con.
                     2.7


                     Demonstrate how a 3rd party reporting tool integrates into your system by
                     generating a live report
                     Response: SumTotal will provide an example of generating a Microsoft
                     Access based report to demonstrate the openness of the SumTotal database
                     and the ease with which 3rd party reporting tools can be used.




    SumTotal Security (SCR)
                     3.1


                     Describe, in detail, your system’s ability to use Kerberos.
                     Response: The SumTotal application supports Microsoft IIS running on the
                     Windows 2000 or 2003 server operating system and supports Integrated
                     Windows Authentication between the client browser and IIS. If Active
                     Directory Services is installed on the server and the browser is compatible
                     with the Kerberos V5 authentication protocol, both the Kerberos V5 protocol
                     and the challenge/response protocol are used.




                     3.2


                     The system is password-protected to enforce security at multiple levels
                     including organization, department, learning organization, etc.
                     Response: The SumTotal system provides a standard application login
                     interface that requires that a user enter a valid login/password combination
                     to access the system. In addition, the system can be implemented with
                     other authentication mechanisms such as NT Authentication, LDAP, Active
                     Directory and Siteminder. Once a user is successfully authenticated, the
                     application is able to determine the user’s data access permissions based
                     upon their association to security roles, audiences, domains and
                     organizations. SumTotal has not had a customer report of a user being able
                     to access data in the system that violates their access permissions in the
                     system.



    SumTotal Security (SCR)
                     3.3


                     The system does not utilize root (system administration) access privileges
                     to accomplish application features

                     Response: The SumTotal system does not utilize root or system
                     administration privileges to accomplish application features/tasks.




                     3.4


                     The system uses LDAP to implement system security and can integrate with
                     LDAP for user authentication

                     Response: The standard application does not use LDAP to implement system
                     security. System security is controlled and maintained using the security
                     roles defined within the system. The SumTotal system can be implemented
                     with LDAP for user authentication and is a standard aspect of the product
                     implementation.




    SumTotal Security (SCR) Con.
                     3.5


                      The system provides an audit trail linking the user or administrator to all
                      transactions updating the database
                      Response: The SumTotal platform complies with CFR 21/Part 11, which is an
                      FDA guideline that covers the required auditing of training records to be
                      able to prove the validity of that data. This results in the maintenance of a
                      complete audit trail for user, learning activity and learning activity roster
                      records in the system.




                     3.6


                      The system provides the ability to monitor user access and traffic patterns
                      (number of contacts, lengths of activity, peak zones, etc.)

                      Response: The SumTotal platform leverages the industry standard Microsoft
                      IIS web server platforms and as such third party tools such as WebTrends
                      can be easily used to monitor application usage and traffic. The
                      WebTrends tool is used by the SumTotal Systems datacenter to analyze
                      usage traffic by hosted customers.




    SumTotal Security (SCR) Con.
                     3.7


                      Database login configuration is accomplished by a system administration
                      configuration interface and is protected to prevent unauthorized access
                      Response: The database login information utilized by the SumTotal web
                      server to access the SumTotal database is configured by a system
                      administration configuration setting and is stored in an encrypted format.




                     3.8


                      Describe application compliancy with each of the OWASP Top Ten Minimum
                      Security Standards for Web Application Security.
                      Response: Response to each of the OWASP Top Ten is on the three
                      subsequent slides




    OWASP Top Ten Security Vulnerabilities

             Vulnerability                                 Description                                   SumTotal Response




 Unvalidated Input                      Information from web requests is not validated before    Not an issue – validated by third party
                                        being used by a web application. Attackers can use       security audits
                                        these flaws to attack backend components through a
                                        web application.
 Broken Access Control                  Restrictions on what authenticated users are allowed     Not an issue – validated by third party
                                        to do are not properly enforced. Attackers can exploit   security audits
                                        these flaws to access other users' accounts, view
                                        sensitive files, or use unauthorized functions.
 Broken Authentication and Session      Account credentials and session tokens are not           Not an issue – validated by third party
 Management                             properly protected. Attackers that can compromise        security audits
                                        passwords, keys, session cookies, or other tokens
                                        can defeat authentication restrictions and assume
                                        other users' identities.




     OWASP Top Ten Security Vulnerabilities

             Vulnerability                                 Description                                  SumTotal Response




 Cross Site Scripting (XSS) Flaws       The web application can be used as a mechanism to       Several identified issues via third party
                                        transport an attack to an end user's browser. A         security audits. Were addressed via a
                                        successful attack can disclose the end user's           security hotfix for the 7.1 release and now
                                        session token, attack the local machine, or spoof       part of the core product
                                        content to fool the user.
 Buffer Overflows                       Web application components in some languages that       Not an issue – validated by third party
                                        do not properly validate input can be crashed and, in   security audits
                                        some cases, used to take control of a process. These
                                        components can include CGI, libraries, drivers, and
                                        web application server components.
 Injection Flaws                        Web applications pass parameters when they access       No SQL injection vulnerabilities – all stored
                                        external systems or the local operating system. If an   procedures used for DB access. A few
                                        attacker can embed malicious commands in these          exposures to JavaScript “Eval()” function
                                        parameters, the external system may execute those       injection. Were addressed via security
                                        commands on behalf of the web application.              hotfix for 7.1 release and now part of the
                                                                                                core product
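
The Injection Flaws response above mentions exposures to JavaScript eval() injection without showing the pattern. The following is an added illustration, not SumTotal code and not part of the original presentation: a generic server-side JavaScript parser for a client-supplied state string, written with eval() beside a hardened form that uses JSON.parse and an allow-list. All function names, field names and sample inputs are constructed.

```javascript
// Added illustration; not SumTotal code. All names and inputs are constructed.

// Records side effects so the demo can show whether client text was executed.
const audit = { sideEffects: [] };

// Constructed sample inputs, standing in for a client-supplied form field.
const BENIGN_STATE = '{"courseId": 1042, "page": 3, "sort": "title"}';
const HOSTILE_STATE =
  '(function () { audit.sideEffects.push("client-supplied code ran");' +
  ' return { courseId: 1, page: 1, sort: "title" }; })()';

// Weak form: eval() treats the client string as program text, so any
// expression in it runs with the privileges of the server-side script.
function parseStateUnsafe(raw) {
  return eval("(" + raw + ")");
}

// Allow-list of expected fields, each with a strict type and range check.
const STATE_SCHEMA = {
  courseId: (v) => Number.isInteger(v) && v > 0,
  page: (v) => Number.isInteger(v) && v >= 1 && v <= 10000,
  sort: (v) => ["title", "date", "status"].includes(v),
};
const MAX_STATE_LENGTH = 512;

// Hardened form: the string is only ever parsed as data, then validated.
function parseStateSafe(raw) {
  if (typeof raw !== "string" || raw.length > MAX_STATE_LENGTH) {
    return { ok: false, reason: "bad type or length" };
  }
  let parsed;
  try {
    parsed = JSON.parse(raw); // never executes the input
  } catch (err) {
    return { ok: false, reason: "not valid JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { ok: false, reason: "not an object" };
  }
  const clean = {};
  for (const key of Object.keys(parsed)) {
    // Own-property check so inherited names (constructor, __proto__) fail.
    if (!Object.prototype.hasOwnProperty.call(STATE_SCHEMA, key)) {
      return { ok: false, reason: "unexpected field: " + key };
    }
    if (!STATE_SCHEMA[key](parsed[key])) {
      return { ok: false, reason: "invalid value for " + key };
    }
    clean[key] = parsed[key];
  }
  for (const key of Object.keys(STATE_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(clean, key)) {
      return { ok: false, reason: "missing field: " + key };
    }
  }
  return { ok: true, value: clean };
}

// Runs both parsers over the constructed inputs and reports what happened.
function demo() {
  audit.sideEffects.length = 0;
  const unsafeBenign = parseStateUnsafe(BENIGN_STATE);
  parseStateUnsafe(HOSTILE_STATE);
  const injectedRunsUnderEval = audit.sideEffects.length;
  const safeHostile = parseStateSafe(HOSTILE_STATE);
  const safeBenign = parseStateSafe(BENIGN_STATE);
  return {
    unsafeBenignPage: unsafeBenign.page,
    injectedRunsUnderEval,
    injectedRunsTotal: audit.sideEffects.length,
    safeHostile,
    safeBenign,
  };
}

console.log(demo());
```

Both parsers return the same object for well-formed input, so the difference only shows up under hostile input; searching server-side script for eval() calls whose argument derives from request data is the corresponding review check.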




     OWASP Top Ten Security Vulnerabilities

             Vulnerability                                  Description                                   SumTotal Response

 Improper Error Handling                Error conditions that occur during normal operation       Not an issue – validated by third party
                                        are not handled properly. If an attacker can cause        security audits
                                        errors to occur that the web application does not
                                        handle, they can gain detailed system information,
                                        deny service, cause security mechanisms to fail, or
                                        crash the server.
 Insecure Storage                       Web applications frequently use cryptographic             Not an issue – validated by third party
                                        functions to protect information and credentials.         security audits
                                        These functions and the code to integrate them have
                                        proven difficult to code properly, frequently resulting
                                        in weak protection.
 Denial of Service                      Attackers can consume web application resources to        Not an issue – validated by third party
                                        a point where other legitimate users can no longer        security audits
                                        access or use the application. Attackers can also lock
                                        users out of their accounts or even cause the entire
                                        application to fail.

 Insecure Configuration Management      Having a strong server configuration standard is          Not an issue – validated by third party
                                        critical to a secure web application. These servers       security audits
                                        have many configuration options that affect security
                                        and are not secure out of the box.




    SumTotal Security (SCR) Con.
                     3.9


                      Describe audit capability for monitoring and reporting on application
                      configuration changes.
                      Response: SumTotal does




                     3.10


                      Describe how vendor test and release schedule for maintaining
                      compatibility with server and end-user operating system, application
                      and/or database security patch releases.
                      Response: SumTotal typically releases a new major or minor application
                      version every six months and the goal of each release is to support new
                      server/client operating system versions, browser versions and
                      application/database patch releases. In addition, SumTotal has a dedicated
                      performance and compatibility testing lab where every attempt is made to
                      support the latest versions of software platforms for existing SumTotal
                      releases based upon customer demand.




    SumTotal Security (SCR) Con.
                     3.11


                      Describe any required vendor remote access to application for support
                      purposes. What measures are available to ensure secure vendor
                      authentication and authorization?
                      Response: SumTotal does not typically require remote access to customer
                      server environments to address issues but there are times where having
                      such access can assist in resolving an issue in a more timely manner. In
                      such instances such remote access is controlled by the customer. In
                      instances where the application is hosted by SumTotal, all remote access to
                      the customer environment by SumTotal occurs via CheckPoint SecuRemote
                      authentication.



                     3.12


                      Describe how restricted personal information will be transported between
                      application servers and application users.

                      Response: For most customers the data stored in the SumTotal platform is
                      not considered restricted personnel information. The SumTotal platform
                      does support the use of SSL to encrypt all application data traffic that flows
                      between application users and the SumTotal web server.




    SumTotal Security (SCR) Con.
                     3.13


                      Describe vendor response system and escalation process for client report of
                      security and/or technical application issues.
                      Response: SumTotal Systems currently has over 100 people dedicated to
                      some aspect of customer support in our global organization. Our Standard
                      Support program operates on a queue basis where the next available
                      engineer is assigned a new support request. Issues can be escalated
                      directly to Customer Support Management or through your SumTotal
                      Account Executive or Professional Services Project Manager. Escalated
                      issues are elevated to SumTotal executive management as necessary (no
                      less than weekly) and there is a dedicated Customer Advocacy function to
                      assist in the tracking and resolution of particularly important or complex
                      customer issues.

                     3.14


                      Describe your system’s reporting capability regarding usage log files and
                      traffic patterns.
                      Response: The SumTotal platform leverages the industry standard Microsoft
                      IIS web server platforms and as such third party tools such as WebTrends
                      can be easily used to monitor application usage and traffic. The
                      WebTrends tool is used by the SumTotal Systems datacenter to analyze
                      usage traffic by hosted customers.




    SumTotal Support/Upgrades
                     4.1


                      Provide information on how client reported defects are identified, tracked,
                      and resolved.
                      Response: Product support is initiated by a request from a customer filed via
                      phone or over the web. The request comes into our Tier 1 representative,
                      whose primary responsibility is to log the issue into our ticket tracking
                      system and perform a basic level of troubleshooting. If the issue is not
                      immediately resolved, it is assigned to a Tier 2 representative with
                      functional expertise in the product area in question. At any point, the
                      support engineer is empowered to escalate the issue to other functions
                      within our organization to facilitate swift resolution.



                     4.2


                      Describe the extent to which University of California can customize code
                      and still receive timely and efficient upgrades. Additionally, use this time
                      to review your normal upgrade process and an atypical upgrade (to a
                      customization system). Also, address required training related to
                      customization of the system.
                      Response: SumTotal’s recommended approach for extending the
                      application’s features is to leverage our SOAP-based web services interface.
                      This model abstracts customers from database schema and application
                      changes in future releases. SumTotal provides detailed web services
                      documentation and can provide tailored training and consulting on the
                      use of web services to meet specific customer needs.




    SumTotal Support/Upgrades
                     4.3


                      Describe any shortcomings of your system and explain your plan to resolve
                      them in upcoming releases.
                      Response: Three functional shortcomings in the current shipping product
                      are scheduled to be addressed in a release in 2007. They are:

                              The ability to assign required training to an audience
                              The ability for a manager to define a delegate or proxy
                              The ability to define email attachments for notifications




                                                              University of CA Technical
                                                           Presentation, November 15, 2006

                                                             Presented by: Bill Docherty, Senior
                                                               Director, Product Management



