Ulster University Standard Cover Sheet

Transcription

1 Ulster University Standard Cover Sheet Document Title AUTHENTICATION STANDARD 2.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) ISD Committee Policy approved date Policy effective from date Policy review date Changes to previous version Page 1 Change Un-Acceptable to unacceptable. Page 2 Change computer or information service to network, system or service. Page 4 Update hyperlink Page 5 Added, or numeric token/pin

2 INTRODUCTION AND BACKGROUND To help to ensure information security, authentication of individual user and system accounts to the University s networks, systems and services is required. Authentication both allows access, and helps to enforce the privileges granted to each individual user and system accounts, while also protecting against unauthorised access and malicious activity. Further information on ISD policies, standards and guidelines is available at: RELEVANT LEGISLATION The University will comply with all legislation and statutory requirements relevant to information and information systems, including: Computer Misuse Act 1990; Data Protection Act 1998; Communications Act 2003; Copyright, Designs and Patents Act 1988; Freedom of Information Act 2000; Human Rights Act 2000; Regulation of Investigatory Powers Act 2000; Police and Justice Act 2006; The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 ( the Lawful Business Regulations ) PURPOSE The purpose of this document is to define University standards for Authentication of individuals and systems when accessing or manipulating University Information Assets and/or Information Services, with a view to reducing Information Assurance and unacceptable use risks. The aim of establishing such a standard is to: 1. Establish a coherent authentication process for user and system accounts; 2. Define an approach to authentication which is consistent with the Information Assurance requirements of the University. Page 1 of 5

3 3. Support the implementation of other aspects of Information Assurance Policy and Strategy SCOPE The scope of this standard is University wide and includes all Computer Users, all University owned computers and all data networks owned and/or operated by the University. DEFINITIONS User Account is used to refer to an established relationship between a user (individual) and a network, system or service. User Accounts are normally identified by a Username or account identifier which is unique to the network, system or service. System Account is used to refer to an account that is not associated with an individual, but could be used by multiple users for specific functions, or used by automated systems. These can consist of: Application/Database Accounts Administrator Account Ultimately, an individual or automated process can be identified with a specific individual use of the account through system logs. Application/Database Account is used to refer to an application or database account used by an application to connect to another application, web service or database. Administrator Account is used to refer to an account with sufficient privileges to enable necessary systems management, systems administration or engineering activities. Password is used to refer to a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. With regard to Information Services, a password is normally used in conjunction with a Username or other account identifier which (in the case of User Accounts) uniquely identifies the person and/or role associated with user account. Authentication is used to refer to the process of verifying the use of an account. University Information Service is used to refer to any information system or service that resides on a University of Ulster owned or operated data communications network. Associates is used to refer to all individuals who are not staff, students or visitors, and who are given a user account on one or more networks, systems or services. Page 2 of 5

4 Associates include contractors, vendors and other third parties conducting business with the University. Enterprise class is used to refer to information systems and services which provide services which are consumed by a broad range of users across the University and which are deemed to be important to the operations and/or strategic aims and objectives of the University. IMPLEMENTATION There are two main types of accounts: User Accounts these establish a relationship between a user (individual) and a computer or information service. System Accounts these refer to an account that is not associated with an individual, but could be used by multiple users for specific functions, or used by automated systems. Authentication User Accounts 1. Each IT service will provide each user with an individual User Account; a. The User Account identifier for staff will be the user s staff number, commonly referred to as the e code; b. The User Account identifier for students will be the user s student number, commonly referred to as the b code; c. The User Account identifier for associates will be the user s associate number, commonly referred to as the a code; d. The User Account identifier for visitors will be the user s visitor number, commonly referred to as the v code; 2. The authentication process must achieve attribution to an individual, therefore shared User Accounts are explicitly dis-allowed. Authentication System Accounts 1. System Accounts may exist to allow automated access to connection and use of an application, web service or database, or to allow for specific systems management, engineering purposes, or for other specific administrative functions. 2. Where Application/Database Accounts exist, they should: Have the minimal privileges necessary Be associated by name with a specific single application where possible for easy identification and diagnostics Be linked to a user account through logs when used Page 3 of 5

5 3. It is policy that wherever technically possible a systems manager, systems administrator or engineer will authenticate with their individual user account and once authenticated as an individual will assume sufficient privileges to complete the necessary systems management, systems administration or engineering activities e.g. Software installation, Account Management, System Shutdown etc. 4. Where Administrator Accounts exist, they should: Be used in a way consistent with the University System Administrators Code of Practice Be linked to a user account through logs when used. The Single Password Domain The University strategy shall have an integrated single password domain structure implemented by storing and managing authentication credentials in a single directory and authentication service structure.. The centrally managed, auditable authentication service (ISAS) shall be managed by the Information Services Directorate on behalf of the University and shall comprise the following elements: 1. A directory and authentication service based on Microsoft Active Directory with the following domains; a. The Staff, Associates and Visitors domain named AD ; b. The Student domain named SD ; 2. A Password Change/Reset Service, delivered through the Staff Web Portal, which will facilitate all users within the University, irrespective of the Client Operating System used, to manage their ISAS Password. Computer Access Controls All University owned computers are required to implement access controls to authenticate users of the computer. Information Services Access Controls All Information Services shall implement Access Controls to authenticate the individual being granted access. Enterprise Class Information Systems and Services shall adopt use of the ISAS unless a deviation to use an alternative service is granted by the Deputy Director of Finance and Information Services (Information Services). Reasons for granting a deviation may include: 1. Technical infeasibility; 2. Information Assurance risk where it is infeasible to use a second factor. Page 4 of 5

6 Internet Access Controls The Internet shall require authentication before access is granted. Single Sign On (SSO) There shall exist a SSO domain for Enterprise Class Information Systems and Services. For services within the SSO domain a user will be required to authenticate once. Thereafter the user will achieve access to other services within the SSO without being challenged to authenticate again. The SSO domain shall: 1. Be designed, implemented and operated by the Information Services Directorate; 2. Have an audit trail of authentications; 3. Shall use the ISAS, defined above, to authenticate users. Decision to Include/exclude any individual Enterprise Class Information System or Service in the SSO domain shall be the responsibility of the Chief Finance and Information Officer. Multiple Factors Some Information Systems/Services which are considered to be of high information assurance risk shall be required to use additional authentication factors, normally one additional factor. In multi-factor authentication the normal process is to use a) Something one knows, b) Something one has, and/or c) Something one is. The standard for 2 factor authentication shall be: 1. Something one knows: The user s ISAS password; 2. Something one has: A registered Cryptocard authentication token, or numeric token/pin. Something one is (biometric information) is not currently used. Decision to require 2 factor authentication shall be the decision of the Deputy Director of Finance and Information Services (Information Services). Secure Transmission of Credentials Authentication credentials to and from University networks, systems and services shall not be transmitted across University networks in clear text except by express permission from the Director, Information Services. This is ordinarily only granted for unsophisticated low-level sensor equipment. Page 5 of 5