Document Title / AUTHENTICATION STANDARD 2.7
Custodian / Deputy Director of Finance and Information Services (Information Services)
Approving Committee / ISD Committee
Policy approved date / 2017-11-02
Policy effective from date / 2017-11-02
Policy review date / 2018-11-02

Ulster University Standard Cover Sheet

Changes to previous version
Page 3 – Addition of “The University is moving toward the implementation of a single name for user accounts on all systems/services.”
Page 5 – Removal of “are considered to be”

Authentication Standard 2.7

INTRODUCTION AND BACKGROUND

To help ensure information security, authentication of individual user and system accounts to the University’s networks, systems and services is required. Authentication both allows access and helps to enforce the privileges granted to each individual user and system account, while also protecting against unauthorised access and malicious activity.

Further information on ISD policies, standards and guidelines is available at:

RELEVANT LEGISLATION

The University will comply with all legislation and statutory requirements relevant to information and information systems, including:

  • Computer Misuse Act 1990;
  • Data Protection Act 1998;
  • Communications Act 2003;
  • Copyright, Designs and Patents Act 1988;
  • Freedom of Information Act 2000;
  • Human Rights Act 2000;
  • Regulation of Investigatory Powers Act 2000;
  • Police and Justice Act 2006;
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (‘the Lawful Business Regulations’)

PURPOSE

The purpose of this document is to define University standards for Authentication of individuals and systems when accessing or manipulating University Information Assets and/or Information Services, with a view to reducing Information Assurance and unacceptable use risks. The aim of establishing such a standard is to:

1. Establish a coherent authentication process for user and system accounts;

2. Define an approach to authentication which is consistent with the Information Assurance requirements of the University.

3. Support the implementation of other aspects of Information Assurance Policy and Strategy.

SCOPE

The scope of this standard is University wide and includes all Computer Users, all University owned computers and all data networks owned and/or operated by the University.

DEFINITIONS

“User Account” is used to refer to an established relationship between a user (individual) and a network, system or service. User Accounts are normally identified by a Username or account identifier which is unique to the network, system or service.

“System Account” is used to refer to an account that is not associated with an individual, but could be used by multiple users for specific functions, or used by automated systems. These can consist of:

  • Application/Database Accounts
  • Administrator Account

Ultimately, each specific use of such an account can be attributed to an individual or automated process through system logs.

“Application/Database Account” is used to refer to an application or database account used by an application to connect to another application, web service or database.

“Administrator Account” is used to refer to an account with sufficient privileges to enable necessary systems management, systems administration or engineering activities.

“Password” is used to refer to a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. With regard to Information Services, a password is normally used in conjunction with a Username or other account identifier which (in the case of User Accounts) uniquely identifies the person and/or role associated with the user account.

“Authentication” is used to refer to the process of verifying the use of an account.

“University Information Service” is used to refer to any information system or service that resides on a University of Ulster owned or operated data communications network.

“Associates” is used to refer to all individuals who are not staff, students or visitors, and who are given a user account on one or more networks, systems or services. Associates include contractors, vendors and other third parties conducting business with the University.

“Enterprise class” is used to refer to information systems and services which provide services which are consumed by a broad range of users across the University and which are deemed to be important to the operations and/or strategic aims and objectives of the University.

IMPLEMENTATION

There are two main types of accounts:

  • User Accounts – these establish a relationship between a user (individual) and a computer or information service.
  • System Accounts – these refer to an account that is not associated with an individual, but could be used by multiple users for specific functions, or used by automated systems.

Authentication – User Accounts

1. Each IT service will provide each user with an individual User Account;

a. The User Account identifier for staff will be the user’s staff number, commonly referred to as the “e” code;

b. The User Account identifier for students will be the user’s student number, commonly referred to as the “b” code;

c. The User Account identifier for associates will be the user’s associate number, commonly referred to as the “a” code;

d. The User Account identifier for visitors will be the user’s visitor number, commonly referred to as the “v” code;

The University is moving toward the implementation of a single name for user accounts on all systems/services.

2. The authentication process must achieve attribution to an individual; therefore shared User Accounts are explicitly disallowed.

Authentication – System Accounts

1. System Accounts may exist to allow automated access to connection and use of an application, web service or database, or to allow for specific systems management, engineering purposes, or for other specific administrative functions.

2. Where Application/Database Accounts exist, they should:

  • Have the minimal privileges necessary;
  • Be associated by name with a specific single application where possible for easy identification and diagnostics;
  • Be linked to a user account through logs when used.

3. It is policy that wherever technically possible a systems manager, systems administrator or engineer will authenticate with their individual user account and, once authenticated as an individual, will assume sufficient privileges to complete the necessary systems management, systems administration or engineering activities, e.g. software installation, account management, system shutdown etc.

4. Where Administrator Accounts exist, they should:

  • Be used in a way consistent with the University System Administrators Code of Practice;
  • Be linked to a user account through logs when used.

The Single Password Domain

The University strategy shall have an integrated single password domain structure implemented by storing and managing authentication credentials in a single directory and authentication service structure.

The centrally managed, auditable authentication service (ISAS) shall be managed by the Information Services Directorate on behalf of the University and shall comprise the following elements:

1. A directory and authentication service based on Microsoft Active Directory.

2. A Password Change/Reset Service, delivered through the Web Portal, which will facilitate all users within the University, irrespective of the Client Operating System used, to manage their ISAS Password.

Computer Access Controls

All University owned computers are required to implement access controls to authenticate users of the computer.

Information Services Access Controls

All Information Services shall implement Access Controls to authenticate the individual being granted access.

Enterprise Class Information Systems and Services shall adopt use of the ISAS unless a deviation to use an alternative service is granted by the Deputy Director of Finance and Information Services (Information Services). Reasons for granting a deviation may include:

1. Technical infeasibility;

2. Information Assurance risk where it is infeasible to use a second factor.

Internet Access Controls

The Internet shall require authentication before access is granted.

Single Sign On (SSO)

There shall exist a SSO domain for Enterprise Class Information Systems and Services. For services within the SSO domain a user will be required to authenticate once. Thereafter the user will achieve access to other services within the SSO without being challenged to authenticate again.

The SSO domain shall:

1. Be designed, implemented and operated by the Information Services Directorate;

2. Have an audit trail of authentications;

3. Use the ISAS, defined above, to authenticate users.

The decision to include or exclude any individual Enterprise Class Information System or Service in the SSO domain shall be the responsibility of the Deputy Director of Finance and Information Services (Information Services).

Multiple Factors

Some Information Systems/Services which are of high information assurance risk shall be required to use additional authentication factors, normally one additional factor. In multi-factor authentication the normal process is to use a) something one knows, b) something one has, and/or c) something one is. The standard for 2 factor authentication shall be:

1. Something one knows: The user’s ISAS password;

2. Something one has: A registered Cryptocard authentication token, or numeric token/PIN.

Something one is (biometric information) is not currently used.

The decision to require 2 factor authentication shall rest with the Deputy Director of Finance and Information Services (Information Services).

Secure Transmission of Credentials

Authentication credentials to and from University networks, systems and services shall not be transmitted across University networks in clear text except by express permission from the Deputy Director of Finance and Information Services (Information Services). This is ordinarily only granted for unsophisticated low-level sensor equipment.
