Authentication Standard-Draft - Information Protection and Security


Authentication Standard

I. Purpose

Rutgers University owns and manages numerous electronic identifiers.

Electronic identifiers and authentication provide the university community with access to Information Technology resources and university data. The management and application of authentication processes can occur both centrally and at distributed business units. The purpose of this standard is to identify authentication controls and processes so that both central and distributed units can apply a consistent authentication model. Applying these authentication standards demonstrates that a department or business unit conforms to industry best practices and, in many cases, demonstrates regulatory compliance.

II. Scope

This standard applies to all University IT resources and data. Such data includes, but is not limited to, student records, personnel files, financial information (budget, payroll, etc.), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of, the University.

III. Types of Authentication

Authentication refers to the process by which a person's or system's identity is verified based upon a credential. In most cases the credential offered is a userid and password, while other methods exist for where a greater level of confidence is required. Since the verification of these credentials is the primary means of access to systems, it is a critical part of the Rutgers security architecture.

Authentication can involve something the user knows (e.g. a password), commonly referred to as single-factor authentication. A higher degree of confidence can be achieved with two-factor authentication, where something the user has (a smart card) is combined with something the user knows. A third factor can be something the user "is" (a fingerprint or voice pattern). Using additional factors reduces the likelihood that a system will be compromised and makes it more difficult for someone to gain unauthorized access to a system.

As the sensitivity of the information being accessed increases, the required confidence in the authentication credentials being presented must increase correspondingly. Similarly, the requirements on the process by which credentials are issued and validated, called "identity proofing", increase. The four levels of authentication to consider when establishing credential requirements for Rutgers data are defined as follows.

Levels of Authentication

LEVEL 1
At Level 1, there is little or no confidence in the asserted identity; it is usually self-asserted and is essentially a persistent identifier. There is typically no identity proofing required at Level 1. For example, authentication at this level may be appropriate for self-registration websites.

LEVEL 2
Successful authentication at Level 2 requires that the claimant prove, through a secure authentication protocol, that he or she controls a single authentication factor. Approved cryptography is required to prevent eavesdroppers. At Level 2, identity proofing requirements are introduced, requiring presentation of identifying materials or information. The password associated with the Rutgers NetID is an example of a Level 2 authentication credential.

LEVEL 3
Successful authentication at Level 3 requires that the claimant prove that he or she controls a minimum of two authentication factors. Eavesdropper, replay, on-line guessing, verifier impersonation and man-in-the-middle attacks are prevented. At Level 3, there is high confidence in the asserted identity's accuracy, and there is a strong identity proofing requirement. Strong cryptographic techniques are used to protect all operations. A one-time password system such as a SafeWord card (a token requiring a PIN), biometrics coupled with a password/PIN, and public key technologies (key and passphrase) are potentially appropriate for this Level.

LEVEL 4
Level 4 is intended to provide the highest practical remote network authentication assurance. Level 4 is similar to Level 3 except that only "hard" cryptographic tokens are allowed. By requiring a physical token which cannot readily be copied, and requiring operator authentication at Level 2 and higher, this level ensures good two-factor remote authentication. Eavesdropper, replay, online guessing, verifier impersonation and man-in-the-middle attacks are prevented. Strong, approved cryptographic techniques are used for all operations. Based on the scope of the data types at Rutgers, Level 4 authentication is not required. Acceptable mechanisms include cryptographic smart cards.

* Based on NIST 800-64, "Electronic Authentication Guideline"

IV. Standard

At Rutgers, data is broadly classified into three categories: "Restricted", "Limited Access", and "Public".

Based on how a data asset is classified, commensurate controls should be implemented to ensure its confidentiality, integrity, and availability.

The following chart shows how the mapping is applied. For each data classification category, the level of authentication listed is the minimum acceptable. A higher level of authentication may be necessary in certain circumstances.

Level 1
Data Classification: Public
Type of Access: Level 1 is for unauthenticated access. There is no knowledge of the user's identity. Level 1 is also appropriate for users who are loosely affiliated with the University.
Examples: Public web sites, e.g. www.rutgers.edu; self-registration sites. The set of users loosely affiliated with the University may include guests and group accounts.

Level 2
Data Classification: Limited Access
Type of Access: Level 2 is appropriate for users accessing information they created, are the subject of, or that is intended for them; or who, because of their work responsibilities, have access to information that is not their own.
Examples: This includes users of the MyRutgers portal and other portal-like self-service functions, and activities such as reading/writing email, checking calendar, RIAS, enrolling, SAKAI, etc. It also includes users who have:
- Access to other people's information (e.g. registrar staff that can accept tuition payments but do not have access to data classified as "restricted"; or an instructor that can enter grades for their students).
- Access to programs/files/data on an INTERNAL system (e.g. developers and DBAs).
- Access to an INTERNAL system as root or admin (e.g. SysAdmin).
- Access to an internal system that IS NOT subject to regulatory requirements (e.g. GLBA, HIPAA, PCI, etc.).

Level 3
Data Classification: Restricted
Type of Access: Level 3 is appropriate for users who, because of their work responsibilities, have access to restricted information that is not their own. This authority presents a higher risk and thus requires a higher level of confidence in the user's identity.
Examples: This includes users who have:
- Access to more than one's own personal or RESTRICTED information (e.g. an HR person who can view/update records for all personnel in their workgroup, aka functional users).
- Access to programs/files/data on a RESTRICTED system (e.g. developers and DBAs).
- Access to a RESTRICTED system as root or admin (e.g. SysAdmin).
- Access to a restricted system that IS subject to regulatory requirements (e.g. HIPAA, PCI, etc.).

V. Password Requirements

In cases where a moderate or limited degree of authentication is required, such as at Level 2, the most frequently presented credentials are a userid and password. Often, the strength of protection provided for the data is directly related to the complexity and security of the password. To achieve an acceptable level of security when authenticating to IT resources, the university has established the following minimum rules for creating and managing passwords associated with Rutgers electronic identifiers. In some cases, regulatory (e.g. HIPAA, PCI, etc.) or departmental practices may need to be established that exceed these requirements.

Password Expiration – Expiring passwords after a period of time may help in cases of changes to policy, or where credentials have been stolen. Rutgers considers a standard password expiration of 1 year appropriate in support of these purposes.

Password Length – The minimum password length should be set to 10 characters, and systems handling passwords should be able to accommodate passwords of up to 60 characters. Systems accepting passwords should be able to accept at least all printable ASCII characters.

Password Complexity - At Rutgers, the current character set represents sufficient complexity. The complexity along with other password management options should thwart password guessing attacks.

Account Lockout – Account lockout improves a system's resilience to guessing attacks. The implementation must ensure that the average rate of attempts over the controlled interval does not allow more than one password trial every 30 seconds. An acceptable example would be to lock an account for one minute when 4 failed attempts are seen within the preceding minute.
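As an added example (not part of the standard), a sliding-window lockout implementing the rule above, four failures within the preceding minute lock the account, together with a worst-case simulation that reports the guessing rate a given lockout length actually yields, so the parameters can be checked against the one-attempt-per-30-seconds bound. Timestamps are injected rather than read from the clock, and the userid "victim" and the half-second attacker cadence are constructed sample values.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # failures are counted over the preceding minute
MAX_FAILURES = 4        # the fourth failure inside the window triggers a lock

class LockoutPolicy:
    """Per-account lockout: MAX_FAILURES failures within WINDOW_SECONDS lock
    the account for lockout_seconds. Caller supplies timestamps (seconds)."""

    def __init__(self, lockout_seconds=60.0):
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # userid -> recent failure times
        self._locked_until = {}               # userid -> time the lock ends

    def is_locked(self, userid, now):
        return self._locked_until.get(userid, 0.0) > now

    def attempt(self, userid, password_ok, now):
        """Return True if the attempt was allowed to reach the verifier.
        Attempts made while locked are rejected before the password is
        checked, so they neither count as failures nor extend the lock."""
        if self.is_locked(userid, now):
            return False
        if password_ok:
            self._failures[userid].clear()
            return True
        window = self._failures[userid]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()              # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[userid] = now + self.lockout_seconds
            window.clear()
        return True

def worst_case_attempts(lockout_seconds, duration=3600.0, step=0.5):
    """Attempts that a guesser retrying every `step` seconds, never succeeding,
    actually gets through to the verifier within `duration` seconds."""
    policy = LockoutPolicy(lockout_seconds)
    t, allowed = 0.0, 0
    while t < duration:               # "victim" is a constructed sample userid
        if policy.attempt("victim", False, t):
            allowed += 1
        t += step
    return allowed

def meets_rate_bound(lockout_seconds, duration=3600.0, max_interval=30.0):
    """True if the worst-case average is at most one attempt per max_interval
    seconds, the bound this section sets at 30 seconds."""
    return worst_case_attempts(lockout_seconds, duration) <= duration / max_interval
```

Against a guesser retrying every half second, a 60-second lock after 4 failures lets through 236 attempts per hour (4 every 61.5 seconds), above the 120 per hour that the 30-second bound permits; lengthening the lock to 120 seconds brings the hourly total to exactly 120.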
