GatorLink Password Management Policy

GatorLink Password Management Policy
March 31, 2004
What is GatorLink?
• Under development since 1996
• Conceived as a single sign-on solution – the electronic equivalent of the Gator 1 card
• “GatorLink” is an adjective – used to describe a collection of services:
  – Email
  – Web hosting
  – Dial-up
  – Authentication services for web servers
  – Kerberos authentication services
  – Username and password
PeopleSoft
• PeopleSoft will be the system of record for
information about people (directory
information). Directory services will be
implemented in PeopleSoft Campus
Community by 2006
• PeopleSoft will be the system of record for
identity management
• PeopleSoft will be the system of record for
authorization information
PeopleSoft and GatorLink
• GatorLink usernames and passwords adopted
as the university standard for enterprise
authentication
• GatorLink used to authenticate access to the
portal, and all portal-based services
• GatorLink used to authenticate access to
Cognos and Enterprise Reporting
• GatorLink used to authenticate access to ISIS
and Admin Menu
• Single sign-on via GLAuth – cookie-based
system developed at UF
Password Policy Needs
• One size does not fit all. The same password
policy used for undergraduate students would
not be appropriate for central payroll.
• Simultaneously heard that GatorLink password
policy was too “strict” and “not strict enough”
• 75% of all Help Desk calls involve GatorLink
passwords
• General need to improve security
• Need to recognize diversity of use of GatorLink
user base (>100,000)
The Idea
• Have multiple GatorLink password policies
• Tie GatorLink password policy to the
authorizations of a user.
– If a user is authorized to do work requiring
high levels of security, have a highly secure
password policy.
– If a user is not authorized to do such work, do
not require a highly secure password policy
• In all cases, ensure strong passwords and best practices for password management
The Process
• Define a password policy as a collection of attribute/value pairs (e.g., Expiration in days = 90)
• Create a sufficient number of password policies,
each with the same attributes to span the needs
from casual to highly secure
• ITAC-DI&ADM and ITAC-ISM recommend
attributes and values
• Refine, review, present, discuss, refine, review,
present, finalize
The Policy
The University of Florida (UF) is committed to a secure information technology
environment in support of its missions. With the implementation of new
integrated, real-time computer systems and single sign-on accessibility via the
myUFL portal, the need for a strong password policy is greater than ever.
The GatorLink username and password is the University standard username and
password for authentication for all new information systems. The University
uses a role-based approach for providing access to these systems. Each
person affiliated with UF has one or more security roles. Each security role
has an associated password policy. If an individual has several roles, with
conflicting password policies, the “strongest” policy applies.
This policy is guided by the following principles:
• Five levels of password policy are necessary, each with a different set of requirements for password creation and reset. (See Attachment A.)
• The assignment of a password policy is based on an individual’s security role(s) and is not an automatic result of an affiliation or staff position.
• Passwords must include three of the following four elements: upper case letters, lower case letters, digits and punctuation. Passwords may not contain words found in a dictionary.
• Passwords will expire during UF Help Desk business hours.
• GatorLink passwords and security roles, and the resulting association of password policy to a user, are held in the PeopleSoft Enterprise Portal system (myUFL) and managed by UF Bridges.
The Matrix
P1: Entry. For example: Vendors, guests, student applicants, HR applicants
P2: Low. Example: Access to information only about yourself.
P3: Medium. Example: Access to information about others. Provide data at unit level.
P4: High. Example: Access to information at the institutional level
P5: Rigorous. Example: Control institution systems.

Attribute                                                   P1    P2    P3    P4    P5
 1. Minimum length of password                              8     8     8     9     9
 2. Password is character checked                           Yes   Yes   Yes   Yes   Yes
 3. Maximum age of password (in days)                       365   365   180   90    90
 4. Days of daily expiration warnings                       14    14    14    14    14
 5. Password minimum age for reset (in days)                1     1     1     1     1
 6. Password uniqueness/history                             200   200   200   200   200
 7. Failed attempts before lockout                          20    20    20    20    20
 8. Lockout duration in minutes                             30    30    30    30    30
 9. May reset via self-service web                          Yes   Yes   No    No    No
10. May reset via Help Desk phone                           Yes   Yes   Yes   No    No
11. May reset in person                                     Yes   Yes   Yes   Yes   Yes
12. Must read AUP on reset                                  Yes   Yes   Yes   Yes   Yes
13. Must take quiz once per year                            No    Yes   Yes   Yes   Yes
14. Must complete security class before account is issued   No    No    No    Yes   Yes
15. Must use 2-factor authentication                        No    No    No    No    Yes
16. Account is expired if password is cracked               No    No    No    Yes   Yes
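The deck describes a policy as a set of attribute/value pairs, assigns each security role a level, applies the strongest policy when a user holds several roles, and requires three of four character classes with no dictionary words. The following Python is an added worked example, not UF's code and not a description of the GatorLink or myUFL implementation: it encodes a subset of the matrix above, resolves a user's effective level, and runs the creation, expiry and lockout checks that the matrix values drive. The role names, the sample dictionary, the reading of "strongest" as the highest-numbered level, and the substring interpretation of the dictionary rule are all assumptions made for the example.

```python
"""Added worked example, not UF code: a policy table built from the matrix,
resolution of a user's effective policy, and the checks it drives."""
from datetime import datetime, timedelta
import string

# Attribute/value pairs from the matrix (a subset of its 16 attributes).
_COMMON = {"warning_days": 14, "min_age_days": 1, "history": 200,
           "failed_attempts": 20, "lockout_minutes": 30}
POLICIES = {
    "P1": dict(_COMMON, min_length=8, max_age_days=365, two_factor=False),
    "P2": dict(_COMMON, min_length=8, max_age_days=365, two_factor=False),
    "P3": dict(_COMMON, min_length=8, max_age_days=180, two_factor=False),
    "P4": dict(_COMMON, min_length=9, max_age_days=90, two_factor=False),
    "P5": dict(_COMMON, min_length=9, max_age_days=90, two_factor=True),
}

# Role names are hypothetical; the page gives only examples of what each level covers.
ROLE_POLICY = {"guest": "P1", "student": "P2", "dept_admin": "P3",
               "payroll_reports": "P4", "sysadmin": "P5"}

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"gator", "florida", "password", "welcome", "summer"}

CHAR_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                string.digits, string.punctuation)


def effective_policy(roles):
    """Strongest policy wins: the highest-numbered level among the user's roles."""
    levels = [ROLE_POLICY[r] for r in roles]
    if not levels:
        raise ValueError("user has no security role")
    return max(levels, key=lambda level: int(level[1:]))


def check_password(password, level):
    """Return the list of rule violations; an empty list means acceptable."""
    policy = POLICIES[level]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    present = sum(1 for cls in CHAR_CLASSES if any(c in cls for c in password))
    if present < 3:
        problems.append("fewer than three of four character classes")
    # "May not contain words found in a dictionary" is read here as a
    # case-insensitive substring match (an assumption about the rule).
    hits = sorted(w for w in DICTIONARY if w in password.lower())
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def expiry_status(password_set_on, now, level):
    """'ok', 'warn' (inside the daily-warning window) or 'expired'."""
    policy = POLICIES[level]
    age_days = (now - password_set_on).days
    if age_days >= policy["max_age_days"]:
        return "expired"
    if age_days >= policy["max_age_days"] - policy["warning_days"]:
        return "warn"
    return "ok"


class LockoutTracker:
    """Counts failed logins against the level's threshold and lockout window."""

    def __init__(self, level):
        policy = POLICIES[level]
        self.threshold = policy["failed_attempts"]
        self.window = timedelta(minutes=policy["lockout_minutes"])
        self.failures = 0
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Record one failed attempt; returns True if the account is locked."""
        if self.is_locked(now):
            return True
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked_until = now + self.window
            self.failures = 0
            return True
        return False

    def record_success(self):
        self.failures = 0


if __name__ == "__main__":
    level = effective_policy(["student", "payroll_reports"])   # -> "P4"
    print(level, check_password("Gator2004!", level))
    print(expiry_status(datetime(2004, 5, 5), datetime(2004, 7, 20), level))
```

Because every check reads its thresholds from the policy table rather than from constants, adding a sixth level or changing one value in the matrix is a data change, which is the practical benefit of defining a policy as attribute/value pairs in the first place.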
Authentication Architecture
[Diagram; labels in order of appearance: Registry, PeopleSoft, LDAPUSER, GLUSER, ADUSER, NDS, UF LDAP, GatorLink Kerberos, Active Directory]
PeopleSoft is the system of record for information about identity, authentication and authorization. By housing these together we ensure consistency. Currently the registry exists outside PeopleSoft but will be migrated to Campus Community.
Implementing the Policy
• Software analysis and design began in
January
• Development of code for self-service
reset, management of questions, Help
Desk functionality in Feb
• Active Directory synch in Feb
• Additional coding in March
• Testing of software in April
• Production go-live May 5, 2004
The Go-Live
• On May 5, GatorLink users with P4 and P5 will have
their passwords expire and will come under the new
policy
• All other users will be grandfathered in. Their passwords will expire under the current policy; when a password expires, it will come under the new policy.
• Password changes will be done through the portal (“My
Account/Change Password”)
• Live password synchronization will be in place – a
password updated at myUFL will update in Kerberos, AD
and NDS
• Self-service password reset will be strongly encouraged
Future Work
• By November 5, all GatorLink accounts
will be under the new policy
• LDAP will no longer be used to
authenticate the portal
• 2-factor authentication standards for LAN,
web and enterprise authentication
Managing the Policy
• ITAC-ISM and ITAC-DI&ADM will continue
to have a strong role in the management
of the policy.
• ITAC makes final recommendation
• Dr. Frazier chooses final policy
Effect of the Policy
• Users will have strong passwords
• User password policy will be determined by
user’s security roles
• Users at P4 and P5 will be required to have
security training
• Users will be able to use their single GatorLink
credential for authentication to enterprise, web
and LAN services
• Users will have consistent password policy
across services
• GLAuth services will be unaffected
More Information
• Subscribe to the IT News pagelet in the
portal
• Subscribe to the UF Bridges pagelet in the
portal
• Additional information sessions for
department administrators, support
personnel in April
• Policies are posted at
http://www.it.ufl.edu/policies