Authentication

RATIONALE

Authentication is a process in itself. Before an identity can authenticate to a system, the account must be authorized, then provisioned, and, when it is no longer needed, de-provisioned. Each step is as important as the others. Accounts and identities must be approved before they are created so that unnecessary access is never granted. Provisioning must assign the correct access so that an identity can reach only the data and systems related to its role and job. When an account, access, or identity is no longer needed, the institution must de-provision it through a secure, repeatable method. If any step in the process is skipped, data is at risk of exposure or unauthorized access.

Best Practice:  Operate under the mode of least privileges
When performing tasks on a system, always perform them using the least privileged level needed to accomplish the task. If a normal user account can perform the task, use a normal user account. If something requires administrative privileges to complete, promote yourself to an administrative level only long enough to complete the task, then relinquish the administrative privileges.

Best Practice:  Operate in a deny and then allow mode
When setting up access control to either a system or services running on a system, it is better to start in a mode where everything and everyone is denied access, and then add back in those people and systems that need access.  This way there is a clear, known list of people and systems that have access.

Best Practice:  Enforce the use of strong passwords
When passwords are created for and/or by users, the password creation facility should enforce the creation of strong passwords. Ideally the facility should provide feedback regarding the relative strength of that given password as it is being entered.

Best Practice:  Utilize Identity Management
Identity Management refers to the policies, processes, and technologies that establish user identities and enforce rules about access to digital resources. In a campus setting, many information systems (such as e-mail, learning management systems, library databases, and grid computing applications) require users to authenticate themselves (typically with a username and password). An authorization process then determines which systems an authenticated user is permitted to access. With an enterprise identity management system, rather than having separate credentials for each system, a user can employ a single digital identity to access all resources to which the user is entitled.


UNL GUIDELINES
The University of Nebraska-Lincoln has several resources that support the use of best practices:
To learn more about the UNL identity management, click here.