...

...

Getting Started

Inter-institutional collaboration, cloud computing, online/distance education, teleworking and portable computing, federation, access from anywhere at any time, and many other business needs are challenging institutions of higher education to adapt or rebuild their Identity and Access Management (IAM) infrastructures. The goal is to enable new and secure ways to further their missions while meeting requirements from Federal and State government, industry standards, and an increasing number of business associates and partners. To get started with IAM projects, big or small:

  1. Define the challenge and the approach to meet it.
    • Clearly understand and articulate the institution's IAM desired state, target services, target users, and impacted functions (e.g. single-sign on, two-factor, federation, automation of IAM processes, etc.).
    • Define the approach needed to meet the challenge (i.e., high-level description of policies, technology, business processes that need to be addressed).
  2. Define the business and regulatory drivers and their importance to the institution's missions. Examples include:
    • Federal and State regulations.
    • New constituencies (e.g., online students, student apps and parents, alumni and retirees, contractors and service providers, patients, peers and collaborators, etc.).
    • Centralization of distributed services, including authentication.
    • Improved information security, confidentiality, and user privacy by minimizing the collection, maintenance, and use of identity information.
    • Improved user experience (e.g., reduced sign-on, self-services, remote access and telecommuting, etc.).
  3. Define and document the Institution's current IAM posture.
    • Does the institution have policies for identity and access management, information technology, and information security in place?
    • What is the institution's IAM and policy governance approach?
    • What is the degree of centralization? Are authentication decisions made by system, by application, by department or centralized (e.g., LDAP)?
    • How are users affiliated to the institution? Can they have multiple types of affiliations?
    • How are identifiers and credentials issued to users? Is the provisioning process consistent throughout the institution? In-person vetting? Is self-service capability available for password resets?
    • Are authentication requirements for applications and services risk-based?
    • Does the institution have an information technology roadmap? (e.g., EDUCAUSE Identity and Access Management (IAM) Tools and Effective Practices, NMI-EDIT Enterprise Directory Implementation Roadmap, or NMI-EDIT Enterprise Authentication Implementation Roadmap)
  4. Determine the gaps between the institution's current IAM posture and the desired state, target services, and target users.
    • Map a matrix of the target users and target services and determine the required policies, processes, and technology considering the risk and the business and regulatory requirements.
  5. Identify project stakeholders and determine who should be involved and the level and timing of their involvement. Training and communication early and often are critical.
  6. Develop the policy framework.
    • Roles and responsibilities.
    • What is required to identify users?
    • What criteria are used to determine the types of credentials used?
    • What criteria are used to determine the level of access to applications and services?
    • What is required from identity providers and from service providers?
  7. Develop the required business processes. What steps are required to:
    • Identify and register a user?
    • Provision and de-provision credentials?
    • Provide support and training?
    • Request, grant, and modify access to applications and services?
  8. Develop the technology framework.
    • Source of Authority systems.
    • Authentication protocols and technologies.
    • Approaches and products.
    • Staff and skill sets.

For alternative and more comprehensive roadmaps, see:

 


Overview

A basic element of any institution of higher education's information security program, access control is the protection of information resources that support the critical operations of the institution from unauthorized access, modification, or disclosure. Access control is the use of administrative, physical, or technical security features to manage how users and systems communicate and interact with other information resources.

Access is the flow of information between an entity requesting access to a resource or data and the resource. The entity can be a device, a process, or a user. Access control is any mechanism by which a system grants or revokes the right to access some data or to perform an action. Normally, an entity must first log in to the resource using some authentication system. If the entity provides proper credentials, it is allowed to log in. Next, the access control mechanism controls what operations the entity may or may not perform by comparing the authenticated identity to an access control list.

Examples of access control:

  • When a user is prompted to provide a username and password to be able to access EDUCAUSE resources (e.g., this guide).
  • Upon logging in, the user attempts to edit a resource (e.g., this guide section) and is denied, since the user is not on the list of users that have the right to edit an EDUCAUSE resource.
  • Since the user was denied access, the user asks the appropriate authority to be given rights to edit the resource. Upon verification of membership in an EDUCAUSE Working Group and establishing the business need, the user is added to the list of users that have the right to edit the resource.
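The three-step flow just described (authenticate, compare against an access control list, then have an authorized approver extend the list) as a runnable illustration. This is an added example, not EDUCAUSE's code or any product's; the user store, the resource name, the ACL entries and the approver role are constructed for the demonstration, and the ACL is deny-by-default so a missing entry is a refusal rather than an error.

```python
"""Added illustration of authenticate-then-authorize over an access control list.
Not EDUCAUSE's code; users, passwords, resource names and ACL entries are constructed."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the store never holds plaintext credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed identity store: username -> (salt, password hash)
USERS = {
    "alice": _record("correct horse"),   # a Working Group member who already edits
    "bob": _record("battery staple"),    # a reader with no edit rights yet
    "carol": _record("wg-chair-pw"),     # the "appropriate authority" who may grant
}

# Constructed access control list: resource -> action -> set of principals.
# "grant" is itself an action on the resource, so only listed approvers can extend the list.
ACL = {
    "guide/access-control": {
        "read": {"alice", "bob", "carol"},
        "edit": {"alice"},
        "grant": {"carol"},
    }
}

AUDIT = []  # (principal, action, resource, decision) for later review


def authenticate(username: str, password: str):
    """Step 1: login. Returns the principal name on success, None on failure."""
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)  # same cost for unknown users (no timing hint)
        return None
    salt, expected = rec
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return username if ok else None


def authorize(principal, action: str, resource: str) -> bool:
    """Step 2: compare the authenticated principal to the ACL. Deny by default."""
    allowed = principal is not None and principal in ACL.get(resource, {}).get(action, set())
    AUDIT.append((principal, action, resource, "allow" if allowed else "deny"))
    return allowed


def grant(approver, grantee: str, action: str, resource: str) -> bool:
    """Step 3: add a user to the list, but only when the approver holds 'grant' on it."""
    if not authorize(approver, "grant", resource):
        return False
    ACL.setdefault(resource, {}).setdefault(action, set()).add(grantee)
    AUDIT.append((approver, "grant:" + action, resource + "->" + grantee, "allow"))
    return True


def walkthrough():
    """The guide's example: denied, cannot self-grant, approved by authority, then allowed."""
    bob = authenticate("bob", "battery staple")
    before = authorize(bob, "edit", "guide/access-control")        # not on the list
    self_grant = grant(bob, "bob", "edit", "guide/access-control")  # bob cannot approve himself
    carol = authenticate("carol", "wg-chair-pw")
    approved = grant(carol, "bob", "edit", "guide/access-control")  # verified authority adds him
    after = authorize(bob, "edit", "guide/access-control")
    return before, self_grant, approved, after


if __name__ == "__main__":
    print(walkthrough())
    for entry in AUDIT:
        print(entry)
```

The audit list is what makes the last sentence of the Access Control Decisions section workable in practice: every allow and deny, and every change to the list, is recorded with who made it, so periodic review can confirm that only approved individuals hold edit rights.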

The main topics of Access Control are:

Business Requirement for Access Control

  1. Access control decisions
    1. Centralized access control
    2. Decentralized access control
  2. Access control policy
  3. Access control program

User Access Management

  1. User type and affiliations
  2. User registration
  3. Privilege management
  4. User password management
  5. Review of user access rights

User Responsibilities

  1. Password use

System and Application Access Control

  1. Operating systems
    1. User identification and authentication
    2. Single sign-on
  2. Application and information access control
    1. Information access restriction
    2. Sensitive Information Isolation
    3. Federation
    4. Cloud Computing and Software as a Service (SaaS)
    5. Mobile Computing and Teleworking


...


Business Requirements of Identity Management and Access Control


Objective: To describe what institutions must consider when

...

Business Requirements of Access Control


Objective: To describe what institutions need to take into account in establishing and documenting the rules that control the access, authorization, and dissemination of information and restricting the access to institutional networks.

As depicted below, the business requirements that drive access control needs, practices, and scope are often diverse.

[Image omitted: business requirements driving access control]

1. Access Control Decisions

Institutions of higher education create, collect, maintain, and make available large amounts of information in support of their educational, healthcare, and research missions. This information is an institutional asset that must be administered and protected in accordance with its value, and in conformance with federal, state, and institutional rules and regulations.

Institutional staff, faculty, students, retirees, alumni, prospective students, students' parents, and members of the community access and utilize different types of information stored on and accessible via institutional systems, either to perform the numerous tasks required by their respective roles or to seek information about programs and services provided by the institution. Examples include:

  • Students
    • Learning resources, such as course management systems or online access to the library
    • Online student systems, such as class schedules and bill payment
  • Staff
    • Employee directory, webmail
    • Online human resources systems (such as timesheets, payroll, and benefits, etc.)
  • Faculty and Researchers
    • Online course materials and library resources
    • Federal research agencies, funding, and data resources
  • Alumni and Donors
    • Email for life
    • Alumni directories and services
  • Parents
    • Tuition Payments
  • All
    • Student/Employee directory
    • Emergency notification systems

University data governance policies and standards should define roles that can evaluate, approve, and assign the level of access to institutional systems and data based on the responsibilities, job functions, and reporting or outreach requirements of users. The level of access will be based on the confidentiality of the data and on the restrictions imposed by federal, state, and institutional rules and regulations. Effectively managing this access requires clear methods for documenting who has access to systems at any given time and mechanisms for periodic audit reviews of the users to ensure that access is given only to appropriate individuals.

Related links and additional information:

  • For a list of university business drivers, challenges; strategic approaches towards related technology; and the effects of emerging technologies on identity and access management infrastructure.
  • See Electronic Identity: The Foundation of the Connected Age, for an analysis of the increasing importance of trusted electronic identities in higher education.
  • See ...

a. Centralized Access Control

...