...
...
Inter-institutional collaboration, cloud computing, online and distance education, teleworking and portable computing, federation, access from anywhere at any time, and many other business needs are challenging institutions of higher education to adapt or rebuild their Identity and Access Management (IAM) infrastructures to enable new and secure ways to further their missions and to meet requirements from federal and state government, industry standards, and an increasing number of business associates and partners. To get started with IAM projects, big or small:
For alternative and more comprehensive roadmaps, see:
Overview
Access control, a basic element of any institution of higher education's information security program, is the protection of the information resources that support the institution's critical operations from unauthorized access, modification, or disclosure. It is the use of administrative, physical, or technical security features to manage how users and systems communicate and interact with other information resources.
Access is the flow of information between an entity requesting access to a resource or data and that resource. The entity can be a device, a process, or a user. Access control is any mechanism by which a system grants or revokes the right to access some data or to perform some action. Normally, an entity must first log in to the resource through an authentication system; if it presents valid credentials, it is authenticated. The access control mechanism then determines which operations the authenticated entity may or may not perform, typically by comparing the entity's identity and attributes (such as group membership or role) against an access control list or policy. Note the separation: authentication establishes who the entity is, authorization decides what that identity may do, and the authorization decision is made on the identity, not on the credentials themselves.
Examples of access control:
- Authentication: a user is prompted to provide a username and password in order to access EDUCAUSE resources (e.g., this guide).
- Authorization: upon logging in, the user attempts to edit a resource (e.g., this guide section) and is denied, because the user is not on the list of users who have the right to edit an EDUCAUSE resource.
- Provisioning: since the user was denied access, the user requests the right to edit the resource from the appropriate authority. Upon verification of membership in an EDUCAUSE Working Group and establishment of the business need, the user is added to the list of users who have the right to edit the resource.
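The three steps in the walkthrough above, authentication, authorization against a list, and provisioning by an authority, written out as a small Python model. This is an added example, not EDUCAUSE's code and not the mechanism EDUCAUSE uses for its own site; the users, passwords, group names and the resource name are constructed. Two details matter in practice and are shown here: the authorization step compares the authenticated identity (and its group memberships) against the list, never the credentials themselves, and anything the list does not explicitly grant is denied.

```python
# Added example (not EDUCAUSE's own code): the authenticate-then-authorize
# sequence from the walkthrough above, with a default-deny access control list.
# Users, passwords, groups and the resource name are constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password, salt):
    # Store only a salted PBKDF2 hash, never the password itself. The iteration
    # count is illustrative; production systems tune it to their hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    groups: set = field(default_factory=set)


class AccessControl:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.acl = {}        # resource -> action -> {"user:<name>", "group:<name>", ...}
        self.audit = []      # append-only record of authn, authz and provisioning events

    def register(self, username, password, groups=()):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt), set(groups))

    def authenticate(self, username, password):
        """Step 1 (authentication): verify credentials and return the principal, or None."""
        acct = self.accounts.get(username)
        # Unknown user and wrong password do the same work and take the same path,
        # so the response does not reveal which usernames exist.
        salt = acct.salt if acct else b"\x00" * 16
        stored = acct.pw_hash if acct else b"\x00" * 32
        if acct is None or not hmac.compare_digest(_hash_password(password, salt), stored):
            self.audit.append(f"AUTHN FAIL user={username}")
            return None
        self.audit.append(f"AUTHN OK user={username}")
        return username

    def grant(self, resource, action, principal):
        """Add a principal ("user:alice" or "group:editors") to the ACL for one action."""
        self.acl.setdefault(resource, {}).setdefault(action, set()).add(principal)

    def is_allowed(self, username, resource, action):
        """Step 2 (authorization): compare the authenticated identity, not its credentials,
        against the ACL. Anything not explicitly granted is denied."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        principals = {f"user:{username}"} | {f"group:{g}" for g in acct.groups}
        allowed = bool(self.acl.get(resource, {}).get(action, set()) & principals)
        self.audit.append(f"AUTHZ {'ALLOW' if allowed else 'DENY'} user={username} action={action} resource={resource}")
        return allowed

    def provision(self, approver, username, group, business_need_verified):
        """Step 3 (provisioning): only a member of the 'approvers' group may add a user
        to a group, and only after the business need has been established."""
        if "approvers" not in self.accounts.get(approver, Account("", b"", b"")).groups:
            raise PermissionError(f"{approver!r} is not authorized to approve access")
        if not business_need_verified:
            raise PermissionError("business need not established")
        self.accounts[username].groups.add(group)
        self.audit.append(f"PROVISION user={username} group={group} approver={approver}")


def walkthrough():
    """The sequence from the text: read allowed, edit denied, then edit granted."""
    ac = AccessControl()
    ac.register("alice", "correct horse battery staple", groups={"members"})
    ac.register("bob", "approver-pass", groups={"approvers"})
    ac.grant("guide/access-control", "read", "group:members")
    ac.grant("guide/access-control", "edit", "group:editors")

    assert ac.authenticate("alice", "wrong password") is None
    alice = ac.authenticate("alice", "correct horse battery staple")
    can_read = ac.is_allowed(alice, "guide/access-control", "read")         # True
    can_edit_before = ac.is_allowed(alice, "guide/access-control", "edit")  # False: not an editor
    ac.provision(approver="bob", username="alice", group="editors", business_need_verified=True)
    can_edit_after = ac.is_allowed(alice, "guide/access-control", "edit")   # True
    return can_read, can_edit_before, can_edit_after


if __name__ == "__main__":
    print(walkthrough())
```

The audit list is the piece most often left out of toy models and most needed in real ones: the review of user access rights discussed later in this chapter depends on being able to answer who granted what to whom, and when.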
The main topics of Access Control are:
Business Requirement for Access Control
- Access control decisions
- Centralized access control
- Decentralized access control
- Access control policy
- Access control program
User Access Management
- User type and affiliations
- User registration
- Privilege management
- User password management
- Review of user access rights
User Responsibilities
- Password use
System and Application Access Control
- Operating systems
- User identification and authentication
- Single sign-on
- Application and information access control
- Information access restriction
- Sensitive Information Isolation
- Federation
- Cloud Computing and Software as a Service (SaaS)
- Mobile Computing and Teleworking
...
Business Requirements of Identity Management and Access Control
Objective: To describe what institutions must consider when
...
Business Requirements of Access Control
Objective: To describe what institutions need to take into account in establishing and documenting the rules that control access to, authorization for, and dissemination of information, and in restricting access to institutional networks.
As the examples below show, the business requirements that drive access control needs, practices, and scope are often diverse.
1. Access Control Decisions
Institutions of higher education create, collect, maintain, and make available large amounts of information in support of their educational, healthcare, and research missions. This information is an institutional asset that must be administered and protected in accordance with its value, and in conformance with federal, state, and institutional rules and regulations.
Institutional staff, faculty, students, retirees, alumni, prospective students, students' parents, and members of the community access and use different types of information stored on and accessible via institutional systems, whether to perform the tasks required by their respective roles or to seek information about programs and services provided by the institution. Examples include:
- Students
  - Learning resources (such as course management systems or online access to the library)
  - Online student systems such as class schedules and bill payment
- Staff
  - Employee directory, webmail
  - Online human resources systems (such as timesheets, payroll, and benefits)
- Faculty and Researchers
  - Online course materials and library resources
  - Federal research agencies, funding, and data resources
- Alumni and Donors
  - Email for life
  - Alumni directories and services
- Parents
  - Tuition payments
- All
  - Student/employee directory
  - Emergency notification systems
University data governance policies and standards should define the roles (for example, data owners or data stewards) that evaluate, approve, and assign the level of access to institutional systems and data, based on users' responsibilities, job functions, and reporting or outreach requirements. The level of access will depend on the confidentiality of the data and on the restrictions imposed by federal, state, and institutional rules and regulations. Effectively managing this access requires clear methods for documenting who has access to which systems at any given time, and mechanisms for periodic review of user access so that access is held only by appropriate individuals and is revoked when the affiliation or job function that justified it ends.
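A concrete form of the periodic review called for above, as an added example rather than anything from the original page: a small access review that reconciles the entitlements exported from systems against an authoritative affiliation feed and the data owner's role policy. It flags accounts with no active affiliation, roles the affiliation does not justify, grants with no approver of record, and grants that have passed their re-attestation period. The affiliations, the role policy and the entitlement records are all constructed for the example.

```python
# Added example (not EDUCAUSE's own code): a periodic access review that reconciles
# who currently holds access against an authoritative affiliation source and the
# data owner's role policy. Every record below is constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    granted: date
    approver: str   # empty string = no approval of record


# Authoritative affiliations (e.g., an HR/SIS feed): user -> active affiliations.
# "dan" is absent: a separated employee whose account was never removed.
AFFILIATIONS = {
    "amy": {"staff"},
    "ben": {"student"},
    "cara": {"faculty", "staff"},
}

# Data-owner policy: which affiliations may hold which role on which system.
ROLE_POLICY = {
    ("hr", "payroll-admin"): {"staff"},
    ("hr", "timesheet-user"): {"staff", "faculty"},
    ("lms", "instructor"): {"faculty"},
    ("lms", "learner"): {"student", "faculty", "staff"},
}

# Current entitlements exported from the systems under review.
ENTITLEMENTS = [
    Entitlement("amy", "hr", "payroll-admin", date(2024, 3, 1), "hr-owner"),
    Entitlement("ben", "lms", "learner", date(2024, 8, 20), "lms-owner"),
    Entitlement("ben", "hr", "timesheet-user", date(2024, 9, 1), "hr-owner"),  # student holding a staff role
    Entitlement("cara", "lms", "instructor", date(2021, 2, 2), "lms-owner"),   # never re-attested
    Entitlement("dan", "hr", "payroll-admin", date(2022, 5, 5), "hr-owner"),   # orphaned account
    Entitlement("amy", "lms", "learner", date(2024, 1, 1), ""),                # no approver recorded
]


def review_access(entitlements, affiliations, policy, as_of, max_age_days=365):
    """Return (code, user, system, role) findings for the data owner to act on."""
    findings = []
    for e in entitlements:
        active = affiliations.get(e.user, set())
        if not active:
            findings.append(("orphaned", e.user, e.system, e.role))
            continue  # no affiliation justifies anything; the access should be revoked
        permitted = policy.get((e.system, e.role))
        if permitted is None:
            findings.append(("unknown_role", e.user, e.system, e.role))
        elif not (active & permitted):
            findings.append(("excess", e.user, e.system, e.role))
        if not e.approver:
            findings.append(("undocumented", e.user, e.system, e.role))
        if (as_of - e.granted).days > max_age_days:
            findings.append(("stale", e.user, e.system, e.role))
    return findings


def run_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_access(ENTITLEMENTS, AFFILIATIONS, ROLE_POLICY, as_of=date(2024, 12, 1))


if __name__ == "__main__":
    for code, user, system, role in run_review():
        print(f"{code:12} {user:5} {system}/{role}")
```

In practice the affiliation data comes from the HR and student systems and the entitlements from each application's own export; the value of the exercise is that each finding goes back to the data owner as a decision to revoke, document, or re-approve, rather than as a report that is filed and forgotten.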
Related links and additional information:
- For a list of common business situations in higher education that call for access management solutions, see Access Management Use Cases Organized by Area of Interest.
- The Aegis Identity Survey White Paper, Trends in Identity & Access Management Solutions in Institutions of Higher Education - 2012, contains a detailed analysis of identity and access management technologies as they relate to university business drivers and challenges, strategic approaches toward related technology, and the effects of emerging technologies on identity and access management infrastructure.
- See Electronic Identity: The Foundation of the Connected Age for an analysis of the increasing importance of trusted electronic identities in higher education.
- See Information Security or Identity and Access Management? for an overview of the overlap that exists between information security and IAM, and of what the University of Massachusetts and the University of Chicago are doing to bridge the gaps that may exist between the two practices.
- Watch a recording of the ECAR Working Group's Data Stewardship and Governance in Higher Education for an overview of effective practices in establishing institutional data stewards and data governance.
a. Centralized Access Control
...