Authentication Policies
Note to the Reader:
This draft paper is being authored by Andrea Beesing at Cornell
University. Please send comments and suggestions to authnframework-comments@internet2.edu.
Why have policies?
Identification, authentication, and authorization services enable
secure access to resources which are not meant for public use.
Improper use of those services, either by the end user or the
service provider, can result in liability, and loss of prestige
and reputation for the institution. Policy serves as a cornerstone
for an effective identity infrastructure by stating requirements
and responsibilities for its components, including the people
maintaining and using the service.
The primary role of policy is to
state requirements, not to make recommendations. If the information
to be conveyed is really intended as a recommendation, it is best
included in a procedure or best practices document as opposed
to a policy.
Policies, in turn, drive the creation
of processes and technology infrastructure. Processes will need
to be established to create the credentials and ensure that they
are issued to the correct person. These should be done according
to a policy which describes the desired level of assurance and
the steps needed during registration to achieve it. Usually it
is easiest to set up these processes if they follow already existing
methods for registering people as closely as possible.
Relationship to authorization
Institutions should require explicit authorization for service
access, since authentication in and of itself only verifies identity.
Access to services should be granted based on the role of the
individual within the institution; when a person's role changes,
his or her access should change accordingly. Be sure
to involve data stewards in these discussions to decide who is
responsible for determining authorization policies for a given
service.
Policy issues in the area of identification:
- The type of IDs/credentials issued and how they are to be used
- Who is eligible for each type of ID
- Whether a single individual can have more than one type of ID
- Handling of exceptions for constituents who don’t fall
into the traditional categories (staff, faculty, student, alumni).
If units can sponsor an individual, what are the sponsor’s responsibilities?
Who can sponsor a user?
- Escalation process when eligibility is unclear
- Is the ID reusable or is it only issued once to a single individual?
If it is reusable, what is the length of time that must elapse
before it can be assigned to someone else?
- Can the ID ever be changed? If so, under what circumstances?
For legal name changes only? What if the format of the ID constitutes
an offensive word?
Policy issues in the area of authentication and authorization:
- Does the policy scope include central authentication only or
local authentication infrastructures as well?
- Should the type of data being protected be addressed in this
policy or in a different policy to which it refers?
- What is the institution’s responsibility for protecting
passwords (physical security of the server, authentication method
for administrative access to the server)?
- What is the individual’s responsibility for preserving
the confidentiality of the password?
Other policy issues
Other requirements that can be covered in a policy addressing
identification, authentication, and authorization:
- Roles and responsibilities for those managing related services
and processes
- The establishment of a governing body to make or recommend decisions
affecting identity management
Resources
For case studies on how other schools have set up their password
policies, see the Educause Effective Practices Guide.
For examples of how other institutions
have addressed authentication in policy, see:
Stanford University
Indiana University
University of California, Berkeley
Revision 1.0, December 12, 2004