Central Authentication Services Policy

Version 1.0

For Faculty, Staff, Alumni, Guests

Purpose

The purpose of this policy is to ensure the use of the University's Office of Information Technology central authentication services (e.g., CAS, LDAP, Active Directory). These services must be the primary authenticators of university-provided services.

Scope

This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • The University's Office of Information Technology's central authentication services must serve as the primary mechanism for all University-provided applications requiring authentication.
  • The University's Office of Information Technology's central authentication services must be centrally managed by the Identity & Access Management team to ensure compliance with IT security policies.
  • Authentication transactions must be encrypted using industry-standard protocols (e.g., TLS 1.2 or higher).
  • Multi-Factor Authentication (MFA) must be used in conjunction with the Office of Information Technology's central authentication services.
  • All applications requiring authentication must integrate with the Office of Information Technology's central authentication services unless formally exempted by Information Security and Assurance and Identity & Access Management groups.
  • Application owners must email [email protected] a request for review before integrating with the Office of Information Technology's central authentication services. 
  • Users must report suspected unauthorized access or security incidents related to central authentication services to Information Security and Assurance.
  • The Office of Information Technology's central authentication services logs must be retained for auditing purposes and monitored for security threats per the Logging Standards Policy and Audit and Accountability Policy.
  • Information Security and Assurance conducts periodic reviews and audits of authentication usage. 
  • Alternative authentication mechanisms must implement compensating controls where the Office of Information Technology's central authentication services are not feasible and should be approved by Information Security and Assurance and Identity & Access Management. 

Definitions

Central Authentication Service (CAS) is a single sign-on (SSO) protocol that allows authorized users to access multiple applications using one set of credentials. 

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services. 

Multi-Factor Authentication (MFA) is a security system that requires multiple authentication methods to verify a user's identity. 

Role-Based Access Control (RBAC) is a security model that restricts system access based on user roles and permissions. 

Single Sign-On (SSO) is an authentication process that allows users to access multiple applications with one login credential. 

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CIO
Approval Date: June 8, 2026

Revision History:

Version Date Description
1.0 01/23/2017 Initial policy.

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal. 
