Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel

Document Name: NCSA Identity & Access Management Policy
Version: 1.3
Accountable: Alex Withers
Authors: Adam Slagell, Alex Withers
Approved: Sept 6, 2018

Reviewed: 2023 Aug 22
Approved: IIB approved 2024 March 7


...

This policy applies only to NCSA-specific services and accounts, and not those of other University systems or our partners.


...

Policy

User Enrollment

Terms of Service and Confidentiality Agreement

Users will be presented an NCSA Terms of Service Acceptable Use Policy when their accounts are created and whenever there are significant changes. The AUP includes a confidentiality agreement that applies to users accessing sensitive data, such as ePHI and CUI, on NCSA systems. New NCSA workforce members acknowledge the AUP as part of the onboarding process.

Group owners may add additional terms for their projects as part of the group enrollment process, however, these must not conflict with University or NCSA policy elsewhere.

User ID Assignment

When an NCSA user account is created, it is automatically assigned a unique identifier, which is a primary key in the NCSA user database. All NCSA logon IDs map to a single such identifier. This allows the database implementation to enforce uniqueness of user account login IDs. 

...

Authentication 

Passwords

NCSA passwords are case-sensitive and have a minimum length of 12 characters (the previous version of this policy applied the rules below to passwords between 8 and 15 characters).

Passwords less than 16 characters in length require:

  1. contains at least one uppercase and one lowercase letter
  2. contains at least one number or special character
  3. does NOT contain 4 sequential characters of your logon ID
  4. does NOT contain dictionary words longer than 3 characters
  5. is NOT the same as the previous password

...

NCSA requires multi-factor authentication for system administration, accessing resources with high-risk data, and on shared-user systems providing command line access.

No portion of an approved MFA system can be used or recovered using telephony-based methods (e.g. SMS or phone call).

Because these systems have extra per user costs, they are not made available to all projects. An NCSA project or partner must pay for NCSA multi-factor tokens/licenses for non-staff.

NCSA currently uses Duo to provide multi-factor authentication services.  Duo uses offsite, cloud-based servers to provide the multi-factor capabilities and as such would not function if NCSA was cut off from the internet or if Duo was down.  In these situations, Duo can be configured to fail "open" or "closed".  In the first case, Duo cannot be contacted and would not be required and thus users can authenticate with a single factor (i.e. their passphrase).  In the second case, Duo cannot be contacted and users would not be able to authenticate until Duo could be contacted again thereby locking users out of authenticating where multi-factor is required.

...

NCSA operates a centralized authorization service for systems in the High Performance Data Center zone (see NCSA Network Security Policy). Local password files and other authentication/authorization services can only be used if a formal exception is approved by the NCSA Internal Infrastructure Board (IIB).

Deprovisioning

Staff are removed from the NCSA staff group during the NCSA exit process as stated in the NCSA Information Security Policy. An automated process to remove staff access is initiated by HR and completed on the date of departure. Automated processes are followed up by NCSA staff to ensure that access is removed.

Group owners are responsible for promptly removing users from other groups as roles and access needs change.

...

  1. For campus identities, map Active Directory group memberships to AWS Roles. An Admin group/role is set up as part of University of Illinois AWS account setup.
  2. For NCSA identities, map LDAP group memberships to AWS Roles (requires custom setup: contact help+idp@ncsa.illinois.edu for assistance).
  3. Access to the AWS User account, for emergencies during illinois.edu outages, is managed via a LastPass Enterprise shared folder, shared only with specific personnel who are responsible for emergency operations.

Policy for Accepting Federated IdPs

Identities from external providers may be used for access to applications with baseline authentication needs, i.e., without requirements for a higher level of assurance such as multi-factor authentication or face-to-face identity vetting. Only one account per IdP can be bound to a user's NCSA identity. NCSA resources may choose from the following supported identity providers; the default for a resource is to accept only NCSA identities, and approval is needed from the CISO to allow the use of linked identities:

  • identity providers in the InCommon (incommon.org) federation, including research and education providers in the United States and international providers from eduGAIN (edugain.org) member federations.
  • open access identity providers: Google (accounts.google.com), GitHub (github.com), and ORCID (orcid.org)
  • identity providers operated by NCSA industry partners

Using a Federated IdP does not exempt a system from the NCSA MFA requirements above.

Support for a higher level of assurance from external identity providers requires custom configuration. Contact help+idp@ncsa.illinois.edu for assistance with higher level of assurance use cases. Changes to the list of acceptable federated IdPs are approved by the CISO.


Exporting NCSA Identities

NCSA supports Shibboleth and OpenID Connect/OAuth services to allow other organizations to securely use NCSA identities. New interfaces to NCSA IdM services must be approved by the IIB before being added.


Password Management and Secret Sharing

NCSA requires the use of its official password and secret sharing solution (i.e. LastPass Enterprise) for storing and sharing passwords and secrets, in line with NCSA's cybersecurity and acceptable use policies.

Old accounts from the password and secret sharing solution will be disabled after HR exit or 1 year of inactivity and removed after 2 years of inactivity.

The service may not use NCSA’s or the U of I’s authentication and authorization infrastructure to provide access to shared passwords or secrets.

The service managers of Password Management and Secret Sharing will have the ability to recover user secrets when necessary.


...

Exceptions Process

There are exceptions and special cases to any policy. Requests for exceptions should be made to the NCSA Security Office and may be approved by either that office or the NCSA Director's Office.

...

This policy is reviewed annually by the Security Office. Feedback is solicited from the Internal Infrastructure Board for any recommended changes. New versions are approved by the NCSA Director's Office.

References

...