Identity and Access Management

Application Access Control and User Management

Access control within Identity and Access Management is the use of administrative, physical, or technical security features to manage how users and systems communicate and interact with other information resources.

Access is the flow of information between an entity requesting access to a resource or data and the resource. The entity can be a device, a process, or a user. Access control is any mechanism by which a system grants or revokes the right to access some data or perform an action. Normally, an entity must first log in to the resource using some authentication system. If the entity provides proper credentials, it is allowed to log in. Next, the access control mechanism controls what operations the entity may or may not perform by comparing the credentials provided to an access control list.

1a. Centralized Access Control

Rather than maintaining separate accounts on each system, some institutions use a central account database that all systems can authenticate against. In many environments, a Windows domain controller functions as the central authentication system. Other institutions use Kerberos because it supports a broader range of applications and operating systems. However, because Windows systems work best in a Windows domain, even institutions that use Kerberos generally maintain a Windows domain controller that is synchronized with the accounts in their Kerberos domain. Lightweight Directory Access Protocol (LDAP) is another approach to centralized authentication and authorization that is increasingly used in higher education institutions.

1b. Decentralized Access Control

It is not uncommon to find institutions opting for decentralized or distributed user account databases, where the verification of authorization is performed by various entities located throughout the campus. Common disadvantages of decentralized access control are that it can be duplicative, it requires the coordinated work of several teams, and administrative overhead is high since changes may need to be implemented in numerous locations. A further drawback is that each location may be maintained by local administrators without the input or coordination of the other teams. Decentralized access control implementations do have benefits. A well-implemented and coordinated distributed system does not have a single point of failure. If one access control point fails, others can balance the load until the problem is resolved.

2. Access Control Policy

Access control policies should clearly communicate the institution's business requirements regarding identification of users, access to institutional information, user access rights, and special access privileges and restrictions. Institutions should ensure that their policies comply with any applicable regulatory requirements such as those currently affecting access to student financial aid information and Controlled Unclassified Information (CUI). Many in the higher education community demonstrate compliance by applying the access control requirements in NIST 800-171. The following could comprise the core of an institutional access control policy framework.

  • Roles and responsibilities

    • Need-to-Know:  Access only to information needed to perform assigned tasks.

    • Need-to-Use:  Access only to information resources needed to perform assigned tasks.

    • Access levels and privileges by role

    • Periodic review and removal of access levels and privileges

    • Segregation of duties for requesting, authorizing, and reviewing access levels and privileges

  • What is required to identify users?

    • Requirement for vetting users in person

    • Requirement to archive records concerning user identification and credentialing

  • What criteria are used to determine the types of credentials used?

  • What criteria are used to determine the level of access to applications and services?

    • Identification of roles with privileged access

    • Contractual obligations for limiting access granted to vendors and partners

  • What is required from identity providers and from service providers?

    • Requirement to identify the security requirements of applications, both purchased and developed internally

    • Requirement to determine the Level of Authentication (LOA) required to access a service based on risk

3. Access Control Program

As data, access, and networks continue to expand, institutions have an increasing need to manage identities and access. The optimum solution for this function may be a well-planned and institution-wide Identity and Access Management (IAM) program. In its simplest form, IAM ensures that only the right people can access the right services at the right time.

We will work with you to implement policies, processes, and technologies that establish user identities and enforce rules about access to digital resources. In a campus setting, many information systems–such as e-mail, learning management systems, library databases, and grid computing applications–require users to authenticate themselves (typically with a username and password). An authorization process then determines which systems an authenticated user is permitted to access. With an enterprise identity management system, rather than having separate credentials for each system, a user can employ a single digital identity to access all resources to which the user is entitled.

  1. Define the challenge and the approach to meet it.
    • Clearly understand and articulate the institution's IAM desired state, target services, target users, and impacted functions (e.g. single-sign on, two-factor, federation, automation of IAM processes, etc.).
    • Define the approach needed to meet the challenge (i.e., high-level description of policies, technology, business processes that need to be addressed).
  2. Define the business and regulatory drivers and their importance to the institution's missions. Examples include:
    • Federal and State regulations.
    • New constituencies (e.g., online students, student apps and parents, alumni and retirees, contractors and service providers, patients, peers and collaborators, etc.).
    • Centralization of distributed services including authentication.
    • Improved information security, confidentiality, and user privacy by minimizing the collection, maintenance, and use of identity information.
    • Improved user experience (e.g., reduced sign-on, self-service, remote access and telecommuting, etc.).
  3. Define and document the Institution's current IAM posture.
    • Does the institution have policies for identity and access management, information technology, and information security in place?
    • What is the institution's IAM and policy governance approach?
    • What is the degree of centralization? Are authentication decisions made by system, by application, by department or centralized (e.g., LDAP)?
    • How are users affiliated to the institution? Can they have multiple types of affiliations?
    • How are identifiers and credentials issued to users? Is the provisioning process consistent throughout the institution? In-person vetting? Is self-service capability available for password resets?
    • Are authentication requirements for applications and services risk-based?


  1. Determine the gaps between the institution's current IAM posture and the desired state, target services, and target users.
    • Map a matrix of the target users and target services and determine the required policies, processes, and technology considering the risk and the business and regulatory requirements.
  2. Identify project stakeholders and determine who should be involved and the level and timing of their involvement. Training and communication early and often are critical.
  3. Develop the policy framework.
    • Roles and responsibilities.
    • What is required to identify users?
    • What criteria are used to determine the types of credentials used?
    • What criteria are used to determine the level of access to applications and services?
    • What is required from identity providers and from service providers?
  4. Develop the required business processes. What steps are required to:
    • Identify and register a user?
    • Provision and de-provision credentials?
    • Provide support and training?
    • Request, grant, and modify access to applications and services?
  5. Develop the technology framework.
    • Source of Authority systems.
    • Authentication protocols and technologies.
    • Approaches and products.
    • Staff and skill sets.
6. Privilege Management

Privilege management is the set of processes for managing the user attributes and policies that determine a user's access rights to an information resource. In other words, user attributes, job functions, and organizational affiliations can serve as the basis for access authorization decisions. Users should be granted access based on least privilege - the most restrictive set of permissions or access rights needed to perform assigned work tasks.

Some data may be restricted from general access and may require additional levels of approval before being made available. Users are granted access to such data on a need-to-know basis - when there are justified, work-related reasons for access. An important characteristic of need-to-know access is that it is granted for a limited period of time. When the reasons for access are no longer valid, access to the data is (or should be) revoked.

Two common problems related to privilege management are excessive privilege and creeping privilege. The former occurs when a user has more access or permissions than the assigned work tasks and/or role require. The latter occurs when a user account accumulates privileges over time as roles and assigned work tasks change. Both problems are addressed by periodic review of user access rights.
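As an added example (not from this page or any product's own code), the following Python review script applies the ideas above to a constructed account snapshot: entitlements beyond a role's least-privilege baseline are flagged as excessive, those inherited from a role the user no longer holds as creeping privilege, and need-to-know grants are checked against their approved expiry date. The role names, entitlement strings and dates are assumptions made for the example.

```python
from datetime import date

# Constructed least-privilege baselines: the entitlements each role needs
# for its assigned work tasks. Names are illustrative assumptions.
ROLE_BASELINE = {
    "registrar_clerk": {"sis:read_student_record", "sis:update_enrollment"},
    "helpdesk": {"idm:read_account", "idm:reset_password"},
}

# Constructed snapshot of accounts under review. "nk_grants" holds
# need-to-know grants together with the approved expiry date of each.
ACCOUNTS = [
    {"user": "clerk01", "role": "registrar_clerk", "previous_roles": [],
     "entitlements": {"sis:read_student_record", "sis:update_enrollment"},
     "nk_grants": {}},
    # moved from helpdesk to registrar; a helpdesk right was never removed
    {"user": "clerk02", "role": "registrar_clerk", "previous_roles": ["helpdesk"],
     "entitlements": {"sis:read_student_record", "sis:update_enrollment",
                      "idm:reset_password"},
     "nk_grants": {}},
    # time-limited payroll access that has lapsed, plus an unexplained right
    {"user": "agent03", "role": "helpdesk", "previous_roles": [],
     "entitlements": {"idm:read_account", "idm:reset_password",
                      "hr:read_payroll", "sis:read_student_record"},
     "nk_grants": {"hr:read_payroll": date(2024, 3, 31)}},
]

REVIEW_DATE = date(2024, 6, 1)  # constructed date of the periodic review


def review_account(acct, role_baseline, today):
    """Return (category, entitlement) findings for one account.

    excessive   - beyond the current role's baseline, no justification on file
    creeping    - beyond the baseline but belongs to a role the user used to hold
    expired_ntk - covered by a need-to-know grant whose expiry date has passed
    """
    baseline = role_baseline.get(acct["role"], set())
    former = set().union(*(role_baseline.get(r, set())
                           for r in acct["previous_roles"]))
    findings = []
    for ent in sorted(acct["entitlements"] - baseline):
        expiry = acct["nk_grants"].get(ent)
        if expiry is not None:
            if expiry < today:
                findings.append(("expired_ntk", ent))
        elif ent in former:
            findings.append(("creeping", ent))
        else:
            findings.append(("excessive", ent))
    return findings


def review_all(accounts, role_baseline, today):
    """Map each user to its findings; users with an empty list pass review."""
    return {a["user"]: review_account(a, role_baseline, today)
            for a in accounts}


if __name__ == "__main__":
    for user, findings in review_all(ACCOUNTS, ROLE_BASELINE, REVIEW_DATE).items():
        print(user, findings or "OK")
```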

Management of administrative privileges is important since common cyberattack techniques take advantage of unmanaged administrative privileges. An attacker can trick a user into downloading an application from a malicious website or opening a malicious e-mail attachment that contains executable code, which then installs and runs on the user's device. Where users have administrative rights to their devices, the attacker can take over the device and install keystroke loggers, sniffers, and similar tools to find administrator passwords and other confidential data. Another common attack involves domain admin privileges in Windows environments, potentially giving an attacker significant control over numerous devices and access to the data they contain.

See the Privilege Management Recipe for best practices and processes for establishing a privilege management system.

7. Password Management

Good Password Practices

  • Use strong passwords or long passphrases
  • Do NOT write passwords down
  • Do NOT share passwords
  • Use different passwords for different applications (e.g., work vs. personal; shopping and banking vs. casual e-mail and Facebook; applications that contain confidential information vs. those that do not, etc.)


8. What is a Strong Password?

The strength of a password is determined by several factors such as password length, password age, case usage, numeral usage, use of special characters, and reuse restrictions. These factors determine the average number of guesses an attacker must make to find the password and the ease with which the attacker can test the validity of each guess.

Password entropy is a mathematical way to measure the difficulty of guessing or determining a password. Guessing entropy is an estimate of the average amount of work needed to guess a password. Min-entropy measures the difficulty of guessing the single easiest-to-guess password in the population. Password entropy is expressed in bits.
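As an added example (not part of the original page), the Python code below works the three measures just defined through a constructed, deliberately skewed population of 100 passwords: Shannon entropy (average uncertainty), min-entropy (the most common password, which is what bounds an online guessing attack) and guessing entropy expressed as the expected number of guesses in the attacker's best order. The sample passwords and their frequencies are invented for the example.

```python
import math
from collections import Counter

# Constructed sample of the passwords in use across a hypothetical population
# of 100 accounts. The skew is deliberate: a few popular choices dominate,
# as they do in real password populations.
SAMPLE_PASSWORDS = (
    ["Password1"] * 40
    + ["Summer2024!"] * 25
    + ["Welcome1"] * 15
    + ["correct horse battery staple"] * 10
    + [f"unique-{i}" for i in range(10)]   # ten passwords seen once each
)


def password_distribution(passwords):
    """Estimate {password: probability} from observed frequencies."""
    counts = Counter(passwords)
    total = len(passwords)
    return {pw: n / total for pw, n in counts.items()}


def shannon_entropy_bits(dist):
    """Average uncertainty over the population: -sum(p * log2 p), in bits."""
    return -sum(p * math.log2(p) for p in dist.values())


def min_entropy_bits(dist):
    """Difficulty of guessing the single most common password: -log2(max p).
    A first guess of the most popular password succeeds with probability max p."""
    return -math.log2(max(dist.values()))


def expected_guesses(dist):
    """Guessing entropy as an expected number of guesses when the attacker
    tries passwords from most to least common: sum over rank i of i * p_i.
    Its log2 gives the same quantity in bits."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def random_password_bits(length, alphabet_size):
    """Entropy of a password chosen uniformly at random: length * log2(alphabet).
    Valid only for generated passwords, not for user-chosen ones."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    dist = password_distribution(SAMPLE_PASSWORDS)
    print(f"Shannon entropy : {shannon_entropy_bits(dist):.2f} bits")
    print(f"Min-entropy     : {min_entropy_bits(dist):.2f} bits")
    print(f"Expected guesses: {expected_guesses(dist):.2f}")
    print(f"Random 8 lowercase chars: {random_password_bits(8, 26):.1f} bits")
```

The gap between the population's min-entropy (about 1.3 bits) and the 37.6 bits of a random 8-character lowercase password is the point the text makes: composition rules say little about how hard user-chosen passwords actually are to guess.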

In recent years, there has been a significant shift in perspective and guidance on effective password composition requirements. These changes have been driven by research on how users actually use highly predictable strategies to satisfy mixed-character-set and uniqueness requirements. In 2017, NIST published a significant number of revisions to its Guidance on Management of Digital Identities series (NIST 800-63-3). This publication certainly warrants consideration and review as you revisit password requirements for your institution. Some significant elements of this guidance include:

  • Emphasis On Password Length vs Mixed-Case or Varied Character Set Constructions
    • Passwords That Are At Least 8 Characters
  • No Need For Periodic Password Resets
    • Users regularly defeat this control by using predictable passwords
  • Disallowing Dictionary Terms
    • Ensuring inclusion of Dictionary Checks For Password Creation
  • Don't use Password Hints or Knowledge-Based Questions
    • These measures are often easy to defeat through poor hint selection or the use of information that can be found.
  • Effective Deployment of Multi-Factor Authentication Solutions

The important takeaway here is that determining effective password-strength requirements must also take into consideration the context of the security risks you are trying to manage, the inevitable and predictable workarounds your users will employ, and the overall effectiveness and cost of associated password management activities.
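As an added example (not from this page and not NIST's own code), a Python password check that follows the elements listed above: a length floor with no character-class composition rules, room for long passphrases, a comparison against a constructed blocklist of dictionary and commonly breached terms, rejection of passwords containing the username or other context-specific words, and rejection of repetitive or sequential strings. The blocklist contents, the 64-character ceiling and the four-character minimum for context words are assumptions made for the example.

```python
import unicodedata

# Constructed blocklist standing in for the dictionary / breached-password
# corpus the guidance calls for. A real deployment loads a far larger list.
BLOCKLIST = {"password", "password1", "welcome1", "qwerty123", "letmein",
             "summer2024", "changeme"}

MIN_LENGTH = 8    # floor for user-chosen secrets
MAX_LENGTH = 64   # permit long passphrases; never truncate silently


def _normalize(secret):
    # Compare in NFKC form so visually identical Unicode strings match.
    return unicodedata.normalize("NFKC", secret)


def _is_repetitive_or_sequential(secret):
    """'aaaaaaaa', 'abcdefgh' and '12345678' are trivially guessable."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate, username="", context_words=()):
    """Return (accepted, reason) under the length-over-composition model:
    no character-class rules, but length limits, a blocklist check, a check
    for the user's own name / institution words, and a sequence check."""
    secret = _normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        return False, "appears in the blocklist"
    for word in (username, *context_words):
        if len(word) >= 4 and word.lower() in lowered:
            return False, f"contains the context-specific word '{word}'"
    if _is_repetitive_or_sequential(secret):
        return False, "repetitive or sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Password1", "abcdefgh",
               "jdoe-rocks-2024"]:
        print(repr(pw), "->", check_password(pw, username="jdoe"))
```

Note that "correct horse battery staple" passes despite containing only lowercase letters and spaces, while "Password1" fails on the blocklist although it satisfies every classic composition rule.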


9. Password Sharing Policy

It is important to realize that people will share or reuse their passwords on multiple accounts unless you provide them with some other method of allowing specific individuals to access information in their accounts. For instance, individuals in upper management often ask an administrative assistant to check their e-mail. Also, when people go on vacation, they may need to give someone temporary access to data on their computers, in e-mail, and on other systems. Password sharing policies should be put in place along with solutions that provide needed functionality with accountability for the shared resource.

10. Operating System Access Control

1a. Authentication

Authentication is the process of confirming the identity of an entity requesting access to an information resource. To be authenticated, the entity is required to provide credentials - a unique identifier such as a username together with a password, passphrase, or token. The credentials are compared with the identifying information previously stored for the entity, and if they match, the entity is authenticated.

Most institutions of higher education require all members of their communities to have their own unique username and password to access certain resources. In addition, institutions authenticate these individuals before allowing them to connect to the campus network or the Internet. This approach not only enables institutions to attribute network activities to individual accounts, but also gives institutions the opportunity to scan systems for vulnerabilities before they connect to the network.

1b. Single Sign-On

Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. In other words, a user's institutional username and password allow access to many or all institution systems that the user is authorized to access. Single sign-on makes signing in to multiple services easier for the end user, since they are not required to remember multiple passwords for institution resources.

Although a central authentication system makes account management easier, the exposure from one stolen account is greater when it gives the attacker access to multiple systems on the network. Therefore, single sign-on is not necessarily desirable in higher education environments, where password theft is a common risk. "Less sign-on" is ideal: using centralized authentication for most systems but maintaining separate accounts on computer systems that contain particularly sensitive data and require added protection and maintenance.

2a. Sensitive System Isolation

Information resources that are critical to the institution's mission, resources that contain confidential information, or information that is otherwise considered sensitive should be segregated into their own environments based on sensitivity and risk. The segregation of information resources can be accomplished by:

  • Creating network domains - a collection of devices and subjects that share a common security policy - and domain trusts - a security bridge between network domains that enables users of one domain to access resources in another. Domains are defined based on risk and the specific security requirements of the domain.

  • Implementing virtual local area networks (VLANs) and/or virtual private networks (VPNs) for specific user or application groups. For example, students may be placed on a separate VLAN from faculty and staff.

  • Controlling network data flows using network routing and switching capabilities, e.g., access control lists (ACLs).

2b. Federation

A federation is an association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.

2c. Drivers

  • Increasingly, people must easily and securely exchange information across the internet among known individuals, and be trusted to access restricted resources, without having to struggle with numerous and onerous security processes.
  • Ideally, individuals would each like a single digital credential that can be securely used to authenticate his or her identity anytime authentication of identity is required to secure any transaction. (William Weems, Ph.D. UT Health Science Center at Houston: Sharing Restricted Resources Across Organizational Boundaries)
  • Traditional forms of authentication and authorization are no longer sufficient for the level of assurance needed by modern internet-based applications
    • Increase security
    • Compliance with federal and state rules
  • Application security is becoming increasingly onerous (multiple applications, multiple enterprises, and multiple user roles in multiple contexts)
    • Inter-institutional collaboration
    • Operational efficiencies and cost control
  • Examples:
    • Institution wants to offer services to their constituents but doesn't want to host them.
    • Vendor wants to offer a service to institutions but doesn't want the burden of managing user credentials and authentication.
    • User wants seamless access to services. "Single Sign-On".
    • Security officer wants to protect organisation assets, user identity information, and passwords.
2d. Cloud Computing and Software as a Service (SaaS)

Cloud computing is the use of a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or local computer.

Software as a Service (SaaS) is the capability provided to a user by a third party to use the provider's applications running on a cloud infrastructure, accessible from client devices through a web browser or other means of remote connection such as a thin client.

Managing security and privacy is an ongoing challenge, compounded by the expanding interest in software as a service (SaaS) and cloud computing. Specific considerations include the concept and benefits of participating in policy requirements, preparing the institution's identity management infrastructure, choosing and installing the appropriate standards-based software, and collaborating with other institutions of higher education and with resource providers.