Authentication, Access, and Account Management

Standard and Process

See the specific requirements in the Authentication, Access, and Account Management Standard in the University Policy library. The following supplements the requirements in University policy.

Authentication

Authentication is the verification that a person or account is who they claim to be. There are three common factors of authentication:

  • something you know (e.g., knowledge of something such as a password, passphrase, or PIN),
  • something you have (e.g., possession of something such as a smart card or digital certificate), and
  • something you are (e.g., a characteristic of the person such as a fingerprint or retinal pattern).

Single-factor authentication uses a single factor of authentication (e.g., something you know) to verify the identity of the user/account requesting access to resources. A user login ID with a password, passphrase, or PIN is single-factor authentication. Using multiple passwords without additional factors is still considered single-factor authentication.

Multi-factor authentication (commonly called two-factor authentication when exactly two factors are used) uses two or more factors of authentication (e.g., something you know and something you have) to verify the identity of the user/account requesting access to resources. A user login ID and password combined with a hardware token or phone is considered multi-factor authentication.

Use multi-factor authentication whenever possible and in situations that need a stronger form of authentication (e.g., remote access to systems in a data center).

Use complex passwords. Complex passwords are:

  • 16 or more characters in length, AND
  • contain two or more types of characters:
    • lower case letters
    • upper case letters
    • numbers
    • symbols/special characters

Other authentication controls include:

  • secure logon procedures;
  • minimizing access to, or disclosure of, access information; and
  • session timeouts.

IT staff are responsible for working with users, data owners and service directors to identify where multi-factor or single-factor authentication is needed.

Users, data owners and service directors are responsible for working with IT staff to properly use the appropriate authentication(s) for their support or user role(s).

Access

Access controls include:

  • disabling, removing, or limiting system utilities that are capable of overriding application or system controls;
  • controlling the system access rights of other applications;
  • managing the use of privileged access; and
  • controlling remote access to systems.

Privileged access is often referred to as the use of the administrator or root account on the system or application. Where possible, users should authenticate with a user-level account and then elevate to an account with privileged access when needed to complete specific functions.

Restrict remote access to systems. Use the University VPN, a proxy server, or bastion hosts that use multi-factor authentication.

Document the access controls used.

Account Management

Manage accounts in all stages of the access life-cycle:

  • authorizing access based on current role and responsibilities;
  • granting initial access;
  • periodically reviewing access granted;
  • changing access as user roles change (e.g., job responsibilities change);
  • removing access from users who no longer require access (e.g., termination, transfer to another University unit); and,
  • establishing, resetting, and expiring authentication.

Account management includes:

  • documentation of account and authentication management procedures;
  • segregation of duties between authorizing access and managing accounts;
  • communication to user about use and responsibilities for maintaining the account and authentication; and,
  • periodic review of accounts.

Store authorization of access requests in a location that is accessible by multiple responsible individuals.

Change default passwords on built-in accounts (e.g., guest, administrator) during implementation, as the passwords associated with these accounts may be commonly known.

Shared and Group Accounts

Use of shared or group accounts should be limited and your unit must develop and follow procedures to protect the data and systems where used. At a minimum, the procedures should include:

  • change passwords anytime someone with knowledge of the password changes job responsibilities or terminates employment;
  • limit the account to view-only access;
  • log all use of the account in the application or system.

Document where the account is used and controls used to protect the data and system.

System-Level and Service Accounts

Use of accounts such as root and Administrator should be limited. Use of administrative privileges should be associated with an individual. Use sudo instead of root. Create unique accounts to use only for Windows administration (e.g., [username]-admin).

Use of shared system-level/service accounts should be limited, and your unit must develop and follow procedures to protect the data and systems where they are used. Shared service accounts provide an elevated level of access. System-level accounts, such as root or Administrator, provide complete control over a system. At a minimum, the procedures should include:

  • use of a longer password with more than two types of characters;
  • change passwords anytime someone with knowledge of the password changes job responsibilities or terminates employment;
  • log and monitor all use of the account in the application or system; and
  • use an approved change management process.
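
As an added example (not code from the standard or any University tool), the following checker encodes the complexity rule given under Authentication for ordinary accounts (16 or more characters, two or more character types) and the stricter rule stated above for system-level and service accounts. The 20-character minimum for the system-level profile is an assumption, since the standard says only "longer".

```python
def character_classes(password: str) -> set[str]:
    """Return the character types present: lower, upper, number, symbol."""
    classes: set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("number")
        else:
            # punctuation, spaces and other symbols all count as "symbol"
            classes.add("symbol")
    return classes


# Complexity profiles. "user" is the standard's rule (16+ characters, two or
# more character types). "system" is for system-level and service accounts,
# which need a longer password with more than two types; the 20-character
# minimum is an assumption, as the standard gives no number.
PROFILES = {
    "user": {"min_length": 16, "min_classes": 2},
    "system": {"min_length": 20, "min_classes": 3},
}


def check_password(password: str, account_type: str = "user") -> tuple[bool, list[str]]:
    """Return (meets_rule, reasons) for the given account type."""
    profile = PROFILES[account_type]
    reasons: list[str] = []
    if len(password) < profile["min_length"]:
        reasons.append(f"length {len(password)} is below {profile['min_length']}")
    found = character_classes(password)
    if len(found) < profile["min_classes"]:
        reasons.append(
            f"only {len(found)} character type(s) ({', '.join(sorted(found))}), "
            f"need {profile['min_classes']}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # constructed sample passwords, not real credentials
    for pw in ["correcthorsebatterystaple", "Correct-Horse-Battery-Staple"]:
        for kind in PROFILES:
            ok, why = check_password(pw, kind)
            print(f"{kind:6} {pw!r}: {'ok' if ok else '; '.join(why)}")
```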

Document where the account is used and controls used to protect the data and system.

Vendor Accounts

Enable vendor accounts only when vendor access is needed, and monitor vendor access; together these provide assurance that vendors access only the systems necessary and only during approved time frames.

Documentation

Include in the procedure document the roles of data owners, data custodians, and others involved for account authorization, provisioning and deprovisioning, and user communication, including which role is responsible for each task:

  • define types of accounts and their use (individual, group, system, application, guest/anonymous, temporary);
  • check that the level of access requested is appropriate for the business purpose and does not compromise segregation of duties;
  • provide the information needed to document account provisioning and deprovisioning, how access rights are confirmed with the user, where requests are stored, and that access is granted only after authorization is complete;
  • type of authentication used (e.g., single-factor or multi-factor) and password complexity rules;
  • verify the identity of a user prior to providing a new, replacement or temporary authentication/password;
  • document that a password has been changed and by whom;
  • educate users on their responsibilities related to their account and authentication/password (see User Education section);
  • remove or block access when the user changes position, role, or has left the University;
  • maintain a general document that classifies users/user groups and explains their need for administrative level privileges, and periodically review the document to evaluate the continuing need for and risks of administrator privileges; and,
  • conduct periodic reviews for appropriate user access, inactive/active accounts, redundant use of user IDs, shared accounts.

User Education

Communication to users about access should include:

  • process for requesting, changing, and terminating access;
  • requirements for password complexity (e.g., length, types of characters);
  • authentication/password resets and expiration;
  • confidentiality of authentication/passwords;
  • notifying University Information Security (security@umn.edu) of security incidents, including potential compromises of authentication, password, secret, or access; and
  • notifying users who have administrative privileges on IT resources that the University reserves the right to revoke administrative privileges granted to any user on a University owned system and that they are responsible for the following:
    • using the account with administrative privileges only when that privilege level is required;
    • not blocking, disabling or otherwise circumventing any services which were included in the initial configuration of the device to install operating system updates/patches, application software patches and anti-virus updates;
    • maintaining software licensing information for any user installed software; and
    • maintaining and patching user installed software.

Individuals should use different passwords for their user level and system administrator accounts on multi-user systems (e.g., sudo for Unix, or local admin for Windows).

Technical staff are responsible for working with users, data owners, data custodians, and service owners:

  • on establishing account and authentication/password management;
  • to identify where multi-factor or single-factor authentication is needed; and
  • on establishing access controls.

Users, data owners, data custodians, and service owners are responsible for working with technical staff:

  • to properly use the appropriate authentication(s) for their support or user role(s); and
  • to properly use the access controls in the roles they perform supporting or using the system or application.

See the Information Security policy appendices for additional information security standards that also apply.