
Impact Statement
For Proposed Policy: Authentication of Information Technology Resources


Submitted: February 16, 2005
Revised: Post-EPRG Meeting - February 18, 2005
Responsible Executive: Vice President for Information Technologies
Representing Office: Office of Information Technologies -- IT Policy and IT Security

Background
Fifteen years ago, in conjunction with twenty-six peer institutions, Cornell Information Technologies (CIT) implemented a centralized, single-sign-on authentication system for administrative applications. Currently, a comprehensive strategy is needed to control access to electronic data and devices. This proposed policy would serve such a strategy by providing university-wide authentication standards.

University Policy 4.12, Data Stewardship and Custodianship requires that data stewards establish rules for authorizing access to data, i.e. determining which roles within their unit have access to what kind of data. Data stewards must also classify their data according to ascending levels of confidentiality, with the highest level reserved for federally-protected information, such as banking, medical and educational records.

This policy establishes rules for data stewards to authenticate access to Information Technology (IT) resources, including administrative data, and supports consistent management of Cornell's IT authentication infrastructure.

Policy Statement
Cornell University establishes rules for issuing Cornell NetID's, use and complexity of associated passwords, and minimum authentication standards for access to Information Technology (IT) resources.

Reason for Policy
By establishing consistent management of Cornell's authentication infrastructure, this policy contributes to the protection of the university's administrative data, while complying with privacy and security regulations governing federally-protected data. In particular, this policy establishes rules for managing access to IT resources, namely electronic data and devices.

Consistency with Cornell University's Mission and Goals and Other Policies
The Cornell University IT Policy Framework includes authentication standards outlined in this policy.

This policy has a particularly complementary relationship with University Policy 4.12, Data Stewardship and Custodianship, which classifies university administrative data and sets forth standards for custodianship.

Related university policies are:

Scope of Policy
This policy will govern the following:

  • Definition of a Cornell University community member, sponsor, or guest in relation to the university's IT resources
  • Rules for issuing NetID's
  • Rules for password use and complexity
  • Minimum authentication standards for access to IT resources

Entities, Offices and Other Cornell Community Members Affected by this Policy
Endowed Ithaca and Contract Colleges of the University and the Weill Medical College.

Stakeholders Who Will Be Consulted in Developing This Policy

  • IT Policy Advisory Group
  • IT Manager's Council
  • IT Security Council
  • University Audit
  • University Counsel
  • Student Academic Services
  • Office of Risk Management and Insurance
  • College Business Officers/Business Service Center Directors
  • Office of Human Resources
  • Dean of the Faculty
  • Faculty Advisory Board for Information Technology (FABIT)
  • Administrative Systems Planning Group (ASP)
  • Cornell Computing Directors (CCD)
  • Faculty Senate

Impact on University
This proposed policy anticipates the following issues:

  • Units may resist this policy because it may require changes to their IT procedures and technologies to comply with its authentication requirements. There may be some initial associated costs. However, full life-cycle costs are likely to be no more than current costs.
  • Reduced legal liabilities and risk through higher minimum standards for user authentication and supported authentication infrastructures.

What Compliance Mechanisms Exist or Will Be Created?
University Counsel will oversee compliance with legal standards.
University Audit Office will continue to monitor IT safeguards.
IT Policy and IT Security offices will coordinate implementation of and training for this policy.

Timing Requirements for This Policy
This policy should be issued and promulgated as soon as possible for timely achievement of its goals.

Appendix: Details of Authentication

The Single-Sign-on Method
Cornell University uses the single sign-on method for authentication to IT resources. The single sign-on credential consists of a network identifier ("NetID") combined with the password associated with that NetID.

Network Identifiers' Rules of Issuance
NetID's are for the exclusive use of the individuals to whom they are assigned. Once assigned, a NetID will not be reissued to another individual. Only with rare exceptions and under extreme circumstances can an individual change the NetID assigned to him or her.

Rules for Using NetID Passwords

  1. The NetID password must never be shared.
  2. NetID passwords must not be written down or stored anywhere in unencrypted form.
  3. NetID passwords transmitted over the network must be encrypted.
  4. NetID passwords must not be used with any other authentication infrastructure except for the central, Kerberos infrastructure, whether the account is for an internal or external system.

Rules for Password Complexity

  1. NetID passwords must consist of:
    • at least 8 characters
    • at least one digit or punctuation character and upper and lower case letters
  2. NetID passwords cannot constitute:
    • a word in any dictionary or language, spelled forward or backward
    • names or nicknames of people, pets, or places
    • personal information that can be found out easily, such as addresses, birth dates, or hobbies
    • common keyboard sequences, such as qwerty1 or abc123
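The complexity rules above map directly onto an automated check run at password-change time. The following is an added example, not code from this impact statement or from any Cornell system: the word list, the keyboard rows, the minimum run length and the 50% coverage threshold used to decide that a password "is" a keyboard sequence are all assumptions made for illustration. A deployment would load a full dictionary and the user's own directory data (names, address, birth date) for the personal-information rule.

```python
"""Checker for the NetID password complexity rules (added example).

Returns a list of rule violations so the caller can tell the user what to fix.
"""
import string

MIN_LENGTH = 8

# Constructed stand-in for a real dictionary; a deployment loads a full word list.
SAMPLE_DICTIONARY = {"password", "cornell", "welcome", "summer", "ithaca"}

# Assumed keyboard rows (US layout) plus the alphabet and digit sequences,
# so that qwerty1 and abc123 are both recognised, forward or backward.
KEYBOARD_ROWS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890", "abcdefghijklmnopqrstuvwxyz",
]
RUN_LENGTH = 3          # assumption: 3 adjacent keys count as a run
COVERAGE_LIMIT = 0.5    # assumption: flag if runs cover half the password


def _letters(s):
    return "".join(c for c in s if c.isalpha()).lower()


def _keyboard_run_coverage(pw, run_len=RUN_LENGTH):
    """Fraction of characters in pw that sit inside some keyboard run.

    Marking covered positions (rather than matching one run) lets a short run
    inside an otherwise random password through, while qwerty1 and abc123,
    which are nothing but runs, score 1.0.
    """
    low = pw.lower()
    if not low:
        return 0.0
    covered = [False] * len(low)
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run_len + 1):
                frag = seq[i:i + run_len]
                start = low.find(frag)
                while start != -1:
                    for k in range(start, start + run_len):
                        covered[k] = True
                    start = low.find(frag, start + 1)
    return sum(covered) / len(low)


def check_netid_password(pw, dictionary=SAMPLE_DICTIONARY, personal_info=()):
    """Apply the complexity rules; an empty list means the password passes.

    personal_info: strings associated with the user (names, nicknames, pets,
    places, address, birth date) supplied by the caller.
    """
    problems = []
    low = pw.lower()

    # Rule 1: length, mixed case, and a digit or punctuation character.
    if len(pw) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("needs a digit or punctuation character")

    # Rule 2a: not a dictionary word, forward or backward. The letters-only
    # core is compared so that "Password1!" is still caught.
    core = _letters(pw)
    if core in dictionary or core[::-1] in dictionary:
        problems.append("is a dictionary word (forward or backward)")

    # Rules 2b/2c: names, places and easily found personal details. Each item
    # is tried as typed, letters-only and digits-only (covers 03/12/1985).
    for item in personal_info:
        candidates = {item.lower(), _letters(item),
                      "".join(c for c in item if c.isdigit())}
        if any(len(c) >= 3 and c in low for c in candidates):
            problems.append("contains personal information: %r" % item)
            break

    # Rule 2d: common keyboard sequences.
    if _keyboard_run_coverage(pw) >= COVERAGE_LIMIT:
        problems.append("contains a keyboard sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "Qwerty1!", "abc123", "Tr0ub4dor&3"):
        print(candidate, "->", check_netid_password(candidate) or "ok")
```

The dictionary test strips digits and punctuation before the lookup, which is what a real cracking run does; a checker that compares the raw string would pass "Cornell1!" even though the policy forbids it.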

November 2005 Update: OIT has requested that the two sections below be removed from this impact statement, and that revised standards for authentication servers and levels of authentication be placed in an impact statement for a proposed revision of University Policy 5.1, Responsible Use of Electronic Communications, to be renamed Responsible Use of Information Technology Resources.

Minimum Operational Standards for Authentication Servers
Regardless of the resulting level of authentication as described below, all authentication infrastructures that support Cornell University business must meet the following minimum standards:

  • Passwords must be transmitted in encrypted form
  • Server(s) must be housed in a secure machine room
  • Server(s) must adhere to standardized system hardening procedures
  • System administration must be performed by qualified staff only
  • Two-factor authentication (token and a password, such as SecurID or similar technologies) must be used to access the system

Levels of Authentication for Access to IT Resources
University Policy 4.12, Data Stewardship and Custodianship, requires that data stewards establish policy for the data under their purview. In other words, data stewards must establish "authorization" rules, i.e. the rules regarding which roles within their unit have access to what kind of data. Data stewards must also classify their data according to ascending levels of confidentiality, with the highest level reserved for federally protected information such as banking, medical and educational records. This policy establishes the rules for authentication (access) to IT resources storing and transmitting that data, and requires data custodians to apply these rules when providing access to administrative data.

The table below exemplifies the minimum authentication standards for authorized access to IT Resources.

Level of Authentication: Rules for Authentication
3 — Most secure
  • Standard user prompt presented
  • Authentication keys stored centrally
  • Full application and OS auditing performed to a central log server and regular log analysis performed
  • Service access acknowledged by audit logs
  • Credentials issued to Cornell community members only
  • Two-factor authentication based on cryptographic keys, not NetID and password
2 — Very secure
  • Standard user prompt presented
  • ID and password authentication used
  • Password complexity standard enforced
  • Full application and OS auditing performed to a central log server and regular log analysis performed
  • Service access acknowledged by audit logs
  • Single central password infrastructure employed
  • Credentials issued to Cornell community members only
  • Password encrypted or not transmitted over the network
  • Additional authentication servers allowed on an exceptional basis only and subject to minimum standards
1 — Minimally secure; exposed to well-known attacks and exploits
  • ID and password authentication used
  • Service access acknowledged by audit logs
  • Credentials issued to Cornell community members, sponsored individuals or guests
  • Authentication requirements not integrated into the Cornell authentication infrastructure (Corporate Time, for example)
0 — Not secure
  • Authentication not required for information available publicly