Identity and Access Control

Centrally managed groups are used both as the basis for group collaboration tools and to govern access to online assets. As online threats to Stanford's reputation, intellectual productivity, and legal commitments increase, IT Services must respond accordingly to manage information risk to the institution.

Centralized enterprise identity and access management technologies allow for enterprise-wide control of authentication to Stanford as well as to inter-institutional and online software vendor service offerings. This direction offers enormous efficiencies to Stanford while simultaneously managing growing information security risks. Stronger authentication technologies will be available where the security threat or level of auditability requirements demand higher levels of identity assurance.

More work remains in the access control infrastructure to realize the same potential for improving the authorization decisions made by applications. As with authentication, the vision for central access control is based on existing and emerging open standards. Based on institutional priorities, IT Services will work with Administrative Systems to increase the online information available to applications so that they can make smarter access control decisions. This vision will also require improvements in the lifecycle and auditability of group memberships and entitlements.

Technology trends that IT Services is tracking as it develops its strategy are: federated authentication, principally around the SAML (Security Assertion Markup Language) standard; the proliferation of online identity providers using OpenID and OAuth technologies; virtual directories that render multi-sourced data to applications automatically; and the stabilization of technical standards and falling prices in the smartcard sector.

Goals

  • Offer two-factor authentication, along with strong identity binding processes, to create a level of assurance sufficient to meet non-repudiation standards.
  • Expand the person and group attributes in the central directory to include a richer set of data for more fine-grained access control decisions.
  • Deploy smartcard technology in the Stanford ID card for the principal purpose of logical access control, as opposed to physical access control.
  • Improve auditability and lifecycle of group memberships and account access to services.
  • Leverage an updated federated authentication infrastructure to support a wide array of inter-institutional collaborations and online vendor services.
  • Provide test user identities to support pre-production development, testing and monitoring functions.
  • Better integrate directory services and improve data quality between Stanford University and Stanford Medicine.
  • Sign up for the InCommon certificate service.

Roadmap

  • Update the Shibboleth infrastructure to support SAML 2.0, including WebAuth via SAML on Microsoft Windows servers.
  • Extend Account Services infrastructure to include additional person attributes.
  • Improve auditability and lifecycle around sponsorships.
  • Work with central offices and Administrative Systems to specify and implement group and access data richness.
  • Pilot X.509-based contact smartcard technology, leveraging the standard Stanford ID card platform; build out middleware to tie it into the identity management infrastructure.
  • Investigate extensible directory services technologies in preparation to allow department-originated attributes.
  • Investigate centrally managed authentication technologies for use on mobile devices.
  • Investigate weak multi-factor authentication for campus.
  • Support issuing short-lived digital certificates.
  • Broaden the use of digital certificates for web service authentication.

Measures of success

  • Continued relevance and use of central identity infrastructure on campus.
  • Increased use of authentication and access control infrastructure for external services.
  • Meeting internal audit and other compliance standards.
  • Operational stability and ease of integration.