Authentication Requirements for University Software Applications

Audience:

All members of the University community

Policy Statement:

Computer applications deployed to members of the University community should use the University NetID as the person’s electronic identifier, and the corresponding password as a necessary (but not always sufficient) credential to authenticate each person.

This policy applies to all computer applications regardless of the location or ownership of the service platform(s). This requirement should be included in all bid specifications when acquiring applications. NUIT provides a document for this purpose.

Where appropriate, and in keeping with policies, software applications may require additional credentials beyond the NetID and its password.

If a Web-based application cannot be modified to conform to this policy, then NetID-based access control should be implemented by use of the Web SSO system (Online Passport), which will authenticate the user before passing control to the application.

This policy does not apply to administrator accounts used to configure and maintain server computer systems (so-called “super user” accounts).

Exceptions to this policy are granted by the Office of the Vice-President for Information Technology. Exceptions will be considered when the computer application does not manipulate or store information that the University has classified as “LEGALLY/CONTRACTUALLY RESTRICTED” and either:

  1. The community of users numbers fewer than thirty (30) and the users are within a single University department and the application has a named administrator; or
  2. When the computer application is of a strictly academic nature; or
  3. The computer application is embedded within a larger system and cannot be modified by the vendor (a statement from the vendor is required); or
  4. When the computer application has been budgeted for replacement in the near future.

Applications for exceptions should be sent to the Office of the Vice President for Information Technology: vp-infotech@northwestern.edu

Background Issues:

The University strives to create and maintain an information processing environment that is both secure and convenient to use. A key aspect of this effort is to eliminate the use of multiple identifiers and passwords for a single person – a practice that has been demonstrated to weaken personal security practices. Furthermore, a common identifier and authentication practice is required for integration of applications into the University portal.

Security is further enhanced when the single identifier for a person is linked to his or her standing within the institution, as it is with the University NetID. When there is a change in the person’s standing, it can be rapidly propagated across the institution, modifying or removing access and thus enhancing the security of information. For some systems and types of information, this level of security integration is a regulatory requirement.

Financial Issues:

All costs to comply with this policy are borne by the business unit responsible for the software acquisition. Compliance with University policies should be a requirement of the vendor selection process and should not result in any add-ons by the vendor.

Identifying a vendor-of-choice should require vendors to address the requirements laid out in the document “Northwestern University User Authentication Requirements” available on the NUIT Web site.

Questions/Answers:

Does this policy apply to new systems or both new and existing systems?

It is important that new software purchases comply with this policy. Existing software systems should be brought into compliance as soon as possible, or as required by regulations.

Is there a target date for modifying current University software applications to comply with this policy?

No; however, if technically possible, current systems should be brought into compliance at the next major revision, upgrade, or replacement.

If a software vendor of interest says that compliance with University policy will be an extra-cost item, who will pay for the cost to comply?

The purchasing unit pays the total cost for the system in its compliant form. Compliance with University policies should be a requirement of the vendor selection process and should not result in contract add-ons by the vendor.

If the system serves both University NetID holders and others outside the University, how should security be structured?

University NetID holders must be authenticated minimally via NetID and password. Other persons could be authenticated through federated authentication or by issuing NetIDs to them. An exemption to this policy is required if you wish to separately manage credentials for non-community members.

Is there a document that describes the technical requirements to comply with this policy?

Yes. The document is intended to be an appendix to a bid specification and is available on the NUIT policies Web site.

Last Review Date:

December 2013

Original Issue Date:

August 2007

Revision Dates:

August 2007
December 2009

Related Policies: