
Identity and Access Management Standard

UNIVERSITY STANDARD STATEMENT

This standard establishes expectations for identification, authentication, and access control for university accounts.

REASON FOR STANDARD

The Identity and Access Management (IAM) Standard is critical to ensuring that the right people and job roles can access the tools needed to do their jobs while preventing unauthorized access to university systems and data. It helps provide greater control of user access by identifying, authenticating, and authorizing users, as well as prohibiting unauthorized users.

In certain circumstances, laws and regulations may apply and call out specific IAM requirements that are more restrictive than what is defined here. In those cases, the requirements listed in the laws and regulations will supersede those in this standard.

The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.

SCOPE AND AUDIENCE

This standard applies to the entire Vanderbilt University community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called "VU Community Members"). In instances where institutional data is shared with other parties, this standard extends to the custodians of the shared data (e.g., Oracle Cloud, VUMC).

DEFINITIONS

Account Sponsor: An account sponsor is a Vanderbilt paid employee who is responsible for the usage, access, and certification of a Temporary/Affiliate User Account.

Create: The process of creating and activating digital identities.

Delete: The process of deleting digital identities so that they no longer exist in the central directory.

Disable: The process of deactivating digital identities so that they no longer have access to IT assets. They still exist in a central directory but no longer have login access to IT assets.

Identity Federation: A method of authentication that coordinates and manages a single authentication credential to access different systems within a single organization or across different enterprises.

Just-in-time Access (JIT): A practice where granted access is limited to a predetermined period of time on an as-needed basis.

Least Privilege: A method of access control that gives access to IT resources only when needed and only with the minimal level of permissions needed for the job and nothing more. This helps reduce the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account.

Legacy Authentication: An older, less secure form of authentication that sends a classic username and password with every request; those credentials are often stored or saved on the device.

Lightweight Directory Access Protocol (LDAP): A protocol used to authenticate and authorize access to resources based on a directory server.

Modern Authentication: A method of identity management that uses token-based authentication protocols (e.g., SAML, WS-Federation, OAuth).

Multi-factor Authentication (MFA): An authentication method that requires the user to provide two or more verification factors to gain access to a resource. For example, providing something the user knows (password), something the user has (badge or smart device), or something the user is (fingerprint or facial recognition).

Password: A secret string of characters that is used to verify that an individual or process is who they claim to be for the purpose of permitting access.

Privileged Account Management (PAM): An identity security solution that helps control and monitor the activity of privileged users (who have access above and beyond standard users) once they are logged into a system.

Remote Access: A method of access that permits an individual at an off-campus location to connect to an on-campus system or application.

Review: The process of regularly reviewing accounts to determine overall need and making modifications.

Role-based Access Control (RBAC): A method of standardizing permissions based on job functions rather than individual account access.

Screensaver Timeout: The amount of idle time that must elapse before the computer monitor's screensaver turns on. Applications and programs are still on and running in the background.

Session Timeout: The amount of idle time that must elapse before the application or program connection is terminated and the user must log in again to reinitiate the session.

Virtual Private Network (VPN): A remote access service that enables an encrypted connection over a public network infrastructure such as the internet and prevents unauthorized people from eavesdropping on the traffic.

STANDARD

A. IDENTIFICATION

All accounts must be in a VUIT central directory (e.g., Active Directory or Lightweight Directory Access Protocol) by default, where technically feasible. Account identifiers (e.g., VUNet ID) must be individually unique and cannot be recycled or reused.

The primary types of accounts at the university are:

  • Standard User Account - An individual user account that identifies a specific person. This account is federated and allows a user to log on to multiple IT assets with the same account and password. A common example is a VUNet ID.
  • Alumni Account - An account for a faculty member who has retired from Vanderbilt or a student who has graduated from Vanderbilt.
  • Privileged User Account - An account that has elevated privileges beyond that of a standard user to provide administrative or specialized levels of access. Typically, it allows IT administrators to manage software or hardware. An example is a Three Letter Account (TLA).
  • Temporary/Affiliate User Account - An individual user account for guests, contractors, or other individuals who have a business or academic relationship with the university but are not employees. It could also include an emergency account created on a temporary basis for testing purposes or to remediate an imminent threat to the university. These accounts require sponsorship from a Vanderbilt paid employee.
  • Resource/Service Account - An account that is not associated with a person but is used by a process to allow a system or application to run services unattended. These accounts must only be used by one system or application. Client credentials stored within cloud or vendor systems (e.g., Entra ID, Oracle Cloud) used to access APIs or other provided services are classified as resource/service accounts. These accounts require a sponsor.
  • Local Account - An account that is specific to a single IT asset, or an account created and managed via a 3rd party application. This account is stored locally on the asset's hard drive, is not federated, and allows an individual user to log on to a computer, application, or service.
  • Shared Account - A single account and password that multiple individuals co-use. These accounts cannot be linked to an individual person or process and lack accountability. These accounts require an exception from Cybersecurity.

If an account matches the description for multiple account types, it must follow the most restrictive criteria of each matching type.

Account lifecycle requirements are listed in the table below:

Table 1. Account Lifecycle Requirements

Type | Example | Create | Review | Disable | Delete
Standard | Staff | Upon hire | Annual | 24 hours after separation | 30 days after disable
Standard | Faculty | Upon hire or invite | Annual | 4 months after separation | 30 days after disable
Standard | Undergraduate student | Upon invite or matriculation | Annual | 4 months after graduation | 30 days after disable [1]
Standard | Graduate student | Upon invite or matriculation | Annual | 12 months after separation or graduation | 30 days after disable [1]
Standard | Professional student | Upon invite or matriculation | Annual | 12 months after separation or graduation | 30 days after disable [1]
Alumni | Emeritus faculty | Upon disablement of standard account | N/A | N/A [2] | N/A [2]
Temporary/Affiliate | Guest | After VU sponsor approval | 6 months | Immediately upon pre-defined date | 30 days after disable
Temporary/Affiliate | Contractor | After VU sponsor approval | 6 months | Immediately upon pre-defined date | 30 days after disable
Temporary/Affiliate | VUMC Faculty | Upon appointment and request via invite | Annual | Immediately upon end of appointment | 30 days after disable
Privileged | TLA | After written supervisor approval | 6 months | Immediately after standard account disablement or within 48 hours of role change | 30 days after disable
Privileged | Tier 0 | After written supervisor approval | 6 months | Immediately after standard account disablement or within 48 hours of role change | 30 days after disable
Resource/Service | API automation | After administrator approval | Annual | 24 hours after notification | 30 days after disable
Resource/Service | System to system | After administrator approval | Annual | 24 hours after notification | 30 days after disable
Local | Default | After IT asset owner approval | Annual | 24 hours after notification | 30 days after disable
Local | Vendor-specific | After IT asset owner approval | Annual | 24 hours after notification | 30 days after disable
Shared | Not allowed without an exception and with the password stored in a secure password vault (e.g., PAM). If an exception is granted, lifecycle requirements shall follow the appropriate account type above.

[1] Account deletion does not necessarily eliminate an individual's record. See FAQs below.

[2] University alumni, such as emeritus faculty and postgraduates, may retain perpetual limited application access as defined by the business (e.g., email, Library, YES, AlumnIQ).

In support of security investigations and/or legal proceedings (e.g., litigation hold), an account may be retained beyond the timeframes outlined above.

B. AUTHENTICATION

  • University passwords must maintain a minimum complexity:
    • 3 of the following 4 character classes must be used:
      • Upper Case (ABCD...)
      • Lower Case (abcd...)
      • Number (1234...)
      • Special Character (!@#$...)
    • Length and expiration/renewal must align with the following:

Account Type | Minimum Length | Expiration
Standard | 12 | Annual
Privileged | 12 | 6 months (unless managed by PAM [3])
Temporary/Affiliate | 12 | Annual
Resource/Service | 32 | 2 years or upon departure of an individual with knowledge of it
Local | 16 | 6 months (unless managed by PAM or LAPS)
Shared | N/A | N/A

[3] Privileged Account Management (PAM)

  • Passwords must never be shared and cannot be reused with other non-affiliated accounts (e.g., personal accounts).
  • Passwords must be encrypted when stored and when transmitted over any network according to the Encryption Standard.
  • Passwords must be obscured during the logon process and are never permitted to be coded into programs or queries in clear text.
  • If an IT Asset has a vendor-supplied default password, the IT Asset Owner must change it immediately.
  • Accounts cannot reuse any of the past 10 passwords, and a password cannot include 3 consecutive characters from the username.
  • Accounts must lock after no more than 5 failed login attempts, with a lockout of at least 5 minutes.
  • Passwords for Resource/Service accounts should be randomly generated and stored in a password manager.
  • Authentication methods must utilize modern protocols by default. Legacy or Basic authentication is not allowed.
  • Where available and technically feasible, Multi-Factor Authentication (MFA) must utilize secure, second verification methods.
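The password rules in section B (minimum length by account type, 3 of 4 character classes, no run of 3 consecutive username characters, no reuse of the last 10 passwords) together with the 5-attempt / 5-minute lockout, as an added Python example. This is illustrative code written for this page, not a VU tool; the account-type keys, the salted PBKDF2 hashing of the password history, and the LoginGuard class are assumptions.

```python
import hashlib
import hmac
import string
from datetime import datetime, timedelta

# Minimum lengths per account type, taken from the standard's password table.
MIN_LENGTH = {"standard": 12, "privileged": 12, "temporary": 12,
              "resource": 32, "local": 16}
HISTORY_DEPTH, MAX_FAILURES, LOCKOUT = 10, 5, timedelta(minutes=5)

def pw_hash(password: str, salt: bytes) -> bytes:
    # History is kept as salted PBKDF2 hashes, never as clear-text passwords (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password, username, account_type, history):
    """Return a list of policy violations; an empty list means the password is acceptable.
    history: (salt, hash) pairs of the user's previous passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of the 4 character classes")
    u, p = username.lower(), password.lower()   # compare case-insensitively
    if any(u[i:i + 3] in p for i in range(len(u) - 2)):
        problems.append("contains 3 consecutive characters of the username")
    if any(hmac.compare_digest(pw_hash(password, s), h) for s, h in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems

class LoginGuard:
    """Per-account failed-login counter: 5 failures lock the account for 5 minutes."""
    def __init__(self):
        self.state = {}          # username -> [failure_count, locked_until]

    def allowed(self, username, now: datetime) -> bool:
        _, locked_until = self.state.get(username, [0, None])
        return locked_until is None or now >= locked_until

    def record(self, username, success: bool, now: datetime) -> None:
        if not self.allowed(username, now):
            return               # attempts during the lockout window are ignored
        if success:
            self.state.pop(username, None)   # a successful login clears the counter
            return
        count, _ = self.state.get(username, [0, None])
        count += 1
        self.state[username] = [0, now + LOCKOUT] if count >= MAX_FAILURES else [count, None]
```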

C. ACCESS CONTROL

  • A computer monitor screensaver must initiate after 15 minutes of idleness, forcing the user to log back in to wake it up.
  • A session must terminate after a defined period of idleness (e.g., 60 minutes for applications, 12 hours for Single Sign-On), where applicable and technically feasible, to prevent exploitation if the user forgot to log out.
  • The "remember me" functionality for an application or program that allows a user to stay authenticated for long periods without asking for credentials again should not exceed 7 days, where technically feasible.
  • Virtual Private Network (VPN) and other remote connections must time out at least once per 18 hours. Enterprise secure remote access that extends security protection to university IT Assets when not on the campus network may have extended session times when it is secured by MFA. For complete remote access requirements, see the Network Security Standard.
  • Privileged account owners must use their standard user account for day-to-day activities, and only elevate to their privileged account when needed. Privileged access should leverage just-in-time access such that elevated permissions are revoked after no more than 8 hours.
  • Privileged access to applications should not allow users to stay authenticated for more than 24 hours.
  • Privileged local accounts should be used strictly in emergency situations, with access tightly controlled, monitored, and audited to prevent unauthorized use. Prioritizing least privilege minimizes potential vulnerabilities while ensuring break-glass accounts remain a last-resort measure.

The Office of Cybersecurity shall maintain authority to restrict requirements further than what is defined above based on risk exposure (e.g., shorten timeout periods when user location is abroad). They are authorized to take mitigating actions such as disabling an account without warning if it is in violation of university policy, state, or federal regulations, or in response to a security incident that poses an imminent threat to the university.

EXCEPTIONS

On a rare occasion, a security policy exception may be considered depending on the impact to the university mission and security risk(s) introduced. Those seeking an exception must submit a request to the Office of Cybersecurity for evaluation and risk assessment. Based on the level of risk, requests will be granted or denied by the CISO and Chief Information Officer (CIO).

ENFORCEMENT

The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law and individuals shall be accountable as applicable.

FORMS AND TOOLS

  • Identity Services:

FREQUENTLY ASKED QUESTIONS

  • If a user account is deleted, will the individual's record also be deleted?

    No. Even if the VUNet ID is deleted, the person's record will still be maintained. For example, transcripts will still be available for a graduated student, and the employment record for a terminated employee will still be on file.

  • If an individual returns to VU after their account is deleted, will they get assigned a new VUNet ID or will they get the old one?

    The individual will be assigned the original VUNet ID. For example, if a student graduates but they return to VU as an employee, upon verification of identity, the individual will get the original VUNet ID.

  • What is the difference between a password and passphrase, and which is more secure?

    A password is typically a short string of characters containing random letters/numbers/symbols. A passphrase is usually a longer sequence of whole words resembling a sentence or phrase. While both can be secure, a passphrase is recommended because it is often longer (and therefore harder to crack) and easier for the user to remember.

  • What are examples of modern vs. legacy authentication protocols?

    This listing is non-exhaustive but illustrative:

    Modern Authentication Protocols:
      • OAuth 2.0
      • SAML
      • OpenID Connect
      • Certificates
      • Kerberos

    Legacy or Basic Authentication Protocols:
      • POP
      • MAPI over HTTP
      • Exchange ActiveSync and Autodiscover
      • SMTP
      • Exchange Web Services
      • Offline Addressbook
      • Outlook Anywhere or RPC over HTTP
      • Reporting Web Services
      • Universal Outlook
      • Protocols deemed end-of-life

  • What are examples of second verification methods for MFA?

    This listing is non-exhaustive but illustrative.

    Secure MFA Verification Methods:
      • Hardware Token
      • Push Notification
      • WebAuthn
      • TOTP
      • Bypass code (with approval)

    Disallowed MFA Verification Methods:
      • Phone callback
      • Short Message Service (SMS)
      • HMAC-based One-Time Password (HOTP)

HISTORY

Review Date | Summary of Changes
N/A |