Introduction
Safeguard 6 - Access Control Management
Instructions
6.1 - Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
Virginia Tech manages access controls via its single sign-on (SSO) service and Duo 2-factor authentication (2FA). For procedures regarding integrating the SSO service, refer to Middleware Services' 2FA Directory. For procedures regarding setting up Duo as a user, see the Authenticating using Duo 2-Factor Authentication knowledge base article.
6.2 - Establish an Access Revoking Process
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
6.3 - Require MFA for Externally Exposed Applications
All externally-exposed applications should enforce multi-factor authentication (MFA) wherever possible. Virginia Tech does this via Duo 2-factor authentication.
2FA via LDAP for Applications
Sometimes applications cannot directly support 2-factor authentication. In this case, Duo provides an alternative authentication proxy for applications that use LDAP for authentication. For more information regarding Duo 2FA via LDAP authentication, please visit Virginia Tech's Middleware Services.
Requesting a Duo Consultation
If you need a non-standard Duo integration for your application, you may request a consultation.
- Login to 4Help.
- Go to the Duo Integration Consultation knowledge base (KB) article.
- Click Request this service.
- Fill out the request form.
Requesting a Standard DUO Integration
Virginia Tech offers free 2-factor security for its departments and workgroups. This is ideal for applications that cannot utilize the Virginia Tech Login service.
Standard Duo integrations can only be requested by Active Directory Organizational Unit (OU) admins.
- Login to 4Help.
- Go to the Duo Integration KB article.
- Click Request this service.
- Fill out the request form.
By default, the application name is the department short name and the integration type, and the Duo group name is the application name and role of the Duo group. Duo Groups are required for Duo integration requests and limit the integration access to the members of the groups.
6.4 - Require MFA for Remote Network Access
Multi-factor authentication should be required for remote network access. Please see the procedures in Safeguard 6.3 for information about setting up Duo for multi-factor authentication.
6.5 - Require MFA for Administrative Access
Multi-factor authentication should be required for administrator access. Please see the procedures in Safeguard 6.3 for information about setting up Duo for multi-factor authentication.
6.6 - Establish and Maintain an Inventory of Authentication and Authorization Systems
- Create an inventory of all authentication and authorization systems, including those hosted on-site or at a remote service provider.
- Review and update the inventory, at least annually, or more frequently.
6.7 - Centralize Access Control
Centralize access control for university assets through a university directory or identity service, where supported.
Access control can often be centralized via the Virginia Tech Single Sign-On Service (SSO), which is a service that supports SAML1/SAML2, CAS/v2, and OIDC (Gateway). For more information regarding SSO, refer to Middleware Services’ Login Service Single Sign-On page.
Other
If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.edu for a consultation.