Authentication, Authorization and Access Controls (S-13)

Standard: S-13
Responsible Executive: Vice President for Information Technology and Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: July 15, 2019
Date Last Revised: March 5, 2025

Table of Contents

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix 

Contacts

Clarification of Standard

Purdue Systems Security (PSS)
765-494-4000 | itpolicyanswers@purdue.edu

Individuals and Entities Affected

University students, faculty, staff and all other individuals or entities using University IT Resources.

Statement of Standard

Controlled access to IT Resources is essential for Purdue University to continue its mission of learning, discovery and engagement. Identification, authentication and authorization are controls that facilitate access to University IT Resources. Purdue University uses access controls and other security measures to protect the confidentiality, integrity and availability of University IT Resources and Information Assets. This standard identifies the requirements supporting these controls.

Identification

The Purdue University identifier (PUID) number is a ten-digit identification number assigned to each person based on the individual’s unique relationship with the University. A person’s PUID number identifies the person to Purdue University’s IT Resources. A PUID number will be assigned to each individual who has a legitimate business, research or educational need to access University IT Resources, but a PUID number alone is not sufficient to access these IT Resources.  Assignment of a PUID number includes reactivating and/or updating an existing PUID number if an individual’s relationship with the University changes (e.g., from student to staff or vice versa).

• A PUID number will be assigned to all prospective students at the time of application to the University.
• A PUID number will be assigned to all employees of the University at the time of employment.
• All contractors, consultants, or other non-employees, who must be granted User Credentials in order to fulfill a legitimate business, education and/or research obligation to or on behalf of Purdue University, must follow the Request for Privileges (R4P) Application instructions. A PUID number will be assigned once that process is complete.
• The PUID number must be used with appropriate authentication credentials. By itself, the PUID number must not be used to gain access to any private information or non-public IT Resource.

Authentication

A PUID number is not the same as a Purdue Career Account or Multi-factor Authentication. A Purdue Career Account and/or Multi-factor Authentication gives an individual electronic access to a number of services. All Purdue students, faculty and staff are assigned a Purdue Career Account with base access that may include different services depending upon the person’s affiliation with the University. Assignment of a Purdue Career Account includes reactivating and/or updating an existing account if an individual’s relationship with the University changes.

• A Purdue Career Account and Multi-factor Authentication will automatically be assigned to all faculty and staff at the beginning of their employment period, and to students upon offer of admission to the University.
• A Purdue Career Account and Multi-factor Authentication may be assigned to an individual who has a legitimate business, research or educational need to access University IT Resources, but is not a faculty, staff, or student at the University. Assignment of account will require the user’s explicit acknowledgement to follow Purdue policies. This access is subject to quarterly review through Human Resource Services.
• A Purdue Career Account and Multi-factor Authentication must be used, where technically possible, for general user authentication purposes for all Purdue IT Resources and those hosted on behalf of Purdue.
• Privileged Access to Purdue IT Resources must utilize Multi-factor Authentication method(s) approved by the CIO.
• All University IT Resources must use only encrypted authentication mechanisms.
• Authentication credentials for Purdue IT Resources will not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist, and must follow the standard on User Credentials (S-16) for password expiry. A security policy exception request is required in order to code authentication credentials into programs or queries if unencrypted.
• Use of biometric technologies for authentication purposes must follow the standard on Biometric Technologies (S-14).

Authorization

Authorization for University IT Resources depends on the individual’s relationship(s) to the University and the requirements associated with that relationship.

• Only the minimum privileges necessary to complete required tasks will be assigned to an individual.
• Privileged Access may not be assigned to Career Accounts.
• When Privileged Access is needed across systems, separate privileged accounts must be used. For example, Active Directory OU admin, database admin, and application admin will be separate accounts.
• Privileges assigned to each individual must be modified or revoked upon a change in status with the University. When an individual’s status changes (e.g., due to a change in role or responsibilities), access to University IT Resources must be adjusted accordingly.
• Privileged Access accounts on each system must be reviewed at least annually to identify and correct any unnecessary access.
• System users must be permitted to modify production data only when employing a controlled process or system.

General Security Controls

• University servers, end user computers (e.g., laptops and desktops) and other applicable Devices (e.g., virtual machines), unless exempted by the CISO, must have appropriate working Endpoint Protection Software installed prior to any new or continued connection to University IT Resources.
• Mass storage systems, unless exempted by the CIO or CISO, must be periodically backed up in a way that creates indelible copies with verified integrity.
• Networked systems, unless exempted by the CIO or CISO, must send appropriate logs (as defined in IT Resource Logging (S-11) standard) to the central university logging service/aggregator.
• Access controls will be accompanied by mechanisms to detect, record and generate alerts in accordance with IT Resource Logging (S-11) about repeated failed attempts to access University IT Resources.
• Access controls must include account lockout capabilities, including a maximum number of login attempts and a lockout time duration.
• Access control permissions for all non-public Purdue University IT Resources must default to no access, which blocks access by unauthorized users.
• IT Resources must be designed to default to no access (denial of privileges to end-users) in the event of a malfunction.
• Operating system access to IT Resources must use a password-protected session lock after inactivity for 15 minutes or less.
• Testing or attempting to compromise internal controls, when outside of the scope of an individual’s employment duties with Purdue University, is prohibited unless specifically approved in advance and in writing by the CIO.
• All contractors, consultants or other non-employees must only be given Privileged Access to IT Resources when the IT Resource Owner, or designee, determines there is a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks.

Remote Access Controls

Remote Users accessing non-public University IT Resources must follow these requirements for any Remote Host accessing IT Resources, as well as any guidelines, procedures or other requirements issued by their departmental IT units and/or the owners of the IT Resource to be remotely accessed:

• Remote Access to Purdue IT Resources must use one of the following:
  1. An encrypted virtual private network (VPN) approved by the CIO or CISO, or
  2. Another encrypted connection approved by the CIO or CISO.
• Ensure the Remote Host meets the security expectations specified in the End User Security Guidelines.
• Take reasonable precautions to ensure Remote Access connections are secured from interceptions, eavesdropping or misuse including, but not limited to, shielding their screen from view in a public area when accessing sensitive or restricted data and not sharing the Remote Host with another party for use while it is remotely connected.
• Follow University Data Handling Procedures and any departmental requirements including, but not limited to, those associated with federal, state or local laws, such as HIPAA, FERPA, etc.

Terminating Access to IT Resources

In accordance with the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4), use of IT Resources is a privilege and not a right, and violations of this policy or any other University policy or regulation may result in revoked or limited IT Resource privileges.

Access to IT Resources must be immediately terminated when an employee separates from the University and when a non-employee, such as a student, vendor, contractor or consultant, no longer has a legitimate business or educational need.

Responsibilities

Centralized and Departmental IT Units and IT Resource Owners (and designees)

• Implement and monitor compliance with this standard and any related policies, standards and best practices for University IT Resources within their areas of responsibility.
• Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure University IT Resources

Purdue Systems Security Identity and Access Management Office (IAMO)

• Provide identification, authentication and authorization services to departments and academic units.

Remote IT Resource Users

• Comply with this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) to be remotely accessed.
• Comply with University Data Handling Procedures and any departmental requirements including, but not limited to, any guidelines issued by the HIPAA Privacy Compliance Office for Remote Access to Protected Health Information or those associated with federal, state or local law.

University students, faculty, staff and all other individuals or entities granted use of University IT Resources

• Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) they access.

Definitions

All defined terms are capitalized throughout the document. Additional defined terms may be found in the policy on Information Security and Privacy (VII.B.8) and in the central Policy Glossary.

Career Account
A general user account assigned at first affiliation with the University that gives an individual electronic access to a number of services at Purdue University, including but not limited to, services for email, instructional, research and departmental use with basic access to these different services based on the individual’s affiliation with the University. 

Endpoint Protection Software
Software used to protect servers, workstations, smart phones and other end user Devices against attack (e.g., antivirus and antispyware).

Privileged Access
Elevated or administrative access privileges beyond those of a general user Career Account. For example, accounts such as root, local administrator, domain administrator, OU admin, super user, and emergency or “break glass” have Privileged Access. 

Remote Access
Access to Purdue University IT Resources from an electronic or other device not directly connected to the Purdue University wired or wireless networks, but not including access to publicly available IT Resources. For example, use of a web browser to remotely access a publicly available Purdue University webpage is not covered by this standard. 

Remote Host
An electronic or other device used for Remote Access. 

Remote User
Any user of IT Resources from a Remote Host. 

Multi-factor Authentication
Multi-Factor Authentication (MFA), also referred to as two-step verification, or two-factor authentication (TFA, 2FA), is a security mechanism requiring two types of credentials for authentication designed to provide an additional layer of validation, minimizing security breaches. Typically, one is something you have, such as a physical token or software token on a mobile device, and the other is something you know, such as a PIN (personal identification number). The combination of the token and the PIN authenticates users to the system.

User Credentials
A computer or software user’s authentication information, typically a password, token or certificate in combination with a username. 

Related Documents, Forms and Tools

This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.

Other related policies, standards and procedures

• Access to Student Education Records (VIII.A.4)
• Acceptable Use of IT Resources and Information Assets (VII.A.4)
• Biometric Technologies (S-14)
• Privileged Accounts and Service Accounts (S-15)
• Security Policy Exception Procedures
• Request for Privileges (R4P) Application instructions (PDF)
• User Credentials (S-16)

Health Insurance Portability and Accountability Act of 1996 (HIPPA) 

Family Rights and Privacy Act of 1974 (FERPA)

History and Updates

March 5, 2025: Clarified references to review of Privileged Access in the Authorization section of the Statement of Standard.

December 12, 2024: Document reviewed; minor administrative updates made to titles, offices and links.

May 16, 2023: Removed references to BoilerKey.

September 19, 2022: Added requirements to sections on Authentication, General Security Controls and Remote Access Controls as a result of a security risk assessment. Added definition of Endpoint Protection Software.

July 15, 2019:  This standard supersedes the policy on Authentication and Authorization (VII.B.1) and the policy on Remote Access to IT Resources (VII.B.4). It also supersedes associated Remote Access Standards dated March 1, 2010, and Access Control Standards issued by the Identity and Access Management Office (IAMO) dated February 1, 2008, and revised December 7, 2011.

Appendix

There are no appendices to this standard.