Description
This standard establishes NIH Login as the required method of implementing authentication in web-based applications at the NIH. Authenticated identities are the basis for many other information security services. Therefore, NIH needs to:
- Verify user identity as the basis for access control to NIH resources
- Control individual user access to the resources and services provided by those systems
- Create an audit trail of individual user access, or attempted access, to those systems, resources and services
Authentication services are crucial to access control and auditing services. If users' identities are not properly authenticated, NIH has no assurance that access to resources and services is properly controlled. In most situations, a User ID and password combination will provide an appropriate level of security if the User ID and password conform to NIH policy. However, NIH will implement stronger authentication for enterprise users with high system privileges (e.g., system, network and security administrators).
NIH Login shall be used by web-based applications for user authentication.
Brick Information

Tactical (0-2 years):
(no entries)

Strategic (2-5 years):
(no entries)

Retirement (To be eliminated):
(no entries)

Containment (No new development):
- Application-specific user authentication based on databases including LDAP, RDBMSs
- Application-specific user authentication including IP and MAC Addresses

Baseline (Today):
- Application-specific user authentication based on databases including LDAP, RDBMSs
- Application-specific user authentication including IP and MAC Addresses
- NIH Login (currently utilizing CA SiteMinder)

Emerging (To track):
- Biometrics which integrate with NIH Login
- Smartcards which integrate with NIH Login
Comments
Time Table
This architecture definition was approved on: April 2, 2008
The next review is scheduled: TBD