Category: Security Architecture
Applicability: Applies to all state agencies, boards, and commissions, excluding higher education
History: Adopted on March 15, 2005. Amended on March 4, 2008 (by NITC 1-103).
All state government web applications that require authentication and authorization of users will utilize the enterprise directory, known as Nebraska Directory Services.
The purpose of this standard is to provide an enterprise solution for identity and access management capabilities to reduce security administration costs, ensure regulatory compliance, and increase operational efficiency and effectiveness. This standard focuses on web applications, because most, if not all, new applications will utilize web technology. Incorporating non-web applications into the Nebraska Directory Services would require additional cost and different policies to implement.
Authentication: The process of uniquely identifying an individual. Authentication ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Authorization: The process of giving individuals access to system objects based on their identity, which allows them to add, update, delete or view information for a web application.
Identity and Access Management: Enterprise Identity Management is a system of technologies, business practices, laws and policies that manages common identification of user objects; reduces costs while enhancing the quality of government services; protects the integrity of state resources; and safeguards the privacy of the individual.
LDAP: LDAP (Lightweight Directory Access Protocol) is an Internet protocol that applications use to look up user information from a server, such as Novell's eDirectory.
Web Applications: Web-server-based applications that are accessed using a web browser. This definition includes custom-developed systems and third-party software systems.
This standard applies to all state government agencies, boards, and commissions, except Higher Education.
All new web applications requiring authentication and authorization of individuals must comply with the standard listed in Section 1. All existing web applications requiring authentication and authorization must convert to the standard listed in Section 1 as soon as fiscally prudent or upon an upgrade to the web application, whichever comes first, unless the application is exempt.
IMServices will incorporate the needed hardware and software into their infrastructure to provide the following:
Agencies, Boards and Commissions will carry out the following responsibilities:
The State Government Council's Directory Services Workgroup will provide ongoing advice and direction, including but not limited to: