Introduction
The ONYEN (Only Name You'll Ever Need) program at UNC-Chapel Hill is designed
to provide affiliates of the University with a login device that can be used
to access various tools provided electronically by the university and its departments.
As the name indicates, the idea is to utilize this single login device for all
electronic tools requiring authentication at UNC. The goal of the program is
to "eventually replace all campus login names" with this single, integrated
service. Since the services incorporated into this program include tools used
to manipulate private and/or sensitive data, a security policy has necessarily
been developed to prevent unauthorized users from gaining access to ONYEN services.
The 12 major components of this policy are as follows:
Below is my analysis of the UNC ONYEN policy, divided into four areas.
Scope
The ultimate goal of the ONYEN program is to provide a single, universal login to any electronic service provided by the University (and its departments). In order to do this, the ONYEN policy is designed to assign ONYEN logins to UNC affiliates (and only UNC affiliates) and to protect these logins from unauthorized access. The assignment aspect of the policy is achieved using University-assigned Personal Identification Numbers (PIDs). A PID is given to new University affiliates at the beginning of their affiliation. This PID is then used to register, via the web, for an ONYEN. Since only one PID is assigned to each affiliate, using this previously established system to facilitate the ONYEN system prevents any one individual from acquiring more than one ONYEN. Also, all new ONYENs are checked against the database of ONYENs to prevent duplication.
The universal aspect of the ONYEN program is achieved through cooperation among several different departments on campus including ATN, AIS, various academic departments, etc. Because of this dispersion, the ONYENs are used to access some confidential tools as well (e.g. academic grades, payroll information, etc.) and, thus, it is critical that access be available only to appropriate personnel. The ONYEN policy works with the Honor Code and employment policies to prevent, and punish when necessary, misuse of ONYENs. Also, the policy must deal with the risk of unauthorized access via a) acquiring an ONYEN and password from a legitimate ONYEN owner (e.g. with sniffer software) or b) decrypting an ONYEN password (e.g. dictionary attack). Protecting against such intrusions is an integral component of the ONYEN policy (see Security).
Security
The ONYEN policy is designed to protect against unauthorized access to and/or use of the ONYEN system by both 'inside' threats (legitimate ONYEN owners) and 'outside' threats (external intruders). Protection from the inside is accomplished by Sections 4, 5 and 6 of the ONYEN policy. During the on-line application process for an ONYEN, the user must agree to the terms listed in the aforementioned sections of the policy. Violation of these terms is handled according to Section 7 of the policy (see Enforcement).
The first line of defense against outside attack is to prevent unauthorized personnel from acquiring an ONYEN. Sections 1 and 12 are designed to protect against this by a) preventing individuals unaffiliated with the University from acquiring an ONYEN (see Scope) and b) placing time limits on ONYEN access for individuals whose affiliation with the University has ended. The other primary protection from outside attack is outlined in Section 11, Password Integrity. This section is included to a) prevent users from using passwords that are easily guessable or breakable via a dictionary attack and b) force password changes every ninety days to reduce the risk of cracked passwords (see End-User Convenience).
End-User Convenience
One of the biggest challenges in designing IT policy is striking a balance between security and convenience for users. The ONYEN program itself is designed specifically to make things more convenient for University affiliates by keeping the amount of authentication information they have to keep track of to a minimum. The more integrated electronic tools on campus become with the ONYEN system, the easier it is on users to keep track of how to access them.
Recently, a change in the ONYEN policy has created quite a stir on campus precisely because it sacrifices user convenience for increased security. This change is in section 11 of the policy and mandates a 90-day expiration period on all ONYEN passwords. This can be difficult for users, particularly ones not as comfortable with computers, to keep track of. However, the change was implemented in order to comply with state security requirements and, more generally, to decrease the likelihood of compromised passwords on campus.
Enforcement
Again, use of the PID system makes enforcement of the one-person-one-ONYEN policy fairly easy. Sections 4, 5 and 6 of the ONYEN policy detail terms of agreement that clearly lay out what is expected from users of the ONYEN program. Section 7 lays out the consequences for violating these terms of agreement, including suspension of ONYEN privileges and suspension of employment. This policy acts as a deterrent to internal tampering with the ONYEN system. In addition, Section 7 mentions legal action, which can act as a deterrent to outside attack as well.
Enforcement of the password integrity measure outlined in Section 11 is accomplished via the web interface used by the users to choose passwords. The system suggests appropriate passwords (randomly generated from two dictionary words, one of four letters and the other of three, and one symbol, in random order). If the user chooses to designate his/her own password, the interface automatically checks it against the rules laid out in Section 11 and refuses the password if it does not meet the criteria. As for the new expiration policy, on the date of a password's expiration, all access to ONYEN services is denied until the password has been changed via the online interface at http://onyen.unc.edu.
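The suggestion scheme described above can be sketched and its strength estimated. This is an added example, not the ONYEN system's own code; the word lists, the symbol set and the dictionary sizes used for the estimate are assumptions, since the page does not give them.

```python
import math
import secrets

# Constructed sample lists; the real dictionary and symbol set are not given on the page.
FOUR = ["blue", "tree", "lamp", "rock", "wind", "fish", "door", "moon"]
THREE = ["cat", "sun", "key", "map", "pen", "box", "cup", "owl"]
SYMBOLS = list("!@#$%&*+")


def suggest_password(four=FOUR, three=THREE, symbols=SYMBOLS):
    """One four-letter word, one three-letter word and one symbol, in random order."""
    parts = [secrets.choice(four), secrets.choice(three), secrets.choice(symbols)]
    # Fisher-Yates shuffle driven by the OS CSPRNG rather than the random module.
    for i in range(len(parts) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        parts[i], parts[j] = parts[j], parts[i]
    return "".join(parts)


def scheme_keyspace(n_four, n_three, n_symbols):
    """Upper bound on distinct suggestions: the choices times the 3! orderings.

    It is an upper bound because two word pairs can concatenate to the same
    seven letters (a 4+3 split and a 3+4 split of one string).
    """
    return n_four * n_three * n_symbols * math.factorial(3)


def scheme_entropy_bits(n_four, n_three, n_symbols):
    """Entropy in bits if every outcome counted by scheme_keyspace is equally likely."""
    return math.log2(scheme_keyspace(n_four, n_three, n_symbols))


def random_string_entropy_bits(length, alphabet_size=94):
    """Entropy of a uniformly random string over printable ASCII, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("suggestion:", suggest_password())
    # Assumed sizes: 4000 four-letter words, 1000 three-letter words, 10 symbols.
    print("scheme bits:", round(scheme_entropy_bits(4000, 1000, 10), 1))
    print("random 8-char bits:", round(random_string_entropy_bits(8), 1))
```

Under the assumed dictionary sizes, every suggestion is eight characters long but carries far less entropy than eight uniformly random characters, which is the figure to weigh when judging the scheme against dictionary attacks.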
As mentioned before, one of the biggest challenges in security policy on such a large scale is balancing security and convenience for the users. The changes suggested below strive to increase one or the other without upsetting the balance too much.
Variable security levels and requirements - Many ONYEN users do not access particularly critical information. Most, such as students, have access only to their own email and AFS storage space. On the other hand, there are some ONYEN users, such as faculty and administrators, who have access to payroll information, grades, etc. Because of this, security measures, such as the new password expiration policy, must be enacted with the most critical users in mind. Thus, the security measures imposed on students and other low-level users may be much more stringent and inconvenient than is really necessary. If ONYEN administrators could create a way to differentiate between ONYEN owners who need strict security requirements and those who only have access to less critical information, it could make the ONYEN program more user-friendly, particularly for low-priority users, while not putting critical information at risk.
Use of SSH clients and Secure FTP - Currently, the e-mail and ftp servers incorporated with the ONYEN system allow telnet and ftp connections, both of which are insecure connections. This means that when users send their authentication information over the network via these connections, the information is unencrypted. A simple sniffer program can capture a packet containing authentication information and return an unencrypted ONYEN and password. It may be wise to block these types of connections in favor of encrypted SSH and Secure FTP connections. With the CCI laptop program in place, the University could include an SSH client and a Secure FTP client on the laptops so that new students would already have the correct software. This would allow a four-year phasing out of standard telnet and ftp clients and would, eventually, prevent unencrypted authentication information from being transmitted over the network.
ATN Onyen Policy. University of North Carolina ITS Security Group.
Last modified on 2002/12/12. http://help.unc.edu/?id=1687.