How IAM Benefits the Lab
Program • On Schedule
Identity and Access Management (IAM)
The Identity and Access Management (IAM) Program is one essential part of the larger Zero Trust Architecture (ZTA) initiative currently underway to strengthen SLAC’s cyber posture. It is changing the way we do business at SLAC.
Zero Trust is a security framework built on the principles of explicit verification, least privileged access, and breach assumption. IAM processes grant targeted access control and visibility for centrally managing resources. SLAC IT’s IAM Program includes multiple technologies and business processes, focusing on three critical areas:
One Identity Management System for SLAC: Uses multi factor authentication, providing users with a streamlined and easier login process.
Universal Registration Process via the New Identity Portal: Allows research collaborators from other institutions to use their home credentials for accessing necessary information.
Modernized Approach to Application Access/Entitlements: Grants access based on role and need, enhancing how IAM benefits the Lab.
Program
Program
SLAC IAM Program Components
There are several related projects that will implement a single sign-on experience and a modern, adaptable, and scalable user access infrastructure. The graphic below illustrates the interrelated nature of these projects and specifies individual responsibilities.
Single sign-on (SSO) enables users to securely authenticate with multiple applications using one set of credentials. SLAC-owned applications with web-enabled SSO allow central provisioning for admins and secure, easy access to applications for users.
Expect a new login experience for the applications that are web-SSO enabled.
When SLAC Cardinal Key is installed on your device, select Stanford Login from the options provided.
Application administrators: Enroll your applications now!
Join the Slack channel to stay up-to-date #slac-it-iam-community
SLAC Cardinal Keys will simplify your login experience and provide stronger protection for your account. As SLAC expands the use of Cardinal Keys, they will become necessary for accessing applications.
In alignment with Executive Order 14028 for ZTA and Identity Access Management (IAM) compliance, everyone is encouraged to use a SLAC Cardinal Key for login.
SLAC is embarking on a transformative journey towards enhanced security and streamlined access through the adoption of YubiKeys. YubiKeys offer a robust second-factor authentication solution, bolstering the existing username and password credentials with an additional layer of security.
By embracing YubiKeys, SLAC aims to mitigate the risks posed by evolving cyber threats while providing its workforce with dependable authentication mechanisms. Starting June 19, the Service Desk is available to help distribute and set up YubiKeys.
Remote workers can request their YubiKey here.
A YubiKey should be ordered for new employees as part of their onboarding hardware setup.
Instead of “Issuing Credentials,” federated authentication allows SLAC to redirect researchers from other institutions to authenticate using their home institution single-sign-on service.
Non-SLAC personnel and researchers who are coming to SLAC from trusted institutions can use their home institution credentials (Federated ID) to log into approved SLAC applications.
New IAM Consultation Services
Office Hours
Every Tuesday starting June 11, 2024
1-2 PM PDT
Application administrators: Join the Slack channel #slac-it-iam-community to stay up-to-date.
SLAC IAM Overview
SLAC’s IAM Program provides a structure for consolidating, monitoring, and dictating access to SLAC-owned information and systems.
The SLAC’s IAM Program objectives are to:
- Establish one identity system at SLAC, which includes all people who are affiliated with our work.
- Create universal user registration processes for SLAC staff, facility users, and visitors.
- Modernize SLAC’s IAM infrastructure to be adaptable, scaleable, and equipped to meet future research, mission objectives, and administrative needs. The modernization includes multi-factor authentication for an improved user experience and enhanced role-based permissions.
- Transition to highly available, cloud-hosted, and geo-diverse systems and tools.
- Comply with federal, Department of Energy (DoE), and Stanford University requirements and industry best practices.
Identity Management at SLAC includes usernames, devices, services, groups, and other unique online identifiers associated with users or systems. It encompasses all aspects of identity creation, from initiating new user access to managing change processes, granting user access levels, authentication, and more.
By implementing a secure, centrally managed universal access system, SLAC will enhance the user experience and streamline the onboarding process.
Current Onboarding Process
The current onboarding process for new staff, strongly affiliated personnel, and researchers is complicated and cumbersome, requiring multiple forms, portals, and redundant data entry. The new centralized SLAC Identity Portal will be a one-stop solution for onboarding.
Future Onboarding Process
SLAC’s IAM Program is moving toward a streamlined future state where data is entered once in a single location, and applications will manage role-based access to SLAC-owned applications. This single source of information will increase visibility, improve onboarding efficiency, and support greater automation.
Access management/entitlements is the process of determining what individuals and which systems need access to various applications, devices, and networks. By automating permissions based on roles, we are making access management/entitlements more secure and more robust.
Based on role and job duties, people will be given access to applications and systems immediately, which means less downtime and the security of the information they need.
Multi-Factor Authentication
One major tenet of Zero Trust is Multi-factor Authentication (MFA). MFA is necessary for our Lab’s security posture and to keep all of our data, applications, and personal information safe. We will be rolling out a new approach to MFA to our employees this summer in the form of YubiKeys. By adding this piece of hardware to our endpoints, we are able to MFA quicker and more securely than ever before.
| ROLE | MEMBER(S) |
|---|---|
| Primary POC | Bruce Vincent |
| Project Manager | Erika Everingham |
| Information Technology | Ross Wilper Michael Gettes Ricardo Kau Venkat Samineni Madhu Swaminathan |
Project updates
Primary Authentication Method •
YubiKey Required
YubiKey will be the primary authentication method for employees. The deadline for all staff to adopt YubiKey is Sept. 30, 2024, when YubiKeys will also be required for international travel.
Login changes on SLAC applications •
Web-enabled Single Sign-On
SLAC applications will start to adopt this new sign-on feature. Once sites are SSO enabled, there will be a new login experience with an option of logging in using either SLAC or Stanford credentials.
Password-Less Authentication •
Improve Your Login Experience with Cardinal Key
SLAC IT is excited to announce SLAC Cardinal Key, a digital credential installed on devices that offers passwordless logins for Stanford applications, is now available on most SLAC-managed devices.
Email Account Policies •
UNIX Email Sunset
In partnership with SLAC IT Cybersecurity, the IAM Program is sunsetting the UNIX email application. New onboarding and entitlement policies will impact facility user sponsors and UNIX email account holders. Understand how this affects you and the available SLAC IT support to facilitate this transition.
IAM Project Timeline
-
CompletedUpdate Password Policy
-
-
-
Available Now for FreeYubiKey
The Service Desk will visit each building on campus to distribute a free YubiKey to each employee. YubiKeys will be available for a fee starting October 1, 2024.
-
Starting June 6, 2024Web-Enabled SSO for Application Administrators
Web SSO enable your applications for ease of use and compliance with the ZTA order.
-
Starting June 6, 2024Federation & Role-based Access/Entitlements
Application administrators: Enable your application with these features to take advantage of streamlined access.
Visiting researchers and staff need access to certain applications while they're visiting. To ease access, this functionality will allow these visitors to use their home institution credentials to access these applications. Additionally, these features will automate access based on role.
-
TBDSLAC Identity Portal Build
Sponsors of non-employees to SLAC will have a new portal to begin the process of onboarding.
-
TBDSponsors of Non-Employee Training
-
TBDOther Identity Systems Decommissioned
In accordance with the ZTA Order, there is to be one identity management system at SLAC. All other identity management systems will be decommissioned by 2025.
