Level 3

Central Authentication Services

SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or comparable non-Harvard multi-factor authentication system (supported/approved by Harvard).