Before the Breach: Leveraging Identity Management Technology to Proactively Address Security Issues
With more than 50 percent of all identity-related security breaches occurring on college campuses(1) and high profile cases making headlines nationwide, security and identity management are top concerns for higher education institutions. Breaches carry grim consequences—including potential loss of thousands or even millions of dollars, not to mention negative publicity, which can result in lost funding or decreased enrollment.
Further, higher education institutions, particularly in the United States, face additional pressure to protect data in order to comply with privacy and financial reporting regulations, from the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) regulations to the American Institute of Certified Public Accountants’ Statement on Auditing Standards (SAS) No. 112, and even Sarbanes-Oxley regulations.
Higher education institutions are “rich” targets for identity theft because they possess personal information for thousands of diverse users from students and faculty to staff, alumni, donors, and vendors. Many institutions have open, decentralized environments which help promote education and collaboration, but when not managed properly can increase vulnerability. Decentralized environments also breed silos of identity information and unnecessary duplicative data, which reduce security and efficiency, while increasing costs.
While the challenge is not a new one, many institutions are slow to adopt even simple protective steps because of limited information technology budgets. Many struggle to balance the costs of proactively working to prevent breaches with the potentially staggering costs they would incur if a breach did take place.
Fundamentally, information security is about controlling access to systems and data. Institutions cannot do this without identity management, which, in its most basic definition, is the ability to properly identify people and their roles.
The most basic goal of identity management is to ensure that institutions have control over who has access to particular systems. Many institutions do not have a single source of truth to identify active versus inactive users and users’ roles within a particular system—something that is more challenging in higher education than other industries because individuals can hold multiple roles or change roles frequently. For example, a prospective student may have access to the university’s website to submit an application. Then that student matriculates and gains access to student systems. When the student takes a job on campus, he gains access to certain staff systems. Eventually that student will become an alumnus and, potentially, a donor. So in the course of just a few years, that individual has changed and added roles four times. It is vital to make sure the individual only has access to information and systems necessary at any point in time.
Technology can help institutions automate identity management to increase security and improve operational efficiency. However, identity management initiatives can be overwhelming. Before embarking on an identity management implementation, institutions must conduct a comprehensive evaluation to assess their current situation and consider important factors such as:
- What problems to tackle first and in which order
- Which credentials to use for user identification
- How to manage and identify persons who have multiple enterprise roles
- How to define policies for accessing sensitive information such as social security numbers (SSNs) or data protected by FERPA and HIPAA regulations
- How to ensure the entire population is covered and not just individuals in the human resources or student information systems
- How to manage access controls for the non-university population who may use university facilities/systems such as the library (for public universities).
First, it is important to acknowledge that technology alone cannot solve identity management problems. Institutions must also address people and policies. Often a breach of sensitive data happens due to an innocent mistake by a staff member with access to sensitive data. In 2007, estimates show as many as 47 percent of higher education breaches occurred due to human factors such as “unauthorized disclosure” or “loss”(2) — outnumbering hacking incidents. These errors could be as simple as an employee losing a printout with sensitive information or browsing the internet insecurely and opening a malicious attachment. Institutions can prevent many of these breaches by increasing awareness of security issues, starting with a simple, non-intrusive policy that makes sure the user community knows that chat, instant messaging, e-mail, and unknown websites can harm the institution. Often the biggest challenges for identity management projects are socio-political instead of technical. Institutions typically do not have tight command and control structures like corporations. Thus, it takes communication and mediation to successfully coordinate the changes across a diverse population, while still meeting the security and academic requirements of the university. Users—from students to faculty to staff—need to “buy in” to identity management policies.
With a clear idea of their business needs and the necessary policies, institutions can begin evaluating technology options. There are a wide range of technologies available to combat identity management problems, and the choices often can be overwhelming. By looking at security from a “layered” perspective, institutions can determine which technologies best meet their unique needs.
Institutions should design a phased implementation plan that addresses their business priorities in order. The “big bang” approach will not work here—an approach that addresses one layer at a time and solves specific business problems is key to a successful implementation. A phased approach ensures the technical staff needed to support these technologies acquires experience managing the new system, and administrative staff can adapt to the new process or business flows that the new system will create.
Identity management technology options range from applications that tackle specific security issues and approaches to comprehensive suites that address many needs in one package.
Institutions can start by determining how users will access their systems and overall environments. They must determine what level of access each user should have, what entitlements users at certain levels should have, and overall right of entry to all systems. From there, institutions should assess what applications might require stronger authentication—such as a multi-factor or layered approach—in order to protect a student application or an application that contains personal information. Next steps might address provisioning and de-provisioning of access or simplifying sign-on processes.
Embry-Riddle Aeronautical University, an international university with residential campuses in Prescott, Ariz., and Daytona Beach, Fla., is an example of a university that faced many challenges in managing its identity infrastructure and chose to tackle access management first. Like many institutions, Embry-Riddle has to manage a variety of administrative and academic systems, made even more challenging due to the university’s dispersed system, which includes not only the two residential campuses, but also more than 130 centers throughout the United States, Europe, Canada, and the Middle East. To combat these problems, Embry-Riddle chose to create a centralized identity management system, using Oracle Identity and Access Management Suite, to integrate its disparate systems, enabling the institution to automate and centralize security processes while enhancing the overall user experience.
Embry-Riddle faced another challenge—one of the major access management challenges most institutions face—providing a single directory for multiple potential sources of identity information. Specifically, Embry-Riddle supported multiple Lightweight Directory Access Protocol (LDAP) directories, including Microsoft Active Directory, Novell eDirectory, and Oracle Internet Directory. It is common for institutions to have multiple directories for different users, while storing personal information and course enrollment information in various databases. Traditionally, the only way to have a single view of this data was to copy it into a single directory. However, this is costly and can take several years to deploy.
Alternatively, some institutions like Embry-Riddle have implemented virtual directories, which leave the source data in its original repository (whether it is an LDAP directory, Active Directory, a database, or even a web service) and retrieve the information from the source on demand. Virtual directories can also join data from multiple sources into a single virtual entry. Some virtual directory products can also transform data—such as renaming attributes or translating attribute values—to meet specific application requirements. A true virtual directory is able to perform these functions without any additional synchronization. Some virtual directories even have standard tools to help meet FERPA publishing requirements. By deploying a virtual directory, institutions can reduce the time and effort needed to deploy applications that use directory services. Additionally, they gain security benefits because there are fewer places where the identity information needs to be stored, backed up, and secured.
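To make the virtual directory idea concrete, here is an added example (not code from the article, Embry-Riddle, or any Oracle product) of a minimal virtual directory that queries three back ends on demand, joins the results into one entry keyed on the person's network ID, renames attributes to the schema an application expects, and applies an assumed FERPA rule for public views: students who opted out of directory publication are not returned, and everyone else is reduced to an allow-listed set of attributes. The three back ends, the person records, the attribute names and the public-attribute list are all constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample back ends. Each stands in for one live repository
# (Active Directory, a student database, eDirectory) that the virtual
# directory queries on demand; nothing below is copied or synchronized.
AD_USERS = {
    "jdoe": {"sAMAccountName": "jdoe", "mail": "jdoe@example.edu", "department": "Physics"},
    "asmith": {"sAMAccountName": "asmith", "mail": "asmith@example.edu", "department": "History"},
}
STUDENT_DB = [
    {"campus_id": "100042", "netid": "jdoe", "major": "PHYS", "ferpa_optout": True},
    {"campus_id": "100077", "netid": "asmith", "major": "HIST", "ferpa_optout": False},
]
EDIR_USERS = {
    "jdoe": {"cn": "jdoe", "telephoneNumber": "555-0100"},
}

Lookup = Callable[[str], Optional[Dict[str, object]]]

def ad_lookup(netid: str) -> Optional[Dict[str, object]]:
    return AD_USERS.get(netid)

def sis_lookup(netid: str) -> Optional[Dict[str, object]]:
    return next((r for r in STUDENT_DB if r["netid"] == netid), None)

def edir_lookup(netid: str) -> Optional[Dict[str, object]]:
    return EDIR_USERS.get(netid)

# Attributes the institution publishes as FERPA "directory information".
# Assumed list for this example; the real list is set by institutional policy.
PUBLIC_ATTRIBUTES = {"uid", "mail", "department", "major"}

class VirtualDirectory:
    """One virtual entry per person, assembled by querying each source on
    demand, joining on the shared key and renaming attributes to the schema
    the calling application expects. No synchronized copy exists."""

    def __init__(self) -> None:
        self.sources: List[Tuple[str, Lookup, Dict[str, str]]] = []

    def add_source(self, name: str, lookup: Lookup, rename: Dict[str, str]) -> None:
        self.sources.append((name, lookup, rename))

    def lookup(self, netid: str, public_view: bool = False) -> Optional[Dict[str, object]]:
        entry: Dict[str, object] = {}
        for _name, fetch, rename in self.sources:
            raw = fetch(netid)              # live query against the source
            if raw is None:
                continue
            for attr, value in raw.items():
                entry[rename.get(attr, attr)] = value   # transform on the fly
        if not entry:
            return None
        if public_view:
            # Opted-out students are not shown at all; everyone else is
            # reduced to the public attribute set.
            if entry.get("ferpaOptOut"):
                return None
            return {k: v for k, v in entry.items() if k in PUBLIC_ATTRIBUTES}
        return entry

def build_directory() -> VirtualDirectory:
    """Wire the three constructed sources into one virtual directory."""
    vd = VirtualDirectory()
    vd.add_source("active_directory", ad_lookup, {"sAMAccountName": "uid"})
    vd.add_source("student_db", sis_lookup,
                  {"campus_id": "campusId", "ferpa_optout": "ferpaOptOut", "netid": "uid"})
    vd.add_source("edirectory", edir_lookup, {"cn": "uid", "telephoneNumber": "phone"})
    return vd

if __name__ == "__main__":
    vd = build_directory()
    print(vd.lookup("jdoe"))
    print(vd.lookup("jdoe", public_view=True))    # None: student opted out
    print(vd.lookup("asmith", public_view=True))
```

The security point is visible in `lookup`: every value is fetched from its system of record at query time, so there is no fourth copy of the identity data to back up and protect, and the FERPA filter is enforced in one place rather than in each consuming application.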
Once an institution establishes access management processes, it can consider other priorities such as provisioning—the process of on-boarding and off-boarding accounts and privileges. When constituents add, change, or delete roles, institutions must update their security accounts. For example, when a student matriculates, but does not yet have a “bill paid” status, the university may decide that the student can have a university e-mail account and access to student computer labs but cannot access the course management system. However, once the student has paid the bill, the institution will add the user to the course management system. Provisioning tools can dramatically reduce the time necessary to make these changes.
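The role lifecycle described earlier (applicant, student, campus employee, alumnus) and the bill-paid provisioning rule above both reduce to the same mechanism: derive the accounts a person should hold from their current roles, and reconcile that against what they actually hold after every change. The following is an added example (not code from the article or from any vendor product) that implements that reconciliation; the role names, the entitlement table and the lifecycle events are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Entitlement rules, constructed for this example: each role grants a set of
# application accounts. "student_paid" is a derived role that exists only
# while the person is a student whose bill is paid.
ROLE_ENTITLEMENTS = {
    "applicant": {"admissions_portal"},
    "student": {"email", "computer_labs"},
    "student_paid": {"course_mgmt"},
    "staff": {"hr_self_service", "staff_vpn"},
    "alumnus": {"alumni_portal"},
}

def expected_entitlements(roles: Set[str], bill_paid: bool) -> Set[str]:
    """Accounts a person should hold right now, derived only from current roles."""
    effective = set(roles)
    if "student" in effective and bill_paid:
        effective.add("student_paid")
    wanted: Set[str] = set()
    for role in effective:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted

def reconcile(current: Set[str], roles: Set[str], bill_paid: bool) -> Tuple[Set[str], Set[str]]:
    """Return (accounts to provision, accounts to deprovision)."""
    wanted = expected_entitlements(roles, bill_paid)
    return wanted - current, current - wanted

@dataclass
class Identity:
    person_id: str
    roles: Set[str] = field(default_factory=set)
    bill_paid: bool = False
    accounts: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def apply(self, event: str, value) -> Tuple[Set[str], Set[str]]:
        """Apply one lifecycle event, then reconcile accounts against roles.
        Deprovisioning is automatic: dropping a role drops its accounts."""
        if event == "add_role":
            self.roles.add(value)
        elif event == "remove_role":
            self.roles.discard(value)
        elif event == "bill_paid":
            self.bill_paid = bool(value)
        else:
            raise ValueError(f"unknown event {event}")
        add, remove = reconcile(self.accounts, self.roles, self.bill_paid)
        for acct in sorted(add):
            self.log.append(f"PROVISION {acct}")
        for acct in sorted(remove):
            self.log.append(f"DEPROVISION {acct}")
        self.accounts = (self.accounts | add) - remove
        return add, remove

def run_lifecycle() -> Identity:
    """The article's sequence of role changes for one person."""
    person = Identity("p-0001")
    person.apply("add_role", "applicant")
    person.apply("remove_role", "applicant")   # matriculated
    person.apply("add_role", "student")
    person.apply("bill_paid", True)            # now eligible for course management
    person.apply("add_role", "staff")          # took a campus job
    person.apply("remove_role", "staff")
    person.apply("remove_role", "student")     # graduated
    person.apply("add_role", "alumnus")
    return person

if __name__ == "__main__":
    for line in run_lifecycle().log:
        print(line)
```

Because access is recomputed from roles rather than edited by hand, the person ends the sequence holding only the alumni account; nothing from the student or staff phases survives by accident.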
Embry-Riddle leveraged Oracle software to automate provisioning and deprovisioning of access privileges for more than 60,000 accounts. Previously, Embry-Riddle used a manual or batch process to implement nearly 2,000 changes daily, which typically took 24 to 26 hours to complete and resulted in a delay in delivering updates to users. Now the university can accomplish this same task in less than 30 minutes and provide near real-time updates to its constituents.
With a basic identity management system in place, institutions can explore complementary solutions that further enhance security, streamline processes to increase efficiency, and simplify the user experience. One example is a web single sign-on (SSO) application. The desire to enable users to sign in once to access multiple applications is one of the main drivers that leads many institutions to begin an identity management project, although SSO itself is really an ease-of-use tool rather than a security enabler. However, reducing the number of credentials a person must manage can reduce security risks, as well as costs (by reducing calls to the help desk for password resets).
“Single sign-on at ERAU is crucial in achieving our goal of delivering seamless access to our diverse constituent base,” said Cindy Bixler, chief information officer, Embry-Riddle. “We can provide our customers with access to the appropriate systems and information based on their unique identity and role. Single sign-on truly enables us to deliver personal access and information to the right person at the right time.”
SSO is part of a broader set of tools for web access management, which defines policies about which users can perform which functions under which conditions. Policies may be as simple as “only students can view their grades, but only instructors can change them” or more complex such as “only allow access to this website between 8 a.m. and 5 p.m. by members of the Bursar’s office who have a managerial role.” Most, if not all, access management products leverage LDAP directories and work best with a virtual directory.
Another area to consider, and one that is relatively new, is the concept of adaptive access control, the process of preventing unauthorized access to or operations within sensitive applications based on fraud rules. While initially driven by banking industry requirements, adaptive access control can also benefit education institutions due to the many financial operations involved in higher education, such as school fund transfers or student loan approvals. It can also help with educational-based needs, such as protecting grade updates. Adaptive access control tools can ensure, for example, a grade change falls under typical patterns before making the change. For example, if an instructor normally changes grades between 2 and 4 p.m. on weekdays from his/her office, and then a change request comes at 3 a.m. from a remote IP address, the system would take action. That action may include asking for additional proof of identity or requiring an additional e-mail confirmation. Ultimately, by identifying suspicious behavior, it is possible to start to protect applications even from fraudulent users.
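The two layers described in the last two paragraphs, a web access management policy (who may do what, under which conditions) and adaptive access control on top of it (does this request fit the user's normal pattern?), can be shown together in one decision function. The following is an added example, not code from the article or from any product; the policy rules mirror the article's two example policies, and the per-user behaviour baseline, network ranges, user names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List, Set, Tuple

@dataclass
class Request:
    user: str
    roles: Set[str]
    department: str
    action: str
    when: datetime
    source_ip: str

def make_request(user: str, roles: Set[str], department: str, action: str,
                 when_iso: str, source_ip: str) -> Request:
    return Request(user, roles, department, action, datetime.fromisoformat(when_iso), source_ip)

# --- Layer 1: web access management policy (default deny) ---
def business_hours(req: Request) -> bool:
    return 8 <= req.when.hour < 17            # 8 a.m. to 5 p.m.

# (action, predicate) rules, constructed to mirror the article's examples.
# An action with no matching rule is denied.
POLICIES: List[Tuple[str, Callable[[Request], bool]]] = [
    ("view_grades", lambda r: "student" in r.roles),
    ("change_grade", lambda r: "instructor" in r.roles),
    ("view_bursar_site", lambda r: r.department == "Bursar"
                                   and "manager" in r.roles and business_hours(r)),
]

def policy_allows(req: Request) -> bool:
    return any(pred(req) for action, pred in POLICIES if action == req.action)

# --- Layer 2: adaptive access control for sensitive operations ---
SENSITIVE_ACTIONS = {"change_grade"}

# Per-user behaviour baselines. Constructed here; a real product derives
# them from observed history. "hours" is a half-open range of local hours.
BASELINES = {
    "prof_lee": {"hours": range(14, 16),                     # 2 to 4 p.m.
                 "networks": [ip_network("10.20.0.0/16")],   # office network
                 "weekdays_only": True},
}

def risk_signals(req: Request) -> List[str]:
    """Ways in which this request departs from the user's usual pattern."""
    base = BASELINES.get(req.user)
    if base is None:
        return ["no_baseline"]
    signals: List[str] = []
    if req.when.hour not in base["hours"]:
        signals.append("unusual_hour")
    if base["weekdays_only"] and req.when.weekday() >= 5:
        signals.append("weekend")
    if not any(ip_address(req.source_ip) in net for net in base["networks"]):
        signals.append("unknown_network")
    return signals

def decide(req: Request) -> str:
    """ALLOW, STEP_UP (require additional proof of identity) or DENY."""
    if not policy_allows(req):
        return "DENY"                      # policy layer: never reached the risk check
    if req.action in SENSITIVE_ACTIONS and risk_signals(req):
        return "STEP_UP"                   # adaptive layer: out-of-pattern request
    return "ALLOW"

if __name__ == "__main__":
    usual = make_request("prof_lee", {"instructor"}, "Physics", "change_grade",
                         "2008-03-05T15:00:00", "10.20.1.5")
    odd = make_request("prof_lee", {"instructor"}, "Physics", "change_grade",
                       "2008-03-05T03:00:00", "203.0.113.7")
    print(decide(usual), decide(odd), risk_signals(odd))
```

Note the ordering: the policy check runs first, so a request the role model already forbids is denied outright and never consumes a step-up challenge; the adaptive layer only refines decisions for requests that policy would otherwise allow.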
One of the major challenges to expect is identifying all the sources of identity data, and in particular determining which are the sources of truth. For example, many institutions struggle with SSN removal. Although the SSN has been a personal identifier for many years, recent concerns about identity theft—including numerous SSN breaches that have made headlines—have forced institutions to restrict its usage in information systems. When an institution decides to eliminate SSNs from its systems, it is easy to assume that these numbers are only in a few systems, such as human resources and financial aid. However, if the institution previously used SSNs as student IDs, this number could be in a myriad of other systems from grading to housing. Further, if the institution has multiple campuses, each individual’s SSN could be in multiple systems across the various campuses if they took classes, worked, or taught at different locations. Modifying internal information systems to replace the SSN as a personal identifier can be an expensive, time-intensive process. Software that helps institutions identify and replace SSNs across multiple systems, such as Oracle Data Privacy Shield, is extremely valuable, and a relatively simple step to improve identity security.
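The SSN removal problem has two halves: discovering which columns in which systems still carry SSNs, and replacing them with an identifier that keeps records joinable across systems without exposing the number. The following is an added example of both steps, not code from the article or from Oracle Data Privacy Shield; the systems, records and key are constructed. The replacement is a keyed HMAC, so the same person receives the same surrogate in every system while the SSN cannot be recovered from the surrogate without the key.

```python
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, List, Tuple

# Formatted (123-45-6789) or bare (123456789) nine-digit SSN, rejecting
# area/group/serial values that are never issued (000, 666, 9xx; 00; 0000).
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})(?![\d-])"
)

# Constructed records from several campus systems. All values are invented.
SYSTEMS: Dict[str, List[Dict[str, str]]] = {
    "housing": [
        {"resident_id": "123-45-6789", "room": "A101"},
        {"resident_id": "234-56-7890", "room": "B202"},
    ],
    "grading": [
        {"student_ssn": "123456789", "course": "PHYS101", "grade": "A"},
        {"student_ssn": "234567890", "course": "HIST201", "grade": "B"},
    ],
    "library": [
        {"patron": "P-55512", "phone": "555-0100", "note": "card reissued 2007-11-02"},
    ],
}

def canonical(match: re.Match) -> str:
    """Nine digits with separators removed, so both formats map to one key."""
    return "".join(match.groups())

def find_ssn_columns(systems: Dict[str, List[Dict[str, str]]]) -> Dict[Tuple[str, str], int]:
    """Discovery step: count SSN-looking values per (system, column).
    Any nine-digit number in a valid range will be reported, so a system
    that uses nine-digit IDs of its own needs a manual confirmation pass."""
    hits: Counter = Counter()
    for system, rows in systems.items():
        for row in rows:
            for column, value in row.items():
                if isinstance(value, str) and SSN_RE.search(value):
                    hits[(system, column)] += 1
    return dict(hits)

def surrogate_id(ssn_digits: str, key: bytes) -> str:
    """Keyed, deterministic replacement identifier. The dashed hex layout
    can never itself look like an SSN to the scanner above."""
    mac = hmac.new(key, ssn_digits.encode(), hashlib.sha256).hexdigest()
    return f"UID-{mac[:4]}-{mac[4:8]}-{mac[8:12]}"

def replace_ssns(systems: Dict[str, List[Dict[str, str]]], key: bytes) -> Dict[str, List[Dict[str, str]]]:
    """Replacement step: return a copy of every system with each SSN
    (whole-field or embedded in free text) swapped for its surrogate."""
    out: Dict[str, List[Dict[str, str]]] = {}
    for system, rows in systems.items():
        new_rows = []
        for row in rows:
            new_row = {}
            for column, value in row.items():
                if isinstance(value, str):
                    value = SSN_RE.sub(lambda m: surrogate_id(canonical(m), key), value)
                new_row[column] = value
            new_rows.append(new_row)
        out[system] = new_rows
    return out

if __name__ == "__main__":
    print(find_ssn_columns(SYSTEMS))
    cleaned = replace_ssns(SYSTEMS, b"example-tokenization-key")   # constructed key
    print(cleaned["housing"][0], cleaned["grading"][0])
    print(find_ssn_columns(cleaned))                                # {}
```

The discovery report is the deliverable that lets an institution see how far the SSN has spread (housing and grading here, not the library) before any data is changed; the key used for the surrogate must be protected like any other secret, since whoever holds it can recompute the mapping.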
Finally, it is vitally important that all organizations managing identity information and sensitive data perform periodic audit and attestation reviews. Audits help discover unusual and suspicious behavior in systems; attestation allows application owners to review and approve or contest users who have accounts and roles in their applications. Not only are audit and attestation good ideas, but they are increasingly required by internal regulations and even laws. Several vendors offer tools and consulting services to help institutions perform these processes.
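An attestation review and an audit pass can be built from the same source of truth used for provisioning: the list of active people and their current roles. The following is an added example, not code from the article or any vendor tool; the applications, accounts, owners, people and log lines are all constructed. It produces, per application owner, the list of accounts to approve or contest with a finding attached, and separately flags audit-log activity by accounts whose holders are no longer active.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed snapshot of the accounts each application actually holds.
ACCOUNTS: List[Tuple[str, str, str]] = [   # (application, holder, entitlement)
    ("course_mgmt", "jdoe", "student"),
    ("course_mgmt", "prof_lee", "instructor"),
    ("course_mgmt", "exstaff1", "instructor"),
    ("hr_self_service", "jdoe", "employee"),
]
APP_OWNERS = {"course_mgmt": "registrar", "hr_self_service": "hr_director"}

# Source of truth: is the person active, and which roles do they hold now?
PEOPLE: Dict[str, Dict] = {
    "jdoe": {"active": True, "roles": {"student"}},        # campus job has ended
    "prof_lee": {"active": True, "roles": {"faculty"}},
    "exstaff1": {"active": False, "roles": set()},        # separated last year
}

# Which current roles justify which entitlement in which application.
JUSTIFIED_BY: Dict[Tuple[str, str], Set[str]] = {
    ("course_mgmt", "student"): {"student"},
    ("course_mgmt", "instructor"): {"faculty", "adjunct"},
    ("hr_self_service", "employee"): {"staff", "faculty"},
}

def attestation_items(accounts, people, justified_by, owners) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Group every account under its application owner, with the finding the
    owner must approve or contest."""
    items: Dict[str, List[Tuple[str, str, str, str]]] = defaultdict(list)
    for app, holder, ent in accounts:
        person = people.get(holder)
        if person is None or not person["active"]:
            finding = "holder inactive or unknown"
        elif not person["roles"] & justified_by.get((app, ent), set()):
            finding = "no current role justifies entitlement"
        else:
            finding = "ok"
        items[owners.get(app, "unassigned")].append((app, holder, ent, finding))
    return dict(items)

# Constructed audit log: "timestamp application user event"
AUDIT_LOG = """\
2008-03-05T15:02:11 course_mgmt prof_lee grade_change
2008-03-06T02:14:53 course_mgmt exstaff1 login
2008-03-06T09:30:00 hr_self_service jdoe login
"""

def audit_findings(log_text: str, people) -> List[str]:
    """Flag activity by accounts whose holder is no longer active: a strong
    sign that deprovisioning was missed and the account is in use."""
    findings: List[str] = []
    for line in log_text.splitlines():
        ts, app, user, event = line.split()
        person = people.get(user)
        if person is None or not person["active"]:
            findings.append(f"{ts} {app}: {event} by inactive account {user}")
    return findings

if __name__ == "__main__":
    for owner, rows in attestation_items(ACCOUNTS, PEOPLE, JUSTIFIED_BY, APP_OWNERS).items():
        print(owner)
        for row in rows:
            print("   ", row)
    print(audit_findings(AUDIT_LOG, PEOPLE))
```

The two findings the example surfaces are the common ones in practice: an account left behind after separation (exstaff1), and an account whose holder is still active but whose role no longer justifies it (jdoe in HR self-service). The second kind is invisible to a simple active/inactive check and is exactly what owner attestation is for.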
When considering technology to solve identity management challenges, it is important to look for application-centric products. In other words, the systems should tie into the application layer, therefore establishing a security standard that all applications can use instead of creating one-off security approaches that are unmanageable and not integrated. Look for solutions that are flexible to support various types of applications and requirements and include directory virtualization. Whenever possible, leverage standards-based products that can improve interoperability and reduce implementation risk.
Products that support delegation—allowing various groups on campus such as individual colleges and departments to have at least limited ability to determine who should have what level of access to their own internal applications and websites—allow universities to meet their educational missions, while helping to navigate issues around centralized command and control. Further, institutions can save time and money by implementing applications with self-service functionality that empower users to perform common identity management functions—such as password reset, account creation, or requests for access—without calling the help desk.
Finally, suite-based products that contain as many best of breed tools as possible can optimize integration and reduce costs associated with purchasing, implementing, and maintaining the products. By purchasing an identity management suite instead of standalone applications, institutions can ensure additional components will “snap in” and work together.
Identity management implementations are not without challenges. However, the benefits of implementing identity management solutions are innumerable. Perhaps most importantly, identity management solutions can protect institutions from a breach, which, as noted previously, can result in thousands or millions of dollars lost and create embarrassment and negative attention. Identity management can also help increase IT system efficiency and reduce costs associated with support. Additionally, identity management technology can help universities comply with regulations and reduce risk of liability. Finally, implementing a strong identity management system can also become a competitive advantage in the recruitment of students and staff, as well as maintaining alumni involvement, because once institutions identify who their users are, they can provide a more personalized and tailored experience.
Rob Guido is vice president, security, for Oracle.
1. “Chronology of Breaches,” by the Privacy Rights Clearinghouse. http://www.privacyrights.org/ar/ChronDataBreaches.htm
2. “The Educational Security Incidents (ESI) Year in Review — 2007,” by Adam Dodge.