Hot button issues facing colleges and universities at times seem endless: recruitment, student retention, and shrinking budgets, to name just a few. In contrast, identity management is an often overlooked and underappreciated business process among senior leadership in the higher education field. Yet with the increase of online courses; rising popularity of distance learning; and the challenge of protecting student, faculty and organizational data, identity management is fast becoming a top concern among university professionals.
In fact, identity management in a university setting is now considered by many to be part and parcel of enabling academic information and business processes to flow freely among students, faculty and administrators without sacrificing the integrity of private and sensitive data. However, many higher education CIOs are finding it difficult to manage data in secure, cost-efficient ways. Combine the software, hardware and physical server space with the staff required to keep all these components running, and the overhead cost of managing an identity management solution can drain university IT budgets fast. In addition, many CIOs struggle with the task of educating internal stakeholders on the risks facing students and the institution - while at the same time articulating the benefits and ROI of investing in identity management.
Under the traditional model, universities build and maintain their IT systems and identity management solutions in-house or on-premise. This means taking on the burden of physically housing the IT infrastructure on site as well as maintaining it. Today, there is an emerging alternative that addresses the cost and resource challenges that many CIOs face when implementing an identity management program. The growing trend, which is gaining traction across the higher education field, is to build and manage robust and reliable identity management and data security programs through the use of cloud computing.
Actual ROI of transitioning an on-premise solution to the cloud varies by university as it depends on the current system, security policies already in effect and size of the school. However, the following are areas where a university can expect a high return:
- Cost Savings: Not only do you eliminate the cost of infrastructure, software and space, the cloud also reduces the need to hire additional employees to manage an on-premise solution. Software upgrades and ongoing maintenance, which can feasibly take one full-time staff equivalent, are also outsourced in the cloud.
- Increased Focus: Improve service levels across the campus community by focusing IT resources on student- and staff-facing applications such as email, Web-access programs, etc.
- Improved Visibility: Transitioning to the cloud helps IT departments stay current on identity practices, such as who is using identity services and which departments are most frequently changing passwords, as well as improved reporting of usage and access patterns.
- Predictability: Service providers are contractually bound to deliver specific results at a specified cost each month or face financial penalties, whereas internal IT departments can be distracted by competing internal projects and issues.
- Increased Visibility and Intelligence: Service providers can generally extract greater value from a solution due to their familiarity with the technology and motivation to increase client satisfaction levels. For example, they can offer detailed and targeted reports that uncover bottlenecks in a particular process that an identity management practice can resolve.
Transitioning to the cloud does not present any unique risks to a university's data that do not already exist in an on-premise environment. That said, here are some common areas organizations fail to address, regardless of the delivery model:
- Inadequate Access Control Policies: Failure to clearly articulate and enforce department and university-wide IT security policies and procedures creates both internal and external confusion, which can lead to ongoing threats and vulnerabilities.
- Lack of Education: When students, faculty and staff are not educated on the "do's and don'ts" of IT security, they are less likely to take the proper steps to secure their own information. For the IT department, an uneducated user base can quickly become the university's worst enemy.
- Insider Threat: Most data breaches are the result of an internal user (i.e. student, faculty, etc.) with access to sensitive information who unwittingly acts as an accomplice or an enabler to an external threat.
Establishing an effective security policy and its related procedures will establish protocol on how all users can access, store and share all types of data and information across the university and with outside parties. These "rules" should provide an intuitive, auditable, and enforceable framework for managing user access to data and resources. Additionally, employ preventive measures for policy enforcement alongside detective/corrective practices. For example, solutions that automate account creation, modification and revocation in real time based on the user's attributes (e.g., student, faculty, department affiliation, job status, etc.) can stop access violations before they can occur. Automated detective and corrective measures can then be employed on a scheduled basis to "clean up" the environment and catch outliers.
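The attribute-driven provisioning and scheduled clean-up described above can be sketched in a few lines. This is an added example, not part of the original article or any vendor's product; the roles, departments, entitlement names and sample accounts are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy: which entitlements each attribute value grants.
ROLE_ENTITLEMENTS = {
    "student": {"email", "lms"},
    "faculty": {"email", "lms", "gradebook"},
    "staff": {"email"},
}
DEPT_ENTITLEMENTS = {"registrar": {"student_records"}, "finance": {"payroll"}}

@dataclass(frozen=True)
class Person:
    uid: str
    role: str         # student / faculty / staff
    department: str
    status: str       # "active" or "inactive" (job or enrollment status)

def desired_access(person):
    """Preventive side: access is derived from attributes, never granted ad hoc."""
    if person.status != "active":
        return set()  # a status change revokes everything
    return (ROLE_ENTITLEMENTS.get(person.role, set())
            | DEPT_ENTITLEMENTS.get(person.department, set()))

def reconcile(people, actual):
    """Detective/corrective side: compare real accounts with policy on a schedule.

    Returns {uid: {"grant": set, "revoke": set}} for every account that drifted.
    """
    by_uid = {p.uid: p for p in people}
    changes = {}
    for uid in by_uid.keys() | actual.keys():
        person = by_uid.get(uid)
        # An account with no authoritative record is an orphan: it should hold nothing.
        want = desired_access(person) if person else set()
        have = actual.get(uid, set())
        if want != have:
            changes[uid] = {"grant": want - have, "revoke": have - want}
    return changes

# Constructed sample data: authoritative records vs. what the systems actually hold.
PEOPLE = [
    Person("asmith", "student", "biology", "active"),
    Person("bjones", "faculty", "registrar", "active"),
    Person("clee", "staff", "finance", "inactive"),
]
ACTUAL = {
    "asmith": {"email", "lms", "gradebook"},  # excess entitlement
    "bjones": {"email", "lms", "gradebook"},  # missing student_records
    "clee": {"email", "payroll"},             # departed, never revoked
    "ghost": {"email"},                       # orphan account
}

if __name__ == "__main__":
    for uid, delta in sorted(reconcile(PEOPLE, ACTUAL).items()):
        print(uid, delta)
```

Every entry in the result is an outlier the scheduled pass would correct; an empty result means the environment matches policy.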
Developing a robust set of security policies is only half the battle. Universities will remain vulnerable if users don't understand the rules or fully grasp how their decisions and behavior, such as the websites they visit and the software they download, play a critical role in weakening a school's defenses from data breaches. Many universities have launched multi-channel efforts to educate their users on the threat and impact of security breaches, ranging from podcasts and web content to requiring signed acceptance of IT security policies.
Cloud computing isn't right for every campus. Deploying IT systems and applications in the cloud or on-premise is a decision every university must make based on a number of considerations, including the school's culture (i.e. its stomach for outsourcing), internal cost vs. expected ROI, regulatory requirements, and IT needs. But, reaching the right decision is dependent on understanding the facts, and not relying on assumptions and hearsay.
Transitioning to the cloud is a big step. And, because few campuses have yet navigated the process, some CIOs may face an uphill battle as they compare their needs and recommendations with those of other schools. Universities considering outsourcing need to properly vet the provider, specifically in terms of physical and data security, access control, disaster recovery, adherence to regulations (e.g., FERPA), and all services administered. After reviewing a service provider's policies and practices, organizations often conclude that the provider can offer a more consistent, secure and auditable service compared with on-premise solutions.
To facilitate the transition, identity management can be phased in based on available resources and comfort level of the university. The key is finding the right partner who can offer options in the cloud or on-premise that can adequately protect important data without impeding the university and its partners from conducting business in an efficient and productive manner.
-Andrew Sroka is president and CEO of Fischer International