Who Goes There?

ID management policies and best practices
University Business, May 2012

Modern technology has a lot of upsides. On the downside is the fact that you need an ID and password to access most of it. Keeping your own logins straight is hard enough; keeping them straight for thousands of people on a college campus is even harder.

Everyone is doing basic identity management, says Rodney J. Petersen, managing director of the Washington office and senior government relations officer for Educause. “Anyone who has logins does it.” The challenge is managing those accounts efficiently.
The trend is toward single sign-on and moving IdM out of individual applications to a single source—goals most higher ed institutions haven’t met, Petersen notes. “Generally speaking, it’s not surprising that the places that have the most advanced practices are large research universities. They’ve been working on it long and hard. The campuses that have a long way to go are smaller colleges, and particularly two-years.”

For community colleges, the usual challenges of limited resources, a wide-reaching mission, and a transient population rear their heads. “I think the turnover does add difficulty because there is more churn and a faster pace of change in the constituents,” says Bill Thompson, principal architect of identity access management for Unicon, an IT consulting services firm.

IdM is one of those tasks campus leaders leave on the back burner until a compelling business reason tips the scales. The need to “deliver consistent and seamless access to many applications to enrich the learner’s experience” and the reality of complying with regulations such as FERPA spurred Capella University leaders to get the Lighthouse Gateway solution for their IdM needs, says Maria Schuett, the online institution’s identity and access management architect.

“Identity management is about managing the lifecycles of users,” says Eric Maass, CTO at Lighthouse Security Group, the company behind that product. It touches everyone on campus: students from enrollment through graduation and everything in between, and faculty and staff being hired and promoted. The challenge is getting the pertinent information out of the HR system or SIS into the other systems that need it. Also, should users manage their own passwords and profile information?

Petersen says IdM should ideally be handled by an “enterprise directory” independent of other systems. In reality, new applications, each requiring authentication, are stacked. “We’re maintaining the problem,” he says. “It’s a policy as well as process issue.”

Resource and Security Drain

Poor IdM can affect IT staff resources and efficiency, security, and service. “Server space is the least of your problems,” asserts Idan Shoham, CTO of Hitachi ID Systems. “Disc [space] is cheap. If that were it, no one would care.” They do care about adding (or removing) a semester’s worth of students in a short time frame on a regular basis. Missed deadlines mean service disruptions and overtime that goes into processing new students over the weekend.

While the large volume of changes bookending semesters ups the ante, IdM is a year-round task. At Montgomery College (Md.), “it’s a continual process to keep [data] current as names and job functions change,” says Andrew Scheppler, lead technical manager. “It’s pretty much a manual process, and if anyone needs access to different functions they call us. And naturally, people call and tell us they need things but not that they no longer need them. That becomes a security concern.”
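The lifecycle handoff Maass describes (status and role flowing from HR or the SIS into the systems that need them) and the stale-access problem Scheppler raises (people ask for access but never say when they no longer need it) are what a source-driven reconciliation pass addresses. The following is an added example, not code from the article or from any vendor it mentions; the role-to-group policy, the 180-day student mail grace period, and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: each role maps to the directory groups it is entitled to.
ROLE_GROUPS = {"faculty": {"lms-instructors", "payroll", "wifi"},
               "staff": {"payroll", "wifi"},
               "student": {"lms-learners", "wifi"}}
STUDENT_MAIL_GRACE = timedelta(days=180)  # mail kept this long after a student leaves

@dataclass
class Person:  # one HR/SIS record, the source of truth for status and role
    uid: str
    role: str
    active: bool
    left_on: Optional[date] = None

def reconcile(people, accounts, today):
    """Compare source records with the directory (uid -> groups held);
    return (verb, uid, detail) actions instead of waiting for phone calls."""
    actions, known = [], set()
    for p in people:
        known.add(p.uid)
        held = accounts.get(p.uid)
        if p.active and held is None:                  # joiner: no account yet
            actions.append(("create", p.uid, ROLE_GROUPS[p.role]))
        elif p.active:                                 # mover: held groups drift from entitlement
            for g in sorted(held - ROLE_GROUPS[p.role]):
                actions.append(("revoke", p.uid, g))
            for g in sorted(ROLE_GROUPS[p.role] - held):
                actions.append(("grant", p.uid, g))
        elif held is not None:                         # leaver: nobody called to say so
            in_grace = (p.role == "student" and p.left_on is not None
                        and today - p.left_on < STUDENT_MAIL_GRACE)
            actions.append(("disable", p.uid, "all-but-mail" if in_grace else "all"))
    for uid in sorted(set(accounts) - known):          # orphan: no source record at all
        actions.append(("orphan", uid, "no HR/SIS record"))
    return actions

def sample_run():
    """Constructed data: asmith unchanged, bjones moved faculty->staff, cwong left, dlee new."""
    people = [Person("asmith", "faculty", True), Person("bjones", "staff", True),
              Person("cwong", "student", False, left_on=date(2012, 3, 15)),
              Person("dlee", "student", True)]
    accounts = {"asmith": {"lms-instructors", "payroll", "wifi"},
                "bjones": {"lms-instructors", "payroll", "wifi"},   # still holds instructor access
                "cwong": {"lms-learners", "wifi"},
                "oldtemp": {"wifi"}}                                  # no owner in HR/SIS
    return reconcile(people, accounts, date(2012, 5, 1))
```

Run on a nightly schedule, the orphan and revoke lines are the ones that the manual "call us" process never produces, and each action can be routed to the approver identified during discovery before it is applied.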

Since the college currently provides system IDs only to faculty and staff, another concern is the default user account used on student computers in classrooms and labs. “If there is a computer that isn’t well monitored and someone starts doing inappropriate or illegal activity, there is no way to know who it is,” Scheppler shares. “There is always a concern that if we ever get a call from a company or law enforcement there isn’t a way to identify those individuals.”

Unfortunately, because of the pressure the IT department tends to be under, it takes a “headline grabbing breach” to move IdM to the top of the priority list, says Cole Clark, global vice president of Oracle Education and Research.

Another security concern surrounds the paper trail needed to get a new user on the system—paper that likely included personally identifiable information. “You don’t know the path that piece of paper will take,” says Maass. “The exposure of that data can be huge. Aside from the inefficiency, the leakage of personal info is concerning.” He also notes that poor data management can lead to purchasing more software seat licenses than necessary.

In the move toward a single sign-on solution, it becomes paramount to ensure passwords are strong and protected, stresses Petersen. “That is the biggest concern about single sign-on. You’ve introduced a single point of failure ... that gives access to payroll, timesheets, etc.” Two-factor authentication, such as a password combined with biometrics, can address the issue.
Finally, there is the risk of missed opportunities for students to access resources at other campuses or institutions. Aiding a potential transfer student to access resources at his or her target school provides better services, points out Thompson.

Policies and Process

Migrating to a new, or improving an existing, IdM system is one of those technology projects that takes a lot of legwork before the first line of code is written. “Identity management is a data flow problem,” says Shoham. You have to map the path data takes, determine change triggers, and identify who has approval rights before making changes. “It’s impossible for a vendor or consultant to come and replace stuff if you can’t tell them what you want it to do.”

As Montgomery IT staff migrate from Novell to Microsoft Active Directory, discovery has been an important part of the process. “We’ve had to talk to almost every department and discuss their processes,” says Scheppler. “In some cases, we’re having to define those processes. They don’t always know. We’re creating some of them piecemeal; they tell us things, then come back a few days later with more.” He attends faculty campus meetings and academic assemblies to discuss the project, and meets individually with each group or department on campus to discuss the on- and off-boarding process. “It takes one to two years to get it all in order. We’re planning on about 11 months.”

Capella has also undertaken “extensive identity lifecycle discovery, which entailed identifying and documenting all user types, lifecycle events, and data that can be used by IdM to correctly determine a user’s status,” says Schuett. Although their new system is not yet deployed, these efforts have already led to changes in business process and campus culture, she says.

“We know that if you don’t lead with policies, you won’t succeed,” cautions Clark. “You have to be prepared to enforce these policies around the use of the tools.”

Decisions also have to be made about maintenance going forward, providing self-service access to users for password changes and profile updates, and whether to integrate with social media sites. “If someone does want to take a test class, is it easier to have them set up a new profile or to just let them log in with their Facebook account?” says Maass.

Campus leaders have to realize IdM is as much an administrative issue as it is a technology issue, says Thompson. Some policies, such as how long email should stay active after a student leaves campus, are de facto because someone had to make a decision, but there was never really any thought put into it.

Clean-up Crew

Higher ed is fond of building technology solutions in house, but, in the case of IdM, it might not be the best option. “I’ve seen cases where the people who maintain custom solutions retire or fall ill. The school was left scrambling during the semester end and beginning,” Shoham says. “There were significant disruptions. I’ve seen it happen at some big-name institutions.” Continuity of service, plus potential time and money savings, can drive schools to an off-the-shelf solution, he says.

After the discovery part of the process is complete, starting with clean data is key to success. Rather than migrating data, Montgomery staff are setting up Active Directory empty and populating it with the information in Novell. “Our CTO made that decision since we’ve never done a lot of house cleaning in Novell,” admits Scheppler. “He’s afraid the ‘later’ will never come.” Instead of taking a chance, they are carefully building the database from the ground up.

“Trying to push paper to keep users clean is futile,” says Maass. “Without putting an ID management system in place, you won’t manage to keep it clean.”

Since the term “project” implies there is an end-date that will allow people to move on to other tasks, Shoham suggests branding identity management as a “program” within IT. “A program implies it is ongoing and you will have people dedicated to it,” he points out. Thompson echoes the need to make IdM a core discipline, “not just something that has come along for the ride,” by establishing both a short- and long-term strategy to address it.

While senior leadership probably has an inkling about the importance of a strong IdM solution, ensuring ongoing resources are committed could take some convincing. Petersen says security is probably the easy argument to make. “There is an efficiency argument, but it’s not easy to demonstrate the ROI,” he says. “The classic question is how many times do you change IDs and passwords? A single system will reduce those incidents. And much of that can be automated now, too.”

Efforts Rewarded

Don’t expect to overhaul IdM overnight. “Installing the software and getting it to run is a very small part,” Scheppler says. “The bigger part is identifying processes of a student or employee that have come in and what should happen.” Determining the access each person needs takes as much or more time as other parts of the process.

The IT department shouldn’t be tackling IdM alone, cautions Clark. “IT needs to have a seat at the table, but they don’t necessarily have to be the owners.” Some early adopters of identity management put IT in charge and failed. As Maass says, “IT doesn’t own the business problem. They own the technical problem. Identity management is about changing and managing business processes. The effect is what is happening in IT. The cause is what is happening in HR and other offices.”

A strong solution helps senior management sleep better at night, says Clark. “It lowers the possibility of these headline-grabbing breaches.” Besides streamlining new users into the system, it ensures resources and network access are properly distributed, he adds. “First and foremost, I think it’s a huge peace of mind, and second, better utilization of resources.”

Consider the impact of poor IdM, says Thompson, and focus on the potential efficiencies and improved risk management. “The carrot is you will be able to onboard resources faster and easier. The stick is that if you have a big data breach and have to notify your constituents there is a big cost associated with that.”

Thompson sums up that there are both positive and negative aspects to IdM. Both should justify the steps and costs involved in getting a handle on this.