
19 Sep. 2024

Catalyst

Catalyst to Catalyst (Fall 2024): Ideas and Insights from InCommon Catalysts


Edited by Apryl Motley, CAE – Communications & Technical Writing Consultant

As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.

Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts discuss implementing identity governance and administration (IGA) solutions, explaining IAM to a nontechnical audience, managing source of authority between systems, and supporting a collaborative culture when it comes to data governance practices. This is our third column for 2024.


Question: What trends are you seeing in how organizations approach implementation of IGA solutions?

Response: We have seen more use of (or requirements to use) message queues to pass data between disparate systems instead of database tables/views or REST APIs. Customers are wanting more real-time or near-real-time updates as user data changes over time. In some cases, the customer wants their IGA to receive all of the user data from an authoritative source in this fashion, not just updates. This has caused some changes in how we have worked with some customer systems, and we have had to make suggestions and pivot with customers to suggest a hybrid approach to ensure that there is a source of truth for either midPoint or Grouper that can be re-scanned for consistency, while also receiving updates in a timely manner using a message queueing setup.


We have also seen more questions around using Entra ID. Microsoft’s best practice is to have Entra synchronized from on-premise Active Directory, but customers have wanted us to configure midPoint to manage Entra ID identities directly. This trend is something that we see increasing over time. Customers seem to be increasing their usage of Entra, especially customers who have historically used a combination of Google Workspace and Entra. The trend appears to be a desire to migrate users from Google Workspace (usually students) into their Entra environment (usually consisting of staff/faculty users), and at the same time using an IGA to manage the accounts in Entra. In some cases, the accounts moved would be cloud-only accounts in Entra (no on-premise AD accounts), so they need their IGA solution to manage them directly while their on-premise accounts are managed in a legacy fashion. The apparent trend seems to be a collapsing of users into a single cloud environment, and Entra appears to be the desired environment.

—Mark McCoy, IAM Engineer, Unicon; info@unicon.net


Question: How do you explain IAM to a fully non-technical audience?

Response: The IAM area is beloved by identity engineers, but it’s often very mysterious to a non-technical audience. For those who may be following technical discussions from a distance, it can be puzzling why IAM is frequently mentioned, even if they don’t seem to encounter it directly in their daily work.

Here comes a key explanation point: A well-designed IAM system operates seamlessly in the background, ensuring users have the access they need without any hassle. Provisioning processes automatically react to changes in assigned roles or a user life-cycle, and the resulting accesses are adjusted immediately. That means users can start using their new access immediately, often without even realizing that a complex system is at work behind the scenes. The same smoothness is expected from the sign-in process, which should be so natural that users ideally won’t even realize that it is done by a complex IAM system.


With all that in mind, you can tell a non-technical audience that IAM is a sophisticated system that operates mostly out of sight, ensuring that everyone has the access they need to do their jobs. Additionally, by managing access permissions, IAM prevents unauthorized access, thereby keeping users’ data secure.

However, this explanation might be flipped on its head when you implement identity governance and administration (IGA). IGA transforms IAM into a more user-friendly component that speaks the language of the users. It empowers individuals to naturally understand the information in the IGA system and use that to manage access for themselves and their teams.

So, don’t hesitate and start the IGA transition, and with that, get ready to demystify the IAM world for non-technical users.

—Slavek Licehammer, Head of Engineering, Evolveum; academia@evolveum.com


Question: What has been your most frequently asked question from customers so far this year, and how have you addressed it?

Response: Colleges and universities frequently ask us something like, “How can I navigate the myriads of tools that claim to be ‘identity’ solutions and select the best IAM tool/platform for my institution?” This question reflects the growing importance of IAM programs and services to higher education institutions. IAM is not merely a technological challenge but is also a business opportunity that requires a holistic perspective. A successful approach to evaluating tools and the selection of a platform must be both comprehensive and tailored to your institution’s unique needs.


To begin, get organized. Starting with a framework or reference architecture to organize your institution’s budgetary, functional, and technical requirements will help you compare and separate IAM platform “apples” from “oranges.” There are a lot of great platforms to select from, but their strengths and gaps differ significantly. We use the Moran Technology Consulting (MTC) IAM Assessment Framework (grounded in international standards such as ISO/IEC 27k series and NIST 800) to evaluate and organize a campus’s needs across three critical pillars: identity management, access governance, and authentication and assurance. Another excellent tool for this is the InCommon Trusted Access Platform reference architecture. You can leverage a reference architecture to identify and organize your technical requirements – both immediate needs as well as those needed to support your long-term strategic objectives. 

Once you have identified and organized your requirements, you will want a way to both quantify your platform evaluation (i.e., score per requirement) and prioritize those requirements. We leverage a Pugh Decision Matrix (i.e., the MTC IAM Decision Matrix) to evaluate and compare potential IAM solutions more objectively. A Pugh Decision Matrix enables you to prioritize each requirement and requirement category by assigning each a relative weight. It is great to know how well an IAM tool performs identity matching, lifecycle management, or entitlement request/approval, but it is essential to also know which of these things are most important to your institution.

Once you have prioritized your requirements you are ready to evaluate each IAM tool and platform. Platform demonstrations and references from other higher education institutions can be used to evaluate each platform. Being organized, having a method to quantify your evaluation, and prioritizing your requirements will enable you to be confident that you have selected not just a good IAM platform, but the tool(s) that addresses your institution’s most pressing needs. 

—Godgift Iteghete, Sr. IAM Consultant, Moran Technology; godgift.iteghete@morantechnology.com


Question: How are you working with R&E institutions to manage source of authority (SOA) between their systems?

Response: Within higher education it’s not uncommon for a user to have multiple affiliations (also called roles or personas). Often these different affiliations (i.e. applicant, parent, alumni, student, guest, vendor, faculty, staff, etc.) reside in different sources of authority (SOA). Sometimes the different SOAs communicate with one another and sometimes they don’t. The complexity this introduces when trying to provision accounts or update attributes on accounts a user has can be very difficult to sort out.

Take a situation where full-time employees are also taking classes part-time. When they registered for classes within SIS, they used their legal name, but as employees they have a professional/preferred name in HR. Often the desired state is that a preferred name is used when available and in the user’s “primary” source. In this example most schools would have some precedence logic in place either in a SOA, IDM solution, or some custom scripts that would look at the attributes across an identity and what their source data has as well as what affiliation they “primarily” are and determine that HR should trump SIS in this case.


In our many years of experience working within higher education, this situation has cropped up 100% of the time. We have seen many different approaches to handling this and will shed some insight into some of the benefits and challenges of each.

  • If/Else logic – This is probably the most common way of handling what data or attributes determine what is primary for a user and probably the most sustainable from a support perspective. It lends itself to having varying degrees of complexity introduced, especially as the nature of the student enrollment landscape evolves.
  • Weighting – Using a numeric scoring value based on all the SOA data and affiliations is somewhat common in higher education. With this model typically an affiliation or source is given a particular score, and by looking at the aggregate of the data, the top ranking one will win. The challenges for this are that sometimes affiliations can span across different SOAs (i.e. a faculty member in an HR system and in an affiliate/sponsored system). In addition, if the scale for weighting doesn’t consider any new values that need to be considered, you are left with a whole number scale now turned into a mix of whole numbers and decimals.
  • Last in wins – The last in wins approach seems simple right? That source must have the most recent data about the user, so let’s use that. The challenge is that you may only want to consider a name change from a particular SOA if they exist in multiple sources and would need to be able to know that it was that piece of information that changed and not some other attribute. Some ERP products support event-based notifications like name changes, but typically not all do. The other challenge this brings is in an era of digital transformation and AI, a lot of schools are undergoing ERP transitions, which would lead to nuance in a migration for determining what the most recent record was.
  • Self-service portal – This is my favorite and preferred way to handle certain attributes about a user. However, this is often fraught with mostly political challenges and some technical ones. Ideally if users want to have their name (for example) changed everywhere they have a digital presence, they can log into one place and make that change, have it go through a workflow or approval process if needed, and voila – the data is propagated to all source and target applications. While this doesn’t solve trying to determine what someone’s primary source is per se, it does help with some of the complexities of users having different SOAs and determining what data to use when.

As I mentioned, every higher education client we have worked with has this challenge and has taken various approaches to solving it. Having clear business requirements and stakeholder involvement from all the lines of business that are key decision makers is a first step to solving the problem.

—Paul Hodgdon, CEO, Instrumental Identity; paul@instrumentalid.com
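The if/else and weighting approaches from the response above, worked through as an added example that is not part of the original column or any Instrumental Identity product. The source names (HR, SIS, Sponsored), affiliation weights and person records are constructed sample data; the per-attribute precedence table is an assumption about how a campus might encode "HR trumps SIS for preferred name".

```python
"""Attribute precedence across sources of authority (SOA) - illustration only."""
from dataclasses import dataclass


@dataclass
class SourceRecord:
    source: str            # constructed SOA name, e.g. "HR" or "SIS"
    affiliations: set[str]
    attributes: dict[str, str]


# Constructed sample: a full-time employee (HR) who is also a part-time student (SIS).
# SIS holds the legal name, HR holds the preferred name.
RECORDS = [
    SourceRecord("SIS", {"student"}, {"givenName": "Robert", "sn": "Example"}),
    SourceRecord("HR", {"staff"}, {"givenName": "Bob", "sn": "Example", "title": "Analyst"}),
]

# If/else approach: an explicit source order per attribute (assumed policy).
# The first source in the order that actually holds a value wins, so a missing
# HR value falls back to SIS instead of leaving the attribute blank.
PRECEDENCE = {
    "givenName": ["HR", "SIS"],
    "sn": ["HR", "SIS"],
    "title": ["HR"],        # a job title is only ever trusted from HR
    "major": ["SIS"],       # a major is only ever trusted from SIS
}


def resolve_by_precedence(records, precedence=PRECEDENCE):
    by_source = {r.source: r for r in records}
    resolved = {}
    for attr, order in precedence.items():
        for src in order:
            rec = by_source.get(src)
            if rec is not None and attr in rec.attributes:
                resolved[attr] = rec.attributes[attr]
                break
    return resolved  # attributes no trusted source holds are simply absent


# Weighting approach: each affiliation carries a score and the source with the
# highest aggregate becomes primary for every attribute (constructed weights).
AFFILIATION_WEIGHT = {"faculty": 40, "staff": 30, "student": 20, "affiliate": 10}


def primary_source_by_weight(records, weights=AFFILIATION_WEIGHT):
    scores = {}
    for r in records:
        scores[r.source] = scores.get(r.source, 0) + sum(weights.get(a, 0) for a in r.affiliations)
    # Ties are broken alphabetically so the result is at least deterministic;
    # this is exactly the pitfall of an affiliation appearing in two SOAs.
    return max(sorted(scores), key=lambda s: scores[s]), scores


# Constructed sample of the pitfall: the same faculty affiliation in HR and a sponsored system.
TIE_RECORDS = [
    SourceRecord("HR", {"faculty"}, {"givenName": "Ann"}),
    SourceRecord("Sponsored", {"faculty"}, {"givenName": "Anne"}),
]
```

Running `resolve_by_precedence(RECORDS)` yields the HR preferred name with the SIS record as fallback, while `primary_source_by_weight(TIE_RECORDS)` shows two sources scoring identically, which is why the response warns that weighting scales need rethinking when affiliations span SOAs.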


Question: What strategies can IAM solutions offer to support a collaborative culture when it comes to data governance practices?

Response: A shared goal between both data governance practices and cultivating a collaborative work culture involves weaving transparency into policy, practice, and workflow.

Transparency in data governance means making it clear to everyone why certain policies and frameworks exist. It’s about demystifying data governance so that employees understand it’s not just about control, but about enabling better collaboration and decision-making across the organization. When employees see that data governance is designed to protect both the organization and its people, they’re more likely to align with these practices.

A transparent culture also helps break down silos. Often, teams hold on to data tightly because they fear the consequences of sharing it or don’t understand the potential benefits. 


Susan Featherston, a senior strategic consultant at Vantage who specializes in higher education data governance projects, remarks: “These fears can lead teams to limit access to data that could be shared to derive institutionally meaningful insights through disparate datasets. IAM solutions can facilitate the secure democratization of data while maintaining compliance and protection of sensitive information.”

Transparency encourages teams to see data as a shared resource, valuable not only for their own tasks but also for the organization as a whole. This shift in mindset can unlock new opportunities for innovation and efficiency, as data is shared more freely among departments.

IAM solutions, with their audit trails and monitoring capabilities, play a crucial role in this effort by supporting privacy, security, compliance, and the principle of “trust but verify.” By tracking data access and usage, IAM solutions help organizations ensure that sensitive information is only accessible to those with the proper authorization. This not only protects the organization from potential breaches but also ensures compliance with regulations like GDPR, GLBA, HIPAA, and FERPA. The ability to verify compliance through audit logs further enhances trust, both internally and externally.

The principle of “trust but verify” is central to transparency. While organizations should trust their employees to handle data responsibly, IAM audit trails provide the necessary verification. This approach ensures that trust is maintained without sacrificing security. It also encourages a culture where employees feel comfortable sharing data, knowing that governance frameworks are in place to protect both the data and the people who use it. Vantage regularly assists our higher education clients in establishing and implementing updated data governance that meets the strategic mission and compliance obligations of the institution. 

—Jacqueline Pitter, CISSP, Senior Strategic Consultant, Vantage Technology Consulting Group; jacquelinepitter@vantagetcg.com


Response: Identity and Access Management (IAM) plays an important role in the data governance space. Beyond protecting data, IAM grants the right people access to the appropriate level of information. These principles apply across all facets of data governance in higher ed, but they are especially important when it comes to research management. Effective data sharing and compliance with strict funding and regulatory requirements help secure grants. This enables researchers to further drive human progress forward (no small feat).

IAM offers various solutions that can support your institution’s goals within the appropriate framework if you work to identify what will fit your specific needs. For example, user-centric tools like single sign-on (SSO) can significantly enhance the user experience, reducing the hassle of multiple logins and simplifying access to data. Role-based attributes ensure that individuals have the appropriate level of visibility, and that access can be adjusted as projects evolve.


Meanwhile, data governance provides a framework for managing, using, and protecting data throughout its lifecycle. IAM complements this by offering dynamic and intelligent access controls that support the collaborative nature of research while safeguarding sensitive information. When done right through federated identity management and adaptive, contextual access controls, it can adapt to the needs of the research community.

But technology and information management aren’t the full story. Effective data governance also relies on engaging researchers, data stewards, and other stakeholders in the process. When these groups are involved, there’s greater commitment to and compliance with your IAM protocols, and how they impact their respective roles and the data they can access. Regular training, clear communication, and building a culture of trust and accountability can help avoid bottlenecks, keeping data governance practical and research moving with forward momentum.

When researchers and other stakeholders understand and trust the tools available to them, it builds a collaborative approach to data management. Meetings can then start to shift from debates over control to discussions on how best to manage and share data, resulting in more productive and constructive conversations. Engaging directly with your research department is a great way to learn how you can support their needs without making assumptions—you might be surprised by the feedback they offer.

IAM should be about building smarter gates, not higher walls. Whether in research or other domains, it enhances efficiency, boosts institutional reputation, and helps create a culture of trust and collaboration that empowers everyone to do their work without unnecessary barriers. And your efforts with IAM play a foundational role in how your institution can move forward, one secure access point at a time.

—Netta Caligari, Community Lead, West Arete; netta@westarete.com