InCommon Collaboration Success Program Case Study
(September 2023)
University of Massachusetts Amherst
Executive summary
University of Massachusetts, Amherst (UMass Amherst) participated in two different cohorts of the InCommon Collaboration Success Program (CSP), in 2021 and 2023. The primary impetus for the university’s participation was finding a replacement for its 15-year-old, heavily customized core identity management (IDM) system, which wasn’t serving the institution’s needs. Through the CSP, UMass Amherst gained an understanding of the identity and access management (IAM) landscape, vetted additional IAM solutions, and began development of a long-term roadmap for improvement.
Solution summary
UMass Amherst originally joined the CSP with the intention of finding a replacement for its 15-year-old core IDM system. This heavily customized legacy system isn’t serving the institution’s needs. In addition, UMass Amherst hoped to increase training for current IT staff and add members to the IAM team. The university’s first CSP in 2021 gave UMass Amherst an understanding of the IAM landscape, while the second in 2023 inspired a long-term roadmap for improvement.
Trusted Access Platform features supported
- Grouper
- Using Shibboleth
- Evaluated midPoint
- Exploring COmanage
The problem
Below is a diagram of the state of IAM at UMass Amherst as of September 2023. The middle square was still uncertain as of the writing of this document.
UMass Amherst’s custom IAM solution doesn’t meet the institution’s current needs for governance, business, operations, or compliance. The custom integration code is written in many different languages and runs across many different servers and platforms.
- The legacy custom IAM solution wasn’t built to a deliberate design and carries high maintenance costs.
- The institution experienced issues with role lifecycle management (on/offboarding, role changes, no attestation).
- The institution’s maturity with containerized deployments was low.
- UMass Amherst lacked dedicated IAM staffing.
- IAM understanding on campus was limited, with those outside of IT underestimating its necessity.
- UMass Amherst had multiple solutions with the same functionality.
- The institution had limited access management services.
Provisioning was in place to many different systems, but with little access management for those services.
CSP Goals
UMass Amherst originally joined CSP hoping to start a rebuild of its Identity Governance and Administration (IGA) team and reduce significant technical debt. Specific goals included:
- Engage campus community by increasing IAM awareness while examining unmet IAM business needs.
- Hire dedicated IGA staff.
- Start a road-mapping exercise and gather statements from both within and outside IT.
- Develop formal IAM requirements to drive decision making.
- Engage with InCommon Catalysts and other partners to help with projects.
- Deploy Grouper and move access management to this tool.
- Determine resources, budget, and timeline for a three- to five-year IAM plan.
Challenges
Through the CSP, the IGA team recognized a number of issues UMass Amherst needed to address before tackling its main IGA restructuring goals:
- The directory and authentication/security architecture needed improvement.
- UMass Amherst had no IGA team prior to its 2021 involvement in the CSP program.
- Matrixed IGA team members had other roles at UMass, making IGA work secondary.
- The institution came to CSP with a lot of technical debt.
- Service reliability issues and some breaches occurred during the CSP program.
- Resources and budget were limited.
The solution
The CSP program allowed the UMass Amherst team to refine its original goals in a more realistic way. Resources for the team were limited and would remain so for an undetermined time. With this realization, the team created a long-term plan (three to five years) for a restructured IAM team with some dedicated members and a prioritized list of necessary actions:
- Determine resources, budget, and timeline for three- to five-year IAM plan.
- Engage campus community to understand unmet business needs.
- Develop formal IAM requirements that will drive decision making.
- Engage with InCommon Catalysts and other partners to help with projects.
- Establish a dedicated IAM team.
- Deploy Grouper and move access management to this tool.
The result
The program raised awareness of the larger need to build an IGA team, beginning the process of garnering support from stakeholders, which would drive all other changes.
Key Activities:
- UMass Amherst’s team took full advantage of the InCommon Academy training available.
- The institution completed an independent IAM review.
- The team incorporated Grouper into the IGA strategy to address immediate needs and technical debt.
- Unmet IAM business needs and other deficits were cataloged.
- UMass Amherst began staffing a dedicated IAM team and is exploring alternatives to hiring full-time, dedicated IAM team members.
- The team launched a production Grouper solution.
- The CSP experience resulted in lasting connections with potential partners and CSP peers.
- The CSP program motivated the assembling of RFP requirements.
- A three- to five-year IAM plan with prioritized issues is underway.
- The institution’s gaps with compliance are now documented.
- The team rolled out a new DevOps paradigm in the IT department using Consul and Nomad container infrastructure.
- UMass Amherst developed a container/solution server, while improving authentication with a consolidation of services and a single credential store.
- The institution moved services to SSO and deployed MFA across campus.
- UMass Amherst backed all SSO with Azure AD as the IdP.
Lessons learned
- The team learned how to align its IAM strategy with business needs.
- UMass Amherst now has a clear understanding of the current IAM state of affairs.
- The CSP allowed the team to vet and eliminate potential programs previously considered.
- Grouper should have been deployed in a non-containerized environment.
- The lack of dedicated staff is better understood as an impediment to progress, but alternative solutions like the training of current staff and virtual support may fill the gaps.
Conclusions
- The first CSP for UMass Amherst centered on understanding the overall architecture and beginning the plans for a road map. In the second CSP, UMass Amherst was able to fine-tune the road map and explore specific components in more detail. Developing agreed-upon governance is key to moving forward effectively.
- Hiring staff for a dedicated IAM team may not look the way it did originally. Instead, a dedicated IAM team may come through a combination of training current matrix staff and using virtual support from vendors.
- The networking part of the CSP held enormous value for UMass Amherst during both CSP cohorts. For example, the UMass Amherst IGA team connected with UVA and received guidance around UVA’s adoption of Fisher.
About UMass Amherst
UMass Amherst is the largest public research university in New England. The institution has approximately 23,000 undergraduate students and more than 1,400 full-time faculty. The university’s IGA team manages 95,000 active accounts within a customized person and entity registry, including students, employees, retirees, guests, and contractors.
UMass Amherst Project Team
Matthew Dalton, chief information security officer (CISO)
Stephen Battisti, architect
Jeoffrey Pooser & Garnett Martin, information and risk compliance analysts
Mayumi Fraser, Longfei Wu, & Elliott McClinton, IAM software engineers
Elliott McClinton, Brandon Hartshorn, & Mark Scarbrough, Shibboleth engineers
Ross Kellogg, IAM project manager
Scott Szajna, IAM liaison to president’s office