Edited by Apryl Motley, CAE - InCommon Communications Lead
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address evaluating IAM solutions and hosting IAM in the cloud. This is our second column for 2023.
Q: What’s a question everyone should ask themselves when evaluating an IAM solution/implementation and why?
A: When evaluating an IAM solution it is crucial to ask: “Does this IAM solution effectively address the risks and challenges my institution faces?” This simple question opens the door to a few evaluations that need to happen.
First, consider security alignment. Every higher education institution has unique safeguarding requirements regarding sensitive data and business operations. The solution should support regulatory compliance for anything FERPA, GLBA, HIPAA, and PCI related that may exist in any area of your environment, providing audit trails, access controls like 2FA, endpoint posture scrutiny, clear workflows for easily provisioning and de-provisioning access, appropriate privileged access management, and perhaps support for identity certificates like EAP-TLS. Assess the IAM solution to ensure it adequately protects your organization’s assets.
Second, assess scalability and future-proofing. A campus network environment is never static, and similarly, the IAM solution should be able to adapt to evolving needs and technologies as well as accommodate new user types, devices, and applications without requiring significant rework. And, as the solution grows, it needs to be able to be supported and maintained by your existing IAM team (or have clear leadership-supported plans in place for team expansion).
Third, evaluate end-user experience and productivity. The solution should be easy to use and should offer self-service capabilities and efficient authentication methods. A positive user experience will make the IT Service Desk’s job a lot easier.
Finally, assess integration with existing (and planned) systems. Ensure seamless integration with applications, directories, and platforms, reducing complexity in managing user access across environments.
By asking this question, you ensure the IAM solution meets your institution’s current and future security needs, scales well and will receive the care and feeding it requires, enhances user experience, and integrates into your existing environment seamlessly. This holistic approach promotes a solid risk-informed assessment of any IAM solution.
—Jacqueline Pitter, CISSP, Senior Strategic Consultant, Vantage Technology Consulting Group; jacquelinepitter@vantagetcg.com
A: What is your weakest link? Philosopher Thomas Reid said that “a chain is only as strong as its weakest link.” Nowhere is this more true than in cybersecurity. When evaluating an IAM system, it’s important to know which component is the weakest link. The level of security of that component is the level of security of the whole system.
Studies have found that the weakest link in most IAM systems isn’t in unsafe low-level code or improper database writes, but in human psychology. Forbes reported more than 300,000 phishing attacks in the U.S. alone last year. And, most security experts would agree that passwords are the weakest link. Unfortunately, we in the research and education community expose endless critical web services behind the flimsy shield of passwords. However, we found that with the recent introduction of passwordless standards, our industry has a rare opportunity to accomplish a step-change improvement in security.
This became the motivation for our newest project, OmniPasskey, a plugin that enables passwordless authentication for existing Shibboleth installations. The “weakest link question” snapped the password issue into focus for us and made it clear that we ought to get right to work replacing the weak “password link” in the identity providers that form the backbone of our community’s IAM infrastructure.
—Drew Capener, Software Engineer, Omnibond; drew@omnibond.com
A: When assessing an identity and access management implementation, an important question that higher ed institutions should ask is: How might this solution bridge the gap between data silos within our various systems?
A common issue facing colleges and universities is the segregated data amongst different vendor solutions that lack seamless interoperability – this can inhibit the institution’s strategic planning. The Chronicle of Higher Education’s research brief “Becoming a Data Driven Institution” reported that the biggest barrier on campus to effectively using data to make decisions and improve operations is decentralized/siloed data collection.
Identity information is a common denominator amid disconnected student data in individual systems, but it can cause issues with knowing who’s who. For example, if you have an alumni portal that does not tie back to the original identity, and the rest of your student data in a separate system – how do you connect the two for a complete record?
If you are selecting a new IAM system and it integrates with both data silos, you’ve made a significant step in being able to break those silos down and help the institution strategically utilize this data for the benefit of students, faculty, and staff.
Identity management itself doesn’t break down the silo and merge the data, per se, but efficient identity integration with trusted vendor products is the key (really, the prerequisite) to breaking down the barriers that data silos create.
The vendor solution itself may support the integration, or you may have to build a connector that makes the integration go well. However, various identity solutions will affect how easy (or hard) the integration is, depending on the vendor solution. I recommend picking your IAM solution with a focus on what data silos you can help bring together with your identity framework.
Remember, the unification of data holds immense potential, and your identity solutions can serve as the vital link to unlock this value for your institution.
—Netta Caligari, Community Lead, West Arete; netta@westarete.com
A: When evaluating or selecting an IAM solution, you should ask yourself: Have I accurately identified ALL my institution’s requirements and have I clearly defined why an IAM solution is a priority? IAM is not just a technology problem. It is a business problem (or opportunity) with a technical component. For example, your CISO might be focused on a new IAM solution’s capacity to reduce cyber security gaps and believes the best way to socialize IAM’s value is to emphasize the need to reduce institutional risk. However, your campus executives (as well as recruitment, admissions, applicants, students, and faculty) are probably clamoring for a frictionless and much improved digital experience. How do you prioritize competing needs and requirements?
To be successful, IAM platform selection must be part of an IAM program that is aligned to your institution’s strategic goals and is capable of fostering sustained institution-wide collaboration. Identifying ALL your institution’s most critical requirements means including key executive, academic, business, and functional stakeholders in a formal process (e.g., workshops) to clearly identify and document current strengths, gaps, and key pain points. It will also require a means of prioritizing all of these (potentially competing) business, functional, and technical requirements.
While there are plenty of good IAM solutions available, they may not all be good solutions for your institution. To select the best solution, i.e., the one that meets your campus’s most critical needs, requires more than the ability to differentiate between the technical and functional strengths of the solutions you are considering. Prioritizing those functional requirements is critical. And these priorities should be aligned to and driven by your institution’s strategic goals. This is the best way to ensure that your choice is the right choice for your institution.
—Jim VanLandeghem, Principal IAM Architect, Moran Technology Consulting; jim.vanlandeghem@morantechnology.com
A: Here are some of the questions that Cirrus recommends, as we all asked these questions when we were in roles at higher ed institutions. Do the vendors understand the nuances of IAM needs specific to higher ed and research? Are they a trusted partner? How many similar solutions for our use case have they successfully implemented? Do they have reference customers with similar needs to your organization? Has there been any information about this vendor posted to community lists like the EDUCAUSE IAM list or the InCommon participants list?
Cirrus Identity has grown over time by earning the trust of our customers. We focus our cloud login solutions on challenges faced by higher ed and research. External users like applicants, parents, alumni, continuing ed students, research collaborators, suppliers, contractors, and retirees make identity management in higher ed and research much more complex. Many commercial solutions don’t adequately address these challenges or are cost prohibitive. Cirrus can help you consolidate your SSO, automate workflow, and provide seamless integrations that improve the user experience and reduce expenses.
—Dedra Chamberlin, CEO & Founder, Cirrus Identity; dedra@cirrusidentity.com
Q: What components of an IAM solution could reasonably be hosted in the cloud, and what would be the pros and cons to a higher education institution for making that choice?
A: The InCommon Trusted Access Platform bundle, although it’s only one of the many IAM solutions, has been proven to work in the cloud, and Internet2 has created the “workbench” allowing for demonstrations and usage as needed including these key applications – Shibboleth, midPoint, Grouper, and COmanage.
Many IAM solutions can work in the cloud; there are considerations, and not all are equal, but “the cloud” opens a new opportunity for higher education and their IAM teams.
Key things to think about when you are planning to move your IAM solution to the cloud include the following. Does your institution have the staff expertise and working knowledge to make an IAM solution in the cloud a successful working solution? One can think of the pros and cons from different perspectives, but the trends represent challenges in not only finding identity specialists but also keeping that knowledge in-house for an extended period of time. This means that not only is hosting a benefit, but managed services for this solution would be as well.
The “cloud” provides streamlined built-in services, redundancy, auditing, reporting, etc., which ultimately saves your team time and energy. Not to mention the physical footprint you are no longer required to have when you move to the cloud.
What I am hearing from higher education is that it’s all about the value of moving to the cloud. The challenge is knowing when to transition!
—Charise M. Arrowood, Executive Director, Business Development, Unicon; carrowood@unicon.net
A: When thinking about a cloud, it is necessary to be specific about what we really mean by the cloud. One possibility is to just deploy the IAM solution in the cloud in a similar way as if it were deployed on-premise. Is there any benefit? There might be, depending on your cloud infrastructure, orchestrating options, and so on. For the most part, it will save you some operations costs. However, there might be new issues with networking, firewalls, and so on, but that truly depends on the overall architecture, including whether the cloud is public or private.
The second, more interesting option is to think about how IAM can be used as a cloud service. This means that someone could operate IAM in a way that would suit several institutions simultaneously and could also be scaled easily. This is an exciting topic and certainly something higher education institutions should consider. We all know it’s getting harder and harder to find skilled employees, and this is especially true in the area of IAM. Outsourcing to a cloud might be one solution. Additionally, the cloud service could easily solve some problems by design, such as automatic scaling, upgrades, and access to new features. Even the overall cost could be lower with a proper cloud service that really scales, since the expenses are distributed among all institutions using the cloud service.
On the other hand, the cloud service cannot be fully customizable by design. Otherwise, it would scale less than we need it to. This means that when one decides to choose the cloud, there will be compromises. Furthermore, there may be the feeling of losing control over an area as critical as IAM. However, we’ve gotten used to this in other areas, for example, with Microsoft M365 services. Therefore, this might not be a showstopper after all.
To conclude, Evolveum has been thinking about how to build midPoint as a cloud service together with our partners. We are aware of the possible obstacles and limitations, but eventually, this could be a handy solution for some institutions. We will be happy to discuss this topic with anyone interested as well as ensure that our progress is shared with the academic community.
—Igor Farinic, CEO, Evolveum; academia@evolveum.com
If there’s a question you would like for us to address in a future installment of Catalyst to Catalyst, contact InCommon Communications Lead Apryl Motley.