Edited by Apryl Motley, CAE – Communications & Technical Writing Consultant, InCommon
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts discuss the concerns or challenges their higher ed customers most often need help addressing. This is our first column for 2024.
Question: What is the concern or challenge that higher ed customers most often express to you or need help addressing?
Response: The effectiveness of automated systems hinges entirely on the quality of the data they operate on. I’ve heard countless stories about organizations grappling with their IAM solutions due to inaccurate or delayed HR data. It’s frustrating when new hires face delays in getting set up, or worse, when they can’t access their accounts on their first day. And the same goes for when someone leaves – if their employment records aren’t promptly terminated, it poses a serious security risk.
So, what can be done about it? Well, for starters, building flexibility into systems is key. We need to recognize that sometimes we’ll have to set up accounts before all the HR data is in, and we might need to manually deactivate accounts to ensure no one has access beyond their employment.
But perhaps just as important is working hand in hand with HR. Bringing HR representatives to the IAM governance board helps bridge the gap between data processing and real-world implications. They might not always realize the impact of delayed data on systems, and often, they’re not even aware of the issues that arise. Keeping them in the loop not only helps them understand but also ensures better collaboration in managing data effectively.
—Jim Beard, IAM and Grouper Engineer, Unicon; jbeard@unicon.net
Response: The primary concern our higher education clients bring to us revolves around the ever-expanding gap between the escalating demand for services, the stakeholder expectation that legacy solutions will continue to be supported, and a lack of capacity to do everything with the current IT resources. This persistent challenge has become a defining theme for institutions grappling with the rapid evolution of technology in the education sector. Many campuses find themselves in a precarious position, struggling to keep pace with the digital transformation imperative while having to focus a not insignificant percentage of their time and energy maintaining outdated foundational infrastructure.
Our clients have successfully navigated the challenges posed by the digital age, implementing effective strategies for technological advancement by having us help them make the case for a change. However, a substantial number of campuses are merely holding on, caught in a precarious balancing act. The rising expectations for seamless online learning experiences, robust cybersecurity measures, and innovative educational technologies intensify the pressure on already stretched IT infrastructures.
As a small, boutique consulting firm that specializes in higher education IT and information security, Vantage is typically brought in by our clients to conduct comprehensive assessments of an institution’s data governance, information security program, or other aspects of their IT strategic plan. These assessments serve as a critical tool for illuminating the urgency of change and the necessity for increased investments in IT resources. Armed with detailed analyses, we assist clients in articulating persuasive arguments to campus leadership, advocating for strategic decisions that can bridge the gap between the institution’s mission and aspirations and the foundational work required to support everything. The overarching goal is to ensure that educational institutions not only survive but thrive, ultimately enhancing the quality and accessibility of education for all stakeholders.
—Jacqueline Pitter, CISSP, Senior Strategic Consultant, Vantage Technology Consulting Group; jacquelinepitter@vantagetcg.com
Response: The IAM field is exciting for many different reasons. Designing and deploying an IAM system is extremely responsible work because all other systems will rely on that. Also, the identity engineers must have a broad understanding of the whole IT infrastructure to properly define the identity layer with all dependencies. Then, we have standards and protocols, enabling compatibility and collaboration with others, as well as complicated crafted solutions for integration, where no standard can be applied. Add a portion of cybersecurity, regulations, and processes, and we are getting IAM/identity governance and administration (IGA) that is so fascinating for many engineers.
There are also many challenges. We almost always start with an existing solution that needs to be seamlessly migrated to the new one and the wide reach of IAM integrations prevents us from building a full test environment. It would be too much work to clone everything, and when you consider cloud services or services connected through federation, the complexity is even higher. Data is also tricky. It’s never perfect; you need to deal with errors and exceptions, and often, there is no easy way to verify or fix the data.
This leads to the quintessential challenge in IAM/IGA: How can we cultivate assurance in deploying changes when comprehensive testing is nearly unattainable, data quality remains suboptimal, and we’re amidst a transition from legacy to modern systems? It requires careful analysis, thinking about the corner cases, designing tests in a limited test environment, and, in the end, nerves of steel, hoping that all will go smoothly. Evolveum is well aware of this challenge, and we are trying to help.
This is where midPoint’s simulation feature proves its worth. It offers a simulated run of changes in the production environment before deployment, providing a clear view of the proposed change’s impact without risking data corruption or misconfigured access control for services. Simulations in the production environment ensure that all corner cases are considered, all data–including exceptions and flaws–are processed, and the consequential analysis covers the entire new state. This feature boosts engineers’ confidence in deploying new changes swiftly and efficiently while notably decreasing stress levels.
—Igor Farinic, CEO, Evolveum; academia@evolveum.com
Response: Over the past 20 years, I have worked with hundreds of higher education focused clients, including colleges, universities, university and state systems, consortiums, teaching hospitals, and research institutes. Based on my most recent experiences in the field with many of our clients, we are seeing some well-established and emerging patterns that are having a major impact on the industry as a whole, but more specifically patterns that are affecting the technologies we use to provide the identities and access required to teach, learn, conduct research, and provide care.
A major issue many higher education institutions are experiencing is shrinking enrollment that has been compounded by fierce competition and decreased funding, not to mention societal changes like the normalization of hybrid/remote learning and work, increasing demand for an internet native perspective on user experience, and eroding perceptions of the value of higher education. Capital and regulatory stresses are also forcing institutions to adopt complex solutions to satisfy requirements from cyber insurance providers and privacy regulations. Schools are responding to this by expanding non-traditional/non-degree programs, expanding 100% online offerings, and intensifying their focus on research to offset the losses in enrollment. Some schools have taken extreme measures to reduce overhead and redundancy to become more competitive by consolidating IT services and establishing consortiums.
Responses to these changes in the higher education landscape are usually predicated on utilizing technology to solve these problems. These rapidly emerging trends are placing an increasing burden on IT to adapt to and support the organization’s needs with more complex technologies. Initiatives spawned by these needs tend to include:
- Modernized enterprise resource planning (ERP) deployments to support complex business practices that require more flexible and efficient IAM.
- Real-time identity provisioning to support transaction-based education, allowing a student to pay for a course and take it right away.
- Removing barriers and obstacles from and streamlining student recruitment to identify and track people and their actions sooner.
- Privacy regulations and inclusivity initiatives that change requirements for how people can manage their identities and grant consent.
- Cyber insurance and identity as a security perimeter need more robust privileged access management (PAM) solutions.
- Providing everything people need on their first day requires a rationalized approach to access governance.
- Growth in research requires increased collaboration and real-time provisioning for people that may not yet be in the ERP system.
A mature IAM program is required for institutions to properly respond to changes in the higher education sector with new ideas, new business, and new technologies. The key to a mature IAM program is:
- Spending the time to understand the greatest needs of your most critical stakeholders – the students, faculty, staff, practitioners, and researchers at your institution, collaborating with business stakeholders, and aligning those needs with the needs of the business.
- Working together with a holistic perspective to redesign processes that will enable future technologies.
- Defining boundaries and enforcing them with policy to ensure execution of your mission.
All of this equates to the fact that IAM can either be the biggest blocker to your modernization initiatives, or it can be an agent for digital transformation. It just depends on how you approach it.
—Jim VanLandeghem, Principal IAM Architect, Moran Technology Consulting; jim.vanlandeghem@morantechnology.com