Edited by Apryl Motley, CAE – Communications & Technical Writing Consultant
Estimated reading time: 9 minutes
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts discuss how IAM can support institutions in complying with regulatory and reporting requirements as well as best practices for establishing relationships with vendors. This is our first column for 2025.

Response: Even though the primary purpose of IAM is different, it has a vast potential for supporting many use cases related to security compliance, regulations, and reporting. That’s because an IAM solution usually has access to a large amount of identity-related data and can process it in various ways. You can use this to your advantage and generate reports required by compliance policies or prepare information for auditors.

However, regulations are not only about reporting. You also need to certify certain properties of your systems and meet some security requirements, such as segregation of duties. A proper IAM solution can handle these requirements with ease. You can define automated processing rules and policies that guarantee the desired state and prevent actions that would violate the requirements, regulations, and security policies. Conversely, you may want to relax the conditions under certain circumstances and allow actions that would normally be in conflict with the policies to take place. Any time such an exception occurs, though, you want to have the situation strictly under control, be informed about it, and have a human-driven resolution process in place. An IAM solution can help you make all this easier.

Despite all its advantages, an IAM solution won’t solve everything and make you compliant by itself. It provides the tools to make the process easier for you, but you need to actively work on making your organization compliant in all its aspects, both inside and out of the IAM realm. There are tasks that you can’t offload to IAM. For example, you need to have proper processes in place, your employees may need to go through relevant training, or your documentation needs to be properly maintained. It’s a lot of work, but a well-deployed IAM solution can take a significant portion of that burden off your shoulders.

It is important to note that to realize the full potential of an IAM solution, you need to provide it with all the identity-related data you handle. For instance, if you still manage access to a few resources outside the IAM solution or even have some systems that aren’t connected to it at all, the reports and compliance checks will never be complete. Such a situation significantly hinders the usefulness of IAM. Therefore, don’t wait, take action now, and ensure your IAM solution has all the data it needs to help you get and stay compliant with all relevant regulatory, reporting, and security policies.

– Slavek Licehammer, Head of Engineering, Evolveum; academia@evolveum.com
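The segregation-of-duties pattern described in the response above (automated rules that block conflicting role combinations, plus controlled, time-limited exceptions that stay visible for human resolution) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the column, from Evolveum, or from any contributor, and the role names, conflict pairs, identities, approver, and dates are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks with controlled, time-limited exceptions.

Added example; not code from the column or from any contributor or vendor named in it.
The role names, conflict pairs, identities, and dates are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed SoD policy: pairs of roles one person must not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"invoice-approver", "vendor-master-editor"}),
    frozenset({"payroll-entry", "payroll-approver"}),
}


@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)


@dataclass
class SodException:
    """A human-approved, time-boxed permission to hold one conflicting pair."""
    uid: str
    pair: frozenset
    approver: str
    justification: str
    expires: date

    def covers(self, uid: str, pair: frozenset, today: date) -> bool:
        return self.uid == uid and self.pair == pair and today <= self.expires


def find_conflicts(roles: set) -> list:
    """Return every policy pair fully contained in the role set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)


def evaluate_assignment(identity, new_role, exceptions, today):
    """Decide whether adding new_role to identity is permitted.

    Returns (decision, conflicts); decision is 'allow', 'allow-with-exception'
    (every conflict is covered by an active exception) or 'deny'.
    """
    conflicts = find_conflicts(identity.roles | {new_role})
    if not conflicts:
        return "allow", []
    covered = all(
        any(e.covers(identity.uid, frozenset(c), today) for e in exceptions)
        for c in conflicts
    )
    return ("allow-with-exception" if covered else "deny"), conflicts


def exception_report(identities, exceptions, today):
    """Audit view: every live conflict and whether an active exception covers it.

    Rows with status 'uncovered' are the ones that need human resolution.
    """
    rows = []
    for ident in identities:
        for c in find_conflicts(ident.roles):
            match = next((e for e in exceptions if e.covers(ident.uid, frozenset(c), today)), None)
            rows.append({
                "uid": ident.uid,
                "conflict": c,
                "status": "covered" if match else "uncovered",
                "approver": match.approver if match else None,
                "expires": match.expires.isoformat() if match else None,
            })
    return rows


# Constructed sample data.
ALICE = Identity("alice", {"invoice-approver"})
BOB = Identity("bob", {"payroll-entry", "payroll-approver"})
EXCEPTIONS = [
    SodException("alice", frozenset({"invoice-approver", "vendor-master-editor"}),
                 approver="cfo", justification="year-end close coverage",
                 expires=date(2025, 6, 30)),
]
BEFORE_EXPIRY = date(2025, 3, 1)
AFTER_EXPIRY = date(2025, 7, 1)


def run_demo():
    """Exercise the policy on the sample data; returns the decisions for inspection."""
    return {
        "alice_no_exception": evaluate_assignment(ALICE, "vendor-master-editor", [], BEFORE_EXPIRY),
        "alice_active_exception": evaluate_assignment(ALICE, "vendor-master-editor", EXCEPTIONS, BEFORE_EXPIRY),
        "alice_expired_exception": evaluate_assignment(ALICE, "vendor-master-editor", EXCEPTIONS, AFTER_EXPIRY),
        "alice_unrelated_role": evaluate_assignment(ALICE, "payroll-entry", EXCEPTIONS, BEFORE_EXPIRY),
        "report": exception_report([ALICE, BOB], EXCEPTIONS, BEFORE_EXPIRY),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

Two design choices carry the response's point. An exception is never a blanket waiver: it names one person, one specific conflicting pair, an approver, a justification, and an expiry, so the moment it lapses the same request is denied again. And the report is computed from live role data rather than from the exception log, so a conflict that crept in outside the approval path shows up as "uncovered" instead of being hidden behind an old approval.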
Response: To say that we’re in a time of uncertainty in higher education would be the understatement of the year, maybe the decade. We have federal regulations that change day-to-day that may also conflict with the state-level regulations that govern our institutions, and even different state-level regulations for some institutions that cross state lines, and all of that before we get into international regulation like the General Data Protection Regulation (GDPR) from the European Union. Institutions must be agile in their ability to respond to these changes, and robust IAM systems can go a long way toward enabling that agility.

Especially for organizations that haven’t adopted data warehousing for reporting, the IAM system will often be the one centralized repository of bio/demo data, which otherwise would be coming from any number of disparate authoritative systems. Beyond holding data that might be required for compliance or reporting purposes, a robust IAM system will provide an institution with tools to control who can access that required information, wherever it’s located within institutional systems. As the data necessary for a compliance or reporting need changes, well-designed entitlement and role-based access control (RBAC) systems allow for the granting or removal of access in a clean, manageable way.

IAM systems also help institutions protect the privacy of personal data to comply with regulations like the Family Educational Rights and Privacy Act (FERPA) or GDPR. When all the systems in an institution are sourcing their identity data from a centralized system, it’s easy to enforce controls on what data a system receives about any given individual, depending on the actual business need of that system. For example, enterprise resource planning (ERP) systems can receive full data including the legal name of a student since that data is required for its functionality. The learning management system, on the other hand, doesn’t really need the student’s legal name, but for functionality like rostering and attendance, it will need the student’s name. Finally, if students have opted to restrict access to their information under FERPA, the institutional people directory wouldn’t receive any data about the students. As with enabling access to data, well-designed IAM systems (including business processes, technical processes, and technology systems) make it easier to protect the data of an institution’s constituents.

Finally, IAM systems can help to ensure complete purging of data that, through changes in regulation, might become more of a liability to maintain than the value provided to the institution by having it. Since the IAM system is already controlling access to identity data, the pool of systems that must be purged is minimized, and with systems sourcing their data from the IAM system, overwriting or removing the data in the IAM system will generally ensure that it is overwritten or removed in any downstream system as well.

While none of us can be sure what new challenges tomorrow will bring, we can all do our best to make sure we’re prepared to meet those challenges when they arrive.

– Kenny Barnt, Senior Consultant, Moran Technology; kenny.barnt@morantechnology.com
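The response above describes two mechanisms that a central identity store makes possible: per-system attribute release driven by business need (the ERP receives the legal name, the learning management system receives a display name but not the legal name, and a FERPA-restricted student does not appear in the people directory at all), and purging data once in the central store so that every downstream projection loses it too. The following is an added example written for this page; it is not code from the column, from Moran Technology, or from any contributor. The consumer names, attribute names, release policy, and sample student records are constructed, and the downstream "systems" are in-memory dictionaries standing in for real provisioning targets.

```python
"""Per-consumer attribute release from a central identity record, with a FERPA
disclosure restriction and purge propagation to downstream projections.

Added example; not code from the column or from any contributor or vendor named in it.
Consumer names, attribute names, the policy, and the sample records are constructed.
"""
from copy import deepcopy

# Constructed release policy: which attributes each downstream system may receive,
# and whether that system must receive nothing for a person with a FERPA restriction.
RELEASE_POLICY = {
    "erp": {
        "attributes": {"uid", "legal_name", "preferred_name", "email", "date_of_birth"},
        "honor_ferpa_restriction": False,   # ERP needs the record regardless
    },
    "lms": {
        "attributes": {"uid", "preferred_name", "email"},   # no legal name needed
        "honor_ferpa_restriction": False,
    },
    "directory": {
        "attributes": {"uid", "preferred_name", "email", "department"},
        "honor_ferpa_restriction": True,    # restricted students are not listed at all
    },
}


def release(record: dict, consumer: str) -> dict:
    """Project a central record onto what one consumer is allowed to receive.

    Unknown consumers and restricted-plus-honoring cases yield {}: deny by default.
    """
    policy = RELEASE_POLICY.get(consumer)
    if policy is None:
        return {}
    if policy["honor_ferpa_restriction"] and record.get("ferpa_restricted"):
        return {}
    return {k: v for k, v in record.items() if k in policy["attributes"] and v is not None}


class IdentityStore:
    """Central store; downstream projections are recomputed from it, never edited directly."""

    def __init__(self):
        self._records = {}
        self.downstream = {consumer: {} for consumer in RELEASE_POLICY}

    def upsert(self, record: dict):
        uid = record["uid"]
        self._records[uid] = deepcopy(record)
        self._propagate(uid)

    def purge_attribute(self, uid: str, attribute: str):
        """Blank one attribute (e.g. after a regulatory change) and push that downstream."""
        self._records[uid][attribute] = None
        self._propagate(uid)

    def purge_identity(self, uid: str):
        """Remove the person centrally and from every downstream projection."""
        del self._records[uid]
        for projections in self.downstream.values():
            projections.pop(uid, None)

    def _propagate(self, uid: str):
        record = self._records[uid]
        for consumer, projections in self.downstream.items():
            view = release(record, consumer)
            if view:
                projections[uid] = view
            else:
                projections.pop(uid, None)   # nothing releasable: leave no stale copy behind


def build_sample_store() -> IdentityStore:
    """Constructed sample: one ordinary student and one with a FERPA restriction."""
    store = IdentityStore()
    store.upsert({"uid": "s100", "legal_name": "Alexandra Q. Example", "preferred_name": "Alex",
                  "email": "s100@example.edu", "date_of_birth": "2004-02-29",
                  "department": "Physics", "ferpa_restricted": False})
    store.upsert({"uid": "s200", "legal_name": "Bartholomew Sample", "preferred_name": "Bart",
                  "email": "s200@example.edu", "date_of_birth": "2003-11-05",
                  "department": "History", "ferpa_restricted": True})
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for consumer, projections in store.downstream.items():
        print(consumer, "->", projections)
    store.purge_attribute("s100", "date_of_birth")
    print("erp after purge ->", store.downstream["erp"]["s100"])
```

Note the two deny-by-default paths in `release`: a consumer that is not in the policy gets nothing, and a consumer that honors the restriction gets nothing for a restricted person. `_propagate` removes a downstream entry whenever the releasable view becomes empty, which is what makes the purge described in the response work without touching each downstream system by hand.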
Response: Institutions should fully understand their desired relationship with vendors, especially with professional service vendors, to ensure long-term success. For example, some vendors focus on training and knowledge transfer to make university resources self-sufficient, which may not suit institutions looking for staff augmentation post-project.

When working with software vendors, be prepared with the use cases you want to discuss and ask for them to be demonstrated if possible. Some software vendors will give you a trial/lab that you can use for several weeks to do a proof-of-concept. It’s important to have your requirements for infrastructure in advance, particularly with SaaS vendors. You typically will only get two environments (non-production and production), and typically your non-production will have user limits. These can be inhibitive for some institutions when it comes to load testing or end-to-end testing.

Lastly, be sure to talk to references. Not a lot of software vendors understand the unique landscape and challenges within higher education and research. The same thing can go for professional services vendors as well. There are a lot of institutions that have had great experiences with software and services vendors; be sure you are one of them.

– Paul Hodgdon, CEO, Instrumental Identity; paul@instrumentalid.com
Response: Sometimes engaging external vendors is the best option for colleges and universities to address complex challenges and enhance institutional operations. Institutions look for partnerships that enhance their operations, create efficiencies, and free up time for their teams to focus on other high-priority items. As someone who has both hired vendors and been the hired vendor, I recommend following these best practices when selecting, managing, and maximizing vendor relationships.

First, when selecting a vendor, do your due diligence to make sure they align with your institution’s needs. Talk with peers who will provide honest and valuable insights into vendor performance and reliability. Another good way to assess a prospective vendor’s expertise is by reviewing publications, speaking engagements, and case studies released by the vendor (or by individuals on behalf of the vendor). Additionally, check that a vendor’s proposal reflects your specific goals rather than offering a generic, one-size-fits-all approach.

Meeting the team with which you’ll be working is equally important—interview potential vendors to confirm that the assigned consultants fit the institution’s culture and needs. (Pro tip: Ask if the team presenting the proposal will be the same team that works on your project.)

Once you select a vendor, set clear expectations to foster a productive relationship. Define project outcomes up front by voicing your desired results rather than dictating specific methodologies or approaches. Then, make sure to clarify roles and responsibilities of both members of the vendor team and those on your internal team who will interface with the vendor. Agree on deliverables, success metrics, and communication frequency—and be specific.

Maintaining active engagement through regular meetings will help keep both parties aligned on timelines, budgets, and institutional needs, and you’ll find it easier to hold everyone involved on the project accountable. If you determine expectations are not being met, promptly address concerns by scheduling discussions with the vendor to find solutions, preventing minor challenges from becoming major disruptions.

I’ve been involved in countless positive vendor engagements on both sides of the partnership. I’ve found the ones that are most successful follow these best practices and often yield unforeseen benefits that go beyond the project scope.

– Jacqueline Pitter, CISSP, former Senior Strategic Consultant, Vantage Technology Consulting Group