Security | Feature
Identity Management in the Cloud
With students and faculty now accessing applications in the cloud, IT departments should consider the merits of federating, centralizing--and even outsourcing--identity management. The rewards? Greater security, convenience, and lower costs.
Before the advent of the cloud, managing access to campus-based applications was fairly straightforward. With off-site software becoming the norm, however, IT departments are now faced with some identity-management (IdM) challenges: Cloud-based apps often require separate login credentials, forcing students and faculty to juggle multiple usernames and passwords. And as anyone whose brain has ever blanked on a login page can attest, multiple passwords are a recipe for disaster. Not only is a multi-account approach frustrating to users, but it eats up valuable IT time that must be dedicated to password resets--to say nothing of the hours needed for provisioning and terminating all those accounts.
More than inconvenience and labor are at stake, though. With so many credentials to keep track of, it's easy for users to let their passwords fall into the wrong hands. And even if users are zipped up like Fort Knox, there's always the worry that third parties will sell user data to the highest bidder.
Unite and Conquer
While decentralized IdM systems worked fine just a few years ago, schools need different solutions for today's cloud-focused environment. For institutions looking for convenient access to a variety of disparate apps, the best bet might be InCommon, a national federation operated by Internet2 that is focused on higher education.
For a registration fee of $700 and annual fees ranging from $1,180 to a maximum of $3,250 for very large research universities, InCommon offers access to a range of services (some for additional fees) including federated identity management, an assurance program, certificate service, and multifactor authentication programs. Hundreds of universities, labs, government agencies, and service providers belong. To participate, vendors--including cloud-based service providers--must meet certain standards. For example, each company needs at least one nonprofit sponsor, and it must agree to a strict policy of not aggregating data. More than 140 software-as-a-service providers have already signed on, including EBSCO, Blackboard, and CollegeNET.
Among other benefits, InCommon allows member schools to access all supported apps through their existing single sign-on systems, whether they're based on-site or in the cloud. The University of Wisconsin, for example, uses a local Shibboleth federated identity system to connect students to InCommon-supported cloud apps. Coppin State University (MD), on the other hand, patches users into the same network through its Fischer International cloud-based IdM solution.
"Once you've set up your campus to work with InCommon, whenever another provider is added, it's a 20-minute activity to add it to your own single sign-on," says Jack Suess, InCommon chair and CIO at the University of Maryland, Baltimore County.
Suess is also working with Internet2 and the National Science Foundation to roll out Eduroam in the United States, a wireless roaming initiative that lets users connect to WiFi and secure cloud software at every participating Internet2 member institution without obtaining guest credentials. The connection is immediate: users sign in with their home institution's credentials, and the visited campus relays the authentication back to the home institution for verification rather than holding a copy of the password.
"Lots of SaaS vendors say, 'Send me a spreadsheet of all your users,' but that doesn't work for higher ed," explains Suess. "We're adding people throughout the year, and we have bursts where we get students right up to the first or second day of classes." Eduroam is currently available to the 220 Internet2 research universities in the United States, but it may soon be open to all of the country's higher ed institutions.
Centralizing and Outsourcing
While federations such as InCommon can help individual schools connect to the cloud securely and easily, multicampus systems also need ways to streamline their identity management. "It just makes sense to have a central broker provide access across disparate organizations," says Brian Viscuso, enterprise engineering systems lead for the Virginia Community College System, which has 23 colleges on 40 campuses statewide.
Each VCCS school has a localized IdM system, but students also have access to a central portal. In years past, users had to manage two sets of login credentials, and contracting for cloud services was a mess. Multiple points of entry also created additional security hazards, especially for students attending more than one of the system's campuses.
To simplify and secure the VCCS network, Viscuso partnered with Microsoft to build a centralized Enterprise Active Directory. Using Microsoft's Forefront Identity Manager software, he synchronized each school's IdM program with the central hub, creating one of the first statewide single sign-on systems. Now students can access Blackboard, the VCCS student information system, and other centrally managed applications with the same credentials they use for local data.
Equally important, both local and central IT staff can now easily control access to wireless, printing, and library services. Since VCCS campuses are open to the public, these services were often highlighted as major liabilities during security audits.
The ability to create a single sign-on for applications, whether they're housed on-site or in the cloud, is a major step forward. But some schools are going further by outsourcing their actual IdM system to the cloud. Coppin State was the first school to implement Fischer's identity-as-a-service (IaaS) program (Fischer's term; not to be confused with infrastructure-as-a-service, the usual expansion of the acronym), after utilizing the company's on-premises Identity Suite for four years. According to CIO Ahmed El-Haggan, making the switch to the cloud-based version of the product was "no hassle whatsoever. It took us maybe three hours to move on-premise systems to the cloud."
The benefits of the shift were immediately evident. Not only can Coppin students now access all of the school's cloud-based services with a single sign-on, but they can handle password resets without help from local IT staff. Considering that the school used to deal with 25,000 resets every semester, this feature alone has saved hundreds of hours of labor.
Cloud IdM has also made provisioning a snap. "When someone is hired, he's ready to go by the time he leaves HR," notes El-Haggan. "What used to take a week now takes 10 minutes or less." Access to applications and sensitive data is all handled automatically, based on roles and job duties that are defined ahead of time. And when employees are promoted or leave, Fischer's IaaS system allows HR personnel to change access privileges as needed.
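The HR-driven, role-based provisioning just described is, at bottom, a reconciliation loop: the HR record is the source of truth, roles map to entitlements, and a pass over the directory turns the difference between desired and actual access into grants and revocations. The following is an added example of that loop, not Fischer's or VCCS's code; the role names, entitlements and sample records are constructed for the demo, and an account HR has no record of is treated as a leaver so that orphaned access is revoked rather than left alone.

```python
"""Role-based provisioning in miniature: the HR record is the source of
truth, role definitions map to entitlements, and a reconciliation pass
turns the difference into grant/revoke actions. Added example; the role
names, entitlements and sample records are constructed, not VCCS/Coppin data."""

# Constructed role definitions: each role grants a set of entitlements.
ROLE_ENTITLEMENTS = {
    "student":   {"lms", "email", "wifi", "library"},
    "staff":     {"email", "wifi", "printing", "hr-portal"},
    "registrar": {"sis-read", "sis-write"},
    "faculty":   {"lms-instructor", "email", "wifi", "library", "sis-read"},
}

# A person HR has no record of is treated as a leaver (fail closed).
LEAVER = {"status": "terminated", "roles": []}


def desired_access(hr_record):
    """Entitlements a person should hold, derived only from HR status and roles."""
    if hr_record["status"] != "active":
        return set()                     # leavers keep nothing
    access = set()
    for role in hr_record["roles"]:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")  # refuse to guess
        access |= ROLE_ENTITLEMENTS[role]
    return access


def reconcile(hr_records, current_access):
    """Diff desired vs. actual access; return (action, user, target) tuples.

    Joiners get grants, movers get grants plus revokes of what the old role
    had, leavers (and accounts unknown to HR) get every entitlement revoked
    and the account disabled. Running it twice in a row yields no actions.
    """
    actions = []
    for user in sorted(set(hr_records) | set(current_access)):
        record = hr_records.get(user, LEAVER)
        want = desired_access(record)
        have = current_access.get(user, set())
        for ent in sorted(want - have):
            actions.append(("grant", user, ent))
        for ent in sorted(have - want):
            actions.append(("revoke", user, ent))
        if record["status"] != "active" and have:
            actions.append(("disable", user, "account"))
    return actions


def apply_actions(current_access, actions):
    """Apply grant/revoke actions to a copy of the access map.
    'disable' is left to the directory and is a no-op in this model."""
    new_access = {u: set(ents) for u, ents in current_access.items()}
    for action, user, target in actions:
        if action == "grant":
            new_access.setdefault(user, set()).add(target)
        elif action == "revoke":
            new_access.get(user, set()).discard(target)
    return new_access


# Constructed sample data: a new hire with two roles, an unchanged student,
# a departed faculty member, and an orphaned account HR has never heard of.
HR_RECORDS = {
    "alice": {"status": "active", "roles": ["staff", "registrar"]},
    "bob":   {"status": "active", "roles": ["student"]},
    "carol": {"status": "terminated", "roles": ["faculty"]},
}
CURRENT_ACCESS = {
    "alice": {"email", "wifi"},
    "bob":   {"lms", "email", "wifi", "library"},
    "carol": {"lms-instructor", "email", "wifi", "library", "sis-read"},
    "dave":  {"email"},
}

if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, CURRENT_ACCESS):
        print(*action)
```

The point of computing the full desired set from roles, rather than applying per-event changes, is that the same pass handles joiners, movers and leavers and is idempotent; the unknown-role check raises instead of silently granting nothing, so a typo in HR data surfaces as an error rather than as a missing or stale entitlement.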
A security rule of thumb is to minimize points of access. Lumping every application into a single sign-on does present some security risks, though. "It would be a gold mine if someone could get in there and get all those usernames and passwords," Viscuso admits of the VCCS system. For its part, InCommon supports multifactor authentication options for schools that want extra protection. In most cases, stakeholders who need access to sensitive data are issued one-time codes via mobile phone, but plenty of other options are available. Chris Spadanuda, IdM group manager at UW, for example, requires researchers to verify their identity in person when funding from the National Institutes of Health or other government agencies is at stake.
As for cloud-based solutions, El-Haggan actually finds outsourced IdM to be more secure than any on-site option. "When it comes to ID management and provisioning, I don't want it on my campus anymore," he says. "I took a risk in 2009, and I'm very glad I did." Although Coppin does store critical data on distant servers, all of its login information is stored on-site. UW's Shibboleth system works in similar fashion: instead of students and faculty submitting their passwords to third-party apps, the campus sign-on system checks the password itself and sends the app a signed "OK, let them in" message. The password never leaves campus, and the app only has to verify that signature.
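To make the "OK, let them in" exchange and the multifactor option concrete, here is an added example of federated sign-on modelled on the Shibboleth/SAML pattern described above. It is not Shibboleth's, Fischer's or any school's code: the campus identity provider (IdP) checks the password against its own directory and mints a signed, short-lived assertion for one specific application; the application (the service provider, SP) holds no passwords at all and only validates the signature, audience, expiry, replay and, for a sensitive app, the authentication context. The directory entries, entity IDs and HMAC signing key are constructed assumptions; a real IdP signs with an XML-signature key pair whose public key the SP obtains from federation metadata.

```python
"""Federated sign-on in miniature, modelled on the Shibboleth/SAML pattern
described above: the campus identity provider (IdP) checks the password and
issues a signed, short-lived assertion; the cloud application (the service
provider, SP) never sees the password and only validates the assertion.
Added example with constructed data; the HMAC key stands in for the IdP's
real XML-signature key pair and is an assumption of this demo."""
import hashlib
import hmac
import json
import secrets
import time

_SALT = b"constructed-directory-salt"          # one salt for brevity; real directories use per-user salts


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed campus directory. Password hashes live ONLY here, on the IdP.
IDP_DIRECTORY = {
    "jdoe":        {"pw": _hash_pw("correct horse"), "affiliation": "student"},
    "researcher1": {"pw": _hash_pw("grant-review-2011"), "affiliation": "faculty"},
}
IDP_SIGNING_KEY = b"assumed-idp-signing-key"   # assumption: shared secret instead of XML-DSig
ASSERTION_LIFETIME = 300                       # seconds; SAML assertions are similarly short-lived


def idp_login(username, password, audience, mfa_passed=False, now=None):
    """IdP side: authenticate locally, then mint an assertion for one audience.

    Returns None on bad credentials; otherwise a dict with the serialized
    assertion and its signature. No password material is included.
    """
    now = time.time() if now is None else now
    record = IDP_DIRECTORY.get(username)
    if record is None or not hmac.compare_digest(record["pw"], _hash_pw(password)):
        return None
    assertion = {
        "id": secrets.token_hex(8),             # unique ID so the SP can reject replays
        "subject": username,
        "affiliation": record["affiliation"],   # attribute released to the SP
        "audience": audience,                   # which SP this assertion is for
        "issued": now,
        "not_after": now + ASSERTION_LIFETIME,
        "authn_context": "mfa" if mfa_passed else "password",
    }
    payload = json.dumps(assertion, sort_keys=True).encode()
    signature = hmac.new(IDP_SIGNING_KEY, payload, "sha256").hexdigest()
    return {"payload": payload, "signature": signature}


class ServiceProvider:
    """SP side: the cloud app. Holds no passwords, only the IdP's key and a replay cache."""

    def __init__(self, entity_id, require_mfa=False):
        self.entity_id = entity_id
        self.require_mfa = require_mfa          # e.g. a grants system holding NIH data
        self.seen_ids = set()

    def validate(self, assertion, now=None):
        """Return (subject, 'ok') or (None, reason). Order matters: verify the
        signature before trusting anything inside the payload."""
        now = time.time() if now is None else now
        expected = hmac.new(IDP_SIGNING_KEY, assertion["payload"], "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None, "bad signature"
        body = json.loads(assertion["payload"])
        if body["audience"] != self.entity_id:
            return None, "wrong audience"       # assertion minted for a different app
        if now >= body["not_after"]:
            return None, "expired"
        if body["id"] in self.seen_ids:
            return None, "replayed"
        if self.require_mfa and body["authn_context"] != "mfa":
            return None, "mfa required"
        self.seen_ids.add(body["id"])
        return body["subject"], "ok"


if __name__ == "__main__":
    lms = ServiceProvider("sp:lms")
    token = idp_login("jdoe", "correct horse", "sp:lms")
    print(lms.validate(token))                  # ('jdoe', 'ok')
    print(lms.validate(token))                  # (None, 'replayed')
```

Two design points carry over to a real deployment. The audience check is what stops an assertion issued for one cloud app from being presented to another, and the per-app `require_mfa` flag is how an SP expresses Spadanuda's stricter requirement for sensitive data without forcing a second factor on every library or LMS login. Note also that the only secret the SP ever holds is the IdP's verification key; the "gold mine" of usernames and passwords Viscuso worries about stays on the IdP, which is therefore the component to harden.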
Aside from the convenience and beefed-up security features, centralized IdM also seems to be a clear cost-cutter. Coppin's IT department saved 1.5 full-time equivalents when it set up Fischer's on-premise system, and another 1.5 FTEs when it moved to the cloud. "If you are doing IdM manually, you are paying too much money," advises El-Haggan. VCCS has likewise saved tens of thousands of dollars through cloud-sourced printing and centrally managed WiFi alone. And, of course, federations such as InCommon can save institutions from vendor lock-in.
So why haven't more schools implemented central authentication? "A lot of times the barrier is more political than technological," notes Viscuso. While a single sign-on solution was a clear choice for his two-year college system, four-year universities have more researchers, more departments, and more students. A lot of buy-in is required as a result. "You have to have all those people engaged and comfortable, and you have to answer all their questions," says El-Haggan. "IdM isn't just IT--it has to be a campuswide effort."