6 Keys to Identity Management
These best practices will help make your IAM project a long-term success.
An identity and access management (IAM) project on campus can feel like a Sisyphean task: Just when access rights have finally been sorted out, the semester ends--and users change roles, leave campus, or require new processes.
Indeed, a number of IAM challenges confront the higher ed sector:
- Mass onboarding (i.e., setting up access rights for new users) and deactivation at the beginning and end of each semester.
- Different classes of users: Students, faculty, staff, alumni, and visiting scholars often have diverse technical requirements and business processes.
- Widespread use of federation (infrastructure that allows an application to trust an assertion made in another administrative domain about the identity and access rights of a user) to enable cross-institution sign-on.
- Relatively small budgets compared with those found in the business world.
- Very large user populations. Alumni, in particular, can pose challenges because there are more of them every year.
On top of these issues, IT departments face a constantly changing technical landscape: integrating new applications and retiring old ones, complying with privacy rules, and dealing with vendor churn. For instance, Oracle's acquisition of Sun Microsystems will undoubtedly have far-reaching technical and financial implications for many institutions, and the impact of Novell's recent acquisition by Attachmate has yet to be felt.
The following best practices can help overcome such challenges and turn the seemingly endless IAM labor into an IT triumph.
1) Don't Think of It as a Project
Identity and access management is the glue between the business processes that govern user access and the systems that users need to sign into. And since both business processes and systems are always changing, the IAM system must constantly adapt.
For that reason, the most successful IAM initiatives are run as ongoing programs, with permanently assigned staff and budgets, rather than one-off implementation projects. This enables organizations to keep up with change and also to drive user adoption--which is key to getting a return on investment.
2) Deliver New Functionality Frequently
Avoid the big bang approach: Don't take too long to stand up a system, because needs change constantly. If you take a year or more to implement IAM, you may find that the business processes and integrated systems have changed by the time you finish. A good rule of thumb is to deliver something meaningful every three to six months.
3) Measure Results
To justify an ongoing IAM program, it's important to measure user adoption and benefits. Identifying business drivers and the associated metrics can help calculate a return on investment. Sample metrics include:
| Driver | Metric | Measured as |
|---|---|---|
| C | Password-reset call volume | Number of calls per month (average and peak) to the help desk to reset passwords |
| C | Help desk FTEs | Number of full-time equivalent staff required to support peak password-reset call volumes |
| C, P | Setup time | Number of IT work hours required to set up a new user |
| S | Deactivation time | Lag time between notification and deactivation of a departed user |
| C, S | Deactivation effort | Number of IT work hours required to terminate access for a departed user |
| S | Weak passwords | Number of systems that do not enforce length, character set, history, and dictionary rules |
| S | Standard caller authentication | Number of questions asked to authenticate help desk callers |
| C, S | Orphan accounts | Per system: number of user objects minus the number of legitimate users |
| C, S | Dormant accounts | Per system: number of accounts inactive for a certain number of days |
| C, S | Unassociated systems | Number of systems whose unique user identifiers are not mapped to a campuswide identifier |
| S | Admin password change interval | Per system: frequency of change of administrator passwords (in days) |
| C, P | Complexity of identity-change request | Number of different forms used to request changes to user identity data (name, phone, address, department, location, etc.) |
| C, P | Passwords per user | Average number of passwords a user must remember for institution-owned systems |
| C, P | Login prompts per user per day | Average number of times per day that a user must sign into an institution-owned system |

Key: C = Cost reduction; P = User productivity; S = Security
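To make the orphan-account, dormant-account, and unassociated-system metrics from the table concrete, here is an added Python example (not from the article) that computes them from constructed account exports. The registry contents, the system names, the 90-day idle threshold, and the rule that a system counts as "unassociated" when any of its local accounts lacks a campuswide-identifier mapping are all assumptions made for the example.

```python
from datetime import date

# Constructed sample data (not from the article): the campus identity
# registry plus account exports from two downstream systems. 'campus_id'
# is each system's mapping of its local user to the campuswide identifier.
TODAY = date(2011, 5, 1)
REGISTRY = {"jdoe", "asmith", "bwong"}  # legitimate campuswide identifiers
SYSTEMS = {
    "lms": [
        {"user": "jdoe", "campus_id": "jdoe", "last_login": date(2011, 4, 28)},
        {"user": "asmith", "campus_id": "asmith", "last_login": date(2010, 11, 2)},
        {"user": "oldtemp", "campus_id": None, "last_login": date(2010, 1, 15)},
        {"user": "svc_backup", "campus_id": None, "last_login": date(2011, 4, 30)},
    ],
    "library": [
        {"user": "bwong", "campus_id": "bwong", "last_login": date(2011, 4, 1)},
        {"user": "ghost", "campus_id": "ghost", "last_login": None},
    ],
}

def orphan_accounts(accounts, registry):
    """Orphan accounts: user objects minus users mapped to a legitimate campus ID."""
    legitimate = sum(1 for a in accounts if a["campus_id"] in registry)
    return len(accounts) - legitimate

def dormant_accounts(accounts, today, max_idle_days):
    """Dormant accounts: no login within max_idle_days (never-logged-in counts)."""
    def is_dormant(a):
        last = a["last_login"]
        return last is None or (today - last).days > max_idle_days
    return sum(1 for a in accounts if is_dormant(a))

def is_unassociated(accounts):
    """Assumed rule: a system is unassociated if any local ID lacks a campus mapping."""
    return any(a["campus_id"] is None for a in accounts)

def report(systems, registry, today, max_idle_days=90):
    """Per-system orphan/dormant counts plus the campuswide unassociated-system count."""
    rows = {name: {"orphan": orphan_accounts(acc, registry),
                   "dormant": dormant_accounts(acc, today, max_idle_days)}
            for name, acc in systems.items()}
    rows["unassociated_systems"] = sum(1 for acc in systems.values() if is_unassociated(acc))
    return rows

if __name__ == "__main__":
    for name, row in report(SYSTEMS, REGISTRY, TODAY).items():
        print(name, row)
```

Running the exports through `report` on a schedule and charting the counts over time gives the trend line an IAM program can show to justify its budget.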
4) Understand Your Users
Keep in mind that you have multiple user populations, each with distinct user lifecycles and business processes. For that reason, it makes sense to manage onboarding, deactivation, authentication, and access control for each population separately. As the chart below demonstrates, there are many possible deliverables for each segment of users:
| Process | Students | Faculty | Staff | Alumni |
|---|---|---|---|---|
| Automated onboarding | X | X | X | X |
| Automated deactivation | X | X | X | X |
| Request-driven workflow | ? | X | X | ? |
| Enrollment of contact info | X | X | X | X |
| Enrollment of security questions | X | X | X | X |
| Self-service password reset | X | X | X | X |
| Password synchronization | X | X | X | X |
| Privileged ID management | ? | X | X | - |
5) Integrate, Integrate, Integrate
It's vital for an IAM system to integrate with a variety of systems campuswide. Possible integrations include: directories, e-mail systems (internal or hosted), student records systems, administration/finance systems, and research systems.
This year, consider adding new integrations to the mix:
- Automatic provisioning of user e-mail accounts on hosted e-mail systems from vendors such as Google or Microsoft.
- Enabling students, especially in computer science and related disciplines, to provision and de-provision virtual machines on cloud providers such as Amazon EC2.
6) Leverage Student Labor
Higher education organizations often have low budgets--particularly in today's economic climate. Fortunately, they also have a plentiful supply of inexpensive labor for implementing IT systems: students!
Utilize student labor for such tasks as business analysis, integration work, and implementation of business logic--not just initially, but on an ongoing basis. Students can help deploy a first-phase system, evolve the system's capabilities, and then transfer their knowledge to the next generation of student workers, supplying some of the work to make your IAM initiative a long-term success.