Syracuse University: Provisioning Delivers Secure Self Service
By Gary McGinnis
Syracuse University aims to be "the
leading student-centered research university" that d'es everything possible
to improve the day-to-day lives of its 15,000 students.
That means, among other things, eliminating the usual wait to activate a computing
account or the need to call the help desk when forgetting the password to an
e-mail account. Through an online self-service interface that went live in August
2002, Syracuse students can securely activate their computing accounts and perform
other account management functions themselves.
In addition to its primary goal of improving the student experience, Syracuse
saves costs by eliminating the need to staff a temporary office to help students
activate their computing accounts.
Network Access
The challenges faced by Syracuse are familiar to any college or university that
needs to reduce clerical costs, improve customer service, tighten security,
and do a better job of auditing its access control processes. Educational institutions
are currently faced with the challenge of managing complex networks in which
a person's access rights to digital resources must be approved, canceled, or
adjusted numerous times in a single year.
Secure network access is crucial for universities and Syracuse is the perfect
example of why provisioning technologies are a "must-have" technology for the
higher education market.
Provisioning is a secure and cost-effective tool for centralizing university
computing accounts and eliminates the need to hire an enormous part-time staff
to administer and manage the digital resources and multiple accounts for our
ever-changing network of students, faculty, and staff.
Reclaiming Resources
The lack of a central solution for providing account management and other IT
services can drive up administrative costs, especially as schools hire expensive
temporary help to cope with registration crunches, or staff costly help desks
to manage routine problems. Customer service suffers as students stand in long
lines or must wait for regular business hours to contact a staff member to solve
their problem. It is almost impossible to enforce security policies, or to make
sure students are "de-provisioned" at the end of their academic careers, when
access is granted or denied by multiple administrators in multiple departments.
Furthermore, it's critical, now more than ever, that a person's resources are
reclaimed the moment they leave campus or no longer have a legitimate need for
access. In fact, federal regulations like the Student and Exchange Visitor Program
(SEVP), Illegal Immigration Reform and Immigrant Responsibility Act of 1996
(IIRIRA), the USA PATRIOT Act, and others are driving universities to maintain
accurate records of access to resources. The absence of a central provisioning
solution makes it expensive and time consuming to prove compliance with these
new regulations.
Self Service
Syracuse's journey to online self-service began in the fall of 2001. That's
when the department held a series of public forums asking the students which
functions they'd most like to see online. Their requests included the ability
to manage the computing accounts that give them access to e-mail, computing
labs, online storage and printing, and applications such as high-end statistical
packages hosted on shared Unix servers.
Syracuse wanted to improve the students' experience by giving them a global
user name and password that would allow them access to any appropriate system
they needed, from anywhere at anytime. This required us to create a single source
for authentication for our students, in the form of a single database of student
information that could be used to provision the local directories already in
use by different schools and departments across campus.
To accomplish these goals, we considered creating a homegrown solution, as
well as several commercial offerings. After much research and consideration,
Business Layers' eProvision Software was the most appropriate choice for Syracuse,
as it was the best fit for our environment and the most cost-effective system
for our specific needs.
Computing Resources
At Syracuse, we have about 35 organizational units maintaining directories on
platforms ranging from Unix to Windows NT to Novell NetWare. The Unix systems
use Sun Microsystems Inc.'s Sun ONE as their directory; the Novell systems use
Novell Inc.'s eDirectory and Windows NT relies on Microsoft Corp.'s Active Directory.
Our Syracuse team turned to eProvision to populate and update an enterprise
directory that serves as the authoritative source of user information. eProvision
then monitors the enterprise directory for changes and, as necessary, updates
the more than 35 distributed directories used by those applications. While the
provisioning tool is centralized, decision making is not; it's still up to the
owners of the local systems to provide the rules and policies that determine
how users are given access to computing resources.
The first local directories linked to eProvision were the Unix-based systems
that serve between 32,000 and 34,000 user accounts. These systems provide user-focused
services such as e-mail and on-line storage, as well as management of students'
computing accounts. The next stage will involve the Novell systems, with about
15,000 users and then the Windows NT systems with 3,000 to 5,000 users. The
number of user accounts is greater than our 15,000 full-time students because
part-time students, outside researchers, faculty, and staff also have accounts,
further complicated by individuals having multiple accounts on different systems.
Given the numerous and disparate data sources involved in this process, our
team experienced some challenges in supplying the cleanest and most synched
information to the overall provisioning system. We wanted to ensure that we
would have a 360-degree view of the most accurate information for consistent
provisioning throughout our distributed systems. This need was successfully
addressed with a series of systematic data mergers and some manual coding.
While the primary focus is on the students, the school is also rolling out
capabilities to faculty and staff. We don't expect scalability to be an issue.
While the number of current and former user names in the enterprise directory
could eventually grow to the millions at any one time, we'll only have 12,000
to 15,000 students actively maintaining their accounts through eProvision.
Communicating Benefits
The final challenge was getting the word out about the online services. People
are accustomed to getting their password changed by someone else, rather than
being able to do it themselves online. Our group used targeted e-mails, as well
as publicity in the student paper to get the word out. You need to have a good
public relations and communications plan in place to drive use (and the maximum
benefits) of the self-service site.
Most students might not know what "provisioning" is, and that's fine with us.
What matters to the students is, "How do I securely manage my account?" At Syracuse
University, our students can manage their own accounts when and where they want
to—just as it should be in a "student-centered" university.
For more information contact Gary McGinnis, Director of Client Services,
Syracuse University Computing and Media Services Department, at [email protected].