6 Keys to Identity Management

These best practices will help make your IAM project a long-term success.

An identity and access management (IAM) project on campus can feel like a Sisyphean task: Just when access rights have finally been sorted out, the semester ends--and users change roles, leave campus, or require new processes.

Indeed, a number of IAM challenges confront the higher ed sector:

  • Mass onboarding (i.e., setting up access rights for new users) and deactivation at the beginning and end of each semester.
  • Different classes of users: Students, faculty, staff, alumni, and visiting scholars often have diverse technical requirements and business processes.
  • Widespread use of federation (infrastructure that allows an application to trust an assertion made in another administrative domain about the identity and access rights of a user) to enable cross-institution sign-on.
  • Relatively small budgets compared with those found in the business world.
  • Very large user populations. Alumni, in particular, can pose challenges because there are more of them every year.

On top of these issues, IT departments face a constantly changing technical landscape: integrating new applications and retiring old ones, complying with privacy rules, and dealing with vendor churn. For instance, Oracle's acquisition of Sun Microsystems will undoubtedly have far-reaching technical and financial implications for many institutions, and the impact of Novell's recent acquisition by Attachmate has yet to be felt.

The following best practices can help overcome such challenges and turn the seemingly endless IAM labor into an IT triumph.

1) Don't Think of It as a Project
Identity and access management is the glue between the business processes that govern user access and the systems that users need to sign into. And since both business processes and systems are always changing, the IAM system must constantly adapt.

For that reason, the most successful IAM initiatives are run as ongoing programs, with permanently assigned staff and budgets, rather than one-off implementation projects. This enables organizations to keep up with change and also to drive user adoption--which is key to getting a return on investment.

2) Deliver New Functionality Frequently
Avoid the big bang approach: Don't take too long to stand up a system, because needs change constantly. If you take a year or more to implement IAM, you may find that the business processes and integrated systems have changed by the time you finish. A good rule of thumb is to deliver something meaningful every three to six months.

3) Measure Results
To justify an ongoing IAM program, it's important to measure user adoption and benefits. Identifying business drivers and the associated metrics can help calculate a return on investment. Sample metrics include:

Driver

Metric

Measured as

C

Password-reset call volume

Number of calls per month (average and peak) to the help desk to reset passwords

C

Help desk FTEs

Number of full-time equivalent staff required to support peak password-reset call volumes

C, P

Setup time

Number of IT work hours required to set up a new user

S

Deactivation time

Lag time between notification and deactivation of a departed user

C, S

Deactivation effort

Number of IT work hours required to terminate access for a departed user

S

Weak passwords

Number of systems that do not enforce length, character set, history, and dictionary rules

S

Standard caller authentication

Number of questions asked to authenticate help desk callers

C, S

Orphan accounts

Per system: number of user objects minus the number of legitimate users

C, S

Dormant accounts

Per system: number of accounts inactive for a certain number of days

C, S

Unassociated systems

Number of systems whose unique user identifiers are not mapped to a campuswide identifier

S

Admin password change interval

Per system: frequency of change of administrator passwords (in days)

C, P

Complexity of identity-change request

Number of different forms used to request changes to user identity data (name, phone, address, department, location, etc.)

C, P

Passwords per user

Average number of passwords a user must remember for institution-owned systems

C, P

Login prompts per user per day

Average number of times per day that a user must sign into an institution-owned system

Key: C = Cost reduction; P = User productivity; S = Security

4) Understand Your Users
Keep in mind that you have multiple user populations, each with distinct user lifecycles and business processes. For that reason, it makes sense to manage onboarding, deactivation, authentication, and access control for each population separately. As the chart below demonstrates, there are many possible deliverables for each segment of users:

User population

Process

Students

Faculty

Staff

Alumni

Automated onboarding

X

X

X

X

Automated deactivation

X

X

X

X

Request-driven workflow

?

X

X

?

Enrollment of contact info

X

X

X

X

Enrollment of security questions

X

X

X

X

Self-service password reset

X

X

X

X

Password synchronization

X

X

X

X

Privileged ID management

?

X

X

-

5) Integrate, Integrate, Integrate
It's vital for an IAM system to integrate with a variety of systems campuswide. Possible integrations include: directories, e-mail systems (internal or hosted), student records systems, administration/finance systems, and research systems.

This year, consider adding new integrations to the mix:

  • Automatic provisioning of user e-mail accounts on hosted e-mail systems from vendors such as Google or Microsoft.
  • Enabling students, especially in computer science and related disciplines, to provision and de-provision virtual machines on cloud providers such as Amazon EC2.

6) Leverage Student Labor
Higher education organizations often have low budgets--particularly in today's economic climate. Fortunately, they also have a plentiful supply of inexpensive labor for implementing IT systems: students!

Utilize student labor for such tasks as business analysis, integration work, and implementation of business logic--not just initially, but on an ongoing basis. Students can help deploy a first-phase system, evolve the system's capabilities, and then transfer their knowledge to the next generation of student workers, supplying some of the work to make your IAM initiative a long-term success.

Featured