IT Security
Identity and Access Management: A Discipline, Not a Project
Getting IAM right can take some serious planning and analysis plus a commitment to continued evolution over the long term. Here, three universities share their experiences.
When Tom Dugas was named director of information security and chief information security officer (CISO) at Duquesne University (PA) three years ago, one of the first things he did was to draw a matrix of all the roles and computer access points people had on campus as well as the identity and access management (IAM) systems being provisioned in-house. He knew that before developing a roadmap for the long-term IAM evolution at Duquesne, he had to have a clear picture of the current environment.
"That work was not trivial," he recalled. "It took a dozen people from human resources, enrollment systems, enterprise IT and the help desk to create it."
Like many universities, Duquesne's IAM systems were largely home-grown, and while they were not broken, many involved too many manual processes and end-user hand-holding, Dugas said. Now that the university is looking to implement a new solution, one goal is to create more dynamic and automated processes that allow it to provision and deprovision services more fluidly.
IAM efforts run the risk of getting siloed if IT and information security teams fail to engage the communities they serve to better understand their needs. To avoid this common pitfall, Dugas created a cross-functional team made up of people from different parts of the campus community to talk about IAM. "At first, everyone said their experiences were good," he recalled. "But as we peeled back the layers of the onion, we found manual processes using an exorbitant amount of time, that we could be doing smarter. That is where we are now." As his team recently worked with consultants to prepare a request for proposals from vendors, Dugas said Duquesne was highly likely to look at cloud solutions. "The market has shifted that way in the last 24 to 36 months," he said.
Taking Time to Get It Right
Sharon Pitt, vice president for information technologies and chief information officer at the University of Delaware, said the efforts to get IAM right are nothing new. "I remember talking about it 20 years ago," she said. "It is a nut we have been trying to crack in IT for a long time, and it is a particularly challenging nut in higher education when you have so many kinds of roles and even people playing multiple roles." (For instance, Dugas is both a part-time faculty member at Duquesne and an administrator.) To address these needs, universities tend to put together integrations, scripts and automated processes and end up having 20 systems to ensure they have a workable solution.
When she arrived at Delaware in December 2017, Pitt said, the university was "in a solid place but really not a mature place in terms of how we wanted to be with IAM. We are moving toward that." She added that having great project managers and business analysts is important: "If you partner and communicate effectively, there may be an opportunity to consolidate roles and access points."
Delaware is in the process of hiring an identity and access management specialist who will report to the enterprise application team, she said, and the newly hired CISO will also be closely involved.
Like other CIOs, Pitt recognizes that IAM is more of a discipline than a project. "This is not something where you work on it and then you are done," she said. "You need to have flexibility in your environment to take on new use cases, because they will crop up."
Indeed, new use cases are a common occurrence at Duquesne, Dugas said. For instance, one of the university's stated goals is to engage the local community more deeply, and that may involve community members using Duquesne's computing environment. "We are not positioned for that yet," he admitted.
In addition, while Dugas' team was creating its matrix of current IAM needs, university administrators decided they wanted to add recently admitted students to the mix. "The university decided it was critical to get them in as early as possible to have them feel a sense of community," he explained. "If we made it difficult for them to gain access, with hoops that are hard to jump through, they might have a bad experience out of the gate," he said. "Getting that right was a big effort, but it was valuable work."
Lessons Learned From an IAM Revamp
If Duquesne and Delaware still have work to do on the IAM front, Harvard University (MA) has already done a lot of the heavy lifting. From 2013 through 2017, Harvard made a concerted effort to revamp the IAM experience for the campus community. Among the major benefits achieved in the project branded HarvardKey, according to project documents available online:
- One login for life has replaced an average of six-plus logins per user;
- University-wide adoption of standardized and improved passwords with associated two-factor authentication dramatically increases security; and
- All schools across Harvard are integrated with common user identities that enable university e-mail, HarvardPhone and more than 2,000 other applications.
According to TimVaverchak, program director, identity & access management, in the Harvard University Information Technology (HUIT) organization, the University Identity and Access Management (UIAM) effort began with careful planning. It was important to lay out the context and vision for the effort in the IAM Program Plan created in the first six months of the program, he said: "I believe it was a key foundation to ensure the program delivered on the value proposition over many years and changes in leadership." As mentioned in the plan, the vision of the program was to: "Provide users, application owners and IT administrative staff with secure, easy access to applications; solutions that require fewer login credentials; the ability to collaborate across and beyond Harvard; and improved security and auditing."
"We have made tremendous gains in standardizing and securing our environment through the HarvardKey deployment," Vaverchak said, "and we are continuing grow our service offerings and work with our schools to drive consistent process adoption throughout the university."
Still, there were some initial false starts during the IAM improvements. When the University IT Strategic Plan was first developed, the CIOs of the various schools of Harvard recognized that there would be great value in sharing common identity, authentication and authorization functions across the university, Vaverchak explained. It took some time, however, to be able to coalesce that felt need into terms and a vision that could be recognized by other leaders across the university. "Prior to the UIAM program, there were several efforts that focused more on the technology than on the business process changes that the program would enable," he said. "In each instance, it became apparent that a technology-driven effort would be more challenging to message, build support for, and track over time. The efforts to scope the program in business terms led to the [final] IAM Program Plan."
Early in the project, the Harvard team recognized that an internal branding effort would be important for engaging constituents. Each user received a new identity known as their "HarvardKey."
"Quickly our users were able to understand the concept of the Key as their tool to access online resources," Vaverchak explained. "Until we had that brand identified, it was very hard to communicate to external users what the UIAM project was trying to achieve. After the definition of the brand, we had a very tangible product that we could craft our messaging around and something for both our consumers and staff to visualize as we advanced the program."
Like Duquesne, Harvard also decided on a cloud-first strategy for the project. "The cloud provided both a cost savings and most importantly a dynamic environment to allow us to quickly scale and size infrastructure to meet our expanding needs," Vaverchak said. It has also yielded benefits beyond IAM: "Being able to leverage cloud services has meant that we can constantly adapt and modify our environments to meet our changing requirements — and that has helped grow DevOps skill sets across the team, which has made us a more agile and responsive shop overall."
