The Complete Guide to Selecting an IAM Solution Designed for Higher Education

Graduate into the Future with a Modern Solution Built to Address Higher Ed's Unique Identity and Access Management Challenges

While colleges and universities deal with many of the same Identity and Access Management (IAM) challenges as corporations, they also must overcome a number of challenges not found in other enterprise deployments. However, nearly all of today’s commercial IAM systems were designed to address commercial enterprise use cases out of the box; anything beyond that requires ad-hoc customization or a services engagement.

Time and time again, the following eight use cases come up in our conversations with colleges and universities. It’s likely your institution is also dealing with these challenges. Perhaps you’ve even accepted that these struggles are inevitable—but they don’t have to be. By choosing an IAM solution built for higher education—one that addresses these challenges without customization or services engagements—you can reclaim hundreds of hours for IT to spend on more strategic projects. Here's what you need to know.



Common Identity Challenges in Higher Education

Before digging into Higher Ed’s unique identity use cases, let’s take a quick look at the macro challenges schools consistently tell us they're up against:

  1. Working with limited budgets and resources. Colleges and universities must work with limited resources relative to their complexity and size. They need a pricing model that’s designed to scale to meet budgets of all sizes.

  2. Spending too much time on manual identity tasks. Schools want to automate and streamline tasks associated with identity, and therefore, must choose solutions with strong Identity Lifecycle Management capabilities.

  3. Managing decentralized and distributed IT organizations. University systems encompass large numbers of colleges, departments, and offices that often have their own IT infrastructure, policies, procedures, and security tools.

  4. Shifting security responsibilities to IT. IAM is no longer simply an operational IT tool. As IT departments take on more security responsibilities, IAM must be at the core of security.

  5. Moving toward multi-factor authentication (MFA). Schools face a growing set of compliance obligations with stringent security requirements: FERPA, HIPAA, HITECH, PCI DSS, and the Gramm-Leach-Bliley Act (GLBA). While some schools have off-the-shelf MFA tools for privileged accounts, most don't have MFA integrated with their IAM system.

Chapter 1

Aging Homegrown and Legacy Systems

Open-source, legacy, and homegrown IAM systems are common in Higher Ed. When these systems were implemented, they might have met the college or university’s needs. However, open-source and homegrown systems rarely age well, because no one is funded or incentivized to keep developing them. Moreover, many homegrown solutions were created by one or two individuals who have since left the organization.

When these individuals leave, all too often, the institution’s CIO or IT leadership discovers that the entire identity program is bound in the duct tape of archaic coding. This leaves the IT team in a panic. They realize that these homegrown and legacy systems are putting the college or university at risk—they weren’t built with security in mind. Instead, they were built for the sole purpose of managing identities.

On top of these problems, schools must contend with flat or even shrinking budgets and headcount. The IT department is told to do more with less, but leadership isn’t sure where to start. Many legacy IAM systems are expensive to maintain, costly to fix or enhance, and poorly supported by their vendors, if they are supported at all.

With legacy and homegrown IAM systems, many identity-related tasks, such as deprovisioning, are highly manual, time-consuming, and laborious. As a result, there’s a risk of human error, as well as orphan accounts being left open.

Modern IAM solutions solve these problems by automating repetitive tasks, such as account claim and creation, password changes, provisioning, and deprovisioning. This is especially helpful at the beginning of a new semester, when such tasks can be overwhelming for IT staff. With real-time provisioning, users immediately gain access to needed resources, and changes are automatically made throughout all downstream systems—without the need for IT to make the same change in multiple systems.

With modern IAM solutions, schools can delegate control of new account creation, role and group assignment, and access requests from the IT team to the appropriate business managers. These solutions also offer self-service capabilities that allow users to make common system requests, such as password resets, themselves. This dramatically reduces IT help-desk burden, while improving end-user experience.

 

The University of Houston Downtown Makes the Move to Modern IAM

The University of Houston Downtown wanted to migrate completely to Active Directory (AD). There was a problem, though—they were using Novell’s IAM system, which had been implemented long ago. The Novell system’s dependence on eDirectory prevented such a migration.

However, the university’s decision to adopt Microsoft Office 365 was the mandate it needed to make the shift to a Microsoft-friendly, modern IAM solution. After evaluating a number of solutions that were cost-prohibitive, UH Downtown chose Identity Automation’s RapidIdentity because of the solution’s affordable pricing and strong identity lifecycle management capabilities.

With RapidIdentity in place, the university was able to create an AD metaverse that syncs three distinct AD forests. There is also full identity lifecycle management for all users—students, alumni, prospective students, current and former faculty and staff, and contingent workers. Moreover, RapidIdentity integrates into Ellucian Banner, Office 365, and other cloud-based operational and productivity applications.

Chapter 2

Multiple Affiliations

In an enterprise, users tend to hold a single role, with a single set of access privileges. However, in the realm of higher education, it’s common for users to have multiple affiliations (roles). Students might work as staff, faculty might be enrolled in classes, and graduate students can also be alumni.

The issue with IAM systems built for commercial enterprises is that they don’t account for more than one ID number being assigned to a single person (for example, a student who is also a school employee, with one ID from the SIS and another from HR). Instead, they treat these IDs as separate users, which means that a user with multiple affiliations must manage multiple identities in AD and downstream systems, and the IT department has to provision and manage all of these credentials.

With the right IAM solution in place, this doesn’t have to be the case. Some modern IAM solutions are able to recognize multiple affiliations per user, so a user can have one account for multiple roles, which eases the strain on help-desk staff and simplifies matters for the end-user.

These modern IAM solutions use multi-attribute matching and validation to check whether a set of predetermined attributes attached to a particular ID (such as birthdate, email address, phone number, home address, and school address) match those of an existing identity. One of two things then happens, depending on the business rules that have been established: matching records are merged automatically, or they are flagged for IT to review. The thresholds deserve care. Attributes that are legitimately shared (a home address or phone number among family members) produce false matches, and an automatic merge of two different people hands one of them the other’s access, so automatic merges should require several independent attributes to agree and anything weaker should go to review.
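The following is an added example of that matching logic, written for this guide and not taken from RapidIdentity or any other product. The attribute weights, the merge and review thresholds, and the HR/SIS sample records are constructed assumptions; the point is to show that cosmetic differences are normalized away before comparison, that a same-source pair is never merged automatically, and that a shared household phone or address on its own only earns a review.

```python
"""Multi-attribute identity matching across HR and SIS records.

Added example, not RapidIdentity code. The attribute weights, thresholds
and sample records are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Weights are assumptions: an e-mail or phone number is rarely shared,
# while a birthdate or home address often is (siblings, roommates).
ATTRIBUTE_WEIGHTS = {
    "birthdate": 1,
    "email": 2,
    "phone": 2,
    "home_address": 1,
    "school_address": 1,
}
AUTO_MERGE_SCORE = 4   # assumed business rule: merge without human review
REVIEW_SCORE = 2       # assumed: not enough to merge, enough to flag for IT


@dataclass
class Record:
    source: str          # "HR" or "SIS"
    source_id: str       # ID number in that source system
    first_name: str
    last_name: str
    birthdate: str = ""
    email: str = ""
    phone: str = ""
    home_address: str = ""
    school_address: str = ""


def normalize(attr: str, value: str) -> str:
    """Canonicalize a value so cosmetic differences do not break a match."""
    value = value.strip().lower()
    if attr == "phone":
        return re.sub(r"\D", "", value)                   # digits only
    if attr in ("home_address", "school_address"):
        return re.sub(r"[\s,.]+", " ", value).strip()     # collapse punctuation
    return value


def match_score(a: Record, b: Record) -> int:
    score = 0
    for attr, weight in ATTRIBUTE_WEIGHTS.items():
        va = normalize(attr, getattr(a, attr))
        vb = normalize(attr, getattr(b, attr))
        if va and vb and va == vb:                        # empty values never match
            score += weight
    return score


def decide(a: Record, b: Record) -> str:
    """Return 'merge', 'review' or 'distinct' for one pair of records."""
    if a.source == b.source:
        return "distinct"   # two IDs inside one authoritative system: never auto-merge
    score = match_score(a, b)
    same_surname = normalize("name", a.last_name) == normalize("name", b.last_name)
    # A surname mismatch does not block a match (name changes are common),
    # but it downgrades an automatic merge to a human review.
    if score >= AUTO_MERGE_SCORE and same_surname:
        return "merge"
    if score >= REVIEW_SCORE:
        return "review"
    return "distinct"


def reconcile(records):
    """Compare every pair; return {(id_a, id_b): decision} for pairs that
    are not clearly distinct."""
    out = {}
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            d = decide(a, b)
            if d != "distinct":
                out[(f"{a.source}:{a.source_id}", f"{b.source}:{b.source_id}")] = d
    return out


# Constructed sample: one person in both HR and SIS (cosmetic differences
# only), a sibling sharing the household phone and address, and a stranger.
SAMPLE = [
    Record("HR", "E1001", "Maria", "Garcia", "1998-04-12", "MGarcia@example.edu",
           "(713) 555-0101", "12 Oak St, Houston TX", "Bldg A Rm 210"),
    Record("SIS", "S2002", "Maria", "Garcia", "1998-04-12", "mgarcia@example.edu",
           "713-555-0101", "12 Oak St., Houston, TX"),
    Record("SIS", "S2003", "Luis", "Garcia", "2001-09-30", "lgarcia@example.edu",
           "713-555-0101", "12 Oak St, Houston TX"),
    Record("SIS", "S2004", "An", "Nguyen", "1999-01-05", "anguyen@example.edu",
           "713-555-0150", "7 Pine Ave, Houston TX"),
]

if __name__ == "__main__":
    for pair, decision in reconcile(SAMPLE).items():
        print(pair, "->", decision)
```

Running it merges HR:E1001 with SIS:S2002 (birthdate, email, phone and address all agree once normalized) and sends HR:E1001 / SIS:S2003 to review (shared phone and address, different birthdate and email). The two SIS records are never compared for a merge because they come from the same authoritative system.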

 

Chapter 3

Preferred Name Changes

It’s not uncommon for the name you were given at birth to change. This could happen for a number of reasons, including marriage, divorce, or a shift in gender identity. Under the Obama administration, the Departments of Education and Justice released guidance on schools’ responsibilities to transgender students. If universities and colleges want to continue receiving public funds, avoid reputation damage, and promote a positive student experience, they must comply with these rules. 

However, IT teams are struggling with technical limitations that hamper their efforts to follow these evolving rules, especially in a timely and automated manner. While manual processes may have accomplished the job in the past, they’re time-consuming and prone to error. Names and usernames must be updated in all systems, including numerous downstream systems, and it’s easy to overlook one. There’s also the problem of IT not knowing which applications the end-user has access to. 

What IT departments need is an IAM solution built for higher education. When a name change is needed, these modern solutions have a built-in naming algorithm that automatically checks against AD and a personal registry (a collection of all usernames and associated IDs that have ever existed) and then creates a new, unique username for the user.

The IAM system then makes changes to the directory services and across all applications and resources to which the end-user has access. All it takes is a single update to the end-user’s account in the IAM solution’s dashboard. What happens to the end-user’s old email address? It becomes an alias of the user’s new email address, so mail sent to the old name still reaches them. Accounts with the end-user’s previous name are automatically disabled, so they’re not left orphaned, and the previous username is permanently retired so that no one else can ever be issued it. That last step matters for security as well as tidiness: a recycled username or email address would otherwise let a later, unrelated user receive mail, password-reset links, and shared documents still addressed to the original holder.
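The following added example (written for this guide, not RapidIdentity code) shows the mechanics of that name-change flow: a naming rule generates a candidate username, the candidate is checked against both the live directory and a registry of every username ever issued, the old address becomes an alias of the new account, and the old account is disabled rather than deleted. The naming rule (first initial plus surname, numeric suffix on collision), the in-memory directory and registry, the mail domain, and the sample people are all assumptions.

```python
"""Username re-issue on a name change, with a permanent username registry.

Added example, not RapidIdentity code. The naming rule, the in-memory
"AD" and registry, the mail domain and the sample users are assumptions.
"""
import re
from dataclasses import dataclass, field

MAIL_DOMAIN = "example.edu"   # assumed


@dataclass
class Registry:
    """Every username ever issued, mapped to the person it belonged to.
    Entries are never deleted, so a retired username cannot be re-issued,
    not even to the same person; that is what stops a later account from
    receiving mail or reset links addressed to an earlier holder."""
    issued: dict = field(default_factory=dict)      # username -> person_id


@dataclass
class Account:
    person_id: str
    username: str
    mail_aliases: list = field(default_factory=list)
    enabled: bool = True


def base_username(first: str, last: str) -> str:
    """Assumed naming rule: first initial + surname, ASCII letters only."""
    return re.sub(r"[^a-z]", "", (first[:1] + last).lower()) or "user"


def next_unique(base: str, directory: dict, registry: Registry) -> str:
    """First candidate absent from the live directory *and* the registry.
    Checking the registry, not just the directory, is the point: a name
    that was deleted from AD years ago must still not come back."""
    candidate, n = base, 1
    while candidate in directory or candidate in registry.issued:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def create_account(person_id, first, last, directory, registry) -> Account:
    username = next_unique(base_username(first, last), directory, registry)
    acct = Account(person_id, username)
    directory[username] = acct
    registry.issued[username] = person_id
    return acct


def rename_account(person_id, new_first, new_last, directory, registry) -> Account:
    """Issue a new username for a name change: the old mailbox address
    becomes an alias of the new account, the old account is disabled (not
    deleted), and the old username stays blocked in the registry."""
    old = next(a for a in directory.values() if a.person_id == person_id and a.enabled)
    new_name = next_unique(base_username(new_first, new_last), directory, registry)
    new = Account(person_id, new_name,
                  mail_aliases=[f"{old.username}@{MAIL_DOMAIN}"] + old.mail_aliases)
    old.enabled = False
    directory[new_name] = new
    registry.issued[new_name] = person_id
    return new


if __name__ == "__main__":
    directory, registry = {}, Registry()
    jane = create_account("P1", "Jane", "Doe", directory, registry)    # jdoe
    john = create_account("P2", "John", "Doe", directory, registry)    # jdoe2
    jane = rename_account("P1", "Jane", "Smith", directory, registry)  # jsmith, alias jdoe@
    james = create_account("P3", "James", "Doe", directory, registry)  # jdoe3, never jdoe
    for a in directory.values():
        print(a.username, a.person_id, "enabled" if a.enabled else "disabled", a.mail_aliases)
```

The scenario in the main block is the one the text describes: after Jane Doe becomes Jane Smith, a newly arriving James Doe gets jdoe3, because jdoe is still in the registry even though its account is disabled.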

  


Chapter 4

Transient Users at Massive Scale

While enterprises face some level of transience, higher education institutions, especially community colleges, must deal with it on a massive scale. Students and teachers flow in and out of the system, sometimes taking several semesters off before returning and sometimes never returning at all. This revolving door of user identities creates challenges for the IT teams that must grapple with these complex transient user lifecycles.

Legacy IAM systems (as well as many modern IAM tools) were designed for commercial enterprise usage, where employees have long-term accounts, and as a result, they don’t effectively scale. Increases in users often lead to performance issues. Large waves of transient users can also cause massive delays in onboarding as IT staff must pick and choose where to apply their limited bandwidth.

The end result is a very busy help desk. With the average 15-minute call to the help desk to resolve identity administration issues costing $31, soft costs add up quickly, especially when multiplied by thousands of users. Moreover, these issues negatively impact end-user experience when students have to wait for access to critical resources, such as online course materials and homework assignments.

How can modern IAM solutions help? Well, not all can. That’s why it’s important to find a solution with proven scalability. For example, RapidIdentity was designed for massive deployments, with proven support for 1,000 to 10 million users, without any performance deterioration.

The right IAM solution can automate the complex lifecycle management of a large and unpredictable user base—without the need for ad-hoc scripting, external resources, or staff increases. This means automating IAM tasks, such as onboarding, creating accounts, providing user IDs and passwords, granting access to resources, account changes, and offboarding. In addition, self-service password resets and delegated user management capabilities further save time, money, and frustration.

 

How Lone Star College Manages Transient Users at Scale with RapidIdentity

With over 100,000 active students and 6,000 employees spread across 19 campuses, Lone Star College is the third-largest education system in the country. Up to 40 percent of students are transient users. 

“We’re constantly onboarding new Lone Star College students,” says Link Alander, Vice Chancellor and CIO, Lone Star College. “And with our prior IAM solution, it was an overwhelming burden.”

To manage this number of transient users, Lone Star implemented RapidIdentity as its IAM solution. RapidIdentity was able to scale to handle large fluctuations in transient users without performance issues or staff increases, whereas other IAM solution vendors Lone Star looked at recommended IT staff increases of three or more full-time employees.

After implementing RapidIdentity, the college’s IT staff saw help-desk calls related to passwords drop from 90,000 to 45,000 per year—a soft cost savings of $400,000 per year. 

“Identity Automation enabled us to drive workload efficiencies and cost savings while dramatically improving the experience for students and staff,” says Alander.

Chapter 5

The Spike in Contingent Workers

Contingent workers in education have become the new normal. A recent study found that contingent faculty accounted for at least half of all instructors at all types of institutions, ranging from 50 percent at public research universities to 80 percent at community colleges. In fact, the rate of contingent and part-time faculty has grown at 10 times the rate of tenure-track faculty, leading to a fundamental shift in higher education.

Colleges and universities have realized it’s cheaper to hire contingent faculty than full-time, salaried professors. While this move might save schools money, it creates a number of challenges for the IT departments that must manage the identities of these contingent workers. Most IAM systems don’t have an easy way to manage external users who don’t exist in the authoritative HR or SIS systems.

As a result, the processes for creating and provisioning accounts for these contingent and external users are manual. Furthermore, when the workers leave, there isn’t a process in place to notify IT, and frequently, no one does due diligence. The school is left with orphan accounts, to which the former contingent workers still have access. That’s a security risk, especially if the people have access to sensitive data.


Some modern IAM solutions are designed to help colleges and universities meet the challenge of contingent workers. These solutions offer out-of-the-box functionality and workflows designed specifically for managing external users. With these solutions, it’s possible to manage the entire identity lifecycle of all external users in the same automated way as full-time staff and students, without having to add them to authoritative systems.

In fact, deprovisioning contingent workers can be made easier by implementing time-based access certification that automatically revokes access when it expires, so a departure that no one reported still ends in a closed account. IAM solutions can also bring contingent workers under the same single sign-on and multi-factor authentication policies as full-time staff, so that external accounts are not the weakest point of entry.

 

Chapter 6

Manual, Ad-Hoc Access Requests

The variety and volume of network and access requests at colleges and universities is enormous. Visiting students and faculty are a fact of life, and they need to use college resources, which means they require access.

The problem is that because these faculty and students work or study at a partner university or college, they don’t exist in the HR or SIS of the school they are visiting—a dilemma similar to that of the contingent workers discussed in the previous section. To provide access, accounts and IDs typically must be created in an ad-hoc, manual manner.

The burden to create and manage these new user accounts and IDs falls to IT staff—often on the fly, as they may not be warned of the new arrivals until the last minute. Additionally, these requests are generally made through paper forms, by email, or in person—methods that are cumbersome and time-consuming. As a result, delays, errors, and potential compliance and security vulnerabilities are all but inevitable. Without the right tools, IT staff’s time and resources can easily be consumed fulfilling these requests.


Here’s how modern IAM can help: a best-of-breed solution automates user account creation through policy-driven workflows, regardless of what kind of account is required. An easy-to-configure workflow engine turns ad-hoc requests into light work—higher education institutions can effortlessly manage nontraditional user access, administer approvals for digital and physical resources, provide time-controlled access certification, and delegate approvals to individual function owners. The best part is that no custom coding or scripts are needed to make this happen.

 

Houston Community College Tackles Ad-Hoc Requests With RapidIdentity

Houston Community College (HCC) is the fourth-largest community college in the US, with 80,000 students, faculty, and staff. The school serves a vast external community, resulting in the need to manage 140,000 user accounts. HCC leveraged its IAM solution, RapidIdentity, to simplify and streamline a number of ad-hoc access requests that were once a manual time-drain for IT staff, including:

Paperless Temporary Access Requests. What once required multiple printed forms and constant shepherding is now an automated, online process that creates temporary accounts, user IDs, and passwords, as well as provisions appropriate access entitlements to buildings and systems.

VPN Group Management in Minutes. User accounts are now added and removed in batches from the VPN group directory by an automated workflow—a process that once took a dedicated administrator hours each day.

Hassle-Free Public Library and Lab Access. Library and lab managers delegate the authority to request temporary user IDs and passwords to frontline workers via workflow, while a second workflow automates the creation of user IDs and passwords. For security purposes, entitlements are time-limited to two weeks, and a searchable, standalone database captures all activity associated with these user IDs.

Chapter 7

Increasing Cyber Attacks & Compliance Requirements

Cyber attacks are on the rise in higher education. One study found that over the course of eight years, 13.9 million passwords and email addresses of staff, students, and faculty were bought and sold on the dark web. Ransomware is also a growing issue: one in 10 educational organizations has been hit with this type of attack.

At the same time, universities and colleges must comply with increasingly stringent regulations and standards, such as FERPA, HITECH, HIPAA, PCI DSS, GDPR, NIST SP 800-171, and the Gramm-Leach-Bliley Act (GLBA). These mandate stronger security measures to combat growing cyber security threats. More and more, this means encouraging or flat-out requiring multi-factor authentication. Schools that fail to comply face harsh penalties, including fines, loss of access to federal funds, and reputation damage.

Many in higher education may view increased security and MFA as hindering their collaborative, open-data culture. However, with the right solution, security and user experience can go hand in hand.

By putting a modern IAM solution that’s purpose-built for higher education at the core of a security program, colleges and universities can implement secure access controls, automated provisioning and deprovisioning, and privileged access management for a large number of users and devices.

Moreover, look for a solution that offers integrated MFA capabilities. These solutions enable schools to deploy extra authentication factors in addition to or in place of passwords. With MFA in place, even if a student or faculty member falls prey to a phishing scam and their username and password are stolen, access to that person’s accounts and sensitive data is still protected.

Furthermore, by implementing strong, risk-based authentication, schools can tailor the level of authentication to the risk level of a given situation—for example, requiring more stringent authentication when a staff member accesses sensitive student financial data. This ensures that low-risk activities aren’t inappropriately burdensome and high-risk activities aren’t too easy. 
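The following added example (written for this guide, not RapidIdentity code) shows what such a risk-based policy looks like once written down: each request carries a few signals, the sensitivity tier of the target application sets a baseline, and the outcome is one of allow, step-up (prompt for a second factor now) or deny. The resource tiers, signal weights, the 15-minute freshness window for sensitive data, and the lockout threshold are all assumptions chosen to illustrate the staff-accessing-financial-data case from the text.

```python
"""Risk-based (step-up) authentication decision.

Added example, not RapidIdentity code. The resource tiers, risk signals,
weights, freshness window and thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed classification: higher tier = more sensitive data behind the app.
RESOURCE_TIER = {
    "lms": 1,              # course materials, assignments
    "email": 1,
    "registrar": 2,        # grades and enrollment records (FERPA)
    "financial-aid": 3,    # student financial data (GLBA)
    "hr-payroll": 3,
}
FRESH_MFA_MINUTES = 15     # assumed: how recent a second factor must be for tier 3
LOCKOUT_FAILURES = 10      # assumed: beyond this, don't even offer a prompt


@dataclass
class Context:
    user: str
    resource: str
    known_device: bool                 # device previously enrolled by this user
    on_campus_network: bool
    mfa_age_minutes: Optional[int]     # minutes since last second-factor check, None if never
    failed_logins_last_hour: int
    privileged: bool = False           # admin or staff with elevated rights


def tier(resource: str) -> int:
    return RESOURCE_TIER.get(resource, 2)   # unclassified apps are treated as tier 2


def risk_score(ctx: Context) -> int:
    """Additive risk signals on top of the resource tier (weights assumed)."""
    score = tier(ctx.resource)
    if not ctx.known_device:
        score += 2
    if not ctx.on_campus_network:
        score += 1
    if ctx.failed_logins_last_hour >= 3:
        score += 2
    if ctx.privileged:
        score += 2
    return score


def required_assurance(ctx: Context) -> str:
    """'password', 'mfa', 'mfa-fresh' or 'deny'."""
    if ctx.failed_logins_last_hour >= LOCKOUT_FAILURES:
        return "deny"              # looks like a spray/brute-force run
    if tier(ctx.resource) >= 3 or ctx.privileged:
        return "mfa-fresh"         # sensitive data or rights: always a recent second factor
    if risk_score(ctx) >= 4:
        return "mfa"
    return "password"


def decide(ctx: Context) -> str:
    """Combine the requirement with what the session has already proved:
    'allow', 'step-up' (prompt for a second factor now) or 'deny'."""
    need = required_assurance(ctx)
    if need == "deny":
        return "deny"
    if need == "password":
        return "allow"
    if need == "mfa-fresh":
        fresh = ctx.mfa_age_minutes is not None and ctx.mfa_age_minutes <= FRESH_MFA_MINUTES
        return "allow" if fresh else "step-up"
    # need == "mfa": any second factor completed earlier in this session is enough
    return "allow" if ctx.mfa_age_minutes is not None else "step-up"


if __name__ == "__main__":
    # Constructed requests: a student reading course material on a known
    # laptop on campus, the same student from an unknown device off campus,
    # and a staff member opening financial-aid data an hour after their last MFA.
    for ctx in (Context("s1", "lms", True, True, None, 0),
                Context("s1", "lms", False, False, None, 0),
                Context("staff1", "financial-aid", True, True, 60, 0)):
        print(ctx.user, ctx.resource, "->", required_assurance(ctx), "/", decide(ctx))
```

The low-risk student request passes on a password alone, the same student from an unknown device off campus is stepped up, and the staff member is re-prompted for a second factor before touching financial-aid data even though they completed MFA an hour earlier, which is the "more stringent authentication for sensitive student financial data" case the text describes.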

Colleges and universities can also leverage users’ existing mobile devices to implement cost-effective authentication methods, such as push authentication and one-time passwords (OTPs). Not only do these authentication technologies help protect sensitive data; they are easy to implement and simple for students and staff to use. One caveat: a push approval or OTP can still be relayed by a real-time phishing proxy or worn down by repeated prompts, so pair them with number matching or prompt rate limits, and consider phishing-resistant factors such as FIDO2 security keys for the accounts that matter most.

 

Chapter 8

Preventing a Poor Student and Alumni Experience

Here’s the rub: If you don’t address the aforementioned challenges, it’s impossible to deliver an optimal experience to students and alumni. An IAM solution can help you overcome obstacles, but it must be the right solution. Not all IAM systems are created equal—many legacy and point systems just are not up to the task.

The top requirement CIOs in higher education institutions face is delivering an optimal student experience. To meet the needs of students and alumni, CIOs need a solution that has the following features.

  • Account claim
  • Self-service resets and requests
  • Application portal
  • APIs to pull functionality into registration portals or other already designed interfaces
  • Ability to easily manage alumni accounts and provide email for life 


The right IAM solution also integrates into hybrid and heterogeneous environments because most schools have legacy systems in place but lack the budget to upgrade. If you can’t integrate all of your systems (not just the new web-based ones), then you’re only partially automating the identity management process.

Additionally, it's important to find a solution that can easily be configured to meet your school’s unique needs. After all, you don’t want to spend time or money on consulting. And the IAM solution itself should have a pricing model for all school sizes and user populations.

Faster time to value is another point to consider. Look for a modern IAM solution that is designed for rapid deployment and can be implemented in phases if your school requires this approach. And finally, you need a vendor that will be with you throughout the journey—a trusted partner with proven expertise in the higher education space. At each phase, the partner should work with you to ensure the implementation goes smoothly.

If you’re looking for an IAM solution designed to meet the needs of a higher education institution, contact us today to learn more about how we can help you address your college or university’s unique challenges.
