The Identity and Access Management Connection: Higher Ed Seeks Accelerated Course to Digital Innovation

MeriTalk recently connected with Rob Forbes, Okta’s senior cloud architect, to explore the potential impact of improved campus IT infrastructure modernization for higher education institutions.

MeriTalk: Higher education institutions that began investing in online education before COVID-19 envisioned it as a five-to-10-year project. As connected devices across campuses and beyond continue to proliferate, networking, security, and storage needs also continue to grow. With institutions preparing for a long-term hybrid future – what have we learned and what’s needed next for IT infrastructure modernization?

Forbes: Many colleges and universities have brought in a lot of online learning systems and mobile apps, which they’ve stitched together with their existing legacy infrastructure. Often, the mobile apps are built by one group with one set of users in mind. Each group, however, has its own user profiles, user environments, policies, logging, and configuration. When institutions tie these in with their back-end legacy systems, they use a lot of scripts, manual processes, and manual interventions to manage access – creating a tough environment to juggle.

Universities are some of the most complex environments. The roles of students, professors, and staff are changing constantly. And, these shifting roles make it difficult for teams to put effort into updating systems, since they spend so much time resetting passwords and getting people in and out of systems.

So, what’s next? Centralization and modernization of identity and access management (IAM) with a modern solution set that allows IT teams to pull various silos into a single structure. The end goal – free up resources focused on help desk tickets to take on vital modernization efforts, like multifactor identification, DevOps, DevSecOps, and more.

MeriTalk: Most institutions are operating in a hybrid cloud environment, and most use a combination of on-prem identity and access management systems. What are the challenges?

Forbes: Legacy systems are the obvious challenge, especially legacy IAM systems, because they don’t talk to modern protocols, or you have to put gateways, scripts, or processes in place from those legacy systems to the modern cloud apps. Once the job gets done – who maintains it? These extra steps add a strain on IT teams.

The other challenge is time. Universities and colleges are constantly pushing to get more apps in the hands of students. While students aren’t on campus to be vetted, organizations must also execute identity proofing and take other measures for IAM that would be typically done on premises. Systems aren’t designed to handle these remote needs, and teams can’t always get their jobs done in a timely fashion.

The pace of the cloud is so much faster than legacy on-prem. Some cloud organizations have a new release every week, whereas a legacy application might have a release every 18 months. If a cloud app is changing constantly, and the back-end app can’t change fast enough to keep up with the protocols, then it’s possible IT can’t even support the app.

MeriTalk: What’s needed to provide access to core education services, while maintaining security and privacy?

Forbes: An organization’s attack surface and, therefore, risk surface is much greater with disparate IAM silos. Institutions are struggling to ensure they dedicate enough people and resources, and keep them up to date, so that they can meet all the requirements for reporting, certification, and privacy. Policies that have to be adhered to may be based on citizenship, not where the institution is located. For example, a university may have students from Europe, so they may need to consider General Data Protection Regulation (GDPR) requirements for those students. They may also have students from various U.S. states, which may have different requirements, some of which could apply extraterritorially. IT teams have to make sure that administrators and audit logs are tracked properly.

This all comes back to centralizing identities and controlling provisioning access through a central system. The access rights and policies flow from that central system and give IT teams better control of the dynamic, shifting environments in colleges and universities.

MeriTalk: Many university and college administrators look to their IT teams to reduce costs, improve security, deliver better customer experiences, and, ultimately, contribute to student success. How can higher education IT teams respond to all of these pressures?

Forbes: Higher education IT teams have a tough job but can manage by making the shift to modern cloud solutions. Many teams write, code, and develop their own applications, which would have worked 10 to 15 years ago. But today, colleges and universities don’t have the time and/or resources to respond while keeping up with growing maintenance requirements, such as patching operating systems or applications. These pressures have become intensive, as organizations experience application and server sprawl. And some of these are critical systems, where you need a disaster recovery plan in place, which can double costs. Multiply that by 15 or 30 different departments and applications around the institution, and it really adds up.

The care and feeding of systems now consumable through Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service can take the load off the organizations by eliminating the need to set up a new server. This frees up considerable time, so organizations can focus on things like compliance, certification, governance, DevSecOps, mobile applications, and more.

MeriTalk: There must be different approaches across the IAM landscape. Based on your experience, what are the best first steps?

Forbes: The best first step to centralize your IAM solution is to look at your existing landscape and figure out where your identities live, and understand the lifecycle flows in those silos, so you can consolidate them.

For most institutions, it’s a gradual process. We recommend a migration approach, where you take your well-understood applications and processes, such as getting people into Windows, and replicate those (or even run in parallel). Then, you can look at the niche use cases; for example, an application that has been running untouched for more than 15 years.

Another step is changing the mindset – when the internet started, the focus was interconnecting departments, and making it easy to transfer information. Most colleges and universities are still in that mindset. They don’t want to put roadblocks in place. However, many are working on sensitive research projects, COVID-19 vaccines, Department of Defense projects, and Department of Energy initiatives. It’s a lot of work to lock down, secure, and monitor hundreds of systems.

Mature IAM strategies allow organizations to shrink the attack surface. If you’re always logging in using Okta’s IAM solutions, we will see those logs coming in – whether it’s an old ID, or an attack coming in from a nation state. We look across not just an individual university, but across a number of datasets and threat landscapes, which gives us much better visibility.

MeriTalk: What can institutions with modern IAM achieve versus those without?

Forbes: For institutions without modern IAM, there can be a lot of loss. If a professor can’t get into the system for a new class, learning halts while the professor sits on the phone with the help desk. If an alumnus is trying to donate money to the university and they have to reach out to the help desk, they may abandon their gift. If a student is applying for their 15th ID and becomes frustrated, they might resort to sloppy practices, like putting IDs and passwords on a Post-it Note.

But if a student has access to the right systems in a timely fashion, they can do their work faster because they’re not waiting days to access applications or get help. If teams can deploy new applications to let alumni make donations easier, or allow parents to pay student bills without hassle, they can really change the dynamic inside the organization. This becomes the focus – take commoditized services and leverage modern approaches, so you can focus on higher value work, processes, and procedures.

Automation is not about eliminating people. It’s about folks going off and tackling modernization.

Now that your team is working on high value work, everyone is happier – and you’re saving money by modernizing resources.

MeriTalk: Can you share an example of a higher education institution that improved operations with IAM, and the impact?

Forbes: We recently worked with a state university that had 17 silos of user stores, over 500 scripts, patch jobs, text files, and custom code. The university was getting about two requests a week for new applications and averaged 300 tickets a week for granting manual access. They had to hire additional student workers just to meet system access demand.

The university wanted to deploy mobile applications for a parent portal, as well as for student registration, scheduling, and billing, but didn’t have the resources to do it. At the same time, they were trying to enable cross-campus solutions. The university looked to consolidate the campus identities, as well as manage a single cloud learning platform instead of five cloud learning platforms.

This university purchased Okta’s solution set, and within six months, all applications were online, the self-service password reset was running, and multifactor was in play. We eliminated about two-thirds of their scripts and consolidated about 15 out of the 17 identity stores. The university can now focus on getting cloud-based and modern systems online. Their backlog for granting access went from 300 requests to 20 to 30 requests.

Now, this university can prioritize new services and systems, as well as security and compliance.