Managing Identity in Higher Ed = Fewer Breaches? Part 2
Read this two-part blog series to explore the evolving data breach landscape in higher education and the crucial role that “people security,” or managing identities and access rights, occupies.
Last week, we explored how extremely vulnerable higher education institutions are to data breaches, led by stolen credentials. Vendors like SecureAuth caution higher education institutions to think of the “Identity level” as the new frontier of the cyber war. In this second part of the blog series, we discuss potential solutions. How are innovative higher education institutions (and the vendors that serve them) tackling this difficult issue? The Tambellini Group is actively researching this topic and regularly shares insights with clients into what leading institutions and vendors are doing to streamline and modernize identity management within higher education. Here, we delve into some of those insights.
In the Fall of 2017, Tambellini conducted a survey of higher education IT executives and security practitioners, inquiring about identity and access management (IAM) best practices, perceptions, and barriers, as well as enablers, to adoption. Many higher education institutions understand the role that IAM plays in giving users access to systems. Even so, a significant number struggle to articulate the value of investing in a robust, modern IAM solution suite. Take, for instance, this graph below. When asked about barriers to IAM adoption, almost 40% of respondents to Tambellini’s survey indicated that budget and/or a lack of perceived return on investment (ROI) was a barrier. This response was largely equal across different sizes and types of institutions. Of the 60% of respondents that did not indicate budget/ROI as a barrier, the majority reported that they still did not have a comprehensive IAM strategy backed by adequate staffing or technology.
How are some institutions able to dedicate budget and staffing to IAM? One potential strategy is to tie IAM modernization to a system of record (student/human resources/financial systems) replacement (and the budget that accompanies the project). Technology vendors of these systems and their implementation partners will tell you that inadequate IAM planning can lead to ERP implementation nightmares. Knowing this, Tambellini also asked survey respondents how many of them view ERP replacement as an IAM enabler. As seen below, only 14.5% affirmed ERP replacement as an enabler.
These respondents are at the leading edge of one type of strategic, innovative approach to IAM. Interviews with higher education CIOs and cybersecurity teams further support these results. Across twenty interviews with institutions representing public 4-year, public 2-year, and all sizes of private not-for-profits, the institutions that reported modern IAM implementations (meaning a vendor solution providing identity governance with automated provisioning and deprovisioning plus sophisticated workflows and/or sophisticated access management like multi-factor authentication based on geo-location data, among other controls) also reported an ERP replacement project either occurring in the previous twenty-four months or planned within the next twenty-four months.
Tying IAM to an ERP project is just one enabler. Another lever that institutions are pulling to expand or modernize IAM functionality is the move to the cloud. As CIOs know, moving to the cloud requires balancing many systems, including their middleware like IAM. How do you drive access to your new cloud applications? Modern IAM. As a bonus, user experience is also enhanced, which can be used to convince institution stakeholders to get behind an IAM project.
What about the vendor perspective? Vendors ubiquitously highlight the user experience as key in an IAM project. Tambellini has interviewed twelve IAM vendors that provide higher education with IAM solutions. (You can read more about these vendors in Tambellini’s ongoing IAM Vendor Profile Series; the first report of the series is available and highlights SailPoint’s identity governance tools.) They all discuss user experience as a top reason to modernize. Institutions may need to provide very sophisticated workflows that differ by type of user (role-based), as well as department. How are these roles defined and architected? The top vendors have a deep investment in the nuanced requirements of higher education. If you are currently vetting vendors for an IAM project, carefully question them regarding architecting roles.
Many vendors also tout short implementation times to achieve baseline functionality. In reality, however, IAM implementations are notoriously difficult and time-consuming. This fact has slowed adoption. If your institution has this concern, consider IAM vendors that offer a SaaS solution for identity management/governance, like Okta and SailPoint. Microsoft is also heavily investing in Azure Active Directory Premium as a SaaS IAM suite, and if your institution is already using Azure, you may want to investigate their IAM product roadmap. Oracle shouldn’t be discounted in this space, either; they have a very robust research and development roadmap for their Oracle Identity Cloud Service product, which has a microservices architecture and went live in Q4 2016.
Regardless of tool, however, you should not modernize your IAM program without first developing a strategy. Tambellini recommends tying an IAM strategy to a security framework, like ISO 27001 or the NIST 800-63 framework. A security framework will not only help you prioritize security controls, but it will help to streamline and meet regulatory requirements like HIPAA, PCI, etc. Tambellini launched CISO Advisory services for higher education institutions earlier this year and can help you pick a framework, implement a framework, or just generally provide strategic guidance for your cybersecurity or IAM program.
Do you have questions about IAM or want feedback on the state of the IAM market for higher education? Do you need help with your overarching cybersecurity strategy? Contact Katelyn Ilkani with your questions or to schedule a call. You can also explore Tambellini’s cybersecurity reports here. Please share your feedback with The Tambellini Group on Twitter @tambellinigroup or directly with Katelyn @katelynilkani.