Identity and Access Management: Products Won’t Save You, but They’ll Help

Higher education is facing a pivotal moment where institutions must protect themselves from constantly evolving cybersecurity threats with limited budgets and staffing. Compounding the problem even further, higher education is especially susceptible to marketing that portrays products as the solution to their problems.

As with every discipline, technology alone is not the answer. It’s the practice(s), more than the technology, that enables value. Let’s look at identity and access management (IAM) as the top-of-mind example since I just completed some research and a publication series on IAM this month.

If we examine current practices in higher education, we see that many institutions have deployed basic functions of identity management using custom scripts, programs, and databases that have been augmented over time. Adopting commercial solutions has been difficult for many institutions for many reasons, including:

1. Cost: IAM solutions are typically indexed on the number of identities being managed—which, for higher education, includes students, driving costs skyward for every type of higher education institution compared to similarly sized commercial organizations.
2. Requirements mismatch: Commercial organizations generally do not need to manage the complexity of roles, the number of roles (sometimes five or more per individual), or the pace of change (students, graduate assistants, and adjunct faculty coming and going every term) that higher education does on a regular basis. Solutions that don’t offer a specific focus on higher education needs can be difficult for institutions to use.
3. Incremental requirements change: Institutions are constantly adding requirements to their IAM functionality to meet evolving needs, and many have typically just added one more bit of code, an add-on product, or a few new fields to the database to try to keep up.

But now, with increasing audit and compliance requirements, heightened attention on cybersecurity risk, the explosion of the number of applications under management, staff turnover and losses, and the prospect of replacing their key identity systems of record (HCM and student), institutions are left with the daunting task of replacing their custom web of identity components with commercial platforms.

Here is the reality of identity management systems: No commercial system in and of itself can fix everything. Implementing a robust IAM system will rightfully require significant process and policy change and have a significant impact on end-users.

The product certainly matters. Our research shows there are few options that are both comprehensive and attentive to higher education’s needs. Selecting a vendor partner that can help meet the broad set of challenges presented by IAM, such as single sign-on and identity governance, will simplify an institution’s architecture in the long run, even while implementing it over time.

In surveying the IAM solution ecosystem, consider that other elements—cyber risk, process, policy, and user impact—should drive your implementation plan more than product specifics. Institutions should be looking to clean up their identity data and process while implementing an IAM solution as a catalyst for the change that is required to deliver efficient operations, technical agility, and reduced risk.

Higher education is at least a decade behind commercial industries in the IAM space, which is unacceptable in the coming years of increased risk and faster change. By doing a great job with the resources at hand, IT departments have often inadvertently hidden the complexity and brittle nature of the solutions they have crafted to meet complex needs.

Institutions need to prioritize updating this fundamental information management function as a central part of their modernization efforts. As institutions undertake major cloud (especially SaaS) adoptions, the underlying issues with their existing IAM infrastructure will be laid bare. Understanding the complexity of these efforts, preparing in kind, and involving a broad coalition of partners on campus to make these changes are critical to institutional success.