IT Security david raths
Identity and Access Management: A Discipline, Not a Project
Getting IAM right can take some serious planning and analysis plus a commitment to continued evolution over the long term. Here, three universities share their experiences.
WHEN TOM Dugas was named director of information security and chief information security officer (CISO) at Duquesne Univer- sity (PA) three years ago, one of the first things he did was to draw a matrix of all the roles and computer access points people had on campus as well as the identity and access management (IAM) systems being provi- sioned in-house. He knew that before devel- oping a roadmap for the long-term IAM evo- lution at Duquesne, he had to have a clear picture of the current environment.
“That work was not trivial,” he recalled. “It took a dozen people from human resources, enrollment systems, enterprise IT and the help desk to create it.”
Like many universities, Duquesne’s IAM systems were largely home-grown, and while they were not broken, many involved too many manual processes and end-user hand- holding, Dugas said. Now that the university is looking to implement a new solution, one goal is to create more dynamic and automat- ed processes that allow it to provision and deprovision services more fluidly.
IAM efforts run the risk of getting siloed if IT and information security teams fail to engage the communities they serve to better understand their needs. To avoid this com- mon pitfall, Dugas created a cross-functional
team made up of people from different parts of the campus community to talk about IAM. “At first, everyone said their experiences were good,” he recalled. “But as we peeled back the layers of the onion, we found man- ual processes using an exorbitant amount of time, that we could be doing smarter. That is where we are now.” As his team recently worked with consultants to prepare a request for proposals from vendors, Dugas said Duquesne was highly likely to look at cloud solutions. “The market has shifted that way in the last 24 to 36 months,” he said.
Taking Time to Get It Right
Sharon Pitt, vice president for information technologies and chief information officer at the University of Delaware, said the efforts to get IAM right are nothing new. “I remember talking about it 20 years ago,” she said. “It is a nut we have been trying to crack in IT for a long time, and it is a particularly challenging nut in higher education when you have so many kinds of roles and even people playing multiple roles.” (For instance, Dugas is both a part-time faculty member at Duquesne and an administrator.) To address these needs, universities tend to put together integrations, scripts and automated processes and end up having 20 systems to ensure they have a workable solution.
20
CAMPUS TECHNOLOGY | March/April 2019