IAM CORE COMPONENTS
There are three main components to IAM: authentication, authorization and user management. Authentication, as its name implies, relates to how we verify a user by their username, password and multifactor authentication. Once authenticated, we can authorize what resources or access they have. User management refers to how we monitor user data, passwords, roles and respective permissions. Our goal is to ensure the process is smooth, safe and secure. All of these processes are tied to traditional face-to-face education, as well as hybrid and remote learning situations. For higher education, while a multitude of technologies have created richer learning environments, they have also proven to be a valuable target for cyber attacks.
ISSUES AND CHALLENGES WITH IAM
While IAM processes, policies and infrastructure provide a mechanism for campuses to protect valuable data and personal information, many issues still exist. With the dramatic increase of remote learning, particularly during the pandemic, providing a secure learning environment has become a daunting challenge. IAM treats each user as a separate ID, and end users with multiple roles may have several credentials for various activities. Single sign-on (SSO), which can allow end users to access several applications with the same authentication, can be a convenient alternative to multiple credentials, but implementation can be challenging, complex and costly. As the consulting company Expert Insights pointed out in an April 2024 blog post, “it takes a lot of work during implementation and configuration to get it up and running. SSO can be challenging and time consuming for IT teams to install and configure, especially as all applications needed for the solution need to be configured into that solution.” The risk with SSO arises when a hacker gains access to an end user’s credentials, potentially giving access to every application the end user has rights to.
In a 2020 blog post titled “The Top Trends in Higher Education IAM According to IT Leaders,” the IAM company Bravura Security wrote, “IAM for higher education has only been further complicated by a new batch of challenges brought on by the pandemic: an increase in layoffs, additional security challenges created by the influx of remote access requirements, and budgets that are even more in flux than they already were. Finding the right solution requires an intimate understanding of this complex case.”
One challenge for some campuses is hiring part-time or adjunct faculty, as some IAM systems don’t have a flexible way of managing external users. This process can also be difficult when hiring external vendors and managing their access. Other common situations requiring IAM processes are when potential students need access prior to registering, when students register and become official students, or when graduates eventually become alumni. They also factor into situations where faculty take classes or students become campus staff.
IT CHALLENGES WITH IAM
One additional growing threat is “synthetic identities.” This issue extends well beyond higher education and into our personal lives. As the credit-reporting agency Experian pointed out in a January 2024 blog post, “Synthetic identity theft is a form of fraud that combines real and fake identifying information to create a ‘new,’ false identity. Synthetic identities can be made by combining a stolen Social Security number with a fictitious name, birthday and address.” The idea of a synthetic identity is akin to the epidemic issue in higher education known as “ghost students,” scammers who create fake applications to steal funding for student aid. But synthetic identity fraud goes much further. In an April 2024 piece for the business publication University Business, staff writer Alcino Donadel said, “Aside from stealing money, ghost students who clear an institution’s cybersecurity measures and enroll in classes can take advantage of its cloud storage and VPN services. Furthermore, they use their newfound student email address to commit other scams.”
HAVING THE WILL TO INCORPORATE IAM
While the challenges of IAM can be overwhelming, there are important items to check to see if your campus is up to the challenge. One is the ability to automate IAM processes from the very first day. Your IT department needs to have adequate self-service capabilities available 24/7, coupled with a user-friendly process. Unusual or non-traditional access requests need to be carefully planned for ahead of time and occur through an automated process.
Another is that the campus must carefully track, log and audit all user accounts and remove those which should be terminated. Does your campus have the will and financial resources to ensure your IAM goes beyond just “having a feeling” that things are okay? Having a strong IAM infrastructure with an accurate identity life cycle management process has never been more important.
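One way to run the account audit described above, as an added example that is not part of the original article: it reconciles the roles granted in the directory against affiliation end dates from the systems of record and reports what to revoke, disable or investigate. The role names, grace periods, data layout and sample users are constructed assumptions.

```python
from datetime import date, timedelta

# Assumed grace period (days) an entitlement survives after its affiliation ends.
GRACE_DAYS = {"student": 30, "adjunct": 14, "staff": 0, "vendor": 0}

# Constructed sample data. ACCOUNTS: roles currently granted in the directory.
ACCOUNTS = {
    "asmith": {"student"},
    "bjones": {"adjunct"},
    "cvendor": {"vendor"},
    "dlee": {"student", "staff"},
    "ghost1": {"student"},
}
# AFFILIATIONS: role -> end date from the systems of record (None = open-ended).
AFFILIATIONS = {
    "asmith": {"student": date(2024, 5, 15), "alumni": None},  # graduated
    "bjones": {"adjunct": date(2024, 8, 25)},                  # inside grace period
    "cvendor": {"vendor": date(2024, 6, 30)},                  # contract over
    "dlee": {"student": date(2024, 5, 15), "staff": None},     # student became staff
}
TODAY = date(2024, 9, 1)


def audit(accounts, affiliations, today):
    """Return (user, action, roles) findings for accounts that outlived their basis."""
    findings = []
    for user in sorted(accounts):
        granted = accounts[user]
        records = affiliations.get(user)
        if not records:
            # No system of record vouches for this identity at all.
            findings.append((user, "investigate", sorted(granted)))
            continue
        active = {
            role for role, end in records.items()
            if end is None or today <= end + timedelta(days=GRACE_DAYS.get(role, 0))
        }
        stale = granted - active
        if not active:
            findings.append((user, "disable", sorted(granted)))
        elif stale:
            findings.append((user, "revoke", sorted(stale)))
    return findings


if __name__ == "__main__":
    for user, action, roles in audit(ACCOUNTS, AFFILIATIONS, TODAY):
        print(f"{TODAY.isoformat()} {action:<11} {user:<8} roles={','.join(roles)}")
```

Run on a schedule, the output doubles as the audit log: each line records the date, the action and the roles it applies to.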