Is Cloud Identity Ready for Higher Education?

Presenters:

  • Jon Allen, Assistant VP & CIO, Baylor University
  • Kevin Phan, Associate CIO, Pepperdine University
  • Mahmud Rahman, Director of Systems and Banner Services, Mills College
  • Dennis McDermott, CMO, SVP Global Marketing, Fischer International Identity LLC

Level Set

What was the state of your IDM efforts prior to your recent project? What were the biggest challenges you were addressing with your IDM deployment?

JA: we didn’t have a lot in the way of IDM. We had scripts, an Oracle database and batch files. Life cycle becomes difficult in situations like this! We knew we needed to manage it much better than we were. Should we build the car or drive the car?

KP: we’re similar to Baylor: disparate systems, everything was manual, PeopleSoft as system of record, AD authentication, batching and scripts for account management; no meaningful events for updating accounts. Going to an off-the-shelf system helped us manage things better.

MR: we had a pretty good system, fed data from Banner into LDAP. However, our system would break down, and our system didn’t do deprovisioning well.

Setting a Course

What components did you look for in an identity management solution? Which were most important to you and why?

JA: our search happened about four years ago. Traditional on-premises solutions were great and polished, but they didn’t necessarily work well with the systems we had on our campus. It was more a business and knowledge problem than a technical problem. Very few consultants understood our systems or what we do. We understood the routine functionality of in/out and when things were supposed to happen, but our edge cases were killing us. Audit was made difficult because access forms were being sent by email.

KP: it took us over a year to review the various vendors. Fischer’s system worked simply and easily for us…one connector to our PeopleSoft tables and we were ready to go.

MR: we’re a small school and we had to rely on others’ research to help guide us. We’ve been on hosted platforms for years now with Blackboard and Google, so our fear level was low. Vendors that understand the specific needs of students (meaning of stop outs, incompletes, etc.) were very important to us, and it’s surprising how few vendors actually do get this.

Resistance to Change?

How much resistance did you receive regarding outsourcing your IAM infrastructure? Who was resistant and how did you win them over? What would you say to those who prefer home-grown solutions?

JA: since I was the one bringing this project to the table, there was little resistance (I’m normally the one who slows projects down!). A big part of getting people on board was sharing what it would do for them as stakeholders, i.e. HR provisioning of new staff and faculty. Once HR saw what it would do for them, they were completely on board.

KP: we had political resistance. We overcame that by demonstrating cost savings with our CFO. We also were able to translate business value by showing reduction in number of help desk tickets. Convincing internal IT folk was the hard part…giving up control was WAY more challenging than it should have been.

MR: we had no resistance. Most people don’t see IDM as something important unless they can’t access resources. Sysadmins are no longer the ones who have to deal with the day-to-day ordinary functions. Our time spent on IDM is a lot smaller now.

Deployment

What was your approach for deploying IAM? How did you mitigate risk to achieve project success?

MR: we should have had more conversations with HR and Admissions first (there was turnover at the time, which continues). The people responsible for setting flags and attributes initially have moved on, so IT is playing a significant teaching role for the organization. The process allowed us to get a lot more granularity with respect to roles, which we accomplished before through creating exceptions (build exceptions into patterns).

KP: learning what our customers’ pain points were guided what we did first. Password management was a big problem, so we tackled the password self-service portal first. Second phase was the top 30 action codes in PeopleSoft. Most of the time, I had to “be a parent” to the project team when addressing challenges around control.

JA: we limited the scope of the systems to key systems first, including Banner and O365.

Sharing Outcomes

What are the top factors that made your project successful? What would you do differently? What would you say about home-grown IAM?

MR: we have a very smart Banner programmer! We also had a lot of cooperation from other IT staff, particularly sysadmins and the help desk. Our vendor also understood Banner well, which helped a lot. Also, my boss backed me up (huge). If I had to do anything differently, I would probably create more role granularity and more conversations with certain groups on campus like the provost’s office.

KP: top factors were understanding business value and translating to the business units. Understanding systems and data, looking a few steps ahead, identifying potential issues that might come up, having honest conversations with your team, all of these were important. What would I change? It took two years to complete because we didn’t apply enough resources to it.

Baylor Case Study

Why IDM? Security lifecycle, compliance, one of the main controls left. It’s the who, why, what, where, when of people accessing your systems. It’s the keys to the kingdom, it’s nothing sacred, it’s security.

IDM is hard! It’s the ultimate integration and it’s something we must have. Project failures are rarely technical. Systems worked where people understood higher ed and IDM. Consultants must know your business.

You need to clearly understand integration, UI (for follow-through and understandability), and you also need some flexibility to address special use cases.

Six months from start to Go Live. Staff must be bought in; testing is critical. Timelines are achievable if stakeholders are available and willing to work in a collaborative way.

Full provisioning: account creation, license management and authorization. However, it doesn’t have to be completely automated. For example, we have a termination list: it replaces non-interactive emails and allows for an audit trail; deprovisioning is the most critical part of IDM. When we flipped the switch, we had to deal with the edge cases, which allowed us to clean up a lot of the data (source of authority).

IDM is a life cycle. Identity is constantly changing, and perfection is not possible.

Lessons learned: communication (need more of it), wrong assumptions (you can’t assume that HR understands their role – they’re worried about payroll), we want real-time access (mistakes like name changes or account deletions are real-time too). Testing is good, but you’re not going to catch everything.

Going forward: more integrations, further refinement, expanding reach to applicants.

Great results: account provisioning and removal are smoother, processes are documented.