Think of how many students and staff enter and leave a university every year. Take the University of Oxford for example: around 24,000 students in total, continually moving through the system. And that’s just the students. Every one of them needs login credentials that provide varying degrees of access to the IT system.
It’s a given that schools and universities need processes in place to secure the data of thousands of users who enter and leave the system every academic year.
But how can CISOs and IT admins at higher education institutes get the most out of an Identity and Access Management system to ensure their organisation isn’t the next headline about a student data breach?
Here are 5 recurring IAM challenges for higher education organisations:
- Ever-changing user population
- Multiple simultaneous job periods
- Security requirements
- Compliance requirements
- Digital transformation
Let’s take a deeper dive into each one and their solutions:
Ever-Changing User Population
Students enter, leave, or change their position in a school or university on a much more frequent basis than, say, employees within a financial organisation. On top of this, universities tend to have a concentrated period every year where thousands of students need to reset their passwords. This can lead to delays in both on-boarding, which creates poor user experience, and off-boarding, which could pose a risk to security.
A vital aspect of security planning for an organisation with so much personal data is well-managed user access without compromising on ease of use. An IAM solution can automate user lifecycle processes to avoid human error, as well as save time, effort and money.
To ensure strong authentication for all the accounts in the system, including visiting students and staff, multi-factor authentication (MFA) can be implemented to verify user identities. Users must provide two or more pieces of evidence to prove their identity (such as a password and mobile phone verification) for enhanced security and data privacy.
Multiple Simultaneous Job Periods
Universities are divided into faculties and sometimes colleges, and within those there are students, staff and alumni, groups that commonly overlap and interchange. In these cases, the same person might have two different usernames in the system, one as a student and one as an employee, for example. With overlapping and interchanging roles within an organisation, access management quickly becomes complex.
Role-Based Access Control (RBAC) enables access provisioning according to user sets and structures, avoiding a deluge of manual access requests that burden IT teams and take resources away from more important tasks. The challenge, however, is managing those with multiple access rights and associating all the accesses to a single person for good governance.
Automated, policy-driven workflows for requesting access allow for the delegation of non-RBAC requests to relevant approvers so that ad hoc access requests for university resources become an effortless process.
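To make the two paragraphs above concrete, here is an added sketch (not Intragen's or any product's code) of linking a person's student and staff accounts to one identity, deriving access from the roles that are currently active, and sending non-RBAC requests to an approver. The person IDs, usernames, entitlement names and approvers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Affiliation:
    person_id: str   # the single identity every account links back to
    username: str
    role: str
    start: date
    end: date        # last day the affiliation is valid

# Constructed sample data: P001 holds a student and a staff account at once.
AFFILIATIONS = [
    Affiliation("P001", "s1234567", "student", date(2019, 10, 1), date(2022, 6, 30)),
    Affiliation("P001", "e0042", "staff", date(2021, 9, 1), date(2023, 8, 31)),
    Affiliation("P002", "s7654321", "student", date(2018, 10, 1), date(2021, 6, 30)),
]
# Hypothetical RBAC policy and per-resource approvers for ad hoc requests.
ROLE_ENTITLEMENTS = {
    "student": {"library", "vle", "student-email"},
    "staff": {"library", "hr-portal", "staff-email"},
}
APPROVERS = {"research-cluster": "head-of-department"}

def effective_access(person_id, today):
    """Union of entitlements over the person's currently active affiliations."""
    access = set()
    for a in AFFILIATIONS:
        if a.person_id == person_id and a.start <= today <= a.end:
            access |= ROLE_ENTITLEMENTS.get(a.role, set())
    return access

def accounts_to_disable(today):
    """Usernames whose affiliation has ended: off-boarding candidates."""
    return sorted(a.username for a in AFFILIATIONS if a.end < today)

def route_request(person_id, resource, today):
    """Role-covered access is automatic; anything else goes to an approver."""
    access = effective_access(person_id, today)
    if resource in access:
        return "granted-by-role"
    if not access:
        return "denied-no-active-affiliation"
    approver = APPROVERS.get(resource)
    return f"pending:{approver}" if approver else "denied-no-approver"
```

When the student affiliation ends, the person keeps only the staff entitlements and the student username appears in the off-boarding list, without anyone having to notice that both accounts belong to the same human.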
Security Requirements
In the Cyber Security Breaches Survey 2020, 80% of higher education institutions had identified breaches or attacks over the course of the year. The most common impacts for these organisations were a temporary loss of network access and the loss or destruction of personal data.
Protecting sensitive data in an organisation with so many data access points is paramount. Taking a layered approach to Identity and Access Management is the best way to not only increase security, but also to ensure a logical architecture to the systems involved. This may require an IAM expert to advise on how best to implement a number of solutions for the most effective result.
Compliance Requirements
Strict regulations for higher education organisations are there to protect classified data, such as student records. Chief Information Security Officers (CISOs) in higher education organisations tend not to be experts in the intricacies of regulations, such as the General Data Protection Regulation (GDPR), but there are large fines and penalties for non-compliance. In the event of a data breach, GDPR fines can be as much as £17 million…
Working with IAM specialists and implementing strong solutions is the easiest way to meet compliance requirements and mitigate the risk of breach and fines.
Digital Transformation
Now more than ever universities need to digitalise to keep pace with international students, remote applications and working or studying from home. Securely authorising and authenticating access from anywhere in the world is the new challenge for higher education organisations.
Understanding the relationship between the users in your organisation and where all the data for those users resides is the key to success with digital transformation. Identity is often an afterthought or stepping stone along the way when it should sit at the core of digital transformation and security. (See Ubisecure blog: How Higher Education Should Leverage Digital Transformation With IAM)
Putting the identity at the core of your digital transformation also means involving the humans using your system. Cultural change is what drives the success of security and IAM implementations because it reduces human error and improves user experience when every user understands and cooperates with any security measures in place.
A Summary of the Solutions Discussed Above
- Automated user lifecycle
- Multi-factor authentication
- Role-based access control
- Request and approval workflows
- Layered security approach
- Working with IAM experts
- Cultural change
If you’re an IT security professional in a higher education institute and you’re concerned by any of the topics in this blog, or you want to find out more about solutions you could implement, you can trust Intragen’s team of IAM experts to advise you on a cost-effective solution. You’re in safe hands with our specialists and the 15 years of Intragen’s experience as a leading consultancy in the IAM space.