Catalyst to Catalyst (Summer 2023): Ideas and Insights from InCommon Catalysts

As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News. 

Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address evaluating IAM solutions and hosting IAM in the cloud. This is our second column for 2023.

Q: What’s a question everyone should ask themselves when evaluating an IAM solution/implementation and why?

A: When evaluating an IAM solution it is crucial to ask: “Does this IAM solution effectively address the risks and challenges my institution faces?” This simple question opens the door to a few evaluations that need to happen.

First, consider security alignment. Every higher education institution has unique safeguarding requirements regarding sensitive data and business operations. The solution should support regulatory compliance for anything FERPA, GLBA, HIPAA, and PCI related that may exist in any area in your environment; providing audit trails, access controls like 2fa, endpoint posture scrutiny, clear workflows to easily provisioning and de-provisioning access, appropriate privileged access management, and maybe support identity certificates like EAP-TLS. Assess the IAM solution to ensure it adequately protects your organization’s assets.

Second, assess scalability and future-proofing. A campus network environment is never static, and similarly, the IAM solution should be able to adapt to evolving needs and technologies as well as accommodate new user types, devices, and applications without requiring significant rework. And, as the solution grows, it needs to be able to be supported and maintained by your existing IAM team (or have clear leadership-supported plans in place for team expansion).

Third, evaluate end-user experience and productivity. The solution should be easy to use, offer self-service capabilities, and efficient authentication methods. A positive user experience will make the IT Service Desk’s job a lot easier.

Finally, assess integration with existing (and planned) systems. Ensure seamless integration with applications, directories, and platforms, reducing complexity in managing user access across environments.

By asking this question, you ensure the IAM solution meets your institution’s current and future security needs, scales well and will receive the care and feeding it requires, enhances user experience, and integrates into your existing environment seamlessly. This holistic approach promotes a solid risk-informed assessment of any IAM solution.

—Jacqueline Pitter, CISSP, Senior Strategic Consultant, Vantage Technology Consulting Group; jacquelinepitter@vantagetcg.com

A: What is your weakest link? Philosopher Thomas Reid said that “a chain is only as strong as its weakest link.” Nowhere is this more true than in cybersecurity. When evaluating an IAM system, it’s important to know which component is the weakest link. The level of security of that component is the level of security of the whole system.

Studies have found that the weakest link in most IAM systems isn’t in unsafe low-level code or improper database writes, but in human psychology. Forbes reported more than 300,000 phishing attacks in the U.S. alone last year. And, most security experts would agree that passwords are the weakest link. Unfortunately, we in the research and education community expose endless critical web services behind the flimsy shield of passwords. However, we found that with the recent introduction of passwordless standards, our industry has a rare opportunity to accomplish a step-change improvement in security.

This became the motivation for our newest project, OmniPasskey, a plugin that enables passwordless authentication for existing Shibboleth installations. The “weakest link question” snapped the password issue into focus for us and made it clear that we ought to get right to work replacing the weak “password link” in the identity providers that form the backbone of our community’s IAM infrastructure.

—Drew Capener, Software Engineer, Omnibond; drew@omnibond.com

A: When assessing an identity and access management implementation, an important question that higher ed institutions should ask is: How might this solution bridge the gap between data silos within our various systems?

A common issue facing colleges and universities is the segregated data amongst different vendor solutions that lack seamless interoperability – this can inhibit the institution’s strategic planning. The Chronicle of Higher Education’s research brief “Becoming a Data Driven Institution” reported that the biggest barrier on campus to effectively using data to make decisions and improve operations is decentralized/siloed data collection.

A: When evaluating or selecting an IAM solution, you should ask yourself: Have I accurately identified ALL my institution’s requirements and have I clearly defined why an IAM solution is a priority? IAM is not just a technology problem. It is a business problem (or opportunity) with a technical component. For example, your CISO might be focused on a new IAM solution’s capacity to reduce cyber security gaps and believes the best way to socialize IAM’s value is to emphasize the need to reduce institutional risk. However, your campus executives (as well as recruitment, admissions, applicants, students, and faculty) are probably clamoring for a frictionless and much improved digital experience. How do you prioritize competing needs and requirements?

To be successful, IAM platform selection must be part of an IAM program that is aligned to your institution’s strategic goals and is capable of fostering sustained institution-wide collaboration. Identifying ALL your institution’s most critical requirements means including key executive, academic, business, and functional stakeholders in a formal process (e.g., workshops) to clearly identify and document current strengths, gaps, and key pain points. It will also require a means of prioritizing all of these (potentially competing) business, functional, and technical requirements.

A: Here are some of the questions that Cirrus recommends, as we all asked these questions when we were in roles at higher ed institutions. Do the vendors understand the nuances of IAM needs specific to higher ed and research? Are they a trusted partner? How many similar solutions for our use case have they successfully implemented? Do they have reference customers with similar needs to your organization? Has there been any information about this vendor posted to community lists like the EDUCAUSE IAM list or the InCommon participants list?

A: The InCommon Trusted Access Platform bundle, although it’s only one of the many IAM solutions, has been proven to work in the cloud, and Internet2 has created the “workbench” allowing for demonstrations and usage as needed including these key applications – Shibboleth, midPoint, Grouper, and COmanage.

Many IAM solutions can work in the cloud, there are considerations and not all are equal, but “the cloud” opens a new opportunity for higher education and their IAM teams.

A: When thinking about a cloud, it is necessary to be specific about what we really mean by the cloud. One possibility is to just deploy the IAM solution in the cloud in a similar way as if it were deployed on-premise. Is there any benefit? There might be, depending on your cloud infrastructure, orchestrating options, and so on. For the most part, it will save you some operations costs. However, there might be new issues with networking, firewalls, and so on, but that truly depends on the overall architecture, including whether the cloud is public or private.