Edited by Apryl Motley, CAE – InCommon Communications Lead
As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address the skills needed to manage IAM solutions, the biggest pitfalls in IAM implementations, and how to prepare for a coming change to an existing identity governance and administration (IGA) system. This is our third column for 2023.
Question: What skills and experience are required to manage IAM solutions?
A: Effective management of identity and access management (IAM) solutions requires an evaluation of two key factors. First is human capital, which hinges on the composition of your team. It’s imperative to ensure that your team possesses a well-balanced combination of technical expertise along with a deep understanding of your business dynamics. Second, the decision of hosting an IAM system in-house or opting for a SaaS IAM solution plays a pivotal role in determining the breadth and depth of technical skills required to manage a successful deployment.
For in-house IAM solutions, technical expertise is profoundly important. Proficiency in networking, scripting languages (e.g., JavaScript, Groovy, PowerShell), familiarity with diverse operating systems (e.g., Linux and Windows), and database administration are imperative. A grasp of cryptographic concepts, including certificate management, is also beneficial. In contrast, SaaS IAM solutions demand a shift in focus, often away from traditional DevOps skills but still requiring scripting and database administration proficiency.
Regardless of the deployment model, a strong command of access control techniques, such as role-based access control (RBAC) and attribute-based access control (ABAC), is vital. Knowledge of single sign-on (SSO) methodologies like OpenID Connect, OAuth, and SAML, along with a functional understanding of the systems to be managed and connected, is a prerequisite.
The composition of your IAM team hinges on the organization’s size. In larger entities, specialized roles distribute responsibilities, while smaller teams necessitate professionals with multifaceted capabilities. Regardless of size, it’s common for organizations to initially outsource a proof of concept or the initial deployment of their IAM system with the assistance of a third party. As their staff becomes more proficient, they often scale back the third-party relationship.
In terms of business acumen, IAM leaders or analysts must excel at mapping business processes into IAM workflows, engaging stakeholders, grasping integration intricacies, and ideally, possessing industry-specific insights. Effective communication and adept problem-solving are also vital. Compliance expertise and the ability to meticulously document policies for the overarching IAM program are equally important.
In summary, IAM solutions demand a harmonious blend of technical and business proficiencies. The choice between in-house and SaaS solutions shapes the technical skill set with the former demanding proficiency in on-premises infrastructure management. Regardless of the IAM deployment model, success hinges on a foundation of business acumen, industry awareness, and the ability to communicate effectively while resolving complex challenges.
—Matt Growden, CISSP, Executive Director of Identity Services, Provision IAM
Question: What is the greatest pitfall you’ve observed in executing IAM projects/implementations effectively?
A: Too many campuses see IAM as a technology problem, when in fact, more than half of the challenge is around IAM governance and business processes. I have seen campuses invest in costly IAM replacement solutions for their primary identity provider thinking the software will make everything better. However, the software can’t really be implemented until there is alignment around IAM governance and general practices for areas like onboarding, authorization management, and offboarding. Cirrus Identity solutions (hosted and managed Shibboleth or CAS alternatives and/or self-service solutions for external users) can help offload administration for IAM teams so that they have time to focus on guiding their institutions in developing effective governance and identity and access processes.
—Dedra Chamberlin, CEO & Founder, Cirrus Identity; dedra@cirrusidentity.com
A: When it comes to Identity and Access Management (IAM), one of the biggest pitfalls to implementing a sustainable solution is underestimating the importance of having interconnected systems at the enterprise level. It’s not merely about ensuring your faculty, administrators, and students have secure access to the resources they need – it’s also important to create a cohesive ecosystem where your various data systems and applications communicate effectively with each other.
Having fragmented systems can compromise the institution’s capacity to make informed, strategic decisions. Therefore, when selecting an IAM solution, the ability to integrate any siloed systems should be a priority. It is less about the IAM system itself breaking down these barriers, and more about it serving as a facilitator for data unification so that your implementation can be utilized cohesively for what you need.
Certainly, there’s an emerging trend in the software industry toward enabling more sophisticated, attribute-based permissions. This deeper level of IAM integration offers richer experiences and enhanced security measures for users. Over the years, the InCommon community’s standardization and best practices have improved compatibility between university IAM systems and enterprise software, so I encourage you to explore their resources when beginning your journey.
Remember, IAM is not merely an access gateway, but a strategic enabler that can help unify disparate data systems. Think about how your implementation will fit into the broader scope for a more seamless integration. This will not only improve operational efficiencies, but also pave the way for better data-driven decision-making that benefits everyone.
—Netta Caligari, Community Lead, West Arete; netta@westarete.com
Question: If you know a large change is coming in the next couple of years to the existing IGA, but don’t know exactly what, what should you do now to prepare?
A: In the landscape of higher education IT, staying ahead of technological advancements and security objectives is paramount. Success in a project like an identity governance and administration (IGA) overhaul requires recognizing that the project will disrupt your IT department’s operations beyond the singular focus on the IGA project itself for the duration of the implementation, and possibly even beyond.
An IGA transformation is no small undertaking. The project will demand substantial time, budget, effort, and expertise from your IT team as well as political capital. Allocating the necessary resources to the IGA project without disrupting ongoing operations requires recognizing the interconnectedness of various IT initiatives.
Knowing an IGA transformation is a few years off is actually a gift. It provides the opportunity to prioritize the foundational projects that otherwise would require overlapping resources and campus stakeholder engagements essential for the IGA project. These foundational projects could encompass diverse undertakings such as ERP/SIS, network modernization, classroom/ed tech realignments, cybersecurity reinforcement, and IT infrastructure enhancements. By proactively addressing these initiatives first, you not only lay the groundwork for a seamless integration of the IGA system but also ensure the institution’s IT operations remain robust during the transition.
Essentially, you need a resource-loaded IT strategic plan starting right now. Managing competing priorities with a finite pool of IT resources is a multi-dimensional nonlinear problem. User-facing teams have a limited “political well” to draw from for modifying campus connectivity expectations and need to strategize on acceptable user experience. The same is true for being respectful of the key campus stakeholders’ time and energy.
Front-loading foundational projects also aligns with the broader concept of risk management. By addressing pivotal tasks in advance, the institution mitigates the risk of neglected responsibilities amid the IGA project’s execution. This approach empowers IT teams to address challenges systematically rather than reactively.
Our experience in planning and overseeing complex projects in higher-ed shows that the campus leadership strongly prefers when there is a coherent vision and program of forward-looking initiatives that includes both stakeholder engagement considerations and clear institutional resource projections. If you aren’t intentional, you will be more resource-constrained which inevitably will lead to inefficiencies and setbacks. The clients Vantage has helped through similar processes have been more successful at navigating multiple priorities and projects. We can help you build an actionable program of projects with a vision that resonates with campus leadership.
—Jacqueline Pitter, CISSP, Senior Strategic Consultant, Vantage Technology Consulting Group
A: Some parts of the IGA world can indeed be very dynamic. However, the core IGA principles are stable enough to be used as an architectural foundation. Still, there is always development of new approaches and technologies that can have a significant impact in the end. The best recommendation is to stabilize your environment to be ready for such changes. Spend time cleaning up your data and eliminating the exceptions that we all have in our systems. Also, focus on automating data flows, aggregating all data in your central IGA system, getting the proper visibility over all identities, and ensuring the provisioning works smoothly. Connect all the systems with adequate connectors to ensure the desired state is always there.
If you get your IGA into such shape, you will be ready to deal with anything the future will bring. The visibility allows you to immediately evaluate the state of your identities and use this information to plan new improvements. The central IGA system working as an aggregator enables you to configure the new features in a single place without worrying about missing pieces of data or some side effects caused by entangled one-to-one integration, which are hard to analyze on a big scale. Thanks to the connectors to all systems, you will have visibility over the whole infrastructure. Therefore, you can be sure that the new change will be deployed everywhere in a consistent manner, and you can also easily audit that.
Even though these might be perceived as pretty specific steps when thinking about an unknown change, they have a simple justification. You need to get to a state where you have everything done systematically with the ability to reconfigure anything painlessly. Any exceptions, wrong data, systems that are not connected properly, or even flawed processes will make even a tiny change complicated, and that will slow down or even stop the progress. Therefore, if you have the time, spend the effort to connect, clean up, and automate to prepare for all the new fancy stuff that the future will bring.
—Igor Farinic, CEO, Evolveum; academia@evolveum.com
A: Identity governance is driven by three factors: internal policy, government or industry regulation, and the advancement of technology. Therefore, changes in identity governance are usually led by changes in identity technology because governance can only be as strict as the state of the art allows. So, the best way to prepare for changes in identity governance is by watching the “technological frontier” for new best practices.
One example of emerging best practices is the current shift to passwordless login using passkeys. Passkeys and their associated standards will cause a change in policy. But, for now, the major policies that govern the research and education community are basically ignorant of passwordless technology.
NIST 800-171, by way of example, includes requirements for dealing with passwords like enforcing minimum password complexity and disabling password reuse. But, with industry giants like Google, Apple, and Microsoft all now embracing passkeys as best practice, one can imagine that a successor document to NIST 800-171 is likely to discourage password use altogether. Also, the recommendations it makes around two-factor authentication would become obsolete because of the inherent second factor associated with a passkey.
It’s easier for a practitioner to see changes like passwordless coming when they have knowledge of emerging best practices. So, individuals and organizations who make a habit of educating themselves on the cutting edge give themselves a leg-up. By the time best practices become hard policy, the most forward thinking are usually already compliant or nearly compliant.
—Drew Capener, Software Engineer, Omnibond; drew@omnibond.com