The organizational structure of colleges and universities makes them one of the most interesting industries for addressing identity challenges. Students, faculty and staff often change roles, and a new wave of students enters the organization at the start of each semester or quarter. When a student can simultaneously be a faculty member or staff, mapping their various personas is necessary for granting proper access to systems and applications. I spoke with a SailPoint customer in the higher education space who shared the importance of their identity governance program and the impact it has had on the university.
This customer was using a legacy identity and access management system, Oracle Identity Manager, and was searching for an innovative replacement solution leveraging a governance-based approach. They also needed assistance managing a single authoritative source that would aid in provisioning and tracking users with multiple affiliations – something only a next-generation identity governance solution could provide. “We were in a tangled legacy environment and needed to build a program with a modern extensible framework,” the customer shared. After considering vendors to partner with on this next phase of their identity program, SailPoint was selected to provide approximately 50,000 active users with secure access to their applications and data.
First on their roadmap was retiring their legacy solution and migrating their identity program to SailPoint. During this phase, it was important for them to make sure their data was clean, which was necessary to start the program correctly. This ensured the access an employee received was consistent with their job, and nothing more or less was granted. An identity within a university community can have multiple affiliations, though – students can be faculty, faculty can be staff, and there’s often movement between various roles. Mapping a 360-degree view of access from different sources based on affiliations helped ensure their data was correct. They were then able to establish the business rules for automated provisioning and de-provisioning of user access to business applications and data.
The identity team then went on to focus on creating an identity source that feeds SailPoint’s IdentityIQ. Legacy email provisioning was retired and replaced by birthright provisioning for Gmail and Office 365. This allowed users immediate access to their email as soon as their identity was established in the system. The identity team is now heads-down on the design work for building the provisioning process for Active Directory that will improve timeliness and data within IdentityIQ. They plan to go live with this functionality, as well as provisioning access to additional applications.
Because it is common for people to have multiple personas within higher education, these identity programs are some of the most complex. Identities are constantly coming and going at universities, and the needs for security and accessibility continue to compete. Our customer views a leading identity program as critical for maintaining a secure campus and complying with regulatory standards. “Your identity program should be at the center of your IT security strategy,” our customer shared. “Our IT administration has streamlined, and the quality and accessibility of our identity data have improved with our next-generation identity program. The university as a whole has greatly benefited.” As this higher education client continues to innovate their IT and learning environments, they shared that it is becoming increasingly important to maintain clean data, which helps ensure only the right people have access to the right systems and data, at the right time. “This can only be done by centralizing your provisioning,” they shared.
I asked our client what the biggest lesson learned from their experience leading this program has been. They shared the need to avoid biting off too much – especially at first. “Start with a focused, clear objective, make successes, build on them and keep learning. Identity governance programs, when done right, take time. SailPoint is helping us transition into being a proactive IT organization.” They also emphasized the importance of having an executive sponsor and maintaining communication across all groups that need to be involved – groups that often otherwise operate separately.