September 19, 2019

Is a Cloud Identity Solution Right for Your Institution?

All higher ed institutions want the same thing: to be secure and compliant while not sacrificing growth.

What if you could see all your users, apps, and data, understand who has access to what for your entire IT ecosystem, all while maintaining user productivity?

Governing digital identities from the cloud can tackle it all.

However, not all cloud technologies are made equal. While many vendors claim to provide a true cloud-architected identity solution, they differ dramatically with regard to core service offerings, maturity, and costs.

Cut through the clutter.

In this webinar, we will discuss current identity technologies and determine which is best suited for your educational institution.

Key takeaways from this session:

  • Understand how to improve user experience and secure the access environment while limiting the impact on IT resources
  • Review the current cloud identity vendor landscape
  • Discover an effective classification model that matches cloud-based identity technology with the unique needs of your educational institution

Video Transcript

Shae Mann: Welcome, everyone, and thank you for joining us for today’s webinar, Cloud Identity for Higher Education: Maximize security, minimize impact on resources. I’m Shae Mann and I will be your moderator today.

Joining us today is Adam Bacia, Senior Cloud Technology Evangelist at SailPoint. We also have Donovan Blaylock, Director of Higher Education Solutions here at SailPoint presenting for us today. And we have got a lot to cover. So with that, Adam, I will pass it over to you to get us started.

Adam Bacia: Thanks Shae, appreciate it. So actually, before we kick off, I wanted to do just a couple of quick poll questions to kind of get a feel for what our audience maturity level is in terms of identity management and also you know in terms of cloud adoption. So if we can, we’re going to see if we can kick off a quick question for everyone to answer, hopefully you guys will see that pop up on your screen.

All right, looks like most folks have answered. So that’s good news. Shae, if you don’t mind popping up the second question for everyone.

This one really again is, you know, we’re asking, does your organization currently use cloud based solutions for any practice? Again, what we’re talking about is if you have salesforce.com for your CRM, if you’re using ServiceNow for your services Incident Management Pack, if you’ve got Workday for your HR system. Just want to make sure we understand sort of where folks are at in terms of their cloud adoption, so please let us know.

Okay, just a couple more seconds for everyone to finish up.

All right. I think that’s everybody. Awesome. Well, thank you so much, that kind of will help Donovan and I, as we go through framing up the type of conversation that we want to have today and make sure we’re covering this in a way that sort of addresses the needs of the actual audience online.

So with that, let’s go ahead and dive in. Now when we talk about identity in higher education, people often associate that with enabling students and faculty to access information in a timely fashion.

And that is, of course, critical, but identity also plays another part in higher education, and that’s cyber security. Securing access to sensitive data is one of the biggest challenges facing IT departments in higher education today.

I think most of us know that preventing a data breach has always been an uphill climb, but unfortunately that hill really is getting steeper and here’s what I mean.

First of all, the cost of cybersecurity is rising, with an estimated 124 billion being spent worldwide this year alone. And at the same time we currently have millions of unfilled information security positions and vacancies are going to continue to rise.

These numbers represent the total worldwide across all industries, including higher education, but in our own experience we’ve even talked to some institutions that were so short-handed they were using part-time student workers to manage security.

Now these rising costs and personnel skill shortages, coupled with sort of persistent security, cyber security threats and regulatory pressure are really creating a huge risk potential for higher education.

And the problem, of course, is you can’t sacrifice security compliance simply because you have limited resources. The fact remains, the cost of preventing a breach is nothing compared to the cost of remediation after an incident has occurred.

Some of you may have heard just recently hackers were able to access student data, including grades, financial information and social security numbers, through a vulnerability in an enterprise resource planning system.

That massive breach affected 62 colleges and universities. The ERP firm has since published a patch to fix the security flaw. That serves as a reminder that security really needs to be of the utmost importance for higher education.

What am I talking about here? Well, studies show that it costs higher education institutions $260 per compromised record.

You can imagine just how many records each of those 62 universities had compromised that the total financial exposure was enormous.

And yet when another analyst from the talent group conducted a survey of 100 higher education institutions they found that 69% of respondents said they’re spending less than 1/10th of their IT budget on security.

More often than not, institutions just don’t have the resources to do what they really need, even if they have the budget. So how can we help address these issues? Well, part of the answer is the reason we asked the question, right.

It’s already gaining adoption, but really the cloud is bringing a lot of new opportunities to organizations that don’t have dedicated resources. And in fact, another research firm, MeriTalk, estimated that 62% of higher education applications would be cloud based by 2021. That essentially means 2/3 of all applications that organizations like yours are using are going to be based in the cloud in just two years.

Now, the other part of the solution is identities, or really more specifically the ability to govern identities and their access rights to applications and files, wherever that information resides. By coupling those two parts, cloud based identity governance has the potential to deliver ideal security and compliance capabilities, even for higher education institutions with limited resources. So let’s dive into cloud based identity governance to better understand what it is and how it can benefit colleges and universities.

First off, when we say identity governance, we’re not focusing on single sign on or authentication, that’s really just access. While that is an important element of identity, we want to focus on sort of the governance side of things, the technology that enables higher education institutions to determine and control who has access to what, who should have that access, and then how that access is being used.

See, when you have deep visibility and control over digital identities’ access rights, you’re able to improve users’ access experience while simultaneously mitigating separate security and compliance risks.

Moreover, you enable more efficient IT and operational processes that ultimately drive cost savings.

So with all that said, let’s go ahead and dive into how this applies specifically to you in the field of higher education. And for that I’m going to turn it over to Donovan, who’s going to highlight some of the identity use cases that are most relevant in a higher ed setting.

Donovan Blaylock: Thanks, Adam. Hi, everybody. So yeah, let’s look at a practical discussion here around some of the specific use cases, we see unique in the higher education space.

There are some similarities out there, of course, with most commercial customers, but higher ed has some that are very commonly unique to them. And that we see almost consistently across every higher ed customer that we have. So I’m going to focus on some of those today and deep dive into what those might look like. And those concerns might be so that you can understand kind of one of the ways that we address these issues.

So without further ado, we’re looking at governing of complex user populations. The population of a university typically is extremely complex. You have students you have staff, you have something in between every service institutions even have an attached hospital.

That does work through your medical wing as well throughout your Medical University. There could be lots of permutations of types of people who are entering in the university.

You also have people that are alumni perhaps being managed by your organization and sometimes those groups are all managed together and sometimes are managed separate. However, one thing is consistent as universities always have your very complex user population to work with.

So that can be challenging. How do we keep those groups apart or together? How do we apply best practices that are needed for each?

And often the best practices for each type of population are very different from the other. First of all, they may have different types of regulation. We’ll talk about that in a minute. But they have different needs and different security concerns.

So those things often need to be managed a little bit separately, but you want there to be some sort of unified approach across the board. So you can make this a program which you can manage more effectively over time.

And then we’ll move to the next one, IT and operational efficiencies. This really does apply across the board to all types of customers out there, but it’s a little different when you talk to higher ed.

Often, you’re doing a lot more with a lot less. You’re dealing with very large numbers of people in your organization compared to a company that may be of a similar size from an income perspective. So the numbers of the people involved in your organization are typically much higher.

And the staff that’s dedicated to IT security in general is much lower than that of a bank. So I think I probably make some logical sense but you’re having to do more with less.

For that reason, often as Adam mentioned, people from university are sometimes involved. We have graduate students, some students helping out these endeavors. Sometimes it’s been homegrown solutions to meet some of the niche needs inside here as well that are built by the university and people that might come from the computer science department itself.

But the bottom line is, there are still requirements for security that still require them to meet government regulation and there’s still a need to protect what’s going on with the information that’s housed in these identity management platforms, but the parties and operational efficiencies are very key.

To make sure that it’s not only an efficient process, but you’re increasing the overall security of the enterprise to protect yourself from not only embarrassment of what may occur but information that gets leaked out can do quite a bit of harm to your organization and to the individuals as well. So there’s a built in need to really make sure this is done, not only efficiently, but in an effective manner.

Then we’ll move to the next one. So I mentioned this, before I alluded to this, but complying with government regulations can be a big deal and universities are interesting. You may have a contract with a government agency, let’s call it Department of Energy.

That department has a lot of regulation on how information about the people on that project are handled and there’s a handoff at some point in time between the Higher Education universities and them.

However, there is a hybrid section there too, which is the part that people typically control. Same thing happens if you have a teaching hospital attached to your university. There’ll be a handoff and often as a separate business unit, not always, but often it is, that there is a part with which you want to manage both of them inside your enterprise to meet the HIPAA guidelines. So GDPR being another. You have a foreign student or if you’re a university and you have a practice that either travels or has a campus overseas you face GDPR restrictions. So what I’m getting to is while the industry in and of itself does not have a lot of regulation, you touch a lot of areas that have regulation. So the needs to meet those regulations are often very clear and very needed and the expertise to do that can be very challenging to have at higher ed institutions.

Then we’ll move to the next one. So disparate processes. It is not uncommon for us to see when they go into an organization that there is a different stovepipe process for each key system across the university. Because they built from scratch. They built it as needed throughout the program and it sort of was a break fix for when things were done.

And these processes are often done different ways in different departments even inside the University so they each have their own little process and there’s no consistency across the board and checking or verifying or you know, doing compliance certifications, or any of that is inconsistent across the board. We’re seeing that fairly regularly throughout the enterprise higher education, and it’s not just efficient from a security perspective, but it’s a lot more efficient from a people perspective as well.

And then we’ll move to the next one. This is a really interesting one we see at almost every university I’ve talked to. So this is a very key requirement for multiple personas.

You will likely have people in your institution who are employees, but they also are going to school. They’re a student. And then maybe they sit on the Research Board and so these three sets of themselves, these three personas, is what we call them, have different kinds of access and they have different managerial changes that have different reporting requirements, they have different people who may need to see and request additional access on your behalf.

And those should never overlap. You may stop being a student at some point in time, but you’re still on the Research Board and you’re still an employee.

And when that gets terminated, it should never touch your access as an employee. So we see this pretty consistently, the need to manage while you being a single identity, a single person you have multiple, what we call personas, across the enterprise. And this is a pretty common requirement at universities as well. And then we’ll move to the next one. So the access workflows.

If you can normalize these really complex processes that have likely been built from the ground up over time into a more standardized practice, it allows higher education universities to get more lockstep with systems going forward. So to paint a picture here, you know, you’ve got a department and IT department who rolling on decided this is how you’re going to build ticketing systems, and this is when you’re going to open a ticket and this is how things go. Over time, that expanded out to a much wider audience of people who need to have change request put into the system for the university outside the IT department.

Very common that this has happened, right. What’s the process? How do they go in there? How do they access it?

And what are they going to use it for? And who can look at that data? Right, all those change over time as it has become more pervasive throughout the university, both amongst the employee body, but also the student body in the organization. And by the way, higher ed tends to really make those lines very gray.

Because always students need access to things as well: labs, specialized equipment, etc. inside the university, and they want to be able to see their stuff as well about themselves.

So this improving an access workflow is really built around taking an industry that often has built homegrown solutions and putting them into a more modern, sustainable, standardized fashion that we know works across multiple enterprises. So hopefully that makes some logical sense. We can certainly talk more about that up on YouTube. And then let’s go to the next one. That’s really big.

It mentions authoritative sources. And what is that?

When people come into a normal company, they come in typically through HR, and that’s normal. When people attend a university, they typically come in from three or five different ways.

So it can be very interesting how that works out. And it can be shared person coming from a different university that are coming a short time or they can come in through the employee system, or potentially have some HR, but there might be multiple HRs. What I’m getting to is your identity and your institution can be many different ways. So they’ll come from multiple what we call authoritative sources or systems of record that can create a new identity in your enterprise and this can happen in multiple ways.

You have to think about that when you’re dealing with identity and management and governance of those identities and the access overall because you need to normalize that a little bit so you can still manage them in a single system.

Even though they’re coming from separate systems likely with different types of attributes and different names of those attributes and different fields that don’t necessarily match up with the HR system of record.

Pretty used to doing that, this can help out an awful lot. It also helps provide a single source of truth, back when you have an identity stolen of all the people that come from all the authoritative sources, which is often a very nice thing to have. And it’s kind of a hidden benefit to deploying an identity governance solution. So hopefully that makes sense. And then we’ll go to the last one. The production of data.

I can’t speak enough to this and that is the amount of data being stored at higher education institutions is growing yearly exponentially.

Not only the number of megabytes, gigabytes and terabytes of data is growing, but the complexity of who has access to it is also growing exponentially.

So you may have a file storage out there on a box account that backs things up internally that are very important. And then maybe they share it with somebody and then that somebody else creates that share, and they share in a different place and share in a different method, and then another group being added to it. My point is when you look down on these files and folders you find a whole myriad of ways that people get access, people being granted access to a place where sensitive files are stored. This is becoming a real problem.

In the past we’ve really only kind of talked about here so far today, access to the systems and how you normalize that. But access is more than just the fact that those files and folders that often have the keys to your kingdom, they have very sensitive information. We’re seeing the breaches that occur, happening more and more in this area and less and less into the type of access people have into your critical systems. They’re going after the data because when they find a good shared drive out there that they can get into and extract personal information about students or employees, or what you’re working on for research grants. All that information can be used for nefarious purposes fairly easily from a shared drive perspective.

So hopefully that makes sense as well. So just a little bit on each one of these, but these are areas. We definitely see quite a bit in our education almost in every use case out there, and we do focus on those and we have specific parts of our products that help answer each one of these.

Adam Bacia: Alright, thanks, Donovan. So you know, obviously, having understood what cloud based identity means and really how it can benefit your institution, it’s also important to better understand what type of cloud deployment best fits your organization.

After all, there are different flavors of cloud. And just because a vendor says they have a cloud solution doesn’t really mean that they have the one that best fits your needs. So let’s explore how various types of cloud deployments work. Now we’ll start off with SaaS. This is a methodology that’s really developed exclusively to work from the cloud.

SaaS enables higher education institutions to rapidly adopt a comprehensive approach to identity. It really takes advantage of the fast time to value and ease of use that only a SaaS solution can provide.

SaaS deployment is especially ideal for colleges and universities that have very limited IT and financial resources dedicated to managing and maintaining an identity platform.

Primarily because SaaS requires no additional capital investment and it doesn’t require staff to manage ongoing upgrades, patching, etc.

So, you know, a tie on this one is the SaaS approach is really ideal for institutions that need fast time to value and ease of use, but who also possess minimal IT and financial resources.

The second one that we’ll talk about is the MSP approach and really, this one is sort of synonymous with hosted.

So, typically hosted solutions are delivered by a trusted managed service provider. However, in the case of SailPoint, we also have an offering of our own that is managed by SailPoint. So a lot of different ways that a hosted solution can be implemented.

In this deployment option, educational institutions delegate some or all of their identity governance administration to a proven service provider to assess, deploy, manage, and even support the overall identity efforts.

This program is probably ideal for institutions that, like the SaaS model, possess limited IT resources or want to focus their resources on other areas and also probably want to reduce their initial capital investment. However, they may also require some customization and configuration that needs very specific use cases. Donovan talked earlier about the multiple personas issue.

They may also have requirements for very specific systems. So systems that are homegrown or unique, something that is developed in house for a specific laboratory experiment or something of that nature. Costs are typically a little bit higher in this model, but it does allow for more flexibility.

And then last but not least, let’s talk about the hybrid model. So, you know, early on we asked a couple of polling questions and there were several folks actually that said that they already had an identity management solution in place.

That being the case, it’s likely a legacy solution. Otherwise, you probably wouldn’t be on this call. So if you’re using an Oracle or an IBM, something like that. You’ve got a legacy system that is already on premises.

This deployment model sort of helps because it kind of incorporates a combination of traditional on premises identity governance practices with some component of a cloud solution. So, it enables colleges and universities to maintain and configure many internal processes as needed, also capturing some of the benefits associated with cloud solutions. Probably the best example that I can give you is something like self service password management for end users. So you’ve still got some of your identity management being hosted in house, but at least to your end users, you can take advantage of the cloud and its ability to work on mobile platforms or from anywhere.

So, you know, to sort of summarize on hybrid, the approach may be the best fit for institutions that have existing, extremely complex identity management workflows and want to take more of a staged approach to moving their identity practice to the cloud. So again, we can even implement from a SailPoint standpoint for those folks that want to move off of a legacy platform to a modern platform, an instance of one particular platform on premises and then components of our in-the-cloud solution as well.

So like an MSP hosted deployment, there’s probably a strong need to provision some specific core educational systems that are unique and that’s another reason that folks typically will go with a hybrid approach.

So with all of that setup said, and also to make sure that people are still awake after hearing my voice, let’s throw up at least one more poll question to just kind of get a read up so you know based on the information you’ve heard so far, What deployment methodology, do you think would best fit your organization’s needs? And this will kind of help us sort of understand, and we will actually throw the results up here as everybody finishes voting.

A few more seconds to make sure everyone’s got votes in. There we go. Alright, so interesting.

So we’re actually seeing a lot of folks saying SaaS. And this is something that we’re seeing a lot more really in the industry as well, but 75% are saying that SaaS identity platform is kind of the approach that they want to take. A few folks for the others as well. So kind of an interesting result.

One of the things that I guess is key to sort of keep in mind. And just to make sure everyone understands, especially those folks that are talking about SaaS, the methodology for how you want to implement a cloud deployment is really equally important in terms of the type of solution you want to provide, to understand the cost and benefit of customization versus configuration.

And really, what is the best fit for you. So make sure as you’re talking to vendors about solutions, especially if you’re interested in a SaaS solution, that you understand if they have a true SaaS solution, something that is multi-tenant, something that delivers updates on a consistent, regular basis, so continuous delivery. All of those things are really important for a true SaaS solution.

Donovan Blaylock: So, the benefits of deploying identity from the cloud or from a hybrid solution. I think these make logical sense but you know it’s worth talking about each one of these a little bit right now. We mentioned several times now in different ways, the need to reduce in house expertise or higher expertise or having someone dedicated to this practice. That is the need across most higher ed. We mentioned they need to do more with less.

It’s easy to consume. It makes sense if universities are working with others or are signing up for spending down, they can very quickly change subscription models and I do find some benefit inside that as well.

So hopefully that makes sense. And then lastly we’ll focus on a couple of last ones, and that is deploying very rapidly.

And then slashing time for upgrades, staying current and secure, all those are very big. And then last but not least, what we focused on earlier, which is the configuration for the unique use cases that exist out there.

So hopefully those make sense. All of these are pushing in particular our higher education customers to going closer to the cloud.

Adam Bacia: And one thing that I’ll mention as well on this. So obviously, you know, rapid deployment and slashing lead times for upgrades. Those tend to be better focuses for SaaS whereas configuring for unique use cases may be a better fit for a hybrid solution, or even a hosted solution.

Donovan Blaylock: Thanks, Adam. That’s right. And so here’s a couple of questions to consider in how you’re going to deploy out there. SaaS versus some sort of hosted solution out there and, you know, do you have the expertise in house to do this right, that’s done this before or has done this successfully at another location, sometimes you do. But often, you do not. So the expertise question is a very legitimate one to ask yourself, in this type of situation.

And then also what is your time frame right. We prefer as a company to do what’s called crawl, walk, run, because you can get some wins when you deploy things over time. That makes sense. And you build this program more capable over time.

There are times when an organization needs to run really quickly. They’re all in. And those are kind of driven by the needs of the situation at hand inside each university out there and then how much time and effort are you spending for compliance issues. Some universities don’t have this as a high priority other ones do. And it’s because of the uniqueness of each higher education institution that whether or not these compliance efforts are important or not, that’s what drives those things, or it could be from an incident that happens fairly regularly also. And then you know how much configuration do you need.

Is the university willing to accept what is deemed best practices across the board for these functionalities or doesn’t really want to drive its own special use cases? That really kind of helps us decide if this needs to be a SaaS or hosted or a hybrid solution inside the environment, and again we can help make these decisions.

And then do you need to eliminate capital expenditure? I think, in general, most universities say yes, they want to go subscription for most things and this is a way to go in that effort as well, along with best practices, which is why we see the high cloud adoption in this particular vertical more than others out there.

So hopefully these questions help jog some things to think about when you’re deciding about how to do this and which method to go about. So thanks for that.

Adam Bacia: Okay, so we’ll actually go into a couple of key takeaways here. So one obviously not surprisingly cloud is here to stay, all of the research that we’ve seen really points to the fact that cloud adoption is on the rise in every industry vertical that we look at, but especially in the higher education space.

Again, going back to the quote from earlier, it sounds like at least 2/3 of all applications that higher education institutions will be using in the next couple of years will be in the cloud, so understand that cloud is the future and it does make sense to try and begin to at least make a migration path at this point, if you are on a legacy identity solution.

Identity reduces risk. So at the end of the day hopefully we’ve done a good job of explaining how combining all of the different pieces of information that reside in different systems about an individual, the things that they have access to, how they can access them, and then, in particular as Donovan pointed out, what data resides in those systems that they’re able to get to.

Having that all in one place and being able to manage it and govern it really is important, and so we believe that identity is sort of the future of how security will work for large groups of populations which obviously the higher education space has.

Cloud identity lowers costs. Again, particularly in the SaaS side of the house it is very easy to implement a solution. Pay for it via OpEx versus CapEx and have it just be an expenditure that works without having to, you know, hire up or train resources, especially in the higher education space where you may have turnover from student workers one year to the next year. It really helps to be able to have a steady stream solution in place that’s managed and maintained by a third party.

And then last but not least, one size does not fit all. Again, we went through several cloud methodology solutions so hopefully, folks understand that there is a difference between how cloud gets implemented and really do your homework, do some research to understand which solution is best for you.

If you want to come talk to us, we actually have solutions across the board for all those but we will take a very consultative approach to make sure we find that solution that best fits the type of organization that you have and where you’re looking to go.
