Perhaps more so than any other vertical, higher education faces complex and challenging issues when it comes to identity and access management. Continuously throughout the year, many accounts can easily become orphaned or dormant as the roles of students, professors, and other staff constantly evolve and change with course offerings, matriculations, and graduations.
The university life cycle is complicated, and the manual, ad-hoc, traditional systems that institutions often rely on to maintain security and governance are far from sufficient. The strength and automation of an Identity and Access Management (IAM) solution, however, can enhance the controls that halt the growth of misappropriated, dormant, and orphaned accounts without the difficulty of home-grown, legacy implementations.
Unregulated Entitlements and Credentials Create Risk
Across any organization, and especially with higher education networks and systems, identities, entitlements, and credentials are dynamic and ever-evolving:
- Identities – records of people and nonhuman personas. In university systems, this includes students, professors, administrative staff, and more.
- Entitlements – grant identities access rights. In a higher education scenario, entitlements can change with academic timelines, class schedules, and departmental changes and transfers.
- Credentials – used by identities to sign into systems. They include passwords, tokens, or certificates.
Identities, entitlements, and credentials are created, updated, and deleted as needed throughout an academic year. But in a typical four-year structure, colleges and universities are turning over thousands of graduates each spring, revoking entitlements, changing identities, and reorganizing credentials. And in the fall, new entitlements must be assigned to many more thousands of recently enrolled students.
This active, overlapping, and manual process is ripe for human error and misappropriated accounts and profiles. When the process breaks down, orphaned and dormant accounts propagate. Left unmonitored, these stray accounts increase risk and vulnerability to bad actors.
An Automatic Solution Creates Opportunity
An IAM solution automates and augments this process by strengthening governance and reducing vulnerability. By introducing automatic access deactivation and control processes, an IAM implementation cuts down on the number of inappropriate access rights and lost accounts.
Using a control mechanism for orphan and dormant accounts and profiles, an IAM system can:
- Find orphan accounts not associated with an owner.
- Find orphan user profiles that have no accounts.
- Find dormant accounts with no recent login activity.
- Find dormant user profiles, which contain only dormant accounts.
- Submit these results as a request to automatically disable and/or remove them. Actions may be automatically or manually approved.
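The steps listed above, as an added example that is not code from the original page or from any IAM product: it classifies a small inventory into the four categories and builds a disable request with per-category approval. The 90-day dormancy threshold, the record fields, the approval policy and all sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from a real directory): profile id -> note,
# and accounts with owner profile id, creation date and last login.
PROFILES = {"p1": "student, enrolled", "p2": "graduate, 2023", "p3": "adjunct, no accounts"}
ACCOUNTS = [
    {"id": "lms:p1",   "owner": "p1", "created": date(2022, 9, 1),  "last_login": date(2024, 9, 28)},
    {"id": "mail:p1",  "owner": "p1", "created": date(2024, 9, 20), "last_login": None},
    {"id": "lms:p2",   "owner": "p2", "created": date(2019, 9, 1),  "last_login": date(2023, 5, 30)},
    {"id": "vpn:p2",   "owner": "p2", "created": date(2020, 1, 15), "last_login": None},
    {"id": "lab:svc7", "owner": None, "created": date(2018, 3, 2),  "last_login": date(2024, 9, 30)},
]

def find_stray(profiles, accounts, today, dormant_after=timedelta(days=90)):
    """Classify accounts and profiles into the four categories listed above."""
    cutoff = today - dormant_after  # 90 days is an assumed threshold

    def is_dormant(acct):
        # A never-used account is aged from its creation date, so accounts just
        # provisioned for newly enrolled students are not flagged.
        last_seen = acct["last_login"] or acct["created"]
        return last_seen < cutoff

    dormant = {a["id"] for a in accounts if is_dormant(a)}
    owned = {}  # profile id -> ids of accounts that resolve to that profile
    for a in accounts:
        if a["owner"] in profiles:
            owned.setdefault(a["owner"], []).append(a["id"])
    return {
        "orphan_accounts": sorted(a["id"] for a in accounts if a["owner"] not in profiles),
        "orphan_profiles": sorted(p for p in profiles if p not in owned),
        "dormant_accounts": sorted(dormant),
        # Only profiles with at least one account can be dormant; a profile
        # with none is an orphan profile instead.
        "dormant_profiles": sorted(p for p, ids in owned.items() if all(i in dormant for i in ids)),
    }

def build_request(findings, auto_approve=("dormant_accounts",)):
    """Turn findings into disable actions; other categories need manual approval."""
    return [
        {"target": t, "reason": cat, "action": "disable",
         "approval": "auto" if cat in auto_approve else "manual"}
        for cat, targets in findings.items() for t in targets
    ]

if __name__ == "__main__":
    for item in build_request(find_stray(PROFILES, ACCOUNTS, today=date(2024, 10, 1))):
        print(item)
```

Routing orphan accounts to manual approval keeps an ownerless but active account such as `lab:svc7` from being disabled before someone confirms what depends on it.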
Within the vast hierarchy, complexity, and overlapping higher education timelines, the manual operation of this control mechanism can be a monumental task. At the university level, without active and consistent analysis, these stray accounts and profiles can grow exponentially, leaving your organization less agile and, ultimately, more vulnerable.
Moreover, once an IAM solution and its automatic yet robust control processes are in place, ongoing monitoring of these accounts makes it easier for institutions of higher learning to purge legacy access rights and retrofit home-grown solutions, work that would otherwise take ages in a manual-only process. It’s a win-win.
People often revere universities for their hallowed halls, but schools should be diligent so that orphaned and dormant accounts don’t become part of that deep history long after people have departed. Consider an IAM solution to keep your organization’s system and digital hallways clean, tidy, and secure.