In our previous blog, we looked at how higher education institutions can ease the burden on IT by automating their identity management processes. While it is important to automate as much as possible to save time and resources, this cannot come at the expense of ensuring secure access.
Failure to secure the applications and infrastructure of higher education institutions has resulted in many being fined for data breaches, suffering reputational damage, and facing costly bills and downtime while they restore user data.
Students often have a lot of time on their hands and are naturally curious – which can be a good thing in the right circumstances. However, this curiosity can result in them trying to “push the envelope” and see what they can access on the network. In the best-case scenario, they won’t find anything and will lose interest. However, if students find something interesting, they may use the data they shouldn’t have access to as a trophy to prove their credibility among peers. Or they may change the data to, say, improve the grades that they have on record, use financial and medical data for personal gain, or even delete data causing significant disruption to teaching and research.
An example of breaking into a university computer system to change grades was reported in the Los Angeles Times in 2018. Adam Bowers, a computer science major, gained unauthorized access to the University of South California’s computer systems, changed his grades and sold his services to other students.
At the University of Central Florida, Ricky Joseph Handschumacher broke into the computer systems and deleted data causing significant damage and disruption to the university’s operations. It cost the university $200,000 to restore its systems.
Higher education institutions must protect their systems against such attacks as they prove expensive in terms of data protection fines, the cost of restoring systems, or reputational damage.
So, even though they may lack the budgets, resources and access to qualified security professionals, higher education institutions need to do everything they can to protect their applications, data, and network infrastructures.
Many higher education institutions have found that having an effective Identity Governance and Administration (IGA) solution helps them to protect their applications, data, and network infrastructures without adding a significant burden to the IT teams. In another previous blog, we discussed how deploying the right solution can increase their efficiency.
Let’s examine the areas that successful IT teams in higher education institutions consider when protecting their environments.
Over the years, there have been many reports of students “poking around” their college networks and discovering that IT has granted them access to systems they should not be able to access. There are two likely causes of why this has happened – they were either granted those rights inadvertently when they joined, or IT subsequently gave them additional access unnecessarily. Procedures in place to tightly manage the initial onboarding and granting of additional access prevent these situations from arising.
Administrators need to onboard many students and lecturers before the start of a new academic term. Performed manually, the onboarding process is time-consuming and prone to human error. However, through a combination of defining specific roles and entitlements ahead of time along with automation, administrators can onboard large numbers of students quickly based on the courses they are on.
For example, IT could determine that all users (e.g., lecturers, students and admin staff) need basic services such as email, printing services and a network drive. Then, for lecturers, they could determine that they need access to the HR system and the online student grading database. For students, they could look at splitting entitlements based on their course – for example, giving maths students access to statistics packages and computer science students access to programming tools.
With roles and their associated entitlements determined ahead of time, administrators can quickly assign the right access to students, lecturers, and other staff. This process can be optimized further by tying the identity management solution to authoritative sources such as the lecturer HR database and the student records database. From these sources, the identity management solution can determine everyone’s role automatically and assign them the correct entitlements.
During their time in education, a student may need to request additional access to systems to use more functionality, or they may need access to other systems. Before granting additional or new access, application administrators must ensure that the request is valid. An IT administrator is unlikely to be able to validate these requests as they do not have a complete understanding of specific applications or the requirements of individual students at different stages of a course. As a result, the IGA solution should be set up to route approvals to the most relevant person to make that decision. The approver could be a faculty head or an application owner responsible for the administration of the application. To maintain control over who has access, the approver should understand both the application and the course requirements.
While making it easier for IT to grant students and lecturers more access is essential, ensuring that IT only grants users the access they need is equally important. Over time, users are typically granted access to more systems as required, but very often, access rights that are no longer needed are not revoked. As a result, users have access to more systems than necessary, resulting in additional security and compliance risks as well as unnecessary increases in software licensing costs.
To prevent this escalation of unnecessary privileges, security administrators should regularly audit user access to all applications to verify that they still need access. As manually performing this audit is time-consuming and prone to human error, higher education institutions should look to automate this process. Fastpath Certification allows security administrators to schedule regular access certification campaigns where appointed application owners must certify that the access granted to each user is still appropriate. Suppose the application owners determine that access is no longer needed. In this case, it can be revoked, resulting in increased security and compliance as well as a potential reduction in software license fees.
Like onboarding, offboarding a large number of students who have finished their courses at the end of the academic year can be time-consuming and prone to human error. As described above, the best way to automate this process is to integrate an IGA solution with an authoritative system such as the student records database. When a student’s record changes to reflect that they are no longer studying at the institution, the IGA software will automatically de-provision user access.
Ensuring that students, lecturers and other employees in higher education institutions only have the access to the right systems at the right time is challenging. This challenge is tough due to the large number of students across many different courses that must be onboarded and offboarded simultaneously.
Higher education institutions that have deployed an IGA solution can automate the join-move-leave processes, which reduces the number of IT resources needed while ensuring high levels of security and compliance.
To find out more about how Fastpath can help you with the automation of your user management: