Case Study: Identity Management Capabilities
Rise in the Cloud
Maryland Institute College of Art
Securing the campus is no easy task. IT departments at most colleges and universities have implemented identity and access management (IAM) at some level as one component of their security framework to limit the institution's exposure to risk. Many institutions begin by developing homegrown IAM applications to protect information about their constituents and to enable secure access to resources by authorized users. However, the cost to maintain and extend a homegrown IAM application to address a continuous stream of new systems and applications, new users and communities, and new business and trust models is forcing IT departments to ask themselves: “Is this the best use of my IT staff and budget?” The Maryland Institute College of Art (MICA) concluded, "No."
After a less than successful outing with one IAM vendor, MICA looked at replacement IAM solutions; this time, including cloud-based IAM solutions. Fischer’s cloud-based Identity as a Service™ solution was selected as it provided greater capabilities, a contemporary technology platform and eliminated daily administration of the IAM solution. Specifically, MICA reported the following outcomes after switching to Fischer:
- Refocused staff on more critical projects
- Improved quality of service
- Reduced help desk calls for password resets by 75%
- Reduced provisioning errors to zero (0)
- Decreased "wait time" for new accounts
- Increased security
- Reduced preparation time for audits
"Critical success factors" and "lessons learned" are also provided.
Founded in 1826, Maryland Institute College of Art (MICA) is the oldest continuously degree-granting college of art and design in the nation. The College enrolls nearly 3,500 undergraduate, graduate and continuing studies students from all 50 states and 57 countries in fine arts, design, electronic media, art education, liberal arts, and professional studies degree and non-credit programs. Redefining art and design education, MICA is pioneering interdisciplinary approaches to innovation, research, and community and social engagement. Alumni and programming reach around the globe, even as MICA remains a cultural cornerstone in the Baltimore/Washington region, hosting hundreds of exhibitions and events annually by students, faculty and other established artists.
MICA’s Office of Technology Systems and Services supports the educational mission of the College as well as its business, administrative, and electronic communication needs. The department’s small staff helps guide the College in using technology with a goal of providing outstanding service and support to the College, its students, faculty, and staff. With its small size, the department focuses on helping achieve academic goals and proactively adopts methods that cost-effectively provide value to the College’s constituents. MICA had developed a partially-automated IAM solution in 2007 and replaced it in 2010 with a vendor solution to gain additional automation and integration capabilities.
MICA’s homegrown IAM solution could not address their business and technical requirements, such as supporting their migration from Exchange to Google Apps. Their first vendor solution resolved some issues, but created additional challenges.
Password Reset Challenges:
High Help Desk Volume Caused Poor Service Levels. Initially, with its homegrown solution, 65-70% of MICA’s help-desk calls were for password resets. During the first 3 weeks of each semester, about 90% of help-desk time was dedicated to password problems. MICA had to dedicate 2-3 people to respond to queries and problems. As a result, the college was unable to meet their targets for customer service levels to end users; e.g., users waited one-to-two hours for passwords to be reset and substantially longer during peak periods.
Users Sometimes Wrote Difficult-to-Remember Passwords in Non-Secure Places. Many end users continued to use the system’s randomly-generated password, and because calling the help desk was a hassle, many of these users wrote their passwords to remember them, often in non-secure places.
User Provisioning Challenges:
Influx of Students Created Delays at Beginning of Each Semester. The addition of new students each semester delayed other processes performed by the help desk. As students arrived, the volume of user account related questions and issues increased dramatically. This made it difficult for staff to respond to other requests such as computer configurations or network troubleshooting. In addition, problem resolution to provisioning related questions could take days to complete, which tarnished public relations with the new people. IT development was also delayed as troubleshooting account-related problems required about 25% of a developer’s time to determine whether an account had been provisioned, disabled, etc.
Incomplete Deprovisioning Resulted in Orphan Accounts. MICA had no standard process for deprovisioning user accounts and IT was usually not notified when a staff person left the institution, which led to 3,500 orphaned accounts. Also, the deprovisioning process was sometimes incomplete and did not disable all accounts for a departing user, as removing Active Directory access didn’t disable some types of accounts.
Reuse of Accounts Created Security and Compliance Problems. About a fourth of departing staff and students returned to the college months later and expected to use the same accounts, but that was often not possible: when an account was deleted, its ID was sometimes reused for another person. For example, if John Smith left MICA, his JSMITH account would be deleted; if MICA then hired Joanna Smith, the JSMITH account would be recreated for her. This caused additional problems, as the new person might gain access to confidential FERPA records belonging to the previous holder of the account.
Difficulty Responding to Urgent Requests for New Accounts. MICA provisioned user accounts once per day; although this did not directly cause problems, IT sometimes received desperate calls to provision new users, such as adjunct professors, who had not submitted paperwork to HR until just before they needed the resources. To provide immediate access, IT could run an ad-hoc provisioning routine, but this activity caused problems by circumventing some controls.
Inefficient Workflow Processes for Account Naming. As part of their user provisioning process, MICA has had a longstanding policy to allow user input regarding their own account names. For example, if someone named Edward was known as Ted, his account names would reflect what he was actually called. However, to support this policy when someone’s name changed, many manual processes were required by multiple people. Delays resulted as MICA didn’t have a good notification system for when each person needed to take action.
Risk of FERPA Violations. Distributing credentials to new users was an error-prone mail-merge process. MICA faced an on-going risk of FERPA violations if credential letters were lost, mis-delivered or shared with the wrong person.
Help Desk Challenges:
Inefficient and Error-Prone Password Resets. The help desk required training to make password resets on multiple systems. The processes that were developed were inefficient and had significant error rates as staff had to sign into multiple systems to take a single action: One system provided information to assure that they were working with the right accounts, and then they managed the accounts using another system.
IT Personnel Could Access End-User Passwords. Numerous IT people had access to a database containing most end user passwords, which meant that any of them could have potentially logged into an end-user account by pretending to be an end user.
Lengthy Audits Caused by Insufficient Processes and Tracking. MICA was unable to track when or why accounts were provisioned or deprovisioned due to a lack of standard processes; therefore, MICA required a large amount of time during financial audits to answer questions about IT access.
Difficulty Managing and Auditing Accounts for Contractors. Manual processes for provisioning contractor accounts lacked accountability of exactly who was using accounts, who sponsored the accounts, and for what purposes. This led to long deprovisioning delays when a contractor departed.
Challenges with First IAM Solution Vendor:
MICA’s first commercial solution provided additional automation for user provisioning and deprovisioning, which provided some relief, but the solution failed to address some key requirements, and created additional challenges.
Help Desk Remained Overburdened. Only 5% of users actually adopted the first solution, so when a user forgot a password, calling the help desk continued to be the only option to reset the password. Also, distribution of credential letters was inconsistent or inaccurate, causing further burden to the help desk to correct the problems.
Some Requirements Were Not Addressed. The solution failed to manage access for contractors and it needed a programmer to write code to perform required actions.
Unexpected Expenses. The vendor’s licensing model proved to be unclear so that expanding to alumni, parents and others would not be affordable.
As MICA has limited IT staff, they sought solutions that combined comprehensive capabilities with user-friendly self-service interfaces and low administrative requirements. MICA’s prior experience with SaaS applications led them to evaluate and ultimately select Fischer’s cloud-based Identity as a Service® solution in 2011 to further automate provisioning and deprovisioning activities for key applications. Fischer’s identity portal enables end users to securely reset their own forgotten passwords, and authorized end users can request or approve access to resources. All provisioning and password management activities in the solution are recorded for audit and reporting purposes.
The Implementation Process
Detailed Planning Included Cost-Benefit Analysis. During the implementation process, MICA knew PeopleSoft would be the source of authority for IAM, and that they wanted to build on what had been accomplished with the first vendor solution; however, planning involved rolling up their sleeves for two weeks to answer many other questions, such as exactly which data elements would be needed by each system for each process. MICA determined which resources to automatically provision based on their expected results. In doing so, they considered their level of pain, the anticipated impact of automation, as well as how widely the resources were used.
Automated and Self-Service Processes Were Implemented in Phases. During the first phases, MICA automated provisioning and deprovisioning for several applications, including groups/roles for Google Apps, PeopleSoft Campus, PeopleSoft Portal and Active Directory. This included automatically provisioning resources for students, faculty, alumni and staff. The self-service portal provided password reset capabilities and enabled authorized users to request additional resources. MICA chose to not automate provisioning for applications that have few users or for applications that are rarely used. Fischer performed the implementation and MICA tested the solution prior to placing it into production.
Key Decisions Led to Success. MICA made key decisions that positively impacted the implementation as well as improving user acceptance. First, they decided to minimize changes during the implementation by continuing to use their existing PeopleSoft processes to extract information about provisioning events such as matriculation, new hire, etc., which shortened the discovery and implementation processes. Also, for the account distribution process for new users, MICA chose to require users to enter information that would enable them to later reset forgotten passwords. New accounts are activated immediately after an end user completes this task.
MICA achieved their goals by using the Fischer solution:
Password Management Improved Quality of Service. MICA has had a 100% user adoption rate with Fischer. Users securely reset their own forgotten passwords within a couple minutes instead of waiting for the help desk. The solution also synchronizes each user’s passwords so they have fewer passwords to remember.
Reduced “Wait Time” for End Users. Automated user provisioning further improves quality of service by reducing wait times for faculty, students and staff to receive required accounts and privileges. When a student matriculates or when someone is hired, resources are provided based on their start dates. Also, adjunct faculty who don’t complete HR paperwork until their first day of classes can now access their own accounts in time for their first classes.
Streamlined Process for New Account Distribution Eliminated Risk of FERPA Violations. MICA no longer distributes new account passwords. Instead, users securely create their own initial passwords that are easier to remember than generated passwords.
Help Desk Refocused on Customer Service After 75% Reduction in Calls to Reset Passwords. MICA’s help desk has refocused its efforts to concentrate on improving customer service, especially at the beginnings of semesters when new students and employees are welcomed to MICA, as password-reset calls were reduced by 75%. Training for staff to use the Fischer solution is minimal and, since Fischer is a comprehensive solution, only one system is required to validate users and reset passwords.
“Zero Error Rate” for Automated Provisioning and Improved Accuracy of Manual Activities. MICA relies on the accuracy of Fischer’s automated provisioning solution as their error rate for automated provisioning has been reduced to zero. MICA can also correct keyed errors, such as when HR incorrectly inputs that an employee has been terminated: Once HR corrects the error, the person’s access is re-enabled and no data is lost. The Fischer solution also automates account name changes to improve accuracy and timeliness, and it notifies the persons required for manual name change activities, such as PC maintenance.
Eliminated Risk of Inappropriate Access to User Accounts. When a person departs MICA, information entered into PeopleSoft automatically initiates deprovisioning processes to prevent orphaned accounts. Also, authorized persons can use self-service to terminate the access of departing persons. MICA also reduced risk by eliminating the user credential database so that user credentials cannot be accessed by administrators.
Reduced Risks Associated with Contractor Accounts. MICA deleted contractor accounts whose users were unknown and now holds contractor sponsors responsible for the accounts they sponsor. Sponsors use the self-service interface to request access for contractors and to specify each contractor’s termination date, which can be modified later; requests must also be approved prior to fulfillment.
Improved Control by Preventing Reuse of User IDs. MICA’s account IDs are now unique and are no longer reused. If a person later returns to MICA, his/her accounts can be easily re-enabled as all account information is retained for one year before it is automatically deleted.
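The JSMITH problem described under "Reuse of Accounts" and the no-reuse policy above can be expressed as a small identity store. The following Python is an added illustration, not Fischer's or MICA's code: it issues unique IDs, never reuses an ID even after its data is purged, disables rather than deletes, re-enables a returning person's own account within the one-year retention window, and records every event for audit. The `person_id` key (standing in for an immutable source-of-authority identifier such as a PeopleSoft ID), the ID-generation scheme and the dates in the comments are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=365)  # page: account data is kept one year, then deleted


@dataclass
class Account:
    uid: str
    person_id: Optional[str]  # assumed: immutable key from the source of authority (e.g. a PeopleSoft id)
    status: str = "active"    # active | disabled | purged
    disabled_on: Optional[date] = None


class Directory:
    """Identity store that never reuses a uid, disables instead of deleting,
    re-enables a returning person's own account, and records every change."""
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}  # every uid ever issued, purged ones included
        self.by_person: dict[str, str] = {}     # person_id -> uid while data is retained
        self.audit: list[tuple[date, str, str, str]] = []  # (when, event, uid, reason)

    def _log(self, when, event, uid, reason) -> None:
        self.audit.append((when, event, uid, reason))

    def _fresh_uid(self, first: str, last: str) -> str:
        base = (first[0] + last).upper()  # assumed naming scheme: first initial + surname
        uid, n = base, 1
        while uid in self.accounts:  # any uid ever issued is taken, even a purged one
            n += 1
            uid = f"{base}{n}"
        return uid

    def provision(self, person_id, first, last, today, reason) -> str:
        uid = self.by_person.get(person_id)
        if uid is not None:  # returning person inside the retention window: same account back
            self.accounts[uid].status, self.accounts[uid].disabled_on = "active", None
            self._log(today, "reenable", uid, reason)
            return uid
        uid = self._fresh_uid(first, last)
        self.accounts[uid] = Account(uid, person_id)
        self.by_person[person_id] = uid
        self._log(today, "provision", uid, reason)
        return uid

    def deprovision(self, person_id, today, reason) -> str:
        uid = self.by_person[person_id]  # source-of-authority event (e.g. HR termination) drives this
        self.accounts[uid].status, self.accounts[uid].disabled_on = "disabled", today
        self._log(today, "disable", uid, reason)
        return uid

    def purge_expired(self, today) -> list:
        """Erase personal data of accounts disabled longer than RETENTION; the uid stays reserved."""
        purged = []
        for acct in self.accounts.values():
            if acct.status == "disabled" and today - acct.disabled_on > RETENTION:
                self.by_person.pop(acct.person_id, None)
                acct.person_id, acct.status = None, "purged"
                self._log(today, "purge", acct.uid, "retention expired")
                purged.append(acct.uid)
        return purged
```

With this store, Joanna Smith hired after John Smith departs receives JSMITH2, John's own JSMITH is re-enabled if he returns within a year, and a later return after purge yields JSMITH3, so no record ever becomes reachable by a different person.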
Reduced Time for Identity-Related Audits by 50% - 67%. MICA simplified their auditing processes for reporting who has access to each resource as well as for reporting password reset activity. Automated audit and reporting capabilities enabled MICA to reduce by half to two thirds the time required to answer questions from auditors and others.
Next Steps. MICA’s future plans include extending the solution to allow parents of students to request their own accounts and granting earlier access to resources for recruits. They also plan to automate tasks required to selectively transition temporary workers to become permanent workers.
Critical Success Factors
Several elements were key to MICA’s success.
- Goals and expectations for the solution were clearly articulated.
- The solution was implemented in multiple phases with goals specified for each phase.
- IT and business units worked together to ensure affected processes would provide desired results.
- Change management assures that all solution changes are made through the Fischer solution itself, rather than through another process, such as scripting.
Lesson 1: IAM is the Backbone for Other IT Projects. MICA came to understand that an institution is never finished with IAM; rather, it’s a process and you have to pace yourself. MICA viewed Fischer’s solution as the “glue” that could tie together systems and applications. They realized that if other IT projects were to succeed, the IAM solution must continually evolve, and at a pace that supports current IT investments as well as new IT projects.
Lesson 2: IAM is a Communal Project, Not an IT Project. An IAM project models, and potentially redefines, business processes. MICA engaged business people to influence requirements and decisions about workflows in an effort to garner support, as well as to avoid expenses and disruption after going live. Involving business people was vital as MICA found that the most difficult part of implementing an IAM solution was mapping the workflows and business logic.
Lesson 3: Pick High-Value Resources for Automated Provisioning. MICA learned to be selective regarding resources for automated provisioning and they chose resources used by many people on a frequent basis. They chose not to automate provisioning for specialized applications as projected benefits were not commensurate with projected costs.
Lesson 4: Select a Partner, Not Just a Vendor. According to MICA, schools don’t usually describe their experiences with vendors as “positive.” However, MICA learned from the Fischer project that a vendor can become a trusted partner and can be invested in the College’s success.
MICA’s experiences prove the value of a well-planned IAM solution as well as the potential complexity and the pitfalls in choosing and implementing solutions. IAM affects many aspects of an institution and can have wide-ranging implications that affect quality of service, costs, security, public relations and even an institution’s abilities to recruit and retain talented people. As such, it’s vital that IT selects the right solution and works closely with business units to assure they understand and positively impact key processes. Performed well, IAM positively impacts institutions of all sizes.
Document MCC-13-150A April 2013
Copyright © 2010-2013 Fischer International Identity, LLC. All rights reserved.
Fischer International, Fischer International Identity, Identity as a Service, Ignite IT, Ignite Federation, Identity Management Made for Higher Education and IaaS are the trademarks and/or registered trademarks of Fischer International Identity.