Colleges and Universities appear a lot like other businesses on the surface. They have large employee populations, lots of customers, and central IT shops that provide the same kinds of technology services you’d expect at any big company. On campuses, as in corporations, you’ll find service offerings like networking, desktop support, administrative systems, email, collaboration platforms, parking, facilities access and more.
While the services are similar, organizational culture, business practice, and customer needs are very different in Higher Ed. Technology solutions built to solve enterprise problems (especially identity management solutions) often fall flat when it comes to addressing Higher Ed needs. As a Higher Ed identity management professional, your biggest frustrations are likely to come from 1) trying to strongarm enterprise software solutions to fit the use cases at your campus, and 2) trying to educate executives from corporate backgrounds that you should not terminate a user’s enterprise credential the moment their entry in the HR system expires (among other common re-education trials).
This article gives a high level overview of 5 key areas in which identity management in Higher Education is different than in enterprise. I shared these observations in a presentation at last year’s Identiverse conference and will be publishing a blog series soon to dive into each of these points in more detail.
- Collaboration is as important as competition
Businesses tend to invest heavily in defining clear boundaries around proprietary information and services. A primary focus for enterprise security is ensuring that anyone not employed by the enterprise has as little access as possible to the stuff inside the perimeter.
In Higher Ed, on the other hand, openness is a mandate. Here are a few samples from mission statements at large research universities:
“The distinctive mission of the University is to serve society through transmitting advanced knowledge…”
“To impact society in a transformative way — regionally, nationally, and globally — by engaging with partners outside the traditional borders of the university campus.”
“The discovery and dissemination of new knowledge are central to its mission.”
A corollary to the value placed on openness is the prioritization of collaboration as much as competition. In order to achieve intellectual and scientific breakthroughs, researchers must collaborate with colleagues around the world at other Universities, research organizations, and the private sector.
Enterprise security solutions that focus on limiting access exclusively to “internal” users can be counterproductive to Higher Ed identity professionals who need to provide access to a wide range of users in a secure fashion.
- Federation means much more than bilateral SAML integration
I learned about “federated” identity within the context of a large university (one of my first jobs as an identity professional was leading UC Berkeley’s efforts to join the InCommon Federation). Later in my career, I remember being very confused when I started reading about products that had the word “federate” in the brand name, but did not conform to the standards of multilateral federation that were essential to meet our campus needs.
Multilateral federation is widely adopted in Higher Education. Multilateral federation starts with an organization, the federation, that establishes a trust framework for member organizations. The federation defines baseline practices for establishing digital identities and managing user attributes. Federation members agree to abide by those practices, and register their Identity Providers and Service Providers with the federation. InCommon is the Higher Ed and research federation in the US and the metadata aggregate includes over 500 registered Identity Providers and over 4,000 Service Providers. Federation operators around the world have further collaborated to create a combined metadata aggregate, eduGAIN, which serves as a trust framework for hundreds of universities around the world.
The adoption of federation means that one university can host a global research project, and collaborators from across the globe can log in to the project’s collaboration platform with their home institution credentials – less time creating and managing access, more time doing the research! Federation has been so successful in Higher Ed and research that REFEDS (The Research and Education Federations Group) recently launched a new international initiative to envision the next generation of Federation.
Many enterprise identity solutions claim to support “federation”, meaning a bilateral SAML integration, but do not support participation in a multilateral federation out of the box. This can be a big challenge for Higher Ed identity management staff who are trying to explain to executives why the snazzy new cloud identity solution they saw at the last conference won’t magically solve a campus’ identity management headaches.
- Collaboration extends to building and supporting open-source software solutions
The need to provide a technology framework to support research collaboration turned into a collaboration of its own. University IT staff from across the country, in partnership with non-profits like Internet2, worked together to define a common data schema (eduPerson) that would facilitate the use of shared services. Collaborative efforts resulted in the creation of an institutional framework (InCommon in the US) and software (initially Shibboleth) that enable and extend multilateral federation.
As research organizations adopted federation, their use cases spawned the creation of new open source projects to address related identity management challenges. Over the past four years Internet2’s Trust and Identity in Higher Education and Research (TIER) initiative raised significant resources through cash and in-kind developer contributions from campuses across the country to further build and enhance open-source identity solutions targeted to Higher Ed and research use cases (see Nick Roy’s IDPro article from August 2018).
By demonstrating interoperability with popular open-source solutions, commercial identity solution providers would likely gain not just better traction, but deeper appreciation and greater long-term business opportunities within the Higher Ed identity community.
- “External” Users are core to the business
Many businesses separate their identity efforts into enterprise identity and customer identity programs. Employees need access to enterprise systems, and customers need access to the company’s products and solutions. But even within the realm of “enterprise” identity, every business has users who do not qualify for an enterprise account but need access to enterprise systems. Those “external” users often include contractors, retirees, corporate alum, and collaborators.
In Higher Education, you might think of “enterprise” users as students, faculty and staff of the university, and “external” users as applicants, parents, alumni, research collaborators, continuing education students and more.
Higher Ed is like an amalgam of enterprise and customer identity in that many customers are essentially “external” users who need access to the same enterprise applications used by enterprise users. Many universities use the same Learning Management System for enrolled students as they do for programs geared toward “external” continuing education students. And parents are “external” users that log into the same enterprise billing systems used by students and staff.
When you take into account the hundreds of thousands of alumni and applicants, the number of “external” users at a university can easily dwarf the number of enterprise users. And those external users are critical to the university’s brand and funding strategy. So enterprise solutions that make it very difficult to grant access to “external” users might deliver more cost than benefit to a campus trying to streamline access to services.
- Account lifecycle management in Higher Ed has a different beginning, middle and end
Enterprise user account management is typically closely tied to the ERP. An employee is hired, entered into the ERP, and that spawns a workflow to create an identity record and prompt a user to create an account.
In Higher Ed, the user account lifecycle is different from enterprise at the beginning, middle, and end.
- Beginning – Universities often have multiple Systems of Record, such as a staff ERP, a Student Information System, and possibly an Alumni system, Medical Center, and more. A person entered as a new record in one system may already have an active record in another. So most universities build or buy an identity matching solution to reconcile these records and create an organization-level persistent unique identifier per person. This unique ID can then be easily integrated with a wide variety of identity solutions for provisioning and central access management.
- Middle – In Enterprise, an employee might change roles during their tenure, so access controls might need to be adjusted during the “middle” of an employee’s tenure. In Higher Ed, a user will often be fully terminated in one System of Record while their record in a second System of Record remains active. For example, a student might have a multiple campus job records start and terminate in the HCM before they graduate. Likewise, an active employee might return to graduate school and be added and removed from the student System of Record all while they maintain active employee status. These challenges are often not addressed well in commercial identity solutions.
- End – A common practice in enterprise identity is to revoke enterprise credentials as soon as an employee’s job record terminates in the ERP. If I had a dollar for every time a CISO or Internal Auditor asked me why former employees could still log in with their campus credentials, I would be a rich woman. In Higher Ed, users don’t leave. Their digital identity lifecycle runs in lockstep with their human lifecycle. Alumni and faculty emeriti have access for life. A former employee might be an alum, or might volunteer for the library. A mandate to terminate a user’s Single Sign-on credentials when employment ends is not consistent with the mission of the University (see point #1) and identity management solutions targeted to Higher Ed need to address the importance of managing authorization well so that users can enjoy lifelong authentication.
If you’ve read this far, chances are you either work in the field of Higher Ed identity or you provide software solutions that you would like Higher Ed institutions to adopt. If the former, I hope these points resonate with you and I’d love your feedback/input. Any big differences I missed that I should incorporate into the blog series? If the latter, I hope this articles gives you some ideas of how your products, integration plans, and/or documentation can be modified to address business needs in Higher Ed. I plan to launch to blog series next month, and you’ll find it at the Cirrus Identity blog.
Dedra Chamberlin
Founder and CEO of Cirrus Identity, a cloud-hosted digital identity solutions provider. She served as Deputy Director of Identity Management at UC Berkeley and UC San Francisco for many years. She speaks regularly at Higher Ed and Digital Identity conferences when she’s not building her company, rowing a boat, or traveling with her family. https://www.linkedin.com/in/dedrachamberlin/