IAM Brings Higher Security to Higher Education

See how six universities around the world have deployed advanced IAM solutions from One Identity to improve security and visibility of their always-changing populations

www.oneidentity.com

EBOOK

Post on 06-Jun-2020



Campus identity management, a challenge like no other

In higher education today, students, faculty and staff must have ready access to the information, applications and systems they need for their studies or to do their jobs from anywhere and at any time. That doesn’t count external third parties—researchers, partners, suppliers and service providers—who need remote access to campus networks, too.

But delivering this kind of seamless accessibility can be tough for colleges and universities. That’s because their users are always changing. A guest researcher might need access for just a few days, and some students may enroll for just one month-long class. Then there are the tsunamis, like when 5,000 graduates become alumni on one day, or when 5,000 new students arrive on campus at the start of an academic year.


Identity and access management, a key to securing higher-ed networks and resources

To address these challenges, higher-education institutions need to consider deploying an identity and access management (IAM) solution across their entire IT infrastructures and application platforms. Of course, doing so can be easier said than done.

Of course, one goal would be to accelerate onboarding and deprovisioning of users, which can be complicated by the changing roles and needs of users. What’s more, IT departments must also standardize those roles and maintain compliance with their own and government-imposed security and privacy regulations.


Identity Manager

With Identity Manager, colleges and universities can unify security policies and meet governance needs with these kinds of capabilities:

• Automates enterprise provisioning to any system, platform or application, replacing outdated systems and manual procedures

• Integrates policies for all non-privileged and privileged users

• Extends investment in governance beyond on-premises applications

• Satisfies compliance and audit requirements

• Unifies policies from multiple sources to reduce risk exposure

• Verifies and enforces SAP-optimized segregation of duties

• Facilitates user self-service and single sign-on

One Identity Safeguard. More and more, many colleges and universities are also deploying Safeguard to take the risk out of shared privileged credentials. It automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. In addition, it easily meets compliance requirements for privileged accounts and makes creating audit reports faster and easier.

Active Roles

Active Roles provides administrators of Microsoft Active Directory (AD) and cloud-based Azure Active Directory (AAD) with automated tools for user and group account management. Benefits include:

• Protects critical Active Directory and Azure Active Directory data

• Regulates administrative access via a least-privilege model

• Automates user/group account creation and deletion

• Manages identities for Exchange Online, Lync, SharePoint Online, Office 365 and many more

• Provides a single, intuitive tool for hybrid AD/AAD environments

• Generates audit-ready reports

• Deploys quickly for rapid time-to-value

• Keeps track of who made what change and when

One Identity solutions for hardening higher-ed security

That’s where One Identity IAM solutions can help. Easy to deploy and use, their features and capabilities can save IT staff time. User experiences can be vastly improved. And, most important, security can be strengthened across the entire higher-education enterprise.


On the following pages, learn how these six global universities are improving and simplifying IAM for their users and IT staffs:

• Wayne State University: Identity Manager and Starling Connect

• Western Carolina University: Identity Manager and Identity Manager–Data Governance Edition

• Radboud University: Identity Manager

• Cornell University: Active Roles

• Canadian University Dubai: Identity Manager and Password Manager

• Ankara University: Safeguard for Privileged Sessions

Discover how six universities around the world have deployed One Identity solutions to strengthen their security


“It’s definitely been a massive improvement … the ability to create business roles in Identity Manager and assign those to groups.”

Eric Dau, Lead Applications Technical Analyst, Wayne State University

Today, Wayne State University … has the IAM solution it needs to improve security, data protection and service levels. In addition to increasing IT uptime, boosting staff efficiency and decreasing complexity, the university can now easily scale its offerings to support growth and change. Wayne State University achieves this by:

Customer Profile

Company: Wayne State University

Industry: Higher Education

Country: United States

Employees: 9,000

Students: 27,000

Solution: Identity Manager and Starling Connect

Partner: Immersion Technologies

Simplifying and improving data protection and access

Wayne State University increases efficiency and security by streamlining IAM workflows with One Identity solutions

Giving the right people the right access

• Students, staff and faculty gain quick access to the digital resources they require—and only those resources—whether it’s financial, health, credit card, class, student or research data.

Enforcing the right level of control

• Users’ access is based on their assigned business roles and user groups.

• Standardized IAM workflows ensure compliance with HIPAA, FERPA, GLBA and SOX regulations.

Using the right processes

• Instead of writing code to manage needed changes in IAM—such as adding connections between applications—IT staff use prebuilt connectors and a point-and-click interface.

• Automated provisioning and deprovisioning workflows make required changes to the university’s Active Directory, so these processes are no longer manual.

• Because the new IAM solution is less complex and easy to scale, the university has simplified managing growth and turnover in the university population.

Read the full Wayne State University case study here


“We have a 360-degree view of our users in Active Directory with Identity Manager. As a result, we got rid of 70,000 inactive profiles, which cuts risk.”

Stanley Hammer, Chief Technologist, Western Carolina University

Today, Western Carolina University … has identified and cut 70,000 inactive accounts to improve security, freed up 2,000 hours of IT staff time yearly for other tasks, and saves $5,000 annually in software subscriptions supporting students or applicants. Western Carolina University achieves this by:

Customer Profile

Company: Western Carolina University

Industry: Higher Education

Country: United States

Employees: 1,600

Students: 10,800

Solution: Identity Manager and Identity Manager–Data Governance Edition

Partner: Immersion Technologies

360-degree insight into users’ profiles cuts risk

Improving security, student services and savings, while reducing IT support calls by 24 percent

Giving the right people the right access

• Applicant and student user profiles are automatically provisioned and deprovisioned based on changes in the student information system.

• The university substantially reduced the number of administrative accounts that can change passwords.

Enforcing the right level of control

• When university applications are received by the student information system, applicants are notified by email within 8 minutes to activate their account using the provided student ID and one-time-use URL.

Using the right processes

• During the activation process, applicants set their passwords and choose to take advantage of the self-service password-reset feature.

• Each profile is associated with specific roles and access privileges, so IT staff can see all the roles associated with each person and whether they are active—and determine how access originated.

Read the full Western Carolina University case study here


“Identity Manager differentiated itself from other solutions due to its completeness—it allowed a single product to tackle all of the issues we face, on both a provisioning level and a governance level.”

Jos Groenewegen, Senior Manager, Radboud University

Today, Radboud University’s … IAM solution combines both access provisioning and governance to simplify IT’s work, freeing up time for other tasks. The university can respond much faster to changing legal requirements and deployments of new technologies. Radboud University achieves this by:

Customer Profile

Company: Radboud University

Industry: Higher Education

Country: The Netherlands

Employees: 40,000

Students: 19,000

Solution: Identity Manager

Partner: Intragen BV

University cuts enrollment time by 50 percent

Radboud University boosts agility, cuts costs and positions itself for the future with effective identity and access management

Giving the right people the right access

• Given the university’s large stores of sensitive data, role-based access ensures that users have only the access to the resources they need at any given time and nothing more.

Enforcing the right level of control

• Role-based IAM helps the university avoid “entitlement creep”—when individuals accumulate retained access privileges simply by changing jobs within the university.

• By combining identity provisioning and governance in a single solution, the university has strengthened its overall security.

Using the right processes

• With security processes running smoothly, the university greatly reduces user avoidance of security measures or workarounds, thereby improving compliance and, ultimately, the university’s security posture.

• By modeling entitlements and unifying user identities, the university has improved the user experience, including cutting enrollment time from 2-3 days to just one.

• The new IAM solution has facilitated change management within the university’s organization, further reducing IT’s workload.

Read the full Radboud University case study here


“The suitable price, the ease of use, the strong technical support as well as the smooth operation—all convinced us that we made the right decision when we chose Safeguard for Privileged Sessions.”

Riza Ayhan, Manager of IT Department, Ankara University

Today, Ankara University … has much more visibility and control of the access that third parties have to its networks and servers, especially remotely supported ones. These include UNIX/Linux servers running Oracle RDBMS and Windows machines running .NET Framework, Microsoft SQL Server and the Student Information System. Ankara University achieves this by:

Customer Profile

Company: Ankara University

Industry: Higher Education

Country: Turkey

Employees: 11,600

Students: 66,500

Solution: Safeguard for Privileged Sessions

Partner: Profelis Bilisim Ltd.

Preventing data loss at Ankara University

Ankara University mitigates the risk of providing access to external service providers

Giving the right people the right access

• The university improved the control and monitoring of the remote desktop (RDP) and secure shell (SSH) connections by external third parties that support five internal servers hosting mission-critical functions and sensitive user data.

Enforcing the right level of control

• To improve secure server access further, the university also implemented its solution’s credential store and four-eyes authorization options.

• External service providers are more cautious during their remote sessions because they know their actions are being watched.

Using the right processes

• The university securely stores its external service providers’ user sessions in time-stamped files and can search these records if forensic evidence of malicious activities is needed.

Read the full Ankara University case study here


“One Identity Manager provides the tools we need to control and manage all of the roles and security permissions we have to deal with. Its level of flexibility and governance across our very diverse identity landscape is ideal for us.”

Mohammad Fayaz, IT Applications Manager, Canadian University Dubai

Today, Canadian University Dubai … is much more secure overall, saving substantial amounts of IT staff time and improving the experiences of its many thousands of users. In particular, it has overcome a huge IT bottleneck at the start of each semester. Canadian University Dubai achieves this by:

Customer Profile

Company: Canadian University Dubai

Industry: Higher Education

Country: United Arab Emirates

Employees: 400

Students: 4,000

Solution: Identity Manager and Password Manager

University drastically reduces identity administration time and effort

Canadian University Dubai streamlines its identity admin and governance processes, cutting provisioning time from 48 hours to 5 minutes

Gives the right people the right access

• Despite an extremely diverse identity landscape, the university has given all users the ability to remotely change their default passwords from their offices, homes or mobile phones.

• Depending on their respective roles, users can access different resources and applications they need without sacrificing security.

Enforces the right level of control

• Role-based IAM has helped keep access privileges aligned with responsibilities, preventing users from accumulating multiple credentials they don’t need in their jobs.

• The university eliminated extra permissions that were sometimes mistakenly given users, which increased security risks.

Uses the right processes

• By centralizing and automating standard IAM activities, the university was able to reduce the average provisioning time from up to 48 hours to as little as 5 minutes.

• Password issuance and management ensure user passwords adhere to the university’s security policy—even issuing reminders when it is time for a reset—without IT’s involvement, freeing up tremendous amounts of IT staff time.

Read the full Canadian University Dubai case study here

Read the full case study about Cornell University here

“Because of Active Roles, I believe that the trust in our central IT organization’s ability to deliver reliable service has increased — not to mention the reduction in risk and corresponding increase in security.”

Muhammad Arif, Identity Management, CIT, Cornell University

But that’s not the case today … Cornell University centralized and automated its AD identity and access management with an institution-wide policy and operational AD model that also governs Unix/Linux users. This greatly reduced the risk of intrusions and data theft while still providing administrative flexibility. Cornell University achieves this by:

Customer Profile

Company: Cornell University

Industry: Higher Education

Country: United States

Employees: 10,071

Students: 23,600

Solution: Active Roles

Partner: Active Roles

Cornell makes the Active Directory security honor role

Cornell University suffered risks common to higher education: transient students, contractors, and staff can be subject to phishing and other attacks, perpetrate attacks, or be lax with login credentials. Possessing over 100 independent, unmonitored Active Directory (AD) domains added to those risks.

Gives the right people the right access

• The university can operate its diverse AD environments with full confidence that nothing can happen unless it is within the established policy, and many actions can now happen with no IT intervention.

• Admins get the permissions needed to do their jobs, which can be rolled back if needed, and actions can be tracked and audited.

• Additionally, IAM for the university’s Unix/Linux user communities, Azure AD domains, and numerous web applications can now all be governed and controlled within the IAM administrative model using an Active Directory bridge.

Enforces the right level of control

• IT centralizes administration of 100+ AD domains yet supports flexible options such as Temporal Groups, template-based workflows and sub-delegation of admin privileges.

Uses the right processes

• The university implemented new features in its AD management model to meet new requirements.

• IT can provide such capabilities as delegation and sub-delegation, naming convention enforcement, change history and enforcing policies for AD objects.


#GetIAMRight

Industry experts recommend One Identity solutions for IAM

• Leader: Gartner September 2019 Magic Quadrant for Identity Governance and Administration

• Readers’ choice: Award winner for Governance, Risk and Compliance by Information Security magazine

• Awarded Best IAM Project by KuppingerCole at EIC to Identity Manager customers three years in a row

• Comprehensive leader and product leader in the KuppingerCole Leadership Compass for Access Management and Federation

• Recommended Identity and access management solution provider by SC magazine

Learn more about how you can #GetIAMRight with One Identity.


oneidentity.com

© 2019 One Identity LLC. ALL RIGHTS RESERVED. One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.oneidentity.com/legal.

All other trademarks, servicemarks, registered trademarks and registered servicemarks are the property of their respective owners.