The Black Book of Identity Access Mgmt
    Sunday, April 4, 2010

    TODAY’S LESSON: IDENTITY MANAGEMENT FOR HIGHER EDUCATION

    As an identity management “professional” (a term for which I qualify because people have been foolish enough to pay me for this nonsense), I’ve had to deal not only with the matter of the technology, but also the individual business requirements of my clients, i.e. the stuff they sweat. I’ve learned a lot about a lot of businesses, industries, verticals, market segments, and so on. Public or private, they all have their own issues and compliance requirements. They also have their own identity and access issues.

    One of the more peculiar and aggravating set of requirements is found in HIGHER EDUCATION. Universities often have IT staffs with incredibly long tenures and low pay scales. Nothing much ever changes. When you have meetings, EVERYBODY shows up. It breaks up the monotony. But these people are very dedicated, and know every corner of every system. They’ve built lots of kludgy scripts to create accounts on their unix systems, or to kick off cron jobs for cleanup purposes. They must do a lot with very little budget. They provide space for little skunkworks projects that all have their own databases. There’s lots of sensitive information in pockets all over the place.

    Most of my higher ed customers have either Peoplesoft or Banner for their HR app. That’s the easy part, getting users into the system. After that, it gets hairy. Provisioning is largely done by the help desk.

    Corporations think they have it hard trying to figure out how to provision and govern access for employees, customers, partners, contractors, and vendors. But higher ed has it even stranger. They’ve got

    • Applicants and registrants
    • Undergrads and grad students
    • Faculty and staff
    • Alumni
    • Adjuncts and assistants
    • Regular employees
    • Retirees and emeritus

    These different designations are often called AFFILIATIONS. It gets even more interesting when you consider that a person can easily have multiple affiliations. For example,

    • A student going back for a second degree is also an alumnus
    • Grad students are often assistants
    • Plenty of students are also employees (book store, cafeteria, etc.)
    • And so on

    In addition to these user types, they might also have high schoolers who are given guest accounts, as part of a recruitment program, or to take early college credit courses; program managers for local merchants or municipalities who get free labor from the students in exchange for signing off on community service hours; and associated schools with whom the university might have an exchange program.

    At one east coast school I visited, they operate a teaching hospital, with doctors (employees) who are alumni, pursuing additional degrees as grad students, and also teaching. These users have a spider’s web of affiliations.

    So what’s the problem there? CONTEXT. A very common app at universities is Blackboard, for managing curriculum, communications, classroom materials, you name it. Well, what if you’re teaching as well as taking classes, and therefore use Blackboard in multiple contexts? This can be handled creatively through roles or group memberships, of course, or badly by handing out multiple IDs to a user. But wait! At one community college, they showed me their many, many combination roles: student-employee, student-athlete, student-assistant, etc. I showed this to my math-teacher wife, who did some funky things with factorials and figured out that these geniuses could theoretically generate about a billion roles.
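Here is an added example, not code from the post, of the two designs the paragraph contrasts: one identity carrying a set of affiliations whose entitlements are unioned (so a teaching student simply has both Blackboard contexts), versus minting a separate role for every combination. The affiliation names, entitlement names and the policy table are constructed for illustration. The count of distinct non-empty combinations of n affiliations is 2^n - 1, so with 30 affiliations the combination-role approach passes a billion roles on its own.

```python
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed for this example: affiliation names and the entitlements each one
# carries. A real campus would source this table from its identity policy, not code.
AFFILIATION_ENTITLEMENTS: Dict[str, Set[str]] = {
    "student":   {"blackboard:learner", "email", "file-share", "cafeteria-card"},
    "employee":  {"blackboard:instructor", "email", "hr-self-service"},
    "alumnus":   {"alumni-portal", "email-forwarding"},
    "assistant": {"blackboard:grader", "lab-access"},
}


def entitlements_for(affiliations: FrozenSet[str]) -> Set[str]:
    """One identity, many affiliations: the access set is the union of what
    each affiliation grants. Adding or dropping an affiliation is a set
    operation, not the creation of a new combination role."""
    unknown = set(affiliations) - set(AFFILIATION_ENTITLEMENTS)
    if unknown:
        # Fail closed: an affiliation the policy table does not know grants
        # nothing, and is an error in the feed that produced it.
        raise ValueError(f"unknown affiliations: {sorted(unknown)}")
    granted: Set[str] = set()
    for affiliation in affiliations:
        granted |= AFFILIATION_ENTITLEMENTS[affiliation]
    return granted


def blackboard_contexts(affiliations: FrozenSet[str]) -> List[str]:
    """The Blackboard contexts (learner, instructor, grader, ...) one account
    should be able to switch between, derived from its affiliations."""
    return sorted(
        e.split(":", 1)[1]
        for e in entitlements_for(affiliations)
        if e.startswith("blackboard:")
    )


def combination_role_count(n_affiliations: int) -> int:
    """How many roles you mint if every non-empty combination of affiliations
    (student-employee, student-athlete-assistant, ...) becomes its own role:
    2**n - 1, one per non-empty subset."""
    return 2 ** n_affiliations - 1


def enumerate_combination_roles(affiliations: Iterable[str]) -> List[str]:
    """Spell out the combination roles for a set of affiliations, the way the
    community college in the post did by hand."""
    names = sorted(affiliations)
    return [
        "-".join(combo)
        for size in range(1, len(names) + 1)
        for combo in combinations(names, size)
    ]


if __name__ == "__main__":
    teaching_student = frozenset({"student", "employee"})
    print(sorted(entitlements_for(teaching_student)))
    print(blackboard_contexts(teaching_student))  # ['instructor', 'learner']
    print(enumerate_combination_roles(AFFILIATION_ENTITLEMENTS))
    for n in (4, 10, 30):
        print(n, "affiliations ->", combination_role_count(n), "combination roles")
```

The point of `entitlements_for` is that the policy table stays the size of the affiliation list, while `enumerate_combination_roles` grows exponentially and every new affiliation forces you to revisit every existing combination.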

    One inane thing that many, many schools do is provision a user as quickly as possible, then take forever to revoke that same access. You signed up for the fall term? Here’s your email account, space on the file server, cafeteria card, and dorm access card. Oops, you never showed up for classes, not even once? Well, nobody’s looking, so you get to keep all that stuff until at least Christmas, if not summer. Remember, the turnover at these places is astounding. Students, employees, and student-employees come and go in large numbers each year. Kids sign up for classes and/or jobs, then never show up.

    This is where certification is a very good thing. Have all the teachers certify, after the official cut-off (usually a few weeks into the semester), that everybody on the class list actually attends. De-certify the no-shows, so that your excellent provisioning system removes their access to class material. Never came to the dorm? The R.A. should de-certify them as well, killing their access card. They’ve been decertified from all their classes? Then kill their email account, even if it’s being used. In fact, ESPECIALLY if it’s being used. Oh, and also kill their space on the file server, which is likely filled with MP3 files and Torrents of pirated movies.
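The certification sweep described in the last two paragraphs, as an added example that is not the post’s own code: resource owners (instructors for class rosters, the R.A. for the dorm) attest who actually showed up after the cut-off, anyone on a roster who was not certified loses that resource, and a user de-certified from every class loses the services that only made sense while attending. Account names, resource names and the attestations are constructed sample data. One caveat the post does not spell out is handled here: a resource whose owner never submitted an attestation at all is reported as pending rather than revoked, so a silent instructor does not knock out a whole class.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: each entitlement names the resource it grants.
# "class:<code>" is a Blackboard course context, "dorm:<hall>" an access card,
# plus the email account and file-server space every student is handed.
ACCOUNTS: Dict[str, Set[str]] = {
    "alice": {"class:BIO101", "class:CHEM200", "dorm:west-hall", "email", "file-share"},
    "bob":   {"class:BIO101", "class:MATH150", "dorm:west-hall", "email", "file-share"},
    "carol": {"class:CHEM200", "email", "file-share"},
    "dave":  {"class:BIO101", "email", "file-share"},
}

# What each resource owner attested after the add/drop cut-off. MATH150's
# instructor never answered, so that resource has no entry at all.
CERTIFIED: Dict[str, Set[str]] = {
    "class:BIO101":   {"alice"},
    "class:CHEM200":  {"alice", "carol"},
    "dorm:west-hall": {"alice"},
}

# Services that only make sense while the user is attending at least one class.
DEPENDENT_ON_ANY_CLASS = {"email", "file-share"}

Event = Tuple[str, str, str]  # (netid, entitlement, reason), for the audit trail


def run_certification_sweep(
    accounts: Dict[str, Set[str]], certified: Dict[str, Set[str]]
) -> Tuple[Dict[str, Set[str]], List[Event], Set[str]]:
    """Return (updated accounts, revocation events, resources still pending).

    Revocation is driven by the owner's attestation, not by how long the
    account has existed: anyone on a certified resource's roster who is NOT in
    the certified set loses it. The input dicts are not modified.
    """
    updated = {netid: set(ents) for netid, ents in accounts.items()}
    events: List[Event] = []
    pending: Set[str] = set()

    # Derive rosters from current entitlements: who currently holds each
    # certifiable resource.
    rosters: Dict[str, Set[str]] = {}
    for netid, ents in updated.items():
        for e in ents:
            if e.startswith(("class:", "dorm:")):
                rosters.setdefault(e, set()).add(netid)

    # First pass: per-resource de-certification by the resource owner.
    for resource, roster in sorted(rosters.items()):
        if resource not in certified:
            pending.add(resource)  # no attestation yet: flag, do not revoke
            continue
        for netid in sorted(roster - certified[resource]):
            updated[netid].discard(resource)
            events.append((netid, resource, "not certified by resource owner"))

    # Second pass: de-certified from every class -> dependent services go too.
    # Users who never had classes (staff, alumni) are left alone here.
    for netid, ents in sorted(updated.items()):
        had_classes = any(e.startswith("class:") for e in accounts[netid])
        has_classes = any(e.startswith("class:") for e in ents)
        if had_classes and not has_classes:
            for e in sorted(ents & DEPENDENT_ON_ANY_CLASS):
                ents.discard(e)
                events.append((netid, e, "no remaining certified classes"))

    return updated, events, pending


if __name__ == "__main__":
    after, revoked, still_pending = run_certification_sweep(ACCOUNTS, CERTIFIED)
    for netid, entitlement, reason in revoked:
        print(f"REVOKE {netid:<6} {entitlement:<16} ({reason})")
    print("pending attestations:", sorted(still_pending))
    print("remaining:", {k: sorted(v) for k, v in after.items()})
```

On the sample data, dave is dropped from BIO101 and, having no other class, loses email and file space as well; bob is dropped from BIO101 and the dorm but keeps his email because MATH150 is merely pending. The returned event list is what you feed to the provisioning system and keep for the auditors, since a revocation with no recorded reason is as hard to defend as a stale account.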

    In the USA, schools must comply with FERPA, the Family Educational Rights & Privacy Act, a federal law that protects the privacy of student education records. FERPA applies to all schools receiving funds from the Department of Education. For younger kids, parents get pretty much any info they want, except in the case of a divorce, where the guardian/parent decides who can see what data. In the case of higher ed, however, the student gets to decide, even if the parent is paying for school. Universities have reported many instances where divorced parents have tried to weasel information out of a school about their kid’s grades, costs, etc. American schools also deal with CALEA, the Communications Assistance for Law Enforcement Act. If you provide internet access (like schools do), you must provide the necessary surveillance capabilities, in case you're asked. While an identity initiative may have nothing at all to do with CALEA, just mentioning it makes it sound like you've done your homework.

    Schools with medical or psych programs often videotape exam sessions, and need to stringently protect that media, which is often digitized and stored on a server. If a school has no clinic or medical services, they might still be keeping medical info, and therefore HIPAA matters. If they do provide medical services, then HIPAA really, really matters.

    All schools accept credit cards. Many simply accept the numbers but don't store them. Many outsource so they don't have to sweat PCI compliance. One school lost half a million credit card numbers, and paid millions for credit monitoring.

    Even though they’re not necessarily corporations, schools believe that SOX compliance is a matter of time. Schools that receive corporate grants must regularly comply with requests related to the money they’ve received.

    Another pesky thing that schools regularly deal with is subpoenas. Authorities come to them with paper asking for information on

    • Who paid a student’s tuition
    • Email contents, incoming and outgoing
    • File folder contents (what did the stupid kid download?)

    Most schools can set their own policy on how long to keep a user’s email around for analysis before they blow it away. They try to keep this timeframe as short as possible.

    This is just a snapshot of what there is to know with higher ed and IdM. If you’re an IdM professional, you also know that schools have been accustomed since the 1970’s to getting hardware and software cheaper than anybody else. You can thank a couple of vendors in particular for that. I won’t name names, because I’ve got enough people who already want me dead.

    Reader Comments (1)

    good sh!t pal

    November 17, 2011 | Unregistered Commenter Walter
