From Zero to Hero: Dealing with Active Directory & Identity Management in Higher Ed
Normal is not normal anymore. Higher Education institutions face challenges as never before: User identity lifecycle management. People coming and going. New devices needing access. Permissions that change regularly. And in this new post pandemic world, these challenges continue to grow.
Hello, everyone. Welcome to the premiere of our new exclusive virtual event series, ID 30. Today's topic-- From Zero to Hero. Dealing with Active Directory and identity management in higher ed. We all know that normal is not normal anymore, and that higher education institutions are facing more challenges than ever before. Today's session digs into controlling your dynamic user populations and more.
Our speaker today, Todd Peterson, has more than 20 years of experience in security software, with deep expertise developing go-to-market messages for security, IAM, and compliance related topics. Todd has a BA in communications advertising from Brigham Young University and manages product marketing for One Identity. He is highly regarded for his thought leadership and ability to make complex technical topics easy. And we like to call him the face of IAM. Welcome, Todd.
Thanks, Lorraine. Hi, everybody, welcome. I'm glad you could join us today. I hope that you'll find some value in what we're presenting. So before we start, let's get a few logistics out of the way. There's a chat window there that we would love for anyone to interact, and ask questions, or whatever, during the session. Click on the chat window.
And to practice that, let's start. So since we're all in higher education-- if you're in higher education, you should be-- please go into the chat window and type in the mascot of your school and then the color of your rival school. So that color that you absolutely hate.
So for me, I went to Brigham Young University, as Lorraine mentioned. So our mascot's a cougar, and the color we hate is red, for the University of Utah. One of our supporters here is a University of Utah grad, and I'm sure he appreciates that. So go ahead and chat, and type in your school and your rival's color-- or your mascot and your rival's color, and see what we've got.
I see none coming in. My friend Wayne is going to say the Utes, and he'll say red. Pete says Hoosier and black and gold. Jeff, polar bear and purple. I didn't even know there was a polar bear. Awesome. Bobcats, blue. Glenn says terrier, yellow and black. Awesome. Pirates and purple. Looks like UNC Tar Heels, Duke blue. Awesome, well, thank you, everybody, for that. Let's start this session.
All right, as you saw from the title, our session's about Zero to Hero. So we've all heard zero to hero stories, of people that come from humble beginnings, overcome seemingly insurmountable obstacles, and emerge triumphant with amazing accomplishments. You know who we're talking about. It's like Jesse Owens, JK Rowling, Colonel Sanders, Walt Disney, and Michael Jordan. And, of course, as seen on our screens, Steve Rogers, also known as Captain America.
I find these stories inspirational, and sometimes even motivational, but I can't relate. I come from an average beginning. My seemingly insurmountable obstacle is a loss in the student body election in the eighth grade, and my amazing accomplishment is happening right now. Me, spending 18 minutes talking with you about identity and access management. I'm much more Walter Mitty than Helen Keller. Maybe you're the same.
So what does this Zero to Hero thing have to do with dealing with Active Directory and identity management in higher ed? Well, let me try and draw some correlations. I'll try to do this by telling some stories about higher education institutions just like you.
There's 20 million post-secondary students in the United States right now. You have some of them, maybe you have lots of them. We'll start with an Atlantic 10 University that we'll call the Colonials. The Colonials have around 26,000 of those 20 million students, not to mention nearly 6,500 faculty and staff supporting 10 schools and colleges.
The university's humble beginnings-- maybe this rings true for you-- their humble beginnings are based on the fact that unlike commercial companies, higher education typically isn't a revenue generating enterprise. So investments in people and technologies to improve operations isn't necessarily in the picture.
Just like you-- or at least I would assume this is like you or you wouldn't be here listening-- the Colonials have a highly fluid user base. Almost 40% of students transfer colleges, and of those, 50% transfer more than once. Between students, faculty, staff, alumni, customers, and even boosters, the task of making sure that all these different audiences can have the right access to the right resources is a never ending task.
So if we look at the numbers, we've got 20 million students at any one time. 12 million transfer at least once during the four years of college, so that's about three million changes annually. If we bring this down to the Colonials, they have 26,000 students. That's about 10,400 that will transfer at some point. And that's approximately 2,600 unplanned joiner/mover/leaver activities annually. That doesn't even take into account the incoming freshman class and the outgoing graduates, which is another 6,500 joining and 6,500 leaving every year.
So just this one university has in the range of 15,600 major provisioning and deprovisioning actions each year. And we didn't even talk about the students that are consistently there, the ones that need their access paused during summer break. And to make it even worse, these actions aren't evenly spaced. They typically happen all at once in big chunks, at the beginning and the end of each term. And that's just joiners, movers, and leavers.
But what about the movers? We each know that with each new term, there's new needs for every student to access new systems and data, terminate access to systems and data they needed in the previous term, but don't need anymore, all to enable learning, which is really why we're all here anyway.
And don't forget about something as simple as the need to set up and change passwords every term. If having to manage accounts is taking a lot of time, we all know how much simply helping new students-- or I could say, dumb students-- set up their access and get logged in has taken away from that time. That all sounds like an insurmountable obstacle to me.
Unfortunately, it's an obstacle that's far too common and pretty much par for the course for most of us, who may not even realize how much this constant state of change is dragging us down. What's it standing in the way of? What incredible achievement is it preventing? Or bringing it down to our real lives, how much of a pain in the rear is it for each of us, personally?
For the Colonials, their best attempt to address this challenge was to buy one of those expensive complex and cumbersome IAM frameworks. I won't say which one, but it's one of the big names you always hear when you think of identity and access management. They use it to control the identity lifecycle management tasks, or the constantly changing user population. In other words, it was the provisioning engine for the university.
Several years into the deployment-- and, which, if you've ever tried to deploy one of these things, it's a never ending project-- several years into the deployment, they discovered it simply wasn't working and was costing them a ton of money. It required too much IT intervention. In fact, they had 12 full-time employees whose only job was to execute the provisioning tasks through the very tool that was supposed to automate and remove the dependency on IT.
The framework required lots of customization and resulted in lots of broken processes that couldn't keep up with the changes constantly thrown at it. For example, if you get changes every three to four months, every term, and it takes six to nine months to reprogram the system, you're fighting a losing battle.
The Colonials figured out that almost all of their hard work was happening in Active Directory. A big portion of their issues would be solved if they simply mastered the account lifecycle management task in AD. So they looked for an AD provisioning tool that could do the heavy lifting for the majority of their workloads, and leave the expensive framework responsible for the leftovers.
They implemented a tool from One Identity called Active Roles, which we'll tell you about a little bit later in our ninja tip at the end. It enabled them to go from 12 full-time staff doing nothing but provisioning, to five staff focused mostly on exceptions and oversight. When talking about this approach, the associate director of middleware and identity services said, and I quote, "This powerful tool reduces risk by giving us stronger security, more clarity and visibility, and automatic provisioning. It gives us a solid identity and access management foundation from which we can really build on."
So for this university, their triumphant, amazing accomplishment was to finally realize the vision they aspired to when they first started down the identity and access management path.
Another higher ed Zero to Hero story is an Ivy League institution. We'll call them the Big Red. They have 24,000 students, 1,700 faculty, and 7,500 staff. I think it's tough to claim that any Ivy League University has humble beginnings, but these guys set them up for a pretty humbling experience with their Active Directory environment.
So this university has the same joiner/mover/leaver challenges as our friends the Colonials, but they set themselves up for even bigger challenges by organically growing to more than 100 completely independent Active Directory domains. So for them, AD, which is the center of everything, was really the Wild West, even though they're located back east in New York State.
There was no consistency or oversight on how all these AD domains were set up and administered, no mandate on how and what AD security settings are required, and no consistency on what type of authentication was used, or even what access was granted. It was up to the individual IT teams in each department, and on each domain.
Consequently, the university had absolutely no knowledge of how secure, or not secure, these domains were and no insight into what everyone, and anyone, in IT was or was not doing. For a leading institution of higher learning, that's an awful lot of ignorance. The bottom line is the university's data and reputation were at risk. Can you say seemingly insurmountable obstacle?
But of course, with every trial comes the opportunity for triumph. The Big Red investigated the root of their AD permission problems and determined that with such a highly distributed environment, and so many administrators of varying skill levels across so many departments, if they could find a way to delegate access to manage AD objects, they could get their arms around the problem.
A deeper look revealed the opportunity to not just address the problem, but raise the security bar in the process. In the Wild West approach, there was no control or structure around naming and no easy way to audit actions taken with admin credentials. If they could grant admins in other departments the ability to subdelegate access, they would get a level of control that previously seemed impossible.
For the Big Red, the way to tame the briar patch that their AD had become was to centralize administration of AD across all the domains with a single tool. But it was mandatory that the tool granted the individual administrators sufficient rights to do their jobs, but not so many rights that they could do damage to other domains or departments, even if the damage was unintentional. In its simplest terms, this Ivy League institution needed to implement a least privilege model for a bunch of disjointed administrators on a huge number of disparate domains.
You don't think I'd be telling you this story if the university didn't triumph over adversity? Of course they did. About 10 years ago, this university implemented the same solution our friends in the A-10 did. While, of course, the Big Red also benefited from the automation of account lifecycle management processes, the big payoff for them was in terms of security.
The leader of the university's IAM team said, and I quote again, "Active Roles provided several key features right off the bat, including delegation and subdelegation, naming convention enforcement, change history, and enforcing policies for AD objects." And then he continued, "We planned out a good model for managing delegation, naming standards, OU structure, and access to AD for several hundred admins. That model has been working for close to 10 years now."
I might add that it works so well that by implementing an Active Directory bridge-- it's a technology that allows Unix and Linux systems to become full citizens in AD-- they were able to extend the administrative and security strategy to their entire Unix and Linux environment. Another huge benefit.
So the hero aspect of this story is several-fold. Our friend reports that trust in the central IT organization's ability to deliver reliable service has increased, risk has been reduced, and security has increased. More hero stuff.
So far, we've only been talking about US-based Zero to Hero stories. Let's take a look at a couple of international institutions to discuss some other opportunities to optimize identity and access management processes, with a special emphasis on the hybrid AD infrastructure that we all rely on so heavily.
First, I'd like to tell you about the University of West Scotland. I did some research to find out their conference and their mascot, but apparently, they don't do that in Scotland, or at least they don't put it on their website. So we'll call them the Groundskeeper Willies, after everyone's favorite animated Scotsman.
The Groundskeeper Willies have 20,000 students, 2,000 staff, and are actually the result of the merger of two colleges back in 2007. When they did their merger, they were faced with the insurmountable obstacle of getting two very different sets of solutions unified into a cohesive and productive whole.
Really, it amounted to migrating a bunch of Novell IAM and GroupWise stuff from one university into the Microsoft-based stuff of the other university. So the result, when they got all done, was a single cost-effective Active Directory for the whole new university. It was difficult, but it was totally the right thing to do, and resulted in a pristine AD environment.
The challenge came, when, like any other higher ed institution, the Willies had to start addressing their incoming, outgoing, and evolving user populations, just like the Colonials and the Big Red. So they made the wise decision to not only migrate to a pristine AD environment, but to also manage it in a manner that keeps it that way. They actually did both admin delegation and account lifecycle automation through the Active Roles solution and reported some very nice results.
They met a target of cutting annual IT costs by 10% through delegating certain tasks to second-level IT staff, which then allowed them to divert the top-level staff to more important and strategic initiatives. They're able to actually reduce staff, while also dramatically improving operations and security, another big hero move.
Maybe my favorite international university, just because it's such a fun name, is the Canadian University of Dubai. I have no idea what their mascot is, though. It's a mid-sized university with 4,000 students and 400 staff. They actually approached their overall IAM strategy from an enterprise level and implemented a full strength IGA framework very successfully. Coincidentally, it just happens to come from the same people that bring you Active Roles. But the part I'd like to focus on is how they addressed their password management needs.
So while they totally mastered the provisioning and governance aspects of making sure that the right people have the right access to the right resources and that you can prove it-- which consequently condensed the average time to do an IAM activity from between 24 and 48 hours to only five minutes-- in spite of all that, there was still the human factor of students, faculty, and staff having to claim their access, and the burden on IT to help them. Probably sounds familiar to lots of us.
Explaining the problem, the IT applications manager said that prior to implementing our solutions, every user started out with a default password, and it was their responsibility to come to the IT department to change it. That typically took more than 24 hours, a risky and inefficient process.
The solution was an Active Directory-based self-service password management tool that not only allows users of all types to securely reset their own passwords, without IT intervention, it also provides the power to implement more granular password policy than is natively available in AD. Just this one simple technology addition empowered the new students, or returning students, to actually change the password from their office, or remotely, on their mobile phone in about five minutes.
The applications manager described it like this. "With one click, they're able to access the portal. They receive a temporary security code via SMS and after verifying their identity, they can easily create a new password. Password Manager--" which, that's the highly creative name of the solution that they use-- "Password Manager makes sure it adheres to our security policy and IT doesn't have to get involved at all. It even reminds them when it's time to reset their password, which was impossible before."
So here we have humble beginnings of just a simple manual password management task, the not-that-big obstacle of taking a really long time for IT to help, and the incredible benefit of moving IT out of the picture altogether. Happy students, happy and productive IT staff, and better security. Again, I'd say that's very heroic.
Now, imagine if you had the ability to do the type of automation, security, and user enablement I've been describing for the past several minutes just four or five months ago. How would your life be different now, particularly with the new school year barreling down on us?
So let's sum this all up. We all are facing very big challenges when it comes to identity and access management for our constantly changing user populations. This expresses itself in a number of ways.
First, major inefficiency, particularly at those high volume joiner/mover/leaver times at the beginning and end of each term. Second, security challenges-- we know the disjointed approach to privileged access and the lack of oversight into which admins can and should do what. Third, a heavy burden on IT to do the tedious but necessary tasks to grant students, faculty, staff, and others the access they need. For example, passwords and AD group memberships.
Most of us are starting at zero, or probably more realistically, at least in the single digits, since we have already doubled down on Active Directory, which is a great start. We started close to zero, but we can well be on our way to hero status with just a few fundamental strategy changes, some assistance from the right technologies, and a willingness to fight through those insurmountable obstacles.
We've talked about a few institutions that achieved hero status. They're Thor, Iron Man, Superman, and Batman. Hopefully, you're on the same path. Me? I'm more like Captain Caveman, or maybe Robin if I'm having a good day, thanks.
Thank you, everyone. Let's go to our ninja tip. Remember, I promised you earlier that we would have a ninja tip on how to do some amazing things with these types of Active Directory-centric tools. So Greg, in the control room, can you play our ninja tip now?
The higher education space has some unique and complex requirements to manage the user community. Tackling things like the multiple roles, or personas, a person can have, such as student, faculty, staff, alumni, and others, can be cumbersome with native Active Directory tools. Additionally, there could be multiple roles for the same person. For example, a professor may also be a student seeking a postgraduate degree. Handling those roles in Active Directory can be challenging with native tools. But in Active Roles, you have some key features to help facilitate managing that user community.
Let's take a look at an Active Roles feature called managed units. A key feature of Active Roles is the ability to have a flexible, rules-based view of Active Directory, without the need to restructure Active Directory itself.
For example, in this university setup, I have managed units based on a variety of criteria to determine my user community for ease of management, identification, security, and entitlements. As I go through these managed units, you'll see each user that's within that managed unit.
And notice, for example, my tenured professors. They're located within OU structures throughout my Active Directory, but they're all here in one location for ease of management. I even have my students broken down by the years. So say, for example, your first year students are required to take an orientation course. I could simply select all of them, add to group, and there we go. All my first year students now have access to the orientation course.
Also, a user can be in more than one managed unit that meets the criteria. For example, Janet, who is a non-tenured professor, is also a student seeking another postgraduate degree. So she shows up in the managed unit for post graduates. So she can be in multiple managed units and the account can be managed in either location. It's up to you.
Let Active Roles managed units drive efficiency in your Active Directory environment, with distributed administration independent of OU hierarchy.
Here's a quick bonus ninja tip, too. Another Active Roles key feature is the concept of group family. This gives you the ability to create groups automatically, and their memberships, based on criteria you specify. They can be scheduled or run on demand. For example, I've created a group family for graduating classes. As soon as I run it, it's automatically going to create a group for each graduation year and fill its membership with every student that graduates that year. As soon as I refresh it, there we go. I've got each graduating year. And within it, all the respective students that will be graduating that year.
Do more, do it efficiently with Active Roles in higher education.
Thanks, Wayne. Appreciate that ninja tip. Let's see if there's any questions coming in the chat. We'd love to answer them, we'd love to provide more insight. If you have a question, go ahead and input it there.
Well, let's run a poll first. So if you go into the polls now-- what's the most significant consequence you've seen from the recent pandemic? And go ahead and enter your answers. Choices are, our AD is messed up, we were not well-equipped to deal with the unplanned changes and profiles, security suffered because we had to move too quickly, our budget and priorities had to shift, and no noteworthy change. Go ahead and within the polls area, enter your answers. Let's see what we've come up with.
So it looks like a lot of people's budgets were messed up and priorities had to shift. That makes perfect sense. Security suffered, that's about a quarter of you. 10% had messed up ADs, or more messed up ADs. Not equipped to deal with the changes-- Now, it's interesting that absolutely nobody had no changes. That's understandable, but it would've been cool if we had been warned and could be prepared for this to happen.
So it looks like we're pretty even with security suffered, about 35%, and budget and priorities had to shift at 40%. 13% messed up their ADs, and 6% the unplanned changes to profiles, like sending users remote. That was another one that was mentioned, as well.
So as you can see, there's a lot of things that had to happen when this pandemic hit. And we had to change user profiles, we had to, all of a sudden, go to remote learning in many cases. And if we weren't anticipating it, which very few of us were, there's a lot of things that would have to shift. And now, we have to bounce back from it. And I know lots of schools are going back to fairly normal operations in the fall, but lots aren't, as well. So it's a new world that we live in and our IT processes have to be able to address it.
Let's go to the next poll. This would be, what's your biggest challenge in identity and access management? So you can see the choices are account administration and provisioning in AD, account administration and provisioning in other systems, governance and attestation, privileged access management-- access management, that would be things like authentication and single sign-on-- and the ability to support cloud and emerging technology, so the ability to deal with change. Go ahead and-- what's your biggest challenge?
Looks like PAM, privileged access management got the early lead, but then quickly was passed by ability to support cloud and emerging technologies. Access management is getting a little bit. Provisioning in AD is not getting that much action, about the same as provisioning in other systems. Governance is lagging behind with access management.
So it looks like we're fairly evenly spaced across them. The biggest answer, the most popular at 41%, was the ability to support cloud and emerging technologies, which, that makes perfect sense. We can't rely on our mainframe from 30 years ago anymore. We can't rely just on a Windows network anymore. We've got to deal with a lot of different things. And then AD made a big surge there at the end, right along with PAM at 16% each. The others have about 8% because probably one or two people answered it.
And that's just your biggest challenge. I'm sure that all of us are facing pretty much all of these challenges, but the one that's the highest priority right now-- looks like it's being able to support emerging technologies.
Let's go to the next poll. So what's the most significant-- That's not the right one. The polls-- go to the third one. Let's see-- there we go. What percentage of your AD environment is based-- what percentage of your whole environment is based on AD or Azure AD? We've been beating that horse to death during this past 20 minutes, of how important it is to do things right in AD, but how much of your environment really is AD? We've got 0% to 25%, 25 to 50, 50 to 75, and then 75 or more.
Looks like, so far, everybody's saying that-- I've got one 25 to 50. So I wonder if that's a 25% or 49%? We should have made these maybe a little bit more granular in the choices. But it looks like almost all of us have a very heavy reliance on Active Directory, which makes perfect sense. Active Directory is the dominant directory service in the world. 95% of Fortune 1,000 companies have Active Directory. 85% have Azure Active Directory and that's growing quickly. And in higher ed, it probably skews even a little bit higher than that because of the ease of use and the ubiquity of the Active Directory environment. So thank you for your responses there.
And I'm going to go to the chat and see if we have any questions in the last minute or two. Yeah, we have one question from Richard. With delegated administration, does that mean an admin in the science department will only have access to objects that they control? Yeah, Richard, that's exactly what it means.
So like we were talking about with the Ivy League University-- which happened to be Cornell, by the way-- that was their problem, is that you grant every admin unlimited permissions to do whatever an admin needs to do. That means that a single admin in the science department, in theory, could go and mess up things in the English department, could go mess up things in the administration, could go mess up things in athletics, or whatever. Could do it on purpose, could do it accidentally.
And so the ability to delegate-- you only issue each admin the permissions necessary to do their job, nothing more and nothing less. So it's impossible for them to touch a domain outside of their area. It's impossible, then, for them to run a task that they're not approved to run because you've got it all set up by policy. There are even capabilities for doing temporal groups and time-based tasks, where an admin is given elevated rights for only a certain period of time to do certain things. And then once that is done, they're able to roll back. So excellent question, Richard, thank you for that.
Well, we are at the end of our 30 minutes. We promised you 30, and only 30. So I'll leave it there. I thank you all for attending. I hope you found this valuable. Keep an eye out for some contact from your One Identity representative with your exclusive guidance on how to use this stuff. And there's also a special offer on our Password Manager Solution to get you some free password management for the next six months or so.
So thank you very much for attending. I appreciate it and have a great day.