By Jesse Drake
More people are using more applications in more places.
Where mobility and authentication converge, the Identity & Access Management team in UIT's Information Security Office is there, enabling "the right individuals to access the right resources at the right times for the right reasons."
Authentication platforms must span not only apps and access points, they must give users hassle-free entry – daunting when users are as likely to share files, submit class assignments online, check UMail, and view paychecks on the go as they do at their desks.
"In general, higher education is a more complex environment compared to IAM at a corporate level, given the transitive nature of students, use of affiliates, and the various stakeholders," said IAM Operations Engineer Josh Gross.
IAM governs and enforces the mission-critical need of securing user access to university technologies like Box, Canvas, and Campus Information Services (CIS), all while meeting rigorous compliance requirements. Learn more about IAM's scope, objectives, governance, etc. on IAM's "about" webpage.
"We all work together to make sure we’re operating smoothly as a university," said IAM Operations Engineer Warren Malupo.
Sometimes operating smoothly is a high profile initiative like two-factor authentication (2FA), which was deployed to 45,000 users, and allowed the university to move beyond familiar, but vulnerable, username-plus-password credentialing. The 2FA rollout encompassed all current employees, users accessing VPN and clinical servers, and offshore vendors, impacting 150+ applications related to Security Assertion Markup Language (SAML), e.g., Shibboleth, and 600+ campus-hosted web apps, e.g., PeopleSoft, Ruby, Java, and PHP.
Forward-thinking is a point of pride for the team.
"We're always looking at our processes with an eye towards the future," said IAM Associate Director Chris Stucker. "How do we improve the way we document things, automate what makes sense, and make life easier for our users?"
An example of a less-visible, but equally important, IAM initiative is lifecycle management of a user's identity, also known as the Joiners, Movers and Leavers (JML) process. The core objective of an IAM system is one digital identity per individual. An identity firmly established must be maintained, modified and monitored. When, for example, an employee at the university starts, he or she is provisioned to use particular applications, systems and databases. Through the course of a career at the U, roles and responsibilities, and therefore, access requirements change. Lastly, when the person ultimately departs the university, IAM must close the identity/access loop.
While the JLM end game is to automate provisioning, reprovisioning, and deprovisioning, humans still significantly factor in. User access reviews via SailPoint IdentityIQ, for example, will require all managers to periodically review employees' access to a list of high-risk applications.
"There are certain things you should have access to simply by virtue that you're at the University of Utah, or by virtue of working in UIT ... or if you're a nurse or physician,” Stucker said. “Access can come inherently based on a person's role, or it may be associated with a particular building."
Day-to-day IAM operations include things like consolidating the U's central Active Directory (AD) systems to be "more logical, more manageable, and more secure," Stucker said. The AD is the directory service developed by Microsoft that automates network management of user data, security, and distributed resources. IAM is responsible for AD issues on an enterprise, or domain, scale. Other tasks include setting up new user accounts, processing employee termination requests, and supporting users while on- and off-boarding various systems.
"One of the more enjoyable things about working in IT, period, is there's always something new, (and) a new way to configure things," said IAM Systems Engineer Steve Adams.
IAM Systems Administrator Bryan Wooten lauded collaboration as key to IAM's success.
"We actually touch every department on campus," Wooten said. "We have the opportunity to meet and work with every department, from the hospital to the campus side, to the different colleges ... For me, they always bring up new challenges and new ideas, and it’s nice to work with other people. We have a fairly broad view of the campus. Everything on campus goes through us, whether they know it or not. ... Nothing happens without logging in."
"We know we're making other people's jobs easier," added IAM Systems Engineer Cody Hudson. "I think that's the best part."