Case Study: Identity Management in Higher Education
University Moves ID Management to the Cloud:
Coppin State University, University System of Maryland
The allure of cloud-based security services attracts the interest of many organizations due to the potential for reduced cost and staffing requirements, increased predictability, security, and focus on core systems. Identity management is now among the growing number of security infrastructure components that are available as a SaaS service. As with any outsourcing relationship, organizations must evaluate and vet the service provider to be confident that the service can be delivered as expected. But unlike most managed security services, identity management as a service carries a greater perception of risk due to the levels of access granted to internal systems: financials, HR, CRM, etc. Further vetting is needed to ensure that the client’s information assets are not only safe at the provider’s facility, but safer than if managed on the client’s premises.
This case study discusses Coppin State University's migration of their on-premise identity management solution to Fischer International's cloud-based Identity as a Service® environment, with an emphasis on the university's process for vetting the service provider and the results obtained.
Founded in 1900, Coppin State University is a historically black, four-year liberal arts university that offers 26 majors and 11 graduate degree programs in the arts and sciences, teacher education, nursing, graduate studies, and continuing education. Coppin State is a model for providing the highest levels of service to their 5,000 students and 1,000 faculty and staff members through the application of information technology. Recognition includes ComputerWorld Honors Laureate four out of the past five years, recipient of EDUCAUSE's award for Innovation in Networking, and being reported by US News & World Report to be one of the Top 20 “Wireless Campuses” in 2005.
Coppin State first implemented an automated user provisioning solution in 2003 to decrease the time and cost of manually creating and managing student and faculty accounts. However, the complexity of the solution made updates and adding new applications difficult, time-consuming, and error-prone. In 2005, Coppin State replaced the solution with Fischer Identity™ from Fischer International.
Coppin State deployed Fischer’s on-premise solution to streamline and accelerate enrollment and registration processes through automated user provisioning (reporting a savings of 20+ hours per week), role-based access control (to enable Day-1 access to resources), and password reset & synchronization (to enable users to reset their own forgotten passwords thereby reducing helpdesk calls by 90%). Additionally, Coppin State implemented Fischer's identity technology to provide a "single login" or "same sign-on experience" such that all users have the same user ID and password for all IT accounts, but without the added investment of a single sign-on solution. This further reduced helpdesk calls and increased productivity for all campus community members. The administration of the Fischer solution was shared among multiple IT staff and required one full-time equivalent (FTE).
The key systems and interfaces involved are listed and illustrated below.
- PeopleSoft Campus Solution
- PeopleSoft Portal
- Microsoft Active Directory
- Microsoft Exchange
Figure 1: Coppin State University: On-Premise Identity Management Environment
Like many organizations, Coppin State followed the development and adoption of cloud-based security services due to the model’s potential benefits. Although Coppin State had a very successful on-premise identity management solution, they determined that their IT department could better contribute to university objectives and improve service levels by migrating to Fischer’s cloud-based Identity as a Service® (IaaS®) environment. Coppin State identified the following advantages of moving their identity management deployment to the cloud:
- Enable already-limited staff to focus on higher-value projects
- Increase focus on student and staff-facing applications
- Eliminate distraction / effort of software upgrades, patches, maintenance
- Improve visibility into identity practices and their value
- Leverage vendor expertise and best practices
- Utilize additional identity management capabilities
- Eliminate the need to maintain a test environment
Shown below is Coppin State’s identity configuration within Fischer’s Identity as a Service® environment. The identity platform formerly on-premise has been replaced with a small appliance (Global Identity® Gateway) which provides a secure connection between the IaaS® provider and Coppin State’s site.
Figure 2: Coppin State University: Cloud-based Identity Management Environment
Fischer's IaaS® environment is hosted in a hardened SAS 70 Type II facility, and is managed and maintained 24/7 by dedicated identity management specialists. As part of the standard service level agreement, Fischer proactively performs ongoing administration, software maintenance, version upgrades, troubleshooting, and provides several hours of professional services per month for use at Coppin State’s discretion. The following capabilities are available to Fischer clients in either on-premise or cloud deployments:
- Password Reset and Synchronization
- Automated Role and Account Management
- Self-Service Role & Account Management
- Privileged Account Management
- Access Termination
- Identity Compliance and Audit
Even though Coppin State was already a Fischer customer, and the identical product is used in both on-premise and cloud-based deployments (Fischer’s technology can be implemented either as single-tenant or multi-tenant), Coppin State performed a full due diligence by surveying all internal stakeholders to develop and test rigorous objectives. These objectives were designed to verify that there would be no loss of functionality or change to existing business processes, and to validate Fischer’s ability to deliver the service consistently, securely, and with expected levels of performance and support.
- Make the identity management solution work EXACTLY as it did on-premise
- Validate provider’s ability to perform administration, maintenance, and support tasks (accuracy, responsiveness)
- Satisfy team’s concerns related to control, security, functionality, performance, availability, user experience
- Migrate to cloud without any disruption of production capabilities or services
- Validate provider’s ability to maintain compliance with key regulations, e.g., Family Educational Rights and Privacy Act (FERPA)
Coppin State designed and executed a rigorous RFI process and proof-of-concept (POC) with Fischer to achieve the project objectives. The approach included the following activities.
- Duplicate the current production environment in Fischer’s IaaS® environment for testing
- Execute all existing use cases to validate that all identity solution components (e.g., triggers, workflows, policies, password reset behavior, etc.) produced results identical to those of the on-premise environment. This included log file and audit trail examination in addition to validating outcomes.
- Conduct multiple roundtable discussions and product demonstrations with key stakeholders to address concerns and establish trust
- Review and verify Fischer’s operational and information security policies and practices
- Validate Service Level Agreement to ensure that Coppin State’s requirements are met
- Conduct usability testing to ensure consistent user experience.
Many issues were addressed during the vetting process. The most critical issues for Coppin State, and how Fischer addressed them, are listed below.
Security: the key concern for most organizations considering cloud-based services is the security of their information and systems. Fischer satisfied Coppin State’s security concerns at both the product and organizational levels:
- Topology: uses established connections/ports (http/https) and can securely connect without opening holes in the firewall to each back-end system
- Data Transfer: data is encrypted through the cloud using SSL from VeriSign® (examined Fischer log files to verify)
- Access Control: data access by provider’s personnel is restricted to “named administrators.” Additionally, the provider does not require access to PeopleSoft tables containing sensitive information (e.g., SSN #, etc.)
- Information Security Practices and Procedures: Fischer provided extensive documentation of policies and practices for security and privacy.
Availability: Coppin State validated that the impact of an internet outage on cloud-based identity management is much less severe (and frequently undetectable) than for common cloud applications, e.g., CRM systems are generally inaccessible during outages. In the event of an outage, all provisioning actions are automatically processed when connectivity is restored, and password resets can be temporarily performed by the appropriate internal department.
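The queue-and-replay behaviour this paragraph describes, as an added Python illustration (not Fischer's code; the ProvisioningAction, Gateway and Outbox names and the scenario data are assumptions): provisioning events raised while the gateway is unreachable are held in order and delivered once the link returns, so an outage delays rather than loses them.

```python
# Added illustration of the store-and-forward behaviour described above: provisioning
# actions are held during a gateway outage and replayed in order once the link returns.
# Not Fischer's code; ProvisioningAction, Gateway and Outbox are hypothetical names.
from collections import deque, namedtuple

# seq: order from the source event (e.g. a PeopleSoft trigger); target: downstream system
# such as "ActiveDirectory" or "Exchange"; op: create/update/disable; subject: the account
ProvisioningAction = namedtuple("ProvisioningAction", "seq target op subject")

class Gateway:
    """Stand-in for the on-site gateway appliance; the caller toggles 'online'."""
    def __init__(self, online=True):
        self.online = online
        self.applied = []  # actions that reached the cloud identity service, in order
    def send(self, action):
        if not self.online:
            raise ConnectionError(f"gateway offline, cannot reach {action.target}")
        self.applied.append(action)

class Outbox:
    """Holds actions in sequence while the gateway is down; replays them on reconnect."""
    def __init__(self, gateway):
        self.gateway = gateway
        self.pending = deque()
    def submit(self, action):
        self.pending.append(action)
        return self.flush()
    def flush(self):
        """Deliver in order, stopping at the first failure so nothing overtakes; returns count."""
        delivered = 0
        while self.pending:
            try:
                self.gateway.send(self.pending[0])
            except ConnectionError:
                break
            self.pending.popleft()
            delivered += 1
        return delivered

def outage_scenario():
    """Constructed: one action before the outage, two during; returns (held, replayed, seqs)."""
    gw = Gateway(online=True)
    box = Outbox(gw)
    box.submit(ProvisioningAction(1, "ActiveDirectory", "create", "jdoe"))
    gw.online = False
    box.submit(ProvisioningAction(2, "Exchange", "create", "jdoe"))
    box.submit(ProvisioningAction(3, "ActiveDirectory", "disable", "asmith"))
    held = len(box.pending)
    gw.online = True
    return held, box.flush(), [a.seq for a in gw.applied]
```

The password-reset fallback the paragraph mentions is a separate, manual path and is not modelled here.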
Exit clause: Fischer's technology can be implemented either in a single-tenant configuration (for on-premise) or in a multi-tenant configuration (for SaaS environments). The solution can export an entire identity configuration so that it may be easily imported to an alternate model. Coppin State has the option to return to an on-premise configuration at any time for a known cost.
In less than one month, Fischer migrated Coppin State from their on-premise deployment to a multi-tenant SaaS environment without any disruption to production capabilities or services. Additionally, Fischer was able to address all of Coppin State’s concerns related to control, security, compliance, functionality, performance, availability, and user experience.
The immediate benefits of outsourcing identity management included quantifiable cost savings, increased focus on student- and staff-facing applications (one FTE has been redeployed to address other tasks), improved visibility into identity practices and elimination of distraction caused by software upgrades and maintenance. Coppin State is also working with Fischer’s identity management specialists to extend their IdM capabilities to more business processes and use cases, and to maximize the partnership over the long-term.
CRITICAL SUCCESS FACTORS & LESSONS LEARNED
As a follow-on exercise, Coppin State produced the following summary of critical success factors as an aid to other organizations considering cloud-based identity management.
- “Cloud” does not mean loss of functionality/flexibility: Fischer has an enterprise-class solution
- Establish a common understanding early:
  - Identity-related use cases, requirements, planning
  - “Service Level” use cases & requirements
  - Concerns (yours and your provider’s)
- Establish a high confidence level in provider (responsive, committed, effective, accurate)
- Restrict partner access to student and staff information on a need-to-know basis (specific database tables)
- Ensure you can take solution back in-house at known cost
Document MCC-10-340D October 2010
Copyright © 2010 Fischer International Identity, LLC. All rights reserved.
Fischer International, Fischer International Identity, Managed Identity Services, Managed Identity Services Technology, Identity as a Service, IaaS, the Fischer International Logo, Global Identity Architecture, Built for Business…Yours, and all other Fischer product or service names are the trademarks and/or registered trademarks of Fischer International Identity.