< Back to Main Site

EDUCAUSE review onlineEDUCAUSE review online

What Higher Ed Leaders Need to Know about IdM

0 Comments

© 2007 Brian L. Hawkins. The text of this article is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License (http://creativecommons.org/licenses/by-nc-nd/3.0/).

EDUCAUSE Review, vol. 42, no. 5 (September/October 2007): 84–85

Brian L. Hawkins is President of EDUCAUSE. Comments on this article can be sent to the author at (bhawkins@educause.edu) and/or posted to the Web via the link at the bottom of this page.

Today's institutions of higher education are both empowered by and dependent on electronic information for academic and administrative communications and services. Since much of this information is tailored to the needs and roles of individuals, it is important to have a good means of identifying those who use and modify the information. If a college or university is not concerned about the proper identification of those who access its information assets, institution leaders need only read some of the recent press about unauthorized intrusions into the confidential data of other colleges and universities. Although in the past, hackers were often looking for unprotected resources such as servers for sharing music or video, today professional gangs of criminals are intent on stealing personal identification and financial information from institutional systems and selling that information to others worldwide for use in criminal schemes. To manage these increasing risks, every institution must have a solid environment in place to properly identify all users of its systems and to validate, on a case-by-case basis, the authority of those accessing each system.

Such an environment requires that three things be in place for adequate protection and trust:

  • Identification: making sure that electronic credentials for access to a system are granted only to the right person
  • Authentication: checking the validity of these credentials at the time of access
  • Authorization: determining that the person so identified has been granted the authority to perform the requested actions

Since this approach must apply to all users of every sensitive system and application, both central and departmental, its implementation requires an organized, institution-wide approach, summed up in the term identity management, or IdM. The past implementations of user-names and passwords managed separately on each system have not and cannot meet the current challenge.

IdM is an issue that involves much more than the IT organization, since many others in the institution are involved—for example, in admitting and graduating students, hiring and terminating staff, and managing all of their roles and privileges. Effective IdM requires an integrated system of business processes, policies, and technologies that enable institutions to facilitate and control their users' access to online applications, as well as physical resources, while protecting confidential personal and business information from unauthorized users.

Numerous departments and units must be involved in the implementation of an institutional IdM environment. In many institutions, the technology is managed centrally (usually by the IT organization), but distributed authority and stewardship, as well as local decision-making, are retained by the departments involved. Policies must be instituted in advance to clearly state the roles and responsibilities of each player—from system manager to data steward to user—including who should do what in case of a break-in or a service failure. Awareness is critical. To maintain trust in the system and, indeed, the campus itself, key departments—such as the registrar, alumni association, human resources, and finance—must understand the importance of IdM.

Since IdM cuts across many departments and units, institutional sponsorship and commitment must come from the top. Boards and presidents need to understand this ownership issue and establish a governance committee to ensure that IdM is implemented and maintained throughout the institution. Schools and departments must implement campus policies and procedures to govern the use of their constituents' electronic identities and roles, as well as technologies to support that use.

Implementing IdM requires a high-level champion who views this issue as an institutional priority. A business case for IdM on campus needs to be made to upper administration (presidents, provosts, boards, associations, CFO, et al.). A wide range of stakeholders is involved, including the auditor and general counsel, the security officer, the controller, and risk management officers. Some institutions bring in an external consultant to explain this need. Preparing executive summaries to precede a full discussion can be helpful.

IdM policy must be considered in the context of other policy issues and must address privacy and institutional values. It should clarify and define roles, responsibilities, and accountability, and it should document guidelines and requirements. Compliance is an important factor, and institutions are increasingly being held accountable. IdM policy must be publicly documented with a feedback mechanism, approved, and communicated institution-wide.

Institutions must undertake risk assessment and risk management in order to evaluate the impact of public embarrassment, loss of trust and integrity, and financial loss. Not being adequately positioned with IdM infrastructure may also pose legal risks. Institutions have dealt severely with those in charge of securing sensitive data on campus when such data have been compromised.

Communication and training are both key to achieving success with any IdM implementation. Anecdotes of IdM victory and defeat at other institutions can be shared to good effect. Simple, ongoing messages, free of technical jargon, are best. This communication should be a shared responsibility integrated into established channels on campus. Legal counsel should be involved. Different audiences need customized messages that communicate the positive as well as the negative aspects of IdM. Campuses might consider including IdM training as a regular requirement for users.

Articles and presentations that forge tighter relationships between the campus functional offices and information technology are needed across the higher education community. An event with an EDUCAUSE partner association is being considered for late 2007 or 2008 that would bring together leaders from other campus areas to discuss how to move ahead with IdM implementations on their campuses. The sharing of best practices, costs, tools, and experiences will be extremely beneficial.

Presidents, provosts, and boards need to understand the risks of not having a robust IdM system in place: bad public relations, public terminations, lawsuits, students who leave and do not return, alumni who refuse to continue to donate, and the high costs of being in a reactive mode. They need to make decisions based on solid data. If an institution does not have an IdM plan, there is little or no recourse when confidential data are compromised. A trusted environment in which the institution knows the identity and access authority for every user is excellent insurance. Lest this sound like scare tactics, another consideration is that the leading institutions in IdM also enjoy an environment that saves time, effort, and money in dealing with the omnipresent recurring failures of legacy user-name and password systems and one that enables ever more powerful applications that span beyond institutional systems to virtual communities sharing information, communications, and physical resources for the betterment of research and education.

Brian L. Hawkins

Brian L. Hawkins was president of EDUCAUSE from 1998-2007. Prior to joining EDUCAUSE, Hawkins was senior vice president for Academic Planning and Administrative Affairs at Brown University. In this capacity, he oversaw academic planning, instructional budget management, campus computing, enrollment management, institutional research, summer programs, admission, financial aid, and student registration. Hawkins went to Brown in 1986 as vice president for Computing and Information Services. In 1989, he filled in as senior vice president for Finance and Administration, and then was appointed special assistant to the president for Academic Planning while he spearheaded Brown’s strategic planning processes. In 1997, he served as part of a three-person team standing in for the president of Brown University.

Before going to Brown, Hawkins was associate vice president for Academic Affairs at Drexel University. At Drexel, he was responsible for general academic planning and the first academic program in the nation to require access to a microcomputer, as well as integrating the use of technology throughout the curriculum.

Hawkins is a management professor by training and the author of one book and many articles on organizational behavior. He received his bachelor’s and master’s degrees from Michigan State University and his doctorate from Purdue University. He taught at The University of Texas at San Antonio (UTSA) and served there as department chairman and assistant dean of the College of Business. His organizational work focused on organizational structure, conflict management, communication, and performance appraisal. He earned tenure as faculty member at both UTSA and Drexel.

Hawkins has combined his academic and business experience to serve as a consultant to more than 350 organizations. In 1983, the governor of Pennsylvania asked him to initiate a corporate, industrial, public, and educational partnership in Southeastern Pennsylvania to create start-up companies and develop new jobs. Nearly two decades later, this program is still thriving.

Throughout his career, Hawkins has served on a variety of boards and committees. He is currently a member of the board of directors of the Forum for the Future of Higher Education and the Washington Higher Education Secretariat. Hawkins served as a member of the board of trustees of the University of Richmond and the Consortium on Financing Higher Education (COFHE) General Assembly and as chair and member of the boards of Educom and CAUSE. He also served on the boards of the Coalition for Networked Information (CNI) and the International Consortium for Educational Computing. Additionally, Hawkins has been a member of higher education advisory boards for Apple, IBM, NeXT, Sun, and Microsoft and has served on more than 60 advisory panels for various colleges and universities.

He has written extensively, including four books, numerous articles, book chapters, and monographs on information resources, academic planning, and the use of technology in higher education. Hawkins has received two honorary doctorates of science. In 1991, he received the CAUSE ELITE Award, a lifetime achievement award for Exemplary Leadership and Information Technology Excellence. He has served actively on accreditation teams as a chair and member, as well as the standards committee for North East Association of Schools and Colleges. Hawkins has been an invited speaker at professional meetings including the American Association of Higher Education (AAHE), Educom, CAUSE, the Society for College and University Planning (SCUP), the American Association of Publishers (AAP), the Association for College Research Libraries (ACRL), the National Association of College Stores (NACS), the National Association of College and University Business Officers (NACUBO), and the National Association of State Universities and Land-Grant Colleges (NASULGC).

 

Tags from the EDUCAUSE Library

Tags from the Community

Most Popular

Stay Up-to-Date

RSS Email Twitter

Share Your Work and Ideas

Issues coming up will focus on designing the future of higher ed, digital engagement, and new business models. Share your work and ideas with EDUCAUSE Review Online.

E-mail us >
Close
Close


Annual Conference
September 29–October 2
Register Now!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.