A Set of Complex and Unique Challenges
It didn’t take long to notice the university’s unusual IT challenges. From an identity perspective, it's a complicated place. In a traditional organization, people typically onboard with one role or job, and get promotions, change roles, or take on new responsibilities over time. When someone leaves, that account is terminated.
Our university has an unusual blend of students, professors, contractors, staff, visitors, IT, and more. Our user roles can change and even pause over many years, and many people hold multiple roles concurrently. Many of our employees are also students, and they may switch roles based on whether they access the system from a student persona or an employee persona.
Our hospital environment adds to the complexity, as some students are also employees with access to Protected Health Information. A lot of people have access to a lot of sensitive data, so we have to ensure that the access they have from each role is appropriate and that controls are in place to safeguard that information. Managing all those permissions, privileges, and access is exponentially more difficult than it is in a more traditional organization. It’s difficult to ensure the right people get the right access to the right things, without compromising security or productivity. All of that is especially critical in the context of privileged access.
We do a good job of provisioning accounts when somebody gets a new role or when an employee or student joins the university. The harder part is managing those accounts, or removing them when the user changes role or leaves the university, and keeping track of all the moving parts. Knowing who has access to what isn't enough; we have to know which role or persona that access is tied to, so that we can add and remove the right entitlements for people who hold many roles. We had to increase visibility into our accounts and reduce our risk. Specifically, we had to improve the way we handle privileged accounts.
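The persona problem described above, as an added illustration that is not the university's own tooling: entitlements are justified per persona, a persona can be paused or removed independently, and a reconciliation step compares what a target system actually grants with what the active personas justify. All names and entitlements are constructed sample values.

```python
"""Persona-scoped entitlement model (constructed example, not the
university's identity-governance product)."""
from dataclasses import dataclass, field


@dataclass
class Persona:
    name: str            # e.g. "student", "employee"
    entitlements: set    # access justified by this persona
    active: bool = True  # a paused persona keeps its entitlements but grants nothing


@dataclass
class Identity:
    user: str
    personas: dict = field(default_factory=dict)

    def add_persona(self, name, entitlements):
        self.personas[name] = Persona(name, set(entitlements))

    def pause(self, name):
        self.personas[name].active = False

    def resume(self, name):
        self.personas[name].active = True

    def remove_persona(self, name):
        del self.personas[name]

    def effective_access(self):
        """Union of entitlements across ACTIVE personas only."""
        return set().union(*(p.entitlements for p in self.personas.values() if p.active))

    def access_via(self, entitlement):
        """Audit question: which active personas justify this entitlement?"""
        return sorted(p.name for p in self.personas.values()
                      if p.active and entitlement in p.entitlements)


def reconcile(identity, granted):
    """Compare what a target system actually grants with what the identity's
    active personas justify. Returns (to_revoke, to_add), both sorted."""
    should = identity.effective_access()
    return sorted(set(granted) - should), sorted(should - set(granted))


def demo():
    # Constructed sample: a hospital employee who is also a student.
    alice = Identity("alice")
    alice.add_persona("student", {"lms", "library"})
    alice.add_persona("employee", {"email", "ehr_phi"})
    granted = {"lms", "library", "email", "ehr_phi", "legacy_admin"}  # stale right present
    before = reconcile(alice, granted)   # only the stale admin right is unjustified
    alice.pause("employee")              # leave of absence: PHI access must go too
    during = reconcile(alice, granted)
    alice.resume("employee")
    alice.remove_persona("student")      # graduated: student access goes, PHI stays
    after = reconcile(alice, granted)
    return before, during, after
```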
We use an identity governance solution that helps us manage those identities and personas and keep the roles separate, but it doesn't cover everything. We needed to do better.
You can't protect what you have unless you know what you have—and we had no idea what we had. The hospital is a well-managed environment, and we had a good handle on user access and activity. The university campus side, however, was a different story. No one knew what hardware or software resources we had, let alone all of the accounts. No one could see which people had access to which privileged accounts, or how to manage them. Many privileged accounts were tracked on spreadsheets. We have scanners that sweep the networks, but they don't analyze how service or privileged accounts are used. It was a major blind spot.