How Privileged Access Management (PAM) Helps Higher Ed Cybersecurity

What Problems Does PAM Solve for Higher Education?

In higher education environments, IT managers have more reasons than most to consider implementing PAM. Higher ed IT systems have vast amounts of very personal and sensitive data on students and staff. So, best-practice technologies such as PAM are now a baseline for building defenses to protect personally identifiable information (PII), financial information, academic records, and sensitive and proprietary university research data. University lawyers and auditors are also likely to be enthusiastic about PAM as it pertains to compliance with laws like HIPAA and the Family Educational Rights and Privacy Act, or FERPA.

Then, there are the uniquely collegiate challenges that higher education IT managers have to navigate. For example, most universities have a highly decentralized IT environment with individual departments and research groups running their own systems and sometimes building infrastructure. Those departments or research groups still have to share some responsibility with centralized IT, however, and must answer to many types of auditors.

Another example: Colleges and departments that are independent of central IT often use their own tools and may contribute to an exceptionally broad application portfolio compared with that of a similarly sized organization. PAM’s centralized management and unified approach to access control help higher education IT teams support decentralized IT and a wide array of applications while minimizing risk, delivering consistent controls, and enabling oversight and accountability at a lower cost.

RELATED: Federal research partnerships give universities a competitive edge.

University IT teams usually find that PAM helps in research environments where collaboration between research groups, both internal and external, may call for granting some privileged user access outside of normal policies. In this scenario, a consortium of research institutions may have shared resources located on one campus that require external collaborators to have administrative control of IT systems, a perfect environment for hackers to gain remote access.

PAM has the ability to require much higher levels of authentication (such as multifactor or certificate-based authentication) before delivering access to these shared resources. PAM products can also support more complex authentication and access control decisions, such as restrictions based on country or institute of origin, to help further reduce the risk of unauthorized access. Some PAM products can even integrate with federated access systems, such as Shibboleth, InCommon and eduGAIN.

Challenges to Implementing PAM in Higher Education

Although PAM offers many benefits for university IT environments, there are also special challenges that higher ed IT managers should keep in mind.

One major difference between higher education and traditional enterprise deployments is the level of turnover and change management required. Because PAM must accommodate students joining and leaving projects and courses every few months, the number of move-add-change transactions will be much higher than at a comparably sized enterprise. For IT managers, this means looking at PAM designs that have streamlined the process and procedures for handling MACs.

Full integration with existing on-campus directory services is a valuable PAM feature in a high-turnover environment. This can simplify the number of steps required to get students the access they need. For example, if the class registration system pushes group and identifier information into the central directory when a student enrolls in a class, this will help flow that registration information into the PAM solution to give the student the proper access. Or, in cases where automatic enrollment is not appropriate, the PAM solution can use class or workgroup identifiers as a second check to make sure that someone hasn’t been given access accidentally.

Click the banner below to dig into research compiled in the 2024 CDW Cybersecurity Research Report.

A second major difference between higher education and other enterprises is the pattern of access. While university administrative staff may follow a traditional work schedule, students and faculty are going to need access at all hours of the day and night, with special urgency at the end of the semester and before grant application deadlines. University environments won’t have consistent and predictable access patterns when it comes to these groups, but PAM products often include suspicious activity monitoring, a great feature to help identify and block unauthorized access.

These access pattern differences mean higher ed IT managers should focus on PAM designs that have anomalous activity detection with enough flexibility to accommodate the wildly varying schedules of their student and faculty populations. Anomaly detection will need to be balanced carefully to ensure that students and faculty have the access they need when they need it, without compromising this advanced feature of a good PAM deployment.

Another aspect of the high turnover in university environments is the need for constant training and support for an ever-changing user community. IT managers should put special emphasis on user training and self-service features when designing PAM for their campus. A well-designed graphical user interface for end users will help smooth overall operations. User awareness training is also important at all levels to help everyone on campus understand the value of PAM in the context of university information security.

LEARN MORE: Stanford student Kyla Guru shares insights on Gen Z and cybersecurity.  

Picking the Right PAM Features for Higher Education

Higher education IT managers looking at PAM designs will be bombarded with options and ideas on how to solve every access control security problem on campus. A key to successful deployment is to start small and work outward as you gain experience with products and procedures. Saying something like “Let’s secure all of our network infrastructure devices” or “Let’s start with the Unix servers” is a good way to get your feet wet without being overwhelmed.

However, there are some features that always need to be top of mind, even at the first stages of deployment:

• API flexibility. Higher education IT teams will want to automate provisioning and deprovisioning of users, as well as audit reporting, though application programming interface access to the PAM products.
• Single sign-on. A full PAM deployment means that staff users will encounter the PAM product multiple times per day — perhaps multiple times per hour — as they do their jobs. Integration with federated identity systems and single sign-on technologies is critical.
• SOC integration. As security operations centers track incidents and suspicious behavior, they will need to quickly and accurately match privileged access between system logs and PAM logs. PAM consoles need to be able to export data to security event and information management systems and other analytical tools in such a way that events merge seamlessly, and the SOC can immediately see what is happening.
• Higher education is increasingly required to deliver reports and audit information to a wide variety of internal and external parties. IT teams looking at PAM designs should bring auditors to the table early to ensure that their reporting requirements can be met quickly and without aggravation.