What Problems Does PAM Solve for Higher Education?
In higher education environments, IT managers have more reasons than most to consider implementing PAM. Higher ed IT systems have vast amounts of very personal and sensitive data on students and staff. So, best-practice technologies such as PAM are now a baseline for building defenses to protect personally identifiable information (PII), financial information, academic records, and sensitive and proprietary university research data. University lawyers and auditors are also likely to be enthusiastic about PAM as it pertains to compliance with laws like HIPAA and the Family Educational Rights and Privacy Act, or FERPA.
Then, there are the uniquely collegiate challenges that higher education IT managers have to navigate. For example, most universities have a highly decentralized IT environment with individual departments and research groups running their own systems and sometimes building infrastructure. Those departments or research groups still have to share some responsibility with centralized IT, however, and must answer to many types of auditors.
Another example: Colleges and departments that are independent of central IT often use their own tools and may contribute to an exceptionally broad application portfolio compared with that of a similarly sized organization. PAM’s centralized management and unified approach to access control help higher education IT teams support decentralized IT and a wide array of applications while minimizing risk, delivering consistent controls, and enabling oversight and accountability at a lower cost.
University IT teams usually find that PAM helps in research environments where collaboration between research groups, both internal and external, may call for granting some privileged user access outside of normal policies. In this scenario, a consortium of research institutions may have shared resources located on one campus that require external collaborators to have administrative control of IT systems, a perfect environment for hackers to gain remote access.
PAM has the ability to require much higher levels of authentication (such as multifactor or certificate-based authentication) before delivering access to these shared resources. PAM products can also support more complex authentication and access control decisions, such as restrictions based on country or institute of origin, to help further reduce the risk of unauthorized access. Some PAM products can even integrate with federated access systems, such as Shibboleth, InCommon and eduGAIN.
Challenges to Implementing PAM in Higher Education
Although PAM offers many benefits for university IT environments, there are also special challenges that higher ed IT managers should keep in mind.
One major difference between higher education and traditional enterprise deployments is the level of turnover and change management required. Because PAM must accommodate students joining and leaving projects and courses every few months, the number of move-add-change (MAC) transactions will be much higher than at a comparably sized enterprise. For IT managers, this means looking at PAM designs that streamline the processes and procedures for handling MACs.
Full integration with existing on-campus directory services is a valuable PAM feature in a high-turnover environment. This can reduce the number of steps required to get students the access they need. For example, if the class registration system pushes group and identifier information into the central directory when a student enrolls in a class, that registration information can flow into the PAM solution to give the student the proper access. Or, in cases where automatic enrollment is not appropriate, the PAM solution can use class or workgroup identifiers as a second check to make sure that someone hasn’t been given access accidentally.
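The directory-driven flow and the "second check" described above can be sketched as a reconciliation job. This is an added example, not code from any PAM product: the group identifier scheme, the data layout and the `reconcile` function are assumptions, and all sample records are constructed.

```python
from datetime import date

# Constructed directory groups, as a registration system might push them.
DIRECTORY_GROUPS = {
    "course:BIO-410:2024FA": {"members": {"asmith", "bjones"}, "ends": date(2024, 12, 20)},
    "course:CS-101:2024SP": {"members": {"dlee"}, "ends": date(2024, 5, 10)},
    "lab:genomics": {"members": {"cdavis"}, "ends": None},
}
# Hypothetical mapping: the privileged resource each group entitles members to.
GROUP_RESOURCE = {
    "course:BIO-410:2024FA": "bio410-vm-admin",
    "course:CS-101:2024SP": "cs101-lab-root",
    "lab:genomics": "seq-cluster-sudo",
}
# Constructed PAM grants; "basis" is the group identifier that justified the grant.
PAM_GRANTS = [
    {"user": "asmith", "resource": "bio410-vm-admin", "basis": "course:BIO-410:2024FA"},
    {"user": "dlee", "resource": "cs101-lab-root", "basis": "course:CS-101:2024SP"},
    {"user": "evance", "resource": "seq-cluster-sudo", "basis": "lab:genomics"},
    {"user": "fkhan", "resource": "seq-cluster-sudo", "basis": "lab:proteomics"},
]

def reconcile(grants, groups, group_resource, today):
    """Compare PAM grants with directory groups; return (to_revoke, to_add)."""
    to_revoke, held = [], set()
    for g in grants:
        group = groups.get(g["basis"])
        if group is None:
            reason = "basis group not in directory"
        elif group["ends"] is not None and today > group["ends"]:
            reason = "basis group has ended"
        elif g["user"] not in group["members"]:
            reason = "user is not a member of basis group"
        else:
            held.add((g["user"], g["resource"]))  # grant passes the second check
            continue
        to_revoke.append((g["user"], g["resource"], reason))
    # Members of active groups who do not yet hold the entitled access.
    to_add = sorted(
        (user, group_resource[name])
        for name, group in groups.items()
        if name in group_resource and (group["ends"] is None or today <= group["ends"])
        for user in group["members"]
        if (user, group_resource[name]) not in held
    )
    return to_revoke, to_add

if __name__ == "__main__":
    revoke, add = reconcile(PAM_GRANTS, DIRECTORY_GROUPS, GROUP_RESOURCE, date(2024, 10, 1))
    print("REVOKE", revoke)
    print("ADD", add)
```

Where automatic enrollment is not appropriate, the `to_add` list would go to an approver rather than being applied, while `to_revoke` still serves as the accidental-access check.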