Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Mar 31 2025
Security

IGA: What Is It, and How Are Universities Using It?

Identity governance and administration tools simplify user identity management for higher education’s diverse IT and user bases.

In January 2025, PowerSchool’s student information system was hacked, exposing the names, addresses and other information of more than tens of millions of schoolchildren and their parents.

“Private assessments of the hack show the company failed to take basic steps to protect students’ data … [and] found no evidence that the hackers used malware or found a backdoor into PowerSchool’s systems,” NBC News reported. “Instead, the hacker simply obtained a single employee’s password. That granted access to a ‘Maintenance Access’ function that let them download millions of children’s personal information.”

Like K–12 schools, colleges and universities share the challenge of managing large populations of students, professors, instructors, assistants, administrators and contractors who use a variety of internal and cloud-based systems for a wide array of functions, likely at different levels of access authorization.

Click the banner below to identify the right security strategies for your institution.

 

How can institutions keep track of it all to assure IT and network security?

What Is Identity Governance and Administration’s Role?

College and university IT departments use identity and access management — and in some cases cloud identity entitlement management (CIEM) — to administer and monitor user identities. This allows IT staff to assess activities internally and in the cloud, but these technologies might not suffice in a large, diverse user environment if there isn’t an overall technology framework within which to place them.

Identity governance and administration (IGA) provides this overarching framework, along with identity policies and security solutions.

Like IAM security, IGA can track user access and activities on-premises and in the cloud. However, IGA can go further, because IAM functions can be linked to IGA software to create a complete, seamless solution that can manage all user identities across the cloud and on-premises. While this is similar to IAM, IGA additionally addresses audit needs and automates compliance requirements in a uniform way across all assets, which IAM can’t do.

DIVE DEEPER: Compare identity management solutions for your institution.

The ability to integrate identity policies, identity operations, and audit and compliance requirements in a single piece of software — with IAM and possibly CIEM fitting neatly underneath the IGA umbrella — provides greater security and gives IT administrators stronger control over user identity access and actions in both cloud and on-premises environments.

Why Is IGA a Good Fit for Institutions of Higher Learning?

The complexity of higher education environments creates a need for an all-encompassing IGA approach that can govern, administer and monitor access at all points.

The job of managing access for tens of thousands of users — ranging from instructors and professors to students, contractors and administrators — is daunting, with users frequently changing or serving in multiple roles. Students graduate or transfer to other departments, for example, and new students enroll. A student in medical school may lecture part-time in the chemistry department as a teaching assistant.

Layered over this is the decentralized nature of academic institutions, which often have multiple campuses, buildings and networks, in addition to online, remote learning.

IGA allows IT departments in higher education to address all of these complexities.

What Is the First Step to Implement Identity Governance and Administration?

The first step in a total IGA strategy has nothing to do with software. Instead, institutions of higher learning should assemble IT and key administrative and academic players to determine what the rules of identity governance and behavior should be.

DISCOVER: Get the guide to credential management in higher education.

This isn’t easy to do since many education users today move deftly between clouds with ease, with few governance limitations. Plus, people, time, resources and budgets are likely limited for a project that might not be popular.

But can educational institutions afford to look the other way?

According to an October 2024 Microsoft report, the education industry is the third-most-popular target of cyberattackers, averaging 2,507 attacks per week. Microsoft stated that it was blocking more than 15,000 emails per day that targeted education institutions with malicious QR codes.

What Is the IT Team’s Role in Creating a Roadmap to IGA?

A university’s board of regents and top administrators will understand this risk, but it’s up to IT teams to explain what IGA is, how it can achieve optimal security and what’s required to implement it. CIOs should also develop IGA roadmaps that can rightsize their IGA efforts to the budgets and operational bandwidths of the institutions they support.

To do this, CIOs should first procure support from key stakeholders by meeting with them individually to explain the need for IGA as an overarching security technology and policy platform for digital security.

2,507

The average number of cyberattacks per week against higher education institutions in 2024

Source: microsoft.com, “Education under siege: How cybercriminals target our schools​​,” Oct. 10, 2024

In these discussions, CIOs can present the long-term benefits of an IGA program that can streamline user identity verification across many services while also easing audits and automating compliance. At the same time, IT leaders should be honest about the likelihood of pushback, because users won’t be able to access IT resources as readily as they could in the past.

For these reasons, the strategic roadmap for IGA should consider the need for minimally disruptive business and user adoption as well as the speed of technology implementation.

One way to do this is to create a phased implementation approach that tackles the most mission-critical and sensitive systems first before extending to other areas of IT.

As part of the plan, a cross-departmental governance committee for institutionwide security, compliance and governance should be created. The committee should include executive management, the IT and legal departments, auditors, and key stakeholders from the administrative and academic sides of the institution. Ideally, such a steering committee would review and provide IGA direction, and it would develop an annual budget and implementation plan for IGA.

UP NEXT: Automation helps short-staffed IT departments protect data in higher education.

pixdeluxe/Getty Images