Owning the responsibility for developing and maintaining an organization’s internally developed or highly configured Identity Management platform would be right at the top of my nightmare scenario list.
I won’t go into detail here on the benefits of Identity and Access Management. Suffice it to say, IAM is not only a critical element of security, it also contributes directly to the bottom line, automating complex provisioning (both on- and off-boarding), massively reducing the hours wasted retrieving or resetting forgotten passwords, and generating documented audit trails required to comply with federal and state regulations.
Few organizations have a greater upside, or downside, in deploying a robust Identity Management solution than today’s colleges and universities.
At any given time, most higher education institutions support a complex IT ecosystem consisting of decrepit legacy applications, shiny new (and often untested) emerging technologies, sensitive research systems, and student and staff financial data as well as other HR data. What’s more, they’ll be managing this environment in the context of on- and off-boarding roughly 25% of their student population – and their largely unsecured mobile devices – every year.
Yet IT budgets and staff per user are consistently lower for colleges and universities than they are for equivalently sized commercial companies. Which is why “open” systems are often the siren call for these educational enterprises.
But open is not free. In fact, open is typically not cheaper, nor really open. It’s simply your proprietary platform instead of your vendor’s proprietary platform. Which means you own it, in all its glory or ignominy.
“[Y]ou’re still locked in with open source software, just not to the vendor. With open source, you’re locked in to your app. After you’ve opted for an open source app, it’s up to you to provide ongoing maintenance, upgrades and troubleshooting, as well as any needed end-user support. Congratulations! You’re now a software vendor. The high switching costs of commercial apps are now replaced by the high costs of supporting open source apps.” (Forbes, “Open Source Software: The Hidden Cost of Free”)
Identity Management is not an applet. Underneath the hood, it’s a complex piece of management software, touching servers, systems, and applications. It has to be deployed and implemented in your infrastructure, and integrated into your existing directory structure and application ecosystem.
As with most things, you get what you pay for. So-called open or “free” systems are typically unfinished and marginally supported. To fully develop and configure these systems to the extent that a diverse population of staff and new students will be able to use them (with minimal training and documentation) is not a trivial task.
And to ensure that the software keeps pace with advancements in the industry and increasingly sophisticated security threats? To think that access to my university’s research and financial data depends entirely on the performance of my one-off, self-maintained identity management system? Well, that would keep me Sleepless in San Francisco.
Because in the end – when users complain, data is compromised or intellectual property is protected insufficiently – the only neck I’d have to choke would be my own.