How Higher Ed IT Teams are Increasing Efficiency with Cloud Identity and Access Management (IAM)

According to a recent survey, 39% of higher education apps run in the cloud today, and that number is expected to increase to 62% by 2021. 81% of colleges and universities plan to increase their cloud spend in 2017 [1]. Google Docs, Office 365, Canvas, Ellucian, Blackboard, and Workday, among other cloud apps, are becoming ubiquitous in higher education. But while many colleges have a cloud-first mindset for the future, most are operating in a hybrid IT environment today, with a mixture of cloud and on-prem applications. And, most use a combination of on-prem identity and access management systems including Shibboleth, ADFS, Oracle, and IBM, as well as manual processes to manage access to these resources. Current approaches to IAM on most campuses present significant opportunities for achieving efficiencies in manual operations, infrastructure, and maintenance costs.




In a recent survey of higher education IT leaders, 46% said reducing IT costs was a top initiative in the next 12 months [2]. Unnecessary costs associated with legacy approaches to identity management include:

Password Resets: Self-service password recovery is a capability that most internet users have come to expect, but many existing IAM deployments either fail to implement this critical feature, don’t cover all applications, or don’t take advantage of modern approaches like password recovery via SMS or another factor. The problem is further exacerbated by the large populations that colleges serve. A large university we spoke to counted 3,500 IT calls annually to reset passwords. According to our data, on average, IT spends 15 minutes resetting a forgotten password. This equates to roughly 875 IT hours spent resetting passwords for this particular organization.

Lifecycle Management: The lifecycle of a student in particular is constantly changing. Students transition from being an applicant, to an active student, to ultimately graduating and becoming an alumnus. Without a fully integrated and automated identity management solution, IT is marching on the treadmill of manually provisioning students’ access to each application. One college we spoke with said that 25 different people were involved in provisioning a single student’s accounts. Further complicating matters, when a student profile changes, IT must also manually update profile changes to any downstream apps that rely on this information. Colleges and universities that have on-prem identity systems often dedicate IT headcount just to these tasks, when connectors to downstream applications haven’t been implemented.

Reliability: An IAM solution is the gateway for access to most, if not all, applications and so, it must be more reliable than anything it connects to. Yet, in our recent survey, nearly 50% of teams reported that reliability was a top IAM challenge. Ensuring high availability with on-prem solutions comes at a high price. First, these systems must be implemented in a way that allows for maintenance and upgrades without downtime. Second, they must be deployed with failover and disaster recovery. All of this infrastructure requires care and feeding of an experienced and highly skilled team that could add benefits to the organization on more differentiated tasks. Apart from making infrastructure resilient, IAM requires that connectors be up-to-date for all target systems. When any application is upgraded, connectors must be tested and validated, and this often custom work yields further unnecessary cost. On average, it costs $15,000-$25,000 to build a connector for a new app, with connectors to on-prem identity systems costing between $50,000 and $100,000. Connector maintenance is roughly 15% annually. Colleges often need dedicated IT resources, with specialized expertise in building and maintaining connectors.

Scalability: Scalability is particularly critical in higher education. Colleges and universities add a new class of students each year. Yet, graduating students aren’t deprovisioned; rather, they become alumni. As universities mature, the number of identities they manage continues to grow. With this unique model, higher education needs an identity solution that quickly scales up to meet those needs.

Managing Multiple Domains: Student, faculty and alumni identities are often stored in multiple AD or LDAP domains. Without one centralized place to manage these identities, a lot of IT redundancies exist. Instead of one center of excellence from which to manage users and apps, there are several. This is an expensive and inefficient use of IT resources.

Over the past decade, Cloud IAM delivered 100% as a service has matured to the point that it can handle full-fledged enterprise requirements while addressing the significant operational inefficiencies identified above. Cloud IAM significantly reduces the number of help desk tickets related to password resets with modern and future-proof self-service capabilities. Cloud IAM nearly eliminates IT time spent managing the student lifecycle by automating provisioning requests and updates to profiles. And, because cloud identity is a service, service reliability/maintenance costs, connector costs (for new apps) and ongoing connector maintenance are completely eliminated.

The Okta Identity Cloud is the leading cloud identity and access management solution. The Okta Identity Cloud helps colleges and universities of all sizes all over the world increase efficiency by lowering IT costs. Colleges realize immediate value through a reduced number of IT help desk tickets and by eliminating the purchase of additional legacy identity products. With Okta, IT is much more efficient. The Okta Identity Cloud enables students and faculty to be onboarded faster and equipped with the full set of tools and permissions they need to be productive on day one. The time and cost required to build, secure and maintain access and authentication solutions is eliminated. And manual integration and provisioning work becomes automated. All of this together frees IT resources to spend more time on valuable strategic work.

Okta is uniquely able to help colleges and universities realize cost savings in a number of ways. With Okta Single Sign-On (SSO), IT teams spend less time administrating and more time on strategy. Okta has the broadest and deepest set of over 5,000 integrations to cloud, mobile, and web apps. And, the Okta Identity Cloud takes care of cumbersome and costly integration work, so colleges and universities don’t have to. With Okta SSO, IT teams realize a 50% reduction in help desk calls related to password resets. Okta also provides a much better user experience for your students and faculty, with a customizable dashboard, an interface tailored to each device, and centralized notifications for new apps, password changes, and messages from IT.

Okta’s Lifecycle Management product automates every aspect of the student lifecycle, beginning with custom self-service registration/onboarding and throughout the student journey via rules, policies, workflows and APIs (for full customization). Lifecycle management automatically detects differences in profile attributes across apps and updates them. Okta has 80 pre-integrated apps for provisioning and deprovisioning. It also enables extensible integrations to critical higher education apps like Ellucian, Blackboard, and Canvas. Real-time provisioning can be triggered by an HR system, Student Information System, or any other designated application. With Okta, IT saves 30 minutes on every single provisioning request, and another 30 minutes on determining and configuring groups and entitlements.

Okta is 100% born and built in the cloud. Because of that, the Okta Identity Cloud can centrally monitor, manage and upgrade its service, and scale to meet any university’s needs. With Okta, IT teams don’t maintain apps or connectors; Okta does that for you. All Okta customers share the same underlying environment, and that environment is extremely robust in terms of scale and redundancy. And, the Okta platform is completely stateless; all components can immediately be scaled up or down as needed. If any individual component fails, the system will re-route it.

Okta’s Universal Directory provides one place for IT to centrally manage all students, faculty, alumni, groups and devices from any number of master directories of any type. Universal Directory completely eliminates any redundancies across multiple domains, and establishes one center of excellence for the institution. It enables IT to provide shared services for an entire university without forcing them to consolidate domains.

IT resources at colleges and universities are finite. But by moving from an on-prem identity solution to a cloud-based service, colleges can reduce costs and increase IT efficiency. In doing so, IT is able to dedicate resources to valuable strategic work, as opposed to tedious tasks like manual profile updates to downstream apps, password resets, and connector maintenance.

