
Fischer International Identity

Identity Management Made for Higher Education™

IDENTITY MANAGEMENT CASE STUDY

Identity Management Capabilities Rise in the Cloud


Maryland Institute College of Art
Executive Summary
Securing the campus is no easy task. IT Departments at most colleges and universities have
implemented identity and access management (IAM) at some level as one component of their security
framework to limit the institution's exposure to risk. Many institutions begin by developing homegrown
IAM applications to protect information about their constituents and to enable secure access to
resources by authorized users. However, the cost to maintain and extend a homegrown IAM application
to address a continuous stream of new systems and applications, new users and communities, and new
business and trust models is forcing IT Departments to ask themselves: “Is this the best use of my IT staff
and budget?” The Maryland Institute College of Art (MICA) concluded, "No."

After a less than successful outing with one IAM vendor, MICA looked at replacement IAM solutions; this
time, including cloud-based IAM solutions. Fischer’s cloud-based Identity as a Service™ solution was
selected as it provided greater capabilities and a contemporary technology platform, and eliminated daily
administration of the IAM solution. Specifically, MICA reported the following outcomes after switching
to Fischer:
• Refocused staff on more critical projects
• Improved quality of service
• Reduced help desk calls for password resets by 75%
• Reduced provisioning errors to zero (0)
• Decreased "wait time" for new accounts
• Increased security
• Reduced preparation time for audits
"Critical success factors" and "lessons learned" are also provided.

Profile
Founded in 1826, Maryland Institute College of Art (MICA) is the oldest continuously degree-granting
college of art and design in the nation. The College enrolls nearly 3,500 undergraduate, graduate and
continuing studies students from all 50 states and 57 countries in fine arts, design, electronic media, art
education, liberal arts, and professional studies degree and non-credit programs. Redefining art and
design education, MICA is pioneering interdisciplinary approaches to innovation, research, and
community and social engagement. Alumni and programming reach around the globe, even as MICA
remains a cultural cornerstone in the Baltimore/Washington region, hosting hundreds of exhibitions and
events annually by students, faculty and other established artists.

MICA’s Office of Technology Systems and Services supports the educational mission of the College as
well as its business, administrative, and electronic communication needs. The department’s small staff
helps guide the College in using technology with a goal of providing outstanding service and support to
the College, its students, faculty, and staff. With its small size, the department focuses on helping
achieve academic goals and proactively adopts methods that cost-effectively provide value to the

Fischer International: Identity Management Capabilities Rise in the Cloud 1


College’s constituents. MICA had developed a partially-automated IAM solution in 2007 and replaced it
in 2010 with a vendor solution to gain additional automation and integration capabilities.

Challenges
MICA’s homegrown IAM solution could not address their business and technical requirements, such as
supporting their migration from Exchange to Google Apps. Their first vendor solution resolved some
issues, but created additional challenges.

Password Reset Challenges:


High Help Desk Volume Caused Poor Service Levels. Initially, with its homegrown solution, 65-70% of
MICA’s help-desk calls were for password resets. During the first 3 weeks of each semester, about 90%
of help-desk time was dedicated to password problems. MICA had to dedicate 2-3 people to respond to
queries and problems. As a result, the college was unable to meet their targets for customer service
levels to end users; e.g., users waited one-to-two hours for passwords to be reset and substantially
longer during peak periods.

Users Sometimes Wrote Difficult-to-Remember Passwords in Non-Secure Places. Many end users
continued to use the system’s randomly-generated password, and because calling the help desk was a
hassle, many of these users wrote their passwords down to remember them, often in non-secure places.

User Provisioning Challenges:


Influx of Students Created Delays at Beginning of Each Semester. The addition of new students each
semester delayed other processes performed by the help desk. As students arrived, the volume of user
account related questions and issues increased dramatically. This made it difficult for staff to respond to
other requests such as computer configurations or network troubleshooting. In addition, problem
resolution to provisioning related questions could take days to complete, which tarnished public
relations with the new people. IT development was also delayed as troubleshooting account-related
problems required about 25% of a developer’s time to determine whether an account had been
provisioned, disabled, etc.

Incomplete Deprovisioning Resulted in Orphan Accounts. MICA had no standard process for
deprovisioning user accounts and IT was usually not notified when a staff person left the institution,
which led to 3,500 orphaned accounts. Also, the deprovisioning process was sometimes incomplete and
did not disable all accounts for a departing user, as removing Active Directory access didn’t disable some
types of accounts.

Reuse of Accounts Created Security and Compliance Problems. About a fourth of departing staff and
students returned to the college months later and expected to use the same accounts, but that was
often not possible: When an account was deleted, it was sometimes reused for another person, so for
example, if John Smith left MICA, his JSMITH account would be deleted. If MICA then hired Joanna
Smith, the JSMITH account would be recreated, which caused additional problems as the new person
might gain access to confidential FERPA records of the previous person using the account.

Difficulty Responding to Urgent Requests for New Accounts. MICA provisioned user accounts once per
day; although this did not directly cause problems, IT sometimes received desperate calls to provision
new users, such as adjunct professors, who had not submitted paperwork to HR until just before they
needed the resources. To provide immediate access, IT could run an ad-hoc provisioning routine, but
this activity caused problems by circumventing some controls.

Inefficient Workflow Processes for Account Naming. As part of their user provisioning process, MICA
has had a longstanding policy to allow user input regarding their own account names. For example, if
someone named Edward was known as Ted, his account names would reflect what he was actually
called. However, to support this policy when someone’s name changed, many manual processes were
required by multiple people. Delays resulted as MICA didn’t have a good notification system for when
each person needed to take action.

Risk of FERPA Violations. Distributing credentials to new users was an error-prone mail-merge process.
MICA faced an on-going risk of FERPA violations if credential letters were lost, mis-delivered or shared
with the wrong person.

Help Desk Challenges:


Inefficient and Error-Prone Password Resets. The help desk required training to make password resets
on multiple systems. The processes that were developed were inefficient and had significant error rates
as staff had to sign into multiple systems to take a single action: One system provided information to
assure that they were working with the right accounts, and then they managed the accounts using
another system.

IT Personnel Could Access End-User Passwords. Numerous IT people had access to a database
containing most end user passwords, which meant that any of them could have potentially logged into
an end-user account by pretending to be an end user.

Lengthy Audits Caused by Insufficient Processes and Tracking. MICA was unable to track when or why
accounts were provisioned or deprovisioned due to a lack of standard processes; therefore, MICA
required a large amount of time during financial audits to answer questions about IT access.

Difficulty Managing and Auditing Accounts for Contractors. Manual processes for provisioning
contractor accounts lacked accountability of exactly who was using accounts, who sponsored the
accounts, and for what purposes. This led to long deprovisioning delays when a contractor departed.


Challenges with First IAM Solution Vendor:
MICA’s first commercial solution provided additional automation for user provisioning and
deprovisioning, which provided some relief, but the solution failed to address some key requirements,
and created additional challenges.

Help Desk Remained Overburdened. Only 5% of users actually adopted the first solution, so when a
user forgot a password, calling the help desk continued to be the only option to reset the password.
Also, distribution of credential letters was inconsistent or inaccurate, causing further burden to the help
desk to correct the problems.

Some Requirements Were Not Addressed. The solution failed to manage access for contractors and it
needed a programmer to write code to perform required actions.

Unexpected Expenses. The vendor’s licensing model proved to be unclear so that expanding to alumni,
parents and others would not be affordable.

Solution
As MICA has limited IT staff, they sought solutions that combined comprehensive capabilities with user-
friendly self-service interfaces and low administrative requirements. MICA’s prior experience with SaaS
applications led them to evaluate and to ultimately select Fischer’s cloud-based Identity as a Service®
solution in 2011 to further automate provisioning and deprovisioning activities for key applications.
Fischer’s identity portal enables end users to securely reset their own forgotten passwords, and
authorized end users can request or approve access to resources. All provisioning and password
management activities in the solution are recorded for audit and reporting purposes.

The Implementation Process

Detailed Planning Included Cost-Benefit Analysis. During the implementation process, MICA knew
PeopleSoft would be the source of authority for IAM, and that they wanted to build on what had been
accomplished with the first vendor solution; however, planning involved rolling up their sleeves for two
weeks to answer many other questions, such as exactly which data elements would be needed by each
system for each process. MICA determined which resources to automatically provision based on their
expected results. In doing so, they considered their level of pain, the anticipated impact of automation,
as well as how widely the resources were used.

Automated and Self-Service Processes Were Implemented in Phases. During the first phases, MICA
automated provisioning and deprovisioning for several applications, including groups/roles for Google
Apps, PeopleSoft Campus, PeopleSoft Portal and Active Directory. This included automatically
provisioning resources for students, faculty, alumni and staff. The self-service portal provided password
reset capabilities and enabled authorized users to request additional resources. MICA chose to not
automate provisioning for applications that have few users or for applications that are rarely used.
Fischer performed the implementation and MICA tested the solution prior to placing it into production.

Key Decisions Led to Success. MICA made key decisions that positively impacted the implementation
and improved user acceptance. First, they decided to minimize changes during the implementation
by continuing to use their existing PeopleSoft processes to extract information about provisioning
events such as matriculation, new hire, etc., which shortened the discovery and implementation
processes. Also, for the account distribution process for new users, MICA chose to require users to enter
information that would enable them to later reset forgotten passwords. New accounts are activated
immediately after an end user completes this task.

Results
MICA achieved their goals by using the Fischer solution:

Password Management Improved Quality of Service. MICA has had a 100% user adoption rate with
Fischer. Users securely reset their own forgotten passwords within a couple of minutes instead of waiting
for the help desk. The solution also synchronizes each user’s passwords so they have fewer passwords to
remember.

Reduced “Wait Time” for End Users. Automated user provisioning further improves quality of service by
reducing wait times for faculty, students and staff to receive required accounts and privileges. When a
student matriculates or when someone is hired, resources are provided based on their start dates. Also,
adjunct faculty who don’t complete HR paperwork until their first day of classes can now access their
own accounts in time for their first classes.

Streamlined Process for New Account Distribution Eliminated Risk of FERPA Violations. MICA no
longer distributes new account passwords. Instead, users securely create their own initial passwords
that are easier to remember than generated passwords.

Help Desk Refocused on Customer Service After 75% Reduction in Calls to Reset Passwords. MICA’s
help desk has refocused its efforts to concentrate on improving customer service, especially at the
beginnings of semesters when new students and employees are welcomed to MICA, as password-reset
calls were reduced by 75%. Training for staff to use the Fischer solution is minimal and, since Fischer is a
comprehensive solution, only one system is required to validate users and reset passwords.

“Zero Error Rate” for Automated Provisioning and Improved Accuracy of Manual Activities. MICA
relies on the accuracy of Fischer’s automated provisioning solution as their error rate for automated
provisioning has been reduced to zero. MICA can also correct keyed errors, such as when HR incorrectly
inputs that an employee has been terminated: Once HR corrects the error, the person’s access is
re-enabled and no data is lost. The Fischer solution also automates account name changes to improve
accuracy and timeliness, and it notifies the persons required for manual name change activities, such as
PC maintenance.

Eliminated Risk of Inappropriate Access to User Accounts. When a person departs MICA, information
entered into PeopleSoft automatically initiates deprovisioning processes to prevent orphaned accounts.
Also, authorized persons can use self-service to terminate the access of departing persons. MICA also
reduced risk by eliminating the user credential database so that user credentials cannot be accessed by
administrators.

Reduced Risks Associated with Contractor Accounts. MICA deleted contractor accounts whose users
were unknown and now holds the sponsors of contractors responsible. Sponsors use the self-service
interface to request access for the contractors and to specify the contractor’s modifiable termination
date; also, requests must be approved prior to fulfillment.

Improved Control by Preventing Reuse of User IDs. MICA’s account IDs are now unique and are no
longer reused. If a person later returns to MICA, his/her accounts can be easily re-enabled as all account
information is retained for one year before it is automatically deleted.

Reduced Time for Identity-Related Audits by 50% - 67%. MICA simplified their auditing processes for
reporting who has access to each resource as well as for reporting password reset activity. Automated
audit and reporting capabilities enabled MICA to reduce by half to two thirds the time required to
answer questions from auditors and others.

Next Steps. MICA’s future plans include extending the solution to allow parents of students to request
their own accounts and granting earlier access to resources for recruits. They also plan to automate
tasks required to selectively transition temporary workers to become permanent workers.

Critical Success Factors


Several elements were key to MICA’s success.
1. Goals and expectations for the solution were clearly articulated.
2. The solution was implemented in multiple phases with goals specified for each phase.
3. IT and business units worked together to ensure affected processes would provide desired
results.
4. Change management assures that all solution changes are made through the Fischer solution
itself, rather than through another process, such as scripting.

Lessons Learned


Lesson 1: IAM is the Backbone for Other IT Projects. MICA came to understand that an institution is
never finished with IAM; rather, it’s a process and you have to pace yourself. MICA viewed Fischer’s
solution as the “glue” that could tie together systems and applications. They realized that if other IT
projects were to succeed, the IAM solution must continually evolve, and at a pace that supports current
IT investments as well as new IT Projects.

Lesson 2: IAM is a Communal Project, Not an IT Project. An IAM project models, and potentially
redefines, business processes. MICA engaged business people to influence requirements and decisions
about workflows in an effort to garner support, as well as to avoid expenses and disruption after going
live. Involving business people was vital as MICA found that the most difficult part of implementing an
IAM solution was mapping the workflows and business logic.

Lesson 3: Pick High-Value Resources for Automated Provisioning. MICA learned to be selective
regarding resources for automated provisioning and they chose resources used by many people on a
frequent basis. They chose not to automate provisioning for specialized applications as projected
benefits were not commensurate with projected costs.

Lesson 4: Select a Partner, Not Just a Vendor. According to MICA, schools don’t usually describe their
experiences with vendors as “positive.” However, MICA learned from the Fischer project that a vendor
can become a trusted partner and can be invested in the College’s success.

Summary
MICA’s experiences prove the value of a well-planned IAM solution as well as the potential complexity
and the pitfalls in choosing and implementing solutions. IAM affects many aspects of an institution and
can have wide-ranging implications that affect quality of service, costs, security, public relations and
even an institution’s abilities to recruit and retain talented people. As such, it’s vital that IT selects the
right solution and works closely with business units to assure they understand and positively impact key
processes. Performed well, IAM positively impacts institutions of all sizes.


Fischer International Identity
5801 Pelican Bay Boulevard
Naples, Florida 34108
+1 239-643-1500
www.FischerInternational.com

Document MCC-13-150B September 2013

Copyright © 2010-2013 Fischer International Identity, LLC. All rights reserved.


Fischer International, Fischer International Identity, Identity as a Service, Ignite IT, Ignite Federation, Identity Management Made for
Higher Education and IaaS are the trademarks and/or registered trademarks of Fischer International Identity.
