By Megan Anderson Posted December 14, 2019
The IT staff at educational institutions see the need for implementing cutting-edge technologies, but work on a razor-thin budget. Paradoxically, that often means that the identity and access management (IAM) infrastructure at schools and universities exists somewhere between innovative and outdated.
For instance, educational institutions would ideally be able to grant their users — both students and staff — one identity per person. This identity would work campus-wide, as well as for any third-party solutions the institution requires.
However, most single sign-on (SSO) solutions are outside the budget. As such, IT admins of educational institutions usually settle on less-than-ideal arrangements to compensate. The options for schools might seem limited, but let’s evaluate the solutions.
Single Sign-On Compromises
When it comes to identity and access management (IAM), many educational institutions are stuck in one of three less-than-desirable scenarios:
- Relying completely on a legacy system such as Microsoft® Active Directory® (AD) or OpenLDAP
- Relying on G Suite™ or Office 365™ as their sole identity provider (IdP)
- Effectively going unmanaged — users simply log in to each IT resource separately
Unfortunately, each of these approaches comes with its own challenges.
The Cost of Active Directory and OpenLDAP
Both AD and OpenLDAP require dedicated servers on-prem, which need to be maintained. Any IT admin responsible for these servers knows how pricey they can be. Plus, in order to run AD, you need to renew the Windows® license. Additionally, if you haven’t upgraded your AD server since 2008, you’re going to need to buy a new one.
Moreover, AD does not extend its identities to non-Windows cloud applications. This forces users to have multiple credentials that need to be managed separately, leading to inefficiencies in workflow for both the end user and the IT department. Also, if staff are able to bring in their own devices, there’s no guarantee they will all be Windows machines, meaning that those with Mac® or Linux® machines will require many workarounds to manage.
This is especially important to note as Mac machines steadily gain business value. For instance, in 2016 IBM claimed to save $543 per user when switching from Windows to Mac. The claim is based on the difference in the time IT support dedicates to Mac versus Windows. Windows users reportedly made twice as many support calls as Mac users, and 27% of the time those calls required in-person assistance. Compare that to the 5% in-person assistance rate for Macs in their company, and Windows became three times more expensive to manage than Macs.
In the coming years, there may be more of a drive for such institutions to transition off of Windows- and Microsoft-only platforms as a way to save money. Soon, it may not be cost-effective or even practical for educational institutions to keep a Windows-centric environment.
Managing Accounts Across Multiple Applications
If your institution has users on G Suite, Office 365, and any other applications, managing multiple identities separate from one another for each user can quickly become a headache.
Like with Active Directory or OpenLDAP, managing identity sprawl can become expensive and time-consuming. The more time an IT admin has to spend tracking down access to each resource, the less time they can devote to other projects that would provide greater benefit to their institution.
Trust is Not Enough
Trusting the user to always practice security standards inherently involves serious risk. Since education is one of the top five industries targeted by cybercriminals, cybersecurity should be one of an institution's top priorities. As such, having users log in to each IT resource separately, especially without enforcing password policies or requiring multi-factor authentication (MFA), increases that risk.
For example, even though it’s one of the easiest ways to get hacked, many people use the same password for various online services. Panda Security found that in a database of over 28 million users with 61 million passwords, 52% used the same or very similar passwords for different services. These passwords are often dangerously simple, with the most common passwords for web applications being “123456” and “password,” according to SplashData.
One way educational institutions try to reduce the risk is by training staff in basic security practices. However, without any form of managed SSO, there’s no way to ensure those practices are being put to use.
Some browsers, such as Chrome, will automatically generate a complex password whenever one is created or reset. Initially, you may think this eliminates the risk of unmanaged SSO. However, it only takes 12 lines of code to hack into a user’s Chrome profile, so users are still at risk of cyberattacks, just as they would be if they used the same weak passwords for every application.
Is There a Reliable SSO Option for Education?
AD works well for institutions that do not use many third-party cloud applications, have the budget needed for keeping their Windows license and upgrading their AD server, and provide Windows computers for their staff and students.
However, most schools don’t fit this profile. BuiltIn reported that education-oriented cloud computing is estimated to have a market value of $25 billion by 2021. Educational institutions are migrating to cloud computing and it is unlikely that trend will stop any time soon. Plus, as schools migrate onto non-Windows platforms in favor of cost-efficiency, trying to use Active Directory to manage them may end up costing more in the work hours IT dedicates to it.
Fortunately, there is another option. One of the best ways for schools to ensure the safety of their staff and students’ information is to use a cloud-based directory. Not only are cloud-based directories more easily scalable than those that rely on hardware, but because they are based entirely in the cloud, hackers don’t have a single network to target. The network hackers would be looking for is a collection of IT resources that are located anywhere in the world, preventing them from being easily pinpointed.
Single Sign-On in the Cloud
JumpCloud eliminates the need for multiple identity management tools and ensures that everything runs smoothly on the IT side. JumpCloud even integrates with Office 365, G Suite, and Active Directory, so you can import your existing users from those platforms in seconds. “.edu” solutions such as PowerSchool or Infinite Campus can also be integrated tightly through LDAP and SAML.
The benefit of this approach is that users are added to JumpCloud and granted access to the wide range of solutions that staff and students need, all with one identity. Adding, modifying, and deleting accounts can be done in bulk via CSV, APIs, or through the UI. In short, education IT admins will have full control over access to their IT resources.
The first 10 JumpCloud users are always free for life, but because we know how often schools must work with high user counts on tight budget constraints, educational institutions are granted a special discount. Give JumpCloud a test drive today!