Cleaning House: A Guide to Credential Management in Higher Ed

Cleaning Your Digital House and Adopting Sensible IAM Policies

It’s long been apparent that human error is a leading cause of cyber breaches, including in higher education, but the 2024 CrowdStrike Global Threat Report puts forward stark numbers that reinforced that understanding.

According to the report, 75% of cyberattacks in 2023 were identity-based, meaning attackers did not even need to deploy malware to complete successful hacks. Instead, social engineering, phishing emails and other ways identities can be compromised were to blame for at least three-quarters of breaches. One especially prolific criminal organization, Scattered Spider, was particularly effective in using social engineering to steal credentials from IT staff or those with access to financial resources.

So, what causes these breaches, and what does it have to do with identity? In this case, it’s all about minimizing damage.

Despite our best efforts, there’s no way to guarantee an employee won’t get duped by a phishing email or something similar. It’s going to happen. For cyber resilient higher education institutions with good data governance, however, a compromised identity only goes so far. When users don’t have access to anything more than they absolutely need, the impact of a breach is going to be far smaller than if that person has the keys to the entire network infrastructure.

There’s a decent chance that the last sentence made more than a few college CIOs and CISOs break out in a cold sweat. Thousands, tens of thousands or even hundreds of thousands of identities — from students, faculty and staff to applicants and alums — are active on university domains. Some are decades old, others are minutes old, and there’s a constant flow of identities in and out, all of which need to be properly governed. It’s a rare institution that has full confidence that all of those identities have the appropriate permissions.

You can learn much more about the intricacies of data governance and how policies can be set in some of our recent coverage, including:

The bottom line is that you’re going to need help to get your house in order.

It’s time to call in a cleaner to sweep away the buildup of IAM dust, one that won’t rest until every corner has been cleared.

Collaboration is Key to Setting and Enforcing Good Policy

It’s not that higher education IT teams lack the talent to manage identities, it’s that they don’t have the time. The scale of the project is massive, and universities already face a staffing crisis in IT that shows no sign of waning.

The ideal time to do this kind of work is in the very beginning, but as some higher education institutions are more than 100 years old, going back in time and resetting every identity is out of the question. Instead, something like CDW’s Rapid IAM Assessment gives universities insight into their current vulnerabilities as well as the status of the credentials IT teams are managing. It can answer a key question: Who are all of these people?

From there, we recommend taking each one of those identities and placing them in one of two buckets: students and staff. There will certainly be more buckets to come, but that’s a great starting point. We also recommend setting every account to a least-privileged status, making it the obligation of the user, their manager and/or the IT team to upscale certain credentials to access more secure areas of the network.

At the same time, IT teams must be collaborating with their colleagues across campus, something that usually starts at the top. Senior university leadership needs to create well-defined roles and conservatively assign permissions to those roles. Colleges are vast and varied ecosystems, and there’s no way a CIO or even a college president understands what permissions every unique role will require, and the buckets can eventually be quite detailed. What if there’s a student who becomes an employee in the IT department? What if a professor enters emeritus status? What if the research department wins a contract with the federal government and suddenly has new compliance rules to follow?

When those collaborative conversations are finished, the IT team should have access to a comprehensive list of rules that should guide any future requests for additional permissions, whether temporary or permanent. These permissions can be automated, but even then, we recommend having a manual check from a human on the back end to ensure the rules are being enforced correctly. The same rigor should be applied to every single new account that gets created.

Cleaning up the web of credentials and permissions on a college network is daunting, but failing to do so puts higher education institutions at an even greater risk of cyberattack. And cleaning up after one of those is far worse than cleaning up thousands of credentials,  even if you have to dig out the feather duster to get started.