By proactively moving to an "identity-first" access management policy approach, Virginia Tech is one step closer to successful ERP modernization.

Identity and access management — the process of ensuring that every Virginia Tech student, employee, or affiliate can log into the systems they are entitled to access, and only those systems — has been an important part of IT operations at Virginia Tech ever since the university started using computers to manage data.

For decades, the university used a “just-in-time” framework for providing access, where information about the person logging in was sent to the application, and the service decided at login what, if any, data they could access. This worked well, but as the technology landscape evolved, the need to centrally manage who has access to what across many layers of functionality has become increasingly important. The ability to remove access promptly when it is no longer warranted is equally critical to securing university data.

As Virginia Tech prepares to transition to a new enterprise resource planning (ERP) model, the Division of IT’s Secure Identity Systems (SIS) group is modernizing its approach to identity and access management. By using two powerful tools, Midpoint and Grouper, SIS can centralize and automate identity access policy management across the university, moving to an “identity-first” framework.

With identity-first, access and authentication parameters (i.e., roles) are attached to each Virginia Tech user’s profile by first creating an “identity” in the identity system, with associated data such as name, date of birth, and address, before provisioning it to other systems. As a person’s roles and affiliations change, their access changes automatically. In effect, the identity-first system flips access management on its head: instead of a service checking a user’s credentials at the time of login, access privileges are pre-provisioned, that is, determined ahead of time and administered centrally.

The benefits of these changes to identity access policy management are many, including:

  • Enhanced security. With identity access centrally managed and largely automated, we can be sure that access to services is provided to only the correct individuals at precisely the right level, based on that individual’s role at any given time.
  • Flexibility for future change. The new identity management tools, Midpoint and Grouper, are both highly scalable and flexible, allowing SIS to adapt identity management processes effectively as university data governance processes evolve.
  • Efficiency. The identity-first approach allows SIS to more easily reconcile special-use cases, such as temporary affiliations, as well as automate provisioning of roles and services across the university.
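The following Python sketch is an added illustration of the identity-first model described above and of the temporary-affiliation case in the last bullet; it is not Virginia Tech's, Midpoint's or Grouper's code. The affiliation names, entitlement names and the policy table are constructed for the example: entitlements are derived centrally from a person's active affiliations, and a reconcile step computes what must be granted or revoked in a target system, so access disappears automatically when an affiliation ends.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy table (hypothetical names): affiliation -> entitlements.
# In an identity-first deployment this mapping lives in the central identity
# system, not in each application.
POLICY = {
    "student": {"lms", "email"},
    "employee": {"email", "hr-portal", "vpn"},
    "visiting-scholar": {"email", "library"},
}


@dataclass
class Affiliation:
    kind: str
    end: Optional[date] = None  # None = open-ended; temporary ones carry an end date


@dataclass
class Identity:
    username: str
    affiliations: list = field(default_factory=list)


def active_affiliations(identity: Identity, today: date) -> set:
    """Affiliations that are still valid on `today` (expired ones drop out)."""
    return {a.kind for a in identity.affiliations if a.end is None or a.end >= today}


def entitlements(identity: Identity, today: date) -> set:
    """Desired state: the union of entitlements implied by active affiliations."""
    desired = set()
    for kind in active_affiliations(identity, today):
        desired |= POLICY.get(kind, set())
    return desired


def reconcile(identity: Identity, current: set, today: date) -> tuple:
    """Compare desired state with what a target system currently holds.

    Returns (to_grant, to_revoke). Revocations are computed centrally, so a
    lapsed temporary affiliation removes access without any manual ticket.
    """
    desired = entitlements(identity, today)
    return desired - current, current - desired
```

Running `reconcile` on a schedule (or on every identity change) against each provisioned system is what turns the policy table into actual access.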