When deploying a customer-facing identity solution, organizations always must think about how they can satisfy baseline security requirements while providing a user-friendly interface.
Focus all your effort on security without regard for UX, and you end up with overbearing authentication rules and hoops that delay authorized users from getting what they need. Likewise, blind devotion to UX without regard for security can land you an identity solution that is highly accessible – not just to authorized users but adversaries as well.
That’s why testing your IAM solution and observing the results is very useful for developing UX with standards-driven security measures. For Southern New Hampshire University (SNHU), that test group comprised 150,000 of its own students who — having grown up on a steady diet of Amazon, Netflix and Twitter – have high expectations for what a premier digital experience should look like.
SNHU isn’t your standard brick-and-mortar university, however. While a few thousand students make use of its campus located between Manchester and Hooksett, New Hampshire, the overwhelming majority of the student body are online-only, which means they need to be able to access lectures and classroom materials anytime and anywhere they may be logging in from.
That need to provide students a secure online learning experience motivated SNHU to rethink its whole approach to IAM. At the 2023 Identiverse conference in Las Vegas, SC Media had the opportunity to interview Matt Connors, Chief Information Security Officer for SNHU, who is spearheading the university’s IAM overhaul. Below are some of the key takeaways from our discussion with Connors.
IAM for the digital learner
If a large portion of your business model hinges on providing users maximum flexibility to interact with your services, then your IAM tools and policies should be able to support that flexibility.
“One of the challenges we face as a primarily online organization is that the barriers to ingress and egress are extremely different from the traditional brick and mortar campus-based college experience,” says Connors. “You don’t need to pack up the U-Haul and move across state or country to go to school. Instead, you’re going from one website to another on any given particular day.”
Rather than letting security drive the IAM decision-making, Connors aspired to deploy an identity solution that met the highest standards of the digital consumer marketplace. Strong security was still essential, but it wasn’t going to be the loudest voice in the room.
“We really wanted to meet our customers – our students and applicants – with the expectations that they’re seeing in the consumer marketplace, more along the lines of the Amazons and Teslas of the world.”
To do that, they required the partnership and support of the students themselves.
The power of IAM partnerships
In starting this process, Connors and his team devised a two-pronged plan. First, they would partner with the university’s marketing and student experience teams to ensure that customer service and student preferences – not security – would drive the IAM outcome. Second, they would roll out the IAM solution to only a subset of the population – prospective students and online applicants – before deploying it to the full university.
The partnership proved fruitful. The group settled on what Connors calls a “bring your own identity” approach after receiving feedback from applicants who desired not to have yet another email address or password to access the university portal. This gave students the power to use credentials that were already familiar to them rather than being prescribed something totally new and foreign. Additionally, it meant a greater focus on self-service functionality, empowering customer-facing groups with more options and tools to help applicants directly without waiting on tech teams to make fixes.
“While we still maintain our traditional IM specialists in-house on our team, we’ve also enabled those customer-facing groups to self-serve a lot of functionality themselves. That allows us to start differentiating between traditional IM specialists and someone who is now more customer science focused.”
The creation of these CX units has enabled SNHU to move away from much of its custom in-house developed content, and instead leverage commercial services to on-platform solutions at a much faster pace.
“By training our CX teams,” Connors says, “they can deploy new features and functionalities at their own pace as opposed to going into a traditional dev-test sprint cycle and then waiting months for results.”
Finishing IAM deployment
Having successfully deployed the IAM solution to applicants, SNHU now plans to release it to the entire student body and alumni as well. That might require adjustments here and there, but overall the CX-forward approach has exceeded expectations.
“We were really able to improve our student experience and increase our security in the process. For example, now we only introduce verification when it’s actually appropriate instead of applying it across-the-board or making it a person-driven verification process, which is clearly longer, more expensive, and more of a drag on the customer. And we’ve been able to retire roughly 80 percent of our custom code that we were relying on in a previous implementation.”
As his team looks forward to the next phase of the project, Connors says they’re keeping the focus on the student experience. They have a standing Voice of the Customer practice where they review top pain points reported by applicants, marketing and customer experience groups. They also plan to continue their partnership with marketing and student engagement teams to make sure the customer experience stays fresh and receptive to customer preferences.
We asked Connors if he has any final words of wisdom or recommendations for organizations that are attempting the type of smooth IAM rollout that SNHU has accomplished thus far.
“The number one thing I would say is to move beyond that next level of maturity and recognize that the customer experience is not just purely a security-driven function. I think folks are taken aback when they hear a CISO say that kind of thing, but that partnership that exists with our marketing team and our student experience team is absolutely critical in delivering those next-step expectations for our students.”
