How an IDaaS solution can reduce user on-boarding process costs while complying with data regulations

The Graduate Institute of International and Development Studies is a Swiss institution of research and higher education dedicated to the study of world affairs, with a particular emphasis on the cross-cutting fields of international relations and development issues.

 

The Graduate Institute's information system has 4 main user categories:

  • 1’000+ students who access online course material through Moodle, the Swiss university network SWITCH and Google collaboration tools;
  • 500+ internal employees (professors, back office) who use 20+ cloud and on-premises business applications;
  • 10’000+ alumni who access an internal social network and Google collaboration tools;
  • 5’000+ online applicants per year.

With an increasing number of study programs, shorter programs, a high user population rotation rate and increased usage of cloud solutions, the Graduate Institute of Geneva wanted to improve its user identity governance and application security with a limited IT budget. These were the triggers for implementing a dedicated identity management solution.

Challenges

  • IT project in a cost-saving context
  • Two months to go live for the next summer student intake
  • Limited internal resources to work on the project
  • Incomplete business process analysis
  • Hybrid architecture: mix of cloud and on-premises applications

Our solution
Application security

Under budget pressure, with a short deadline and limited availability of internal resources, the choice of an IDaaS solution was clear: no installation cost, limited administration, an OPEX rather than CAPEX model, and encouragement to use standards rather than custom development.

Based on an IDaaS market analysis, the Graduate Institute of Geneva chose the OneLogin solution because of:

  • A pricing model adapted to the educational world (limited cost for applicants and alumni)
  • Compliance with Swiss data regulation: hosting in Europe and data privacy policy
  • Broad support for standard and custom application access management modules

We started the implementation project by focusing on the new student user category because of its limited risk, high business value and expected ROI. The first phase of the implementation project was dedicated to analysing the student on-boarding business processes through clerk interviews and reverse-engineering analysis of the applications. This enabled us to simplify the business process by removing unnecessary and low-value steps, and to identify target application repositories, data structures and quality rules.

The implementation phase consisted of:

  • Activation of OneLogin test and production instances
  • Setup of OneLogin administration roles with privileged account security policies
  • Installation of OneLogin agents on premises to enable management of internal identity repositories
  • Implementation of identity rules and processes using OneLogin configuration-based tools: role-based access management
  • Design of audit and reports

The transition and production phases were straightforward: import of the new student data, mail invitation campaign, administrator training.

Benefits

Shorter new student admission

The admission process lasted 3 days instead of 3 weeks. This is due to a single central tool for executing the process, structured and automated communication between process actors, and enforcement of business rules.

Improved identity data quality

OneLogin enables a single trusted identity data repository, which simplified the update process. The self-service feature delegates the data check and update process to the end user.

Simplified IAM solution maintenance

Using an IDaaS solution removed internal homemade components and all related maintenance operations. OneLogin is now responsible for the SLA.

Compliance with European and Swiss data privacy regulations

OneLogin's out-of-the-box features provide: a single account for all applications, a second authentication factor for sensitive data access, GDPR compliance with user consent, and pre-defined audit reports.

Improved balance between usability and security constraints

The OneLogin application connector enables Single Sign-On for all on-boarded applications. Security rules are enforced regardless of the user's device. The forgotten-password and change-password processes are supported by self-service.

Partners