How Universities Can Protect Research Data & Avoid IAM Mistakes

February 13, 2025

Universities work with a wide range of external partners—edtech vendors, research collaborators, adjunct faculty, guest lecturers, seasonal staff, and government agencies. These relationships help expand learning opportunities and drive research, but they also introduce security risks. When non-employees have access to university systems, weak identity and access management (IAM) practices can create openings for cyberattacks.

Data breaches linked to non-employee identities are becoming more common. Hackers often target external accounts through phishing, credential theft, and ransomware attacks. In some cases, universities unknowingly grant broad or long-term access to temporary users, leaving sensitive information exposed. Student records, faculty research, and administrative data can all be at risk.

This blog looks at the challenges universities face in managing third-party identities, real-world incidents that highlight the risks, and steps institutions can take to improve security.


The challenge of non-employee identity management in higher education

Universities don’t operate in isolation. They rely on a diverse network of external partners, including edtech vendors, research collaborators, adjunct faculty, and seasonal staff. These individuals and organizations need access to university systems, but they don’t fit neatly into traditional employee categories.

A full-time professor or staff member goes through a structured hiring and onboarding process. Their accounts are created in the university’s system, tied to payroll, and managed through internal HR processes. Non-employees, on the other hand, follow a different path. They may only need access for a semester, a research project, or a short-term collaboration. Some might require deep system privileges, while others just need a login to access a single platform. Because of this inconsistency, universities often struggle to manage their access properly.

Who are non-employees in higher ed?

External users in higher education fall into several broad categories, each with unique access needs:

  • Edtech vendors – Universities use external tools for everything from grading to student engagement. Learning management systems (LMS), AI-driven tutoring platforms, and cloud-based assessment tools often require vendor access to student data and academic records.
  • Research collaborators – Faculty frequently partner with researchers from other universities, private companies, and government agencies. These collaborators might need access to grant-funded research, shared cloud storage, or specialized computing environments.
  • Adjunct faculty & guest lecturers – Visiting scholars and part-time instructors often work at multiple institutions. Some may only teach a single course, while others return year after year. Their access needs can be temporary and irregular.
  • Seasonal & temporary staff – Universities hire short-term employees for tutoring, IT support, event coordination, and administrative roles. Many are student workers, and their employment cycles may only last a few months.
  • Government agencies – Institutions involved in research partnerships, grants, and federally funded projects may need to grant access to government personnel. These users often require tightly controlled permissions due to regulatory requirements.

The problem with traditional IAM approaches

Most identity and access management solutions are designed for corporate environments, where employees have clearly defined roles and employment periods. In a business, when someone leaves, HR automatically triggers account deactivation. Universities don’t always have that level of coordination, especially when different departments manage their own non-employee access independently.

Here’s where things often go wrong:

  • No centralized oversight – Departments onboard and offboard non-employees in silos. A research department might grant access to a collaborator, but it has no visibility into when their project ends.
  • Inconsistent offboarding – When a visiting professor finishes a semester, their account might remain active for months—or years. Seasonal IT staff might still have access to systems long after their contract ends.
  • Over-provisioned access – It’s easier to grant broad permissions than to carefully tailor access. A vendor integrating a new system may receive administrator rights when they only need read-only access.
  • Lack of strong authentication – Many universities still rely on username-password logins for non-employees, rather than enforcing multi-factor authentication (MFA) or using role-based permissions.
  • Unclear ownership of non-employee access – Who should be responsible for removing a guest lecturer’s credentials? The academic department? The IT team? Without clear policies, accounts can slip through the cracks.

The hidden risks of poor non-employee IAM

Each unmanaged account represents a security risk. Hackers know that universities have gaps in IAM, and they actively target these weaknesses. A vendor’s compromised credentials can be used to access student records. A research collaborator’s stolen password might expose unpublished data or grant access to proprietary research. An unmonitored adjunct faculty account could be exploited to manipulate student grades.

Higher education operates in a complex, decentralized environment. That makes IAM for non-employees particularly challenging—but also essential. Without clear processes for onboarding, managing, and removing access, universities leave themselves vulnerable to data breaches and compliance failures.

Real-world consequences: How weak IAM led to university data breaches

Universities deal with a wide range of security threats, but some of the most damaging breaches happen when non-employee identities and third-party accounts are compromised. The following cases show how weak IAM practices have led to real-world data breaches in higher education.

Case study 1: Third-party vendor breach exposes student records

In July 2023, Michigan State University (MSU) learned that several of its third-party service providers, including the National Student Clearinghouse (NSC) and TIAA, had suffered a data breach. These vendors handled student records, meaning that the breach may have exposed sensitive student information.

This incident highlights a major risk in higher education: When universities rely on external vendors to manage critical data, they also inherit the security vulnerabilities of those vendors. Without strict access controls and continuous monitoring, universities may not even realize a breach has occurred until it’s too late.

IAM failures:

  • Lack of vendor security assessments before granting access to student data.
  • No continuous monitoring of vendor activity to detect potential threats.

Source: MSU Tech News

Case study 2: Compromised researcher credentials lead to stolen research data

In May 2022, the FBI warned U.S. universities that cybercriminals were selling academic credentials on dark web marketplaces. Attackers had stolen login details from researchers, giving them access to sensitive academic and scientific data. Some of this research was tied to government-funded projects, raising concerns about intellectual property theft.

This breach highlights how poorly managed research accounts can become a major security risk. Universities often provide research collaborators with broad access to multiple systems, but without MFA or strict role-based controls, stolen credentials can be used to move laterally across university networks.

IAM failures:

  • Lack of MFA for researcher accounts.
  • Over-provisioned access, allowing stolen credentials to be used across multiple university systems.

Source: FBI IC3  

The bigger picture

These breaches are not isolated incidents. They reflect a larger trend: Universities often overlook the security risks tied to non-employee and third-party users. Research collaborators, vendors, and temporary staff may not be permanent employees, but they still need access to sensitive data. When their access is poorly managed, universities become easy targets for cybercriminals.

How universities can secure non-employee identities and protect research data

Universities need a structured approach to managing non-employee access. Instead of relying on manual processes or ad hoc decisions by individual departments, institutions should implement IAM policies that control who gets access, how long they keep it, and what level of oversight is applied.

Below are key strategies universities can use to strengthen security for non-employee identities and protect sensitive research data.

Role-based and time-limited access controls

Not every non-employee needs the same level of access. A research collaborator might require entry into secure data environments, while a guest lecturer only needs access to a learning management system. A seasonal IT worker may need administrative rights for a few months, but a contractor working on a single project should have more limited permissions.

Best practices:

  • Define role-based access controls (RBAC) that align permissions with the specific tasks non-employees perform.
  • Set automatic expiration dates for non-employee accounts, ensuring access is revoked when no longer needed.
  • Use just-in-time (JIT) access for high-privilege roles, requiring additional approval before granting access.

Multi-factor authentication for non-employees

Many breaches occur because attackers exploit weak authentication methods. Universities often enforce strong authentication for full-time employees but overlook it for vendors, research partners, and adjunct faculty.

Best practices:

  • Require MFA for all non-employee accounts, especially those accessing sensitive data.
  • Use authentication apps rather than relying on SMS-based MFA, which is more vulnerable to interception.
  • Enable adaptive authentication, requiring additional verification if a login attempt appears suspicious (e.g., from an unusual location or device).
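The bullets above can be made concrete with a small, added example that is not part of the original post: a verifier for the time-based one-time codes that authentication apps produce (RFC 6238 TOTP built on RFC 4226 HOTP, standard library only), wrapped in an adaptive login decision. The shared secret, usernames, device identifiers and the "known devices" table are constructed for the example; the replay check and the step-up triggers (unrecognised device, sensitive resource) are the kind of verifier-side controls that an SMS code cannot give you.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30, window: int = 1):
    """Accept the code for the current 30 s step or +/- `window` steps (clock skew).
    Comparison is constant-time; the matched counter is returned so the caller
    can refuse a second use of the same code."""
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(key, counter), code):
            return True, counter
    return False, None


def make_state():
    """Constructed verifier state: per-user secret, last accepted counter, known devices."""
    return {
        "secrets": {"carol.collab": b"12345678901234567890"},  # RFC 6238 test key, example only
        "last_counter": {},
        "known_devices": {"carol.collab": {"laptop-1"}},
    }


def decide_login(user: str, code: str, at: int, device_id: str, state: dict,
                 sensitive: bool = False):
    """Adaptive policy for a non-employee login. Returns (decision, reason):
    'deny' on a bad or reused code, 'step_up' when extra verification is needed
    (new device, sensitive resource), otherwise 'allow'."""
    key = state["secrets"].get(user)
    if key is None:
        return "deny", "unknown user"
    ok, counter = verify_totp(key, code, at)
    if not ok:
        return "deny", "invalid or expired code"
    # Never accept a code at or before the last counter already used: blocks replay.
    if counter <= state["last_counter"].get(user, -1):
        return "deny", "code already used"
    state["last_counter"][user] = counter
    if device_id not in state["known_devices"].get(user, set()):
        return "step_up", "unrecognised device"
    if sensitive:
        return "step_up", "sensitive resource"
    return "allow", "ok"


if __name__ == "__main__":
    st = make_state()
    code = totp(st["secrets"]["carol.collab"], at=59)
    print(decide_login("carol.collab", code, 59, "laptop-1", st))      # allow
    print(decide_login("carol.collab", code, 59, "laptop-1", st))      # deny: reused
    code2 = totp(st["secrets"]["carol.collab"], at=89)
    print(decide_login("carol.collab", code2, 89, "phone-x", st))      # step_up: new device
```

The `window` of one step either side is the usual allowance for phone clock drift; widening it lengthens the time a leaked code stays usable, which is why the replay check is kept alongside it.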

Automating onboarding and offboarding for research partners and temporary faculty

Manual onboarding and offboarding processes create security gaps. Universities need an automated system that grants access when needed and revokes it when the relationship ends.

Best practices:

  • Integrate IAM tools with HR and contracting systems to automatically create and deactivate accounts.
  • Require sponsor approval for all non-employee accounts, ensuring each user has an institutional contact responsible for their access.
  • Implement automated deprovisioning that removes access as soon as a research project or teaching contract ends.
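The two lists above, role-based and time-limited access with just-in-time approval, and sponsor-owned accounts with automated deprovisioning, fit in one small model. The following is an added example written for this post, not code from the author or from any IAM product: the role names, permissions, usernames, sponsors, dates and the contract-end feed are all constructed. It shows a hard expiration set at onboarding, a privileged permission that only works inside a sponsor-approved window, and a sweep that deactivates accounts as soon as an HR or contracting feed says the engagement ended.

```python
from dataclasses import dataclass, field
from datetime import date

# Role -> permissions. Names are assumptions for this example, not a real schema.
ROLE_PERMISSIONS = {
    "guest_lecturer": {"lms:read", "lms:post"},
    "research_collaborator": {"lms:read", "research_store:read", "research_store:write"},
    "vendor_integrator": {"sis:read"},
    "seasonal_it": {"sis:read", "sis:admin", "lms:admin"},
}

# High-privilege permissions: part of a role, but usable only inside a
# sponsor-approved just-in-time window.
PRIVILEGED = {"sis:admin", "lms:admin"}


@dataclass
class NonEmployeeAccount:
    username: str
    role: str
    sponsor: str          # institutional contact responsible for this access
    expires: date         # hard expiration fixed at onboarding
    active: bool = True
    jit_until: dict = field(default_factory=dict)  # permission -> last approved day


def check_access(acct, permission, today):
    """Return (allowed, reason) for one permission on one day."""
    if not acct.active:
        return False, "account deprovisioned"
    if today > acct.expires:
        return False, "account expired"
    if permission not in ROLE_PERMISSIONS.get(acct.role, set()):
        return False, f"role {acct.role} does not include {permission}"
    if permission in PRIVILEGED:
        until = acct.jit_until.get(permission)
        if until is None or today > until:
            return False, "privileged permission needs an active just-in-time approval"
    return True, "ok"


def grant_jit(acct, permission, approver, until):
    """Record a time-boxed approval. Only the sponsor may approve, only for a
    permission the role already contains, and never past the account's expiration."""
    if approver != acct.sponsor:
        return False
    if permission not in ROLE_PERMISSIONS.get(acct.role, set()):
        return False
    acct.jit_until[permission] = min(until, acct.expires)
    return True


def deprovision_sweep(accounts, contract_ends, today):
    """Deactivate accounts whose contract end (from an HR/contracting feed) or
    hard expiration has passed. Returns the deactivated usernames, sorted."""
    removed = []
    for acct in accounts:
        ended = contract_ends.get(acct.username)
        if acct.active and ((ended is not None and today > ended) or today > acct.expires):
            acct.active = False
            acct.jit_until.clear()
            removed.append(acct.username)
    return sorted(removed)


def make_accounts():
    """Constructed sample accounts."""
    return [
        NonEmployeeAccount("alice.guest", "guest_lecturer", "prof.hernandez", date(2025, 5, 31)),
        NonEmployeeAccount("bob.it", "seasonal_it", "it.director", date(2025, 3, 31)),
        NonEmployeeAccount("carol.collab", "research_collaborator", "prof.lee", date(2024, 12, 31)),
    ]


CONTRACT_ENDS = {"bob.it": date(2025, 2, 1)}  # constructed feed: Bob's contract already ended


def demo(today=date(2025, 2, 13)):
    """Run the scenario and return every decision so it can be checked."""
    accounts = make_accounts()
    by_name = {a.username: a for a in accounts}
    out = {}
    out["alice_lms"] = check_access(by_name["alice.guest"], "lms:read", today)[0]
    out["alice_sis"] = check_access(by_name["alice.guest"], "sis:read", today)[0]
    out["carol"] = check_access(by_name["carol.collab"], "research_store:read", today)[1]
    out["bob_no_jit"] = check_access(by_name["bob.it"], "sis:admin", today)[0]
    out["bad_approver"] = grant_jit(by_name["bob.it"], "sis:admin", "random.user", today)
    grant_jit(by_name["bob.it"], "sis:admin", "it.director", today)   # one-day window
    out["bob_jit"] = check_access(by_name["bob.it"], "sis:admin", today)[0]
    out["bob_day_after"] = check_access(by_name["bob.it"], "sis:admin", date(2025, 2, 14))[0]
    out["swept"] = deprovision_sweep(accounts, CONTRACT_ENDS, today)
    out["bob_after_sweep"] = check_access(by_name["bob.it"], "sis:read", today)[1]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points carry the weight: the expiration is a property of the account, not of a calendar reminder, so a forgotten offboarding still ends at a known date; and the sweep is driven by the contracting feed, which is the "integrate IAM with HR and contracting systems" bullet in its simplest form.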

Continuous monitoring and identity governance for vendors and research collaborators

Granting access is only the first step—monitoring how non-employees use their accounts is just as important. Universities need a system that can detect unusual behavior and flag potential security risks.

Best practices:

  • Use identity governance tools to review non-employee access on an ongoing basis.
  • Set up real-time monitoring of login activity, tracking anomalies such as unusual locations, failed login attempts, or excessive data downloads.
  • Conduct regular access reviews to ensure non-employee accounts are still needed and properly configured.
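The "real-time monitoring of login activity" bullet names three anomalies: unusual locations, failed login attempts, and excessive data downloads. As an added example (not from the post or any product), the detector below runs those three rules over a handful of constructed key=value log lines; the log format, usernames, country baselines and thresholds are all assumptions, and the thresholds are deliberately low so the sample triggers each rule once.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-02-13T08:00:05Z user=alice.guest event=login result=success src_country=US bytes_out=0
2025-02-13T08:01:10Z user=alice.guest event=download result=success src_country=US bytes_out=20000000
2025-02-13T08:03:00Z user=vendor.svc event=login result=failure src_country=US bytes_out=0
2025-02-13T08:03:20Z user=vendor.svc event=login result=failure src_country=US bytes_out=0
2025-02-13T08:03:40Z user=vendor.svc event=login result=failure src_country=US bytes_out=0
2025-02-13T08:04:00Z user=vendor.svc event=login result=failure src_country=US bytes_out=0
2025-02-13T08:04:15Z user=vendor.svc event=login result=failure src_country=US bytes_out=0
2025-02-13T09:10:00Z user=carol.collab event=login result=success src_country=RO bytes_out=0
2025-02-13T09:12:00Z user=carol.collab event=download result=success src_country=RO bytes_out=300000000
2025-02-13T09:20:00Z user=carol.collab event=download result=success src_country=RO bytes_out=300000000
"""

# Countries each non-employee has previously logged in from (constructed baseline).
BASELINE_COUNTRIES = {
    "alice.guest": {"US"},
    "vendor.svc": {"US"},
    "carol.collab": {"US", "CA"},
}

FAILED_LOGIN_THRESHOLD = 5                 # failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within this sliding window
DOWNLOAD_BYTES_THRESHOLD = 500_000_000     # per user over the analysed period


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with typed ts and bytes_out."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec.get("bytes_out", "0"))
    return rec


def detect(log_text, baseline=BASELINE_COUNTRIES):
    """Return a list of (rule, user, detail) alerts, one per rule per user."""
    alerts = []
    failures = defaultdict(deque)      # user -> timestamps of recent failures
    bytes_by_user = defaultdict(int)
    burst_alerted, location_alerted = set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]

        # Rule 1: burst of failed logins inside a sliding window.
        if rec["event"] == "login" and rec["result"] == "failure":
            q = failures[user]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD and user not in burst_alerted:
                alerts.append(("failed_login_burst", user,
                               f"{len(q)} failures within {FAILED_LOGIN_WINDOW}"))
                burst_alerted.add(user)

        # Rule 2: successful activity from a country outside the user's baseline.
        country = rec.get("src_country", "?")
        if rec["result"] == "success" and country not in baseline.get(user, set()):
            if (user, country) not in location_alerted:
                alerts.append(("new_location", user, f"success from {country}"))
                location_alerted.add((user, country))

        bytes_by_user[user] += rec["bytes_out"]

    # Rule 3: cumulative outbound data above threshold.
    for user, total in bytes_by_user.items():
        if total > DOWNLOAD_BYTES_THRESHOLD:
            alerts.append(("excessive_download", user, f"{total} bytes"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In practice each alert would be routed to the account's sponsor (the institutional contact required at onboarding) as well as to the security team, since the sponsor is the person who can say whether a collaborator really is travelling or really does need a 600 MB export.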

Ensuring compliance with FERPA, HIPAA, and research data protection laws

Universities must comply with strict regulations governing student and research data. Non-employee identities often fall outside traditional compliance frameworks, creating risks that can lead to legal and financial consequences.

Best practices:

  • Restrict access to student records based on FERPA guidelines, ensuring non-employees only see what’s necessary for their role.
  • Require compliance training for anyone accessing protected health data under HIPAA regulations.
  • Limit access to research data based on grant funding requirements and intellectual property agreements to prevent unauthorized sharing or theft.

Moving forward

Securing non-employee identities requires a combination of strong access controls, authentication policies, automation, and continuous monitoring. Universities that take a proactive approach can reduce the risk of data breaches, protect research integrity, and maintain compliance with privacy laws.


Conclusion and key takeaways

Universities rely on a diverse network of non-employees—vendors, research collaborators, adjunct faculty, and temporary staff—all of whom require access to university systems. But when IAM practices don’t account for these users, security risks emerge. Data breaches involving non-employee accounts have already exposed student records, stolen research data, and compromised university systems.

To reduce these risks, universities must take a more structured approach to non-employee identity management. This means implementing role-based access, enforcing multi-factor authentication, automating onboarding and offboarding, continuously monitoring access, and ensuring compliance with regulations like FERPA, HIPAA, and GDPR.


Key takeaways

  • Non-employee identities require the same level of security oversight as full-time staff and students. Universities must track who has access, what they can do, and when their access should expire.  
  • Poorly managed non-employee accounts create major security risks. Over-provisioned access, weak authentication, and inactive accounts leave universities vulnerable to cyberattacks.
  • Automation is essential for securing non-employee identities. Manual processes lead to security gaps, especially when it comes to onboarding and offboarding temporary users.
  • Universities must continuously monitor non-employee access. Real-time identity governance and anomaly detection help prevent unauthorized access and detect potential threats.
  • Compliance with student and research data regulations must extend to non-employees. Universities need to enforce policies that protect sensitive information, even when accessed by external users.

Next steps for universities

  1. Conduct an IAM audit – Identify security gaps in how non-employee identities are managed. Review access logs, inactive accounts, and vendor permissions.
  2. Establish a non-employee identity management policy – Define clear rules for onboarding, offboarding, authentication, and monitoring third-party and temporary users.
  3. Invest in IAM solutions designed for higher education – Use identity governance tools that automate access management, enforce MFA, and monitor non-employee activity.
  4. Train faculty and administrators on IAM best practices – Ensure departments understand the importance of proper access control and follow university-wide security policies.
  5. Regularly review and update IAM policies – Cyber threats evolve, and so should identity management strategies. Universities must continuously adapt their security practices.

How we can help

A strong IAM strategy isn’t just about security—it’s about protecting students, faculty, and research integrity. By improving how they manage non-employee identities, universities can reduce risk, strengthen compliance, and safeguard their most valuable assets.

Contact us at info@anomalix.com to learn how we can help you secure non-employee identities, enforce strong authentication, and monitor access in real time—all while protecting research data and student records.


John Johnson

CTO

John is a technology executive with nearly three decades of experience in Identity and Access Management (IAM). As Chief Technology Officer at Anomalix, Inc. and former Director of IAM at News Corp, he brings extensive enterprise architecture experience from his leadership roles at JPMorgan Chase and other global organizations. His expertise encompasses complex distributed systems, data modeling, and cloud technologies, with particular depth in enterprise IGA platforms and directory services implementation across large-scale environments.
