State University Systems: Federation Is Not a Security Strategy
Multi-campus state systems share identity, share procurement, and share blast radius. Most have not reckoned with what that means when one campus is compromised.

Executive Summary
State university systems are federated by design, which makes them efficient at academics and inefficient at security. This article looks at how shared services models, board governance, and tuition-driven budgets shape what is realistically possible at the system level, and where centralization actually reduces risk versus where it only adds politics.
State university systems were designed to share. Shared procurement lowers cost. Shared identity simplifies transfer credit and cross-enrollment. Shared infrastructure makes research collaboration possible. Every one of those design decisions was correct on its own terms, and every one of them is now a security consideration that the original architects did not have to model.
The Shared Blast Radius Problem
When a regional campus in a state system is compromised, the question is no longer whether that campus has a problem. The question is whether the federated identity provider, the shared ERP, the shared library systems, the shared research storage, and the shared HR platform are now part of the incident. In most state systems we have assessed, the answer is yes by default and no one has formally decided that.
Where the Gaps Live
Three structural gaps tend to define the risk picture.
- Trust between campuses is implicit. A faculty account at one campus often has standing access to systems at another campus with no recurring review.
- Logging is fragmented. Each campus runs its own SIEM, its own EDR tenant, and its own log retention policy. Correlating an incident across the system requires manual effort that does not happen in time.
- Incident command is undefined. When an incident spans campuses, the question of who declares, who decides, and who communicates is often answered in real time during the incident itself.
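The first two gaps can be made concrete with a small amount of normalization. The sketch below is an added example, not part of the original article: it merges sign-in exports from two campuses that use different schemas and lists every successful sign-in where an identity from one campus reached a service at another. The campus names, hosts, field names, and the convention that the campus is the third label from the right in a scoped identifier or hostname are all assumptions made for illustration.

```python
import csv, io, json
from datetime import datetime, timezone

# Constructed sample exports; schemas, users and hosts are hypothetical.
NORTH_JSONL = """\
{"ts": "2024-03-04T14:02:11Z", "user": "jdoe@north.example.edu", "app": "erp.north.example.edu", "outcome": "success"}
{"ts": "2024-03-04T14:09:40Z", "user": "asmith@south.example.edu", "app": "hpc.north.example.edu", "outcome": "success"}
"""
SOUTH_CSV = """\
epoch,eppn,service,result
1709561100,jdoe@north.example.edu,library.south.example.edu,OK
1709561460,jdoe@north.example.edu,hr.south.example.edu,OK
1709561500,asmith@south.example.edu,hr.south.example.edu,OK
"""

def campus_of(scoped):
    # Assumption: campus is the third label from the right (user@north.example.edu, erp.north.example.edu).
    return scoped.rsplit("@", 1)[-1].split(".")[-3]

def load_events():
    """Normalize both schemas to (utc_time, principal, service, success)."""
    events = []
    for line in NORTH_JSONL.splitlines():
        r = json.loads(line)
        when = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        events.append((when, r["user"], r["app"], r["outcome"] == "success"))
    for r in csv.DictReader(io.StringIO(SOUTH_CSV)):
        when = datetime.fromtimestamp(int(r["epoch"]), tz=timezone.utc)
        events.append((when, r["eppn"], r["service"], r["result"] == "OK"))
    return sorted(events)

def cross_campus_timeline(principal, events):
    """Successful sign-ins by one principal to services outside its home campus."""
    home = campus_of(principal)
    return [(when.isoformat(), service) for when, who, service, ok in events
            if who == principal and ok and campus_of(service) != home]

def cross_campus_principals(events):
    """Map each principal to the non-home campuses it reached (candidates for access review)."""
    reach = {}
    for _, who, service, ok in events:
        if ok and campus_of(service) != campus_of(who):
            reach.setdefault(who, set()).add(campus_of(service))
    return reach

if __name__ == "__main__":
    ev = load_events()
    print(cross_campus_timeline("jdoe@north.example.edu", ev))
    print(cross_campus_principals(ev))
```

The per-principal timeline is the view an incident lead needs when one campus reports a compromised account; the per-principal reach map is the input to a recurring cross-campus access review.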
Research Computing as a Separate Universe
Most state systems include at least one R1 or R2 research institution. Research computing operates on a different risk model than administrative IT, with HPC clusters, controlled unclassified information (CUI) under CMMC scope, export-controlled work under ITAR or EAR, and faculty who legitimately need root on systems they fund through their own grants. Trying to apply administrative IT controls uniformly to research environments has failed everywhere it has been attempted. The answer is segmentation and a separate, documented control regime for research, not a single policy for the entire system.
What Actually Works
State systems that have matured their security posture share a few patterns.
- A system-level CISO with budget authority, not just advisory authority, over campus security programs.
- A shared SOC or MSSP arrangement that aggregates telemetry from every campus into one analyst queue.
- A documented incident command structure that names roles before an incident, including who speaks to the press and who speaks to the legislature.
- A research security program that is funded separately and led by someone who understands grant compliance, not just IT operations.
Federation is a strength when it is intentional. It becomes a liability when it is inherited.