In a landmark effort to bolster the university’s cyber defenses, WashU IT recently completed a massive initiative to disable inactive WashU Keys—the first project of its kind in the university’s history.
Roughly one-third of all existing WashU Keys were recently retired in this project under CyBear, marking a significant milestone in how the university manages identity and access. Identity and Access Management had the support of the Office of Information Security in this effort.
A Massive Undertaking
Since work began last fall, the project team identified and retired more than 114,000 stale accounts, the bulk belonging to non-activated or WashU Key accounts from legacy source systems. While approximately 236,000 WashU Keys remain eligible for active use, the removal of these inactive credentials dramatically reduces the university’s “attack surface.”
Reducing the number of stale keys makes it significantly harder for bad actors to gain a foothold in the environment using unmonitored accounts.
A Cultural Shift in Identity Management
This project was more than just a technical cleanup; it represented a fundamental change in the university’s approach to security. Leanne Carver, Assistant Director of Identity Governance, described the effort as a “cultural shift.”
“This really touched a lot of different areas,” Carver said, noting her team worked across many areas within WashU IT, as well as with University Advancement, the Office of the Registrar, Student Affairs, and Human Resources.
The collaboration across Shared Infrastructure and Information Security was essential to ensure that legitimate users maintained access while high-risk, dormant accounts were cleared.
Modernizing for Scale and Security
For years, the sheer longevity of these credentials presented a unique challenge for the IT organization.
“Until this project, a WashU Key was effectively permanent,” said Ken Koch, Senior Infrastructure Architect. “We managed risk at the account level across hundreds of systems, which doesn’t scale and leaves gaps. Closing a gap like that, on a service as widely used as the WashU Key, is where the meaningful security wins happen.”
Carver and Koch both report up through Chief Technology Officer Greg Hart’s organization, which prioritized this effort to ensure a more stable and secure environment for the entire WashU community.
Technical Excellence and the Path Forward
Carver specifically highlighted the work of Systems Engineer IV Sidney Johnson, whose “remarkable work” was pivotal to the project’s success. Johnson was responsible for identifying the complex patterns used to determine key eligibility across disparate data sources.
The success of this project is not just a one-time win. The logic and patterns developed by the team have been integrated into WashU systems so that key disablement will now happen automatically moving forward. This ensures that the university’s identity environment remains lean, secure and manageable for years to come.