In conversations earlier this year, IT professionals shared concerns about the difficulty of meeting current device compliance requirements and whether Smart Access might add to that burden. The Smart Access team heard that feedback clearly, and it guided our immediate focus.
Our immediate focus is understanding the devices connecting to the university network so we can make informed, risk-based decisions without adding new obligations beyond what’s already required by policy (SYS 1036, UW-526). To do that, we first need better visibility into the devices accessing our environment.
This work is grounded in supporting what’s already expected under existing policy and compliance requirements. The insights we gain will help identify where additional support, tools, or coordination can make compliance easier and more consistent across environments while building a clearer understanding of the university’s overall device landscape.
What we’re doing
Our most immediate focus in the months ahead is evaluating device data from VPN connections to answer questions such as:
- How many UW-managed devices connect without Qualys or other managed agents?
- How many devices connect without current and active anti-virus?
- How current are their operating systems and patch levels?
- Are there patterns or gaps that signal higher institutional risk?
The goal is to understand risk before using new controls. These insights will inform how we design future conditional access policies that are both effective and workable for the university and that align with our Adapt with Purpose principle.
This analysis is grounded in supporting what’s already expected under current policy and compliance requirements, not adding new obligations. The insights we gain will help identify where additional support, tools, or coordination are needed to make compliance easier and more consistent across environments.
Why this matters now
With the decision to defer expansion of Microsoft A5 licensing, Smart Access is focusing on progress we can make with the tools we already have.
Systems like VPN, Qualys, and campus identity services already provide valuable signals about device risk and compliance. By analyzing data from these existing tools, especially VPN logs, we can strengthen our understanding of the university’s device landscape.
Gaining clearer insight into the security state of devices accessing VPN helps advance the Devices pillar and the Visibility & Analytics capability in the CISA Zero Trust Maturity Model (ZTMM). This work helps us take practical, measurable steps toward Zero Trust maturity while using data we already collect responsibly.
Commitment to privacy and transparency
As with all Smart Access initiatives, privacy and transparency are priorities.
We are working with the Office of Compliance to review the specific data that will be evaluated and to confirm how it may be used under university policy.
Once the review is complete, a Knowledgebase article will be published outlining:
- What information is collected
- How it is used to assess risk
- What safeguards are in place to protect privacy
Transparency and trust remain central to UW–Madison’s Zero Trust journey.
Looking ahead
This work represents an early but critical step in advancing Zero Trust maturity, building the insights and coordination needed for future conditional access decisions.
By focusing on evidence, collaboration, and existing compliance expectations, we’re laying the groundwork for smarter, more adaptive security that protects the university’s research, teaching, and operations without unnecessary disruption.