Smart Access 2026 priorities: device compliance & log management

Over the past year, Smart Access has moved from discovery and platform evaluation to focused execution using the tools and capabilities the university already has.

This update reflects that shift. We are narrowing in on two concrete initial priorities for 2026:

  1. Device compliance (via VPN HIP checks)
  2. Log management infrastructure strategy

Both are foundational to advancing Zero Trust maturity in ways that are measurable and practical, aligned to university needs, and directly responsive to challenges IT professionals shared last spring.

Device compliance: from visibility to measured improvement

Where we are

As shared earlier, audit mode has been enabled across:

  • DoIT VPN
  • CALS – Genetics
  • All WiscVPN services (as of December 22, 2025)

Audit mode allows us to evaluate device posture signals without enforcement. This includes data related to:

  • Operating system version and patch level
  • Endpoint protection presence
  • Other host integrity posture (HIP) signals available through VPN

More details on audit mode are available in this KB article.

This work directly advances the devices pillar and the visibility & analytics cross-cutting capability of the CISA Zero Trust Maturity Model.

Our approach has been deliberate:

Visibility first → informed decisions → intentional next steps.

What the data is telling us

The VPN device data shows variation across:

  • Patch compliance levels
  • Endpoint protection coverage
  • Managed vs. unmanaged devices
  • Differences between centrally managed and distributed IT environments

This confirms feedback we heard earlier about:

  • BYOD complexity
  • Gaps in inventory and visibility
  • Concerns about inconsistent enforcement

A detailed breakdown is available in our VPN device data article.

The data gives us a more concrete baseline. It allows us to move beyond anecdote and toward measurable maturity.

2026 device compliance priorities

By April 2026

  • Complete deeper analysis of VPN device posture trends.
  • Finalize notification language for limited pilots.
  • Conduct targeted compliance notification pilots (DoIT VPN + selected partners).
  • Refine dashboards to improve visibility for service owners.

After April 2026

  • Evaluate test results (clarity, usability, impact).
  • Define threshold recommendations and exception handling models.
  • Develop impact assessment documentation for broader notification options.

Enforcement remains out of scope for this phase of work.

Parallel efforts (initial planning still underway):

  • Explore opportunities for encouraging device health with Duo; overall IAM strategy discussions remain in progress.
  • Explore Virtual Desktop Infrastructure (VDI) and Secure Enterprise Browser options.

This reflects our service principles, particularly growth through measurable impact and user experience and sustainability.

Log management: building sustainable visibility

Device posture addresses risk before access. Log management strengthens visibility after access.

Currently, the university relies on an Elastic-based log management environment that requires major renewal decisions in FY26. Sustainability, scale, and long-term supportability are core concerns.

The log management infrastructure analysis is focused on:

  • Evaluating current architecture and operational burden.
  • Defining business requirements for log collection and retention.
  • Comparing on-premises, cloud, hybrid, and MSSP models.
  • Aligning with compliance drivers such as UW System Policy 1041, HIPAA, CMMC, and NSPM-33.
  • Advancing Visibility & Analytics and Automation & Orchestration maturity.

Log management timeline

Before June 2026

  • Gather structured requirements from Cybersecurity, DoIT, Elastic users, distributed IT partners, and Gartner.
  • Document required log types and retention expectations.
  • Analyze architectural options and cost models.
  • Make a short-term Elastic renewal decision, including evaluation of on-premises continuation versus migration to Elastic Cloud.

Target: June 2026

  • Deliver formal analysis report with recommendations for long-term direction.

Post-analysis (late 2026)

  • Define phased roadmap.
  • Begin alignment toward sustainable architecture and expanded visibility capabilities.

This work ensures that future conditional access, detection engineering, and automation capabilities have a stable, scalable logging foundation.

How device compliance and log management fit together

These two priorities are mutually reinforcing:

  • Device compliance efforts rely on a strong visibility and analytics foundation, which is facilitated by our Log Management strategy.
  • Device compliance strengthens preventive posture.
  • Log management strengthens detective and analytic capability.
  • Together, they increase confidence in conditional access decisions.
  • Both generate measurable progress that can be reflected in dashboards and sponsor reporting.

Zero Trust is not a single tool decision. It is an incremental, maturity-based journey.

As described in the CISA Zero Trust Maturity Model, progression occurs across pillars and cross-cutting capabilities over time.

Join the conversation: Smart Access office hours

To support transparency and structured input, Smart Access is hosting two focused office hours sessions.

These sessions are informal, discussion-based, and intended to gather input, surface concerns, and refine priorities.

Topic: Device compliance notifications

Friday, March 20 at 1pm 

Office hours discussions will be primarily driven by attendees; however, here are some potential discussion questions for the session:

  • Do your users use GlobalProtect on personal or unmanaged devices? If so, do you use a departmental VPN or WiscVPN?
  • Does your department support personal devices?
  • What concerns do you have about compliance notifications?
  • How do you anticipate your users (deans, faculty, etc.) will respond or request support when met with a compliance notification?
  • What populations should be prioritized or excluded?
  • What support resources would we need to support compliance notifications?
  • How would you like to validate/report on your devices’ compliance?

Feedback will inform pilot notification design and impact assessment work.

Topic: Log management needs

Wednesday, March 25 at 3pm

Office hours discussions will be primarily driven by attendees; however, here are some potential discussion questions for the session:

  • Are you currently using Elastic as your log management solution? If yes, how do you use Elastic (e.g., troubleshooting, compliance, security monitoring) and how critical is it to your daily operations?
  • If you are not using Elastic, what log management solution are you using?
  • What are you collecting and why? How long do you keep logs?
  • What logs are most critical to your operations?
  • How much “people time” do you invest in log management?
  • What would you expect from a centralized log management service?
  • Do you feel like you are in compliance with UW System Administrative Policy 1041?
  • Do you have any other regulatory requirements for logging?

Input from this session will directly inform the June analysis report.

If you cannot attend but want to contribute: