When we think of education technology, we typically think of its use within a classroom environment. When we think of education security, the physical safety of the students and staff is the first thing that comes to mind.

How do the two concepts merge to ensure identity and data security for students and staff within educational and technological environments?

Identity and access management (IAM) and access governance (AG) are typically presented with business scenarios in mind because they are most easily framed within those environments. To simplify, IAM supports the "IT identity" needs of an enterprise (provisioning, authentication, resource connectors, IT admin, etc.), while AG supports the "business identity" needs (defining business roles as they translate to users; management of birthright and requested entitlements; the creation, attestation and reconciliation of access rights; etc.).

However, IAM and AG use cases within the education sector are less immediately clear. When we prioritize students' education experience, and rightfully so, we commonly think of education in relation to the classroom experience, physical or virtual, where it becomes more difficult to frame IAM and AG in the context of day-to-day student activity.

Even though the education experience is the priority, district and school staff roles at all grade levels remain responsible for FERPA compliance and managing myriad student- and employee-sensitive data and personally identifiable information (PII) including social security numbers, financial information, health records, parent/guardian information and more.

If we expect these individuals to secure that data to the same degree as any other enterprise's confidential or privileged information, so too, then, should those staff members operate with respect to the principles of "least privilege": that users are restricted to only the essential resources and data needed for their roles.

Expanding technology's role

Education technology's role is typically regarded as the leveraging of that technology (whether user account access and provisioning; learning apps; learning management systems (LMS); learning object repositories (LOR); or other educational, testing and heuristic resources) to enhance the student experience in its entirety.

Even when we consider education technology with respect to pedagogy, the focus is predominately on how to support teachers, increasing their access to additional resources and lesson plans, and further technology with the same aim of enhancement.

While essential to the inherent aims of education, this emphasis on the classroom experience unfortunately neglects the critical need for greater scope or additional technology to safeguard the sensitive data and PII located on our schools' networks and systems.

These school- and district-office needs extend well beyond giving IT better account provisioning capabilities, encompassing the entirety of managing identities, enforcing "least privilege" and the active organization and protection of data. To address these needs, we need to expand the notion of technology's role within education.

IAM currently provides the best bridge between a school's classroom and office needs by supporting both through the end-to-end management of identities. According to Gartner, IAM is the "security discipline that enables the right individuals to access the right resources at the right times for the right reasons."

Both students and teachers requiring access to educational resources, as well as office staff requiring access to PII, fall under the IAM discipline. Further, IAM's capability to manage identities with multiple roles and the associated resource entitlements means that students, teachers, and staff can all operate under the same structure.

Many IT professionals in education have come to rely on account provisioning solutions designed to assist with the massive turnover and upkeep challenges faced by schools when trying to manage grade-level advancement, graduation and new students. However, account provisioning can be limited to AD accounts, falling short of connecting users to resources for students and teachers that are located further downstream.

Conversely, provisioning solutions that only focus on connecting those student and teacher resources to the classroom can leave school staff without sufficient management capabilities for the Windows environment many schools have built their IT infrastructure around. IAM retains the provisioning capabilities and expands them to link AD and Windows environment provisioning with all of the downstream educational resources that enhance the classroom experience, especially when combined with additional capabilities like single sign-on (SSO).

More than just provisioning

IAM has evolved beyond the provisioning capabilities to become a more encompassing manager of users and resources. Centralizing both IAM and AG capabilities in a single interface allows for greater administrative control. Even simple AG structures can place different organizational units along horizontal and vertical hierarchies to enforce "least privilege" on the baseline entitlements granted to each user account upon provisioning.

Right from the generation of the user account, students, teachers and staff can be restricted to only the resources they need. Workflow support grants greater flexibility within IAM, allowing for future entitlement requests should new resources become available or temporary access be needed for a specific app or data.

To get more "in the weeds," the technical capabilities of IAM alleviate the buildup of minor tasks that accumulate into major pain points for schools. Delegation functions allow IT to permit nontechnical business roles to make acceptable decisions and actions within IAM, such as HR being given the entitlement to perform specific parts of the onboarding process for new hires, which is valuable beyond permanent employees for positions such as substitute teachers.

An IAM solution with robust logic drivers provides technical and nontechnical staff with a greater depth and agility to operate while remaining within their AG-defined purview. Even greater, perhaps, is the ability to easily knock out the IT minutiae that bog down help desks, such as username format, name changes, eliminating duplicates and more.

If a school or district finds itself unable to implement access governance beyond what IAM entails, a different approach could be to assess and organize the existing data contained on the networks and systems. By cleaning up that data pollution and securely placing PII in folders or locations under the control of IAM, schools and districts can better protect their sensitive information with more control over which users are permitted access.

Within education or commercial environments, IAM achieves the same end goals:

  • allowing verified users to access the resources necessary for their role (staff to enterprise resources; students and teachers to education resources)
  • letting IT professionals focus on more productive work
  • helping the school and district as a whole to operate more efficiently