Recently, we discussed the importance of Multi-Factor Authentication (MFA) as a tool school districts should leverage to help prevent data breaches and protect against threat actors. MFA is a sure step towards securing access to district systems and applications; however, with at-home instruction being K-12 education’s new normal, schools need to take an even more comprehensive approach to securing their resources.
So beyond MFA, what else can districts do to stay ahead of security breaches?
At Identity Automation, we see access management as a cornerstone of a robust security strategy. While MFA takes additional steps to prove a user is who they say they are, schools also need to take into account securing different levels of access.
Most districts’ data security posture and identity management procedures are still limited to reactive measures. Districts that have taken action towards comprehensive security plans are usually doing so in response to a data breach or privacy threat and not proactively.
The recent migration from on campus learning to digital classrooms has only highlighted this fact. Classrooms are now located in living rooms and home offices, but many school districts are not prepared for their data to be accessed remotely.
Districts have added digital resources, such as Zoom for classroom instruction, but each addition also widens their attack surface. In the rush to adapt, districts have struggled to put sensible controls in place to protect data and systems from risk.
This is where Access Management (AM) can make a huge impact. AM ensures access is granted to valid users and prohibited to invalid users by identifying, tracking, and regulating users' access to systems and applications. Simply put, AM ensures users are assigned proper access to resources based on an organization’s policies.
The State of Access Management in K-12
Access granted to an application is an entitlement, and for each system a user can access, there is an individual entitlement associated with it. For example, access to district email is a mailbox entitlement, and that entitlement is retained as long as the user still holds the applicable role or position. Without automated AM, all entitlement-based processes are manual and there is no system keeping track of entitlements.
As it stands today, most schools are still dependent on manually provisioning and deprovisioning entitlements to users district-wide.
This means IT personnel grant access manually and, in general, reactively. Teachers typically bear the responsibility of requesting access to district-supported applications, such as textbook resources or behavior management tools: setting up accounts, verifying their identities, and maintaining their own access throughout their tenure with the district.
So, if a teacher needs access to an application such as Eduphoria, access has to be granted manually by a member of the administrative staff, and the teacher completes account setup themselves.
Later in the school year, if that teacher needs additional third-party applications, such as BrainPop lessons or GoNoodle Brain Breaks, the teacher creates their own accounts using their district email. The problem is that the district has no record of these accounts, so there is zero oversight, and nothing ensures they are closed when the teacher leaves. That is a serious security liability.
Elevating Your District’s Access Management Capabilities
Basic Access Management
Some school districts are moving towards a basic level of AM. At a minimum, this requires an engine that automates identity lifecycles across all systems and applications in the district's ecosystem, plus an entitlement repository: a maintained list of the entitlements specific to the district and to the roles within its campuses.
With these in place, user access can be limited to the programs and records associated with a user's particular role in the district using role-based and attribute-based access control (RBAC and ABAC). With more advanced levels of automation, this can be handled dynamically.
RBAC controls access based on the roles users hold and on rules stating what access each role is allowed. RBAC is ideal for broad-stroke decisions: for example, giving all teachers access to Google or all contractors access to email. Often, though, more granularity is needed, or a decision depends on conditions. For these cases there is ABAC.
ABAC controls access using three attribute types: attributes of the user, attributes of the application or system being accessed, and current environmental conditions (such as time of day or network location). ABAC permissions can be conditional and additive: a job title of "Teacher" or "Skills Specialist" gives a user baseline access to district systems, while a department attribute of "Mathematics" additionally grants access to the school's mathematics resources.
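The following is an added example, not code from the original post or from Identity Automation's product, showing how the two layers combine in a single policy decision point. The entitlement repository, role names, resource names and the environmental rule (high-sensitivity data only from the district network during staff hours) are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed entitlement repository (hypothetical role and resource names).
# RBAC layer: each role maps to the broad entitlements it carries.
ROLE_ENTITLEMENTS = {
    "teacher": {"google_workspace", "district_email", "lms"},
    "skills_specialist": {"district_email", "lms"},
    "contractor": {"district_email"},
}

# ABAC layer: resource attributes. A department-scoped resource is granted by a
# matching user attribute; the sensitivity level drives environmental conditions.
RESOURCES = {
    "google_workspace": {"department": None, "sensitivity": "low"},
    "district_email":   {"department": None, "sensitivity": "low"},
    "lms":              {"department": None, "sensitivity": "medium"},
    "math_resources":   {"department": "Mathematics", "sensitivity": "low"},
    "sped_records":     {"department": "Special Education", "sensitivity": "high"},
}


@dataclass
class User:
    username: str
    roles: set
    department: Optional[str] = None


def env_at(hour: int, on_district_network: bool = True) -> dict:
    """Environment snapshot on a fixed, constructed date at the given hour."""
    return {"now": datetime(2024, 3, 4, hour, 0),
            "on_district_network": on_district_network}


def rbac_allows(user: User, resource: str) -> bool:
    """Broad-stroke decision: any held role that lists the resource grants it."""
    return any(resource in ROLE_ENTITLEMENTS.get(role, set()) for role in user.roles)


def attribute_allows(user: User, resource: str) -> bool:
    """Department-scoped resources are granted by a matching user attribute."""
    dept = RESOURCES[resource]["department"]
    return dept is not None and user.department == dept


def decide(user: User, resource: str, env: dict):
    """Return (allowed, reason). Grants come from roles or attributes; the
    environment can only further restrict, never grant, so the default is deny."""
    attrs = RESOURCES.get(resource)
    if attrs is None:
        return False, "unknown resource: deny by default"

    by_role = rbac_allows(user, resource)
    by_attr = attribute_allows(user, resource)
    if not (by_role or by_attr):
        return False, "no role or attribute grants this resource"

    # Hypothetical environmental policy: high-sensitivity data is readable only
    # from the district network and only during staff hours.
    if attrs["sensitivity"] == "high":
        if not env["on_district_network"]:
            return False, "high-sensitivity data requires the district network"
        if not 7 <= env["now"].hour < 18:
            return False, "high-sensitivity data is limited to staff hours"

    return True, ("granted by role" if by_role else "granted by department attribute")


if __name__ == "__main__":
    teacher = User("mjones", {"teacher"}, department="Mathematics")
    for resource in ("google_workspace", "math_resources", "sped_records"):
        print(teacher.username, resource, decide(teacher, resource, env_at(10)))
```

The mathematics teacher gets Google through the teacher role, the mathematics resources through the department attribute alone, and nothing for special-education records because neither role nor department grants them; a special-education contractor reaches those records only on the district network during staff hours.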
Leveling Up Access Management
A more advanced level of AM is one where exceptional access is requested, approved, and provisioned through automated workflows that enforce the approval procedures outlined in district policy. For example, a teacher generally doesn't need access to directory information or political websites, but they may need temporary access for a lesson or campus improvement project.
If a district is only leveraging basic AM, the teacher would have to file a request with their campus technology specialist, who would then request access from district IT, who would then manually provision access. This takes time, and the human error associated with manual provisioning could mean that access is not revoked in a timely manner if it is revoked at all.
However, with an elevated level of access management, that same teacher could leverage self-service capabilities to request an access exception through an automated mechanism. District IT would then review the request to determine if access is needed. IT personnel would most likely consider factors, such as the sensitivity level and if licensing is associated before approving or denying the request.
It’s important to note that limits can be set on the duration of access, so the teacher requesting access would only have access for the time necessary. The generally accepted practice is that the more sensitive the application or data, the shorter the time-frame of access.
Privileged Access Management (PAM)
Privileged Access Management (PAM) is a subset of AM that provides additional protection for privileged accounts: administrative or system-level accounts such as domain administrators and service accounts. Typically, PAM is handled through a process known as password vaulting, in which privileged credentials are stored in a vault and rotated after every use rather than being held permanently by any individual.
So, if an administrative account lives in Active Directory, an employee who needs it checks it out of the vault: the request is approved, the vault communicates the current password to that user, and a check-out record is created. When the user is finished, or the check-out window expires, the account is checked back in and the vault changes the password immediately, so the value the user saw no longer works.
Password vaulting ensures that no user holds privileged credentials on a 24/7 basis and that there is a clear record of every approval, check-out, and check-in. This matters because shared service accounts are used less often than personal accounts, so misuse of a compromised one is less likely to be noticed. By keeping standing privileged access to a minimum while still providing a simple mechanism to elevate access when needed, PAM both streamlines access processes and reduces overall security risk for districts.
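As an added illustration of the check-out, check-in and rotation cycle described above (not code from the original post or from any vendor's product), the following is a minimal in-memory vault. Account names, the one-hour check-out window and the two-person approval rule are assumptions; a real deployment would also push the rotated password to the directory, which is omitted here.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2024, 3, 4, 9, 0)            # constructed clock start for the example


def at_minute(n: int) -> datetime:
    """Clock helper: T0 plus n minutes, so the scenario is deterministic."""
    return T0 + timedelta(minutes=n)


def generate_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class VaultedAccount:
    name: str                               # e.g. an AD service or admin account (hypothetical)
    password: str
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None


class PasswordVault:
    """Check-out / check-in vault: the password rotates on every check-in, and
    every approval, check-out, check-in and rotation is recorded."""

    def __init__(self):
        self.accounts = {}
        self.audit = []                     # append-only audit trail

    def _log(self, event, account, actor, now):
        self.audit.append({"ts": now, "event": event, "account": account, "actor": actor})

    def enroll(self, name: str, now: datetime):
        # The vault generates the initial value; no human learns it until a check-out.
        self.accounts[name] = VaultedAccount(name, generate_password())
        self._log("enroll", name, "vault", now)

    def check_out(self, name, requester, approver, now, ttl=timedelta(hours=1)) -> str:
        if approver == requester:
            raise PermissionError("a requester cannot approve their own check-out")
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            if now < acct.checkout_expires:
                raise RuntimeError(f"{name} is already checked out by {acct.checked_out_by}")
            # Stale check-out: rotate before re-issuing so the previous holder's
            # copy is dead and the new holder never shares a value with them.
            self.check_in(name, acct.checked_out_by, now)
        acct.checked_out_by = requester
        acct.checkout_expires = now + ttl
        self._log("approve", name, approver, now)
        self._log("check_out", name, requester, now)
        return acct.password                # the only moment the credential leaves the vault

    def check_in(self, name, user, now) -> None:
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError(f"{name} is not checked out by {user}")
        acct.password = generate_password()  # rotate immediately: the disclosed value stops working
        acct.checked_out_by = None
        acct.checkout_expires = None
        self._log("check_in", name, user, now)
        self._log("rotate", name, "vault", now)

    def expire_stale(self, now) -> list:
        """Scheduled job: force check-in (and rotation) of check-outs past their window."""
        expired = [a.name for a in self.accounts.values()
                   if a.checked_out_by is not None and now >= a.checkout_expires]
        for name in expired:
            self.check_in(name, self.accounts[name].checked_out_by, now)
        return expired

    def events(self, name) -> list:
        return [e["event"] for e in self.audit if e["account"] == name]


if __name__ == "__main__":
    vault = PasswordVault()
    vault.enroll("svc-backup", at_minute(0))
    vault.check_out("svc-backup", "jdoe", "itmgr", at_minute(5))
    vault.check_in("svc-backup", "jdoe", at_minute(30))
    print(vault.events("svc-backup"))   # enroll, approve, check_out, check_in, rotate
```

The scheduled `expire_stale` job is the safeguard the text alludes to: if a user never checks the account back in, the window closes on its own and the password is rotated anyway, so nobody ends up with a standing privileged credential.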
Contingent Users in K-12
In some cases, a user who is not a regular district employee needs access to district data on a contingent basis. It's inevitable that schools will have contingent users: staff engaged for a period of one year or less with a specific end date. Contingent users can include substitute teachers, adjunct faculty, or special education contractors.
For example, substitute teachers are generally only granted access to their district email account, but what about when their lesson plan requires access to virtual lessons? All too often, teachers will write their own credentials on their substitute lesson plans, and that is a dangerous practice for a slew of security reasons.
Without automated access procedures for contingent users, access must be granted manually. Substitute teachers are last-minute contingent users, so manually provisioning temporary access is usually a low priority for IT. However, the lengthy process of manual provisioning can be eliminated entirely with automated sponsorship capabilities in place.
On the front end, the external user is “sponsored” by a member of the administrative staff. Account access to the different applications is automatically granted based on predefined rules, all without active IT involvement, but still within pre-set organization-wide security and privacy policies.
It’s important to note that sponsored accounts have an expiration date by default, and that date is determined by the district. When an account is about to expire, the appropriate sponsor is notified with the option of extending access. If a sponsor does not recertify access by the deadline, it is automatically revoked.
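Both the time-limited exception access described under "Leveling Up Access Management" and the sponsored contingent accounts described here come down to the same mechanism: an entitlement with an expiry that is set by policy, surfaced to a sponsor before it lapses, and revoked automatically if nobody recertifies it. The following is an added example of that mechanism, not code from the original post or from any vendor's product; the duration caps per sensitivity level, the seven-day renewal notice and the account names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2024, 1, 8)                       # constructed clock start for the example


def at_day(n: int) -> datetime:
    """Clock helper: T0 plus n days."""
    return T0 + timedelta(days=n)


# Hypothetical district policy: the more sensitive the data, the shorter the
# maximum grant. Sponsors are warned this far ahead of expiry.
MAX_DURATION = {
    "low": timedelta(days=180),
    "medium": timedelta(days=30),
    "high": timedelta(days=7),
}
RENEWAL_NOTICE = timedelta(days=7)


@dataclass
class Grant:
    account: str
    resource: str
    sensitivity: str
    sponsor: str
    expires: datetime
    active: bool = True
    notified: bool = False


class GrantRegistry:
    """Time-bounded entitlements with sponsor recertification and auto-revocation."""

    def __init__(self):
        self.grants = []
        self.notifications = []                 # (sponsor, account, resource, expires)
        self.revocations = []                   # (account, resource, when)

    def sponsor(self, sponsor, account, resource, sensitivity, now,
                requested_days: Optional[int] = None) -> Grant:
        """Create a grant; a requested length longer than policy allows is capped."""
        cap = MAX_DURATION[sensitivity]
        duration = cap if requested_days is None else min(timedelta(days=requested_days), cap)
        grant = Grant(account, resource, sensitivity, sponsor, now + duration)
        self.grants.append(grant)
        return grant

    def recertify(self, grant: Grant, sponsor, now) -> datetime:
        """Only the sponsor of record can extend, and only while the grant is live."""
        if sponsor != grant.sponsor:
            raise PermissionError("only the sponsor of record can recertify")
        if not grant.active:
            raise RuntimeError("an expired grant must be re-sponsored, not extended")
        grant.expires = now + MAX_DURATION[grant.sensitivity]   # measured from now, never stacked
        grant.notified = False
        return grant.expires

    def run_daily(self, now) -> list:
        """Scheduled job: warn sponsors ahead of expiry, revoke anything past it."""
        for g in self.grants:
            if not g.active:
                continue
            if now >= g.expires:
                g.active = False                # automatic revocation, no human in the loop
                self.revocations.append((g.account, g.resource, now))
            elif not g.notified and now >= g.expires - RENEWAL_NOTICE:
                g.notified = True
                self.notifications.append((g.sponsor, g.account, g.resource, g.expires))
        return [g for g in self.grants if g.active]

    def entitlements(self, account) -> list:
        """What the account can currently reach; this is what provisioning consumes."""
        return sorted(g.resource for g in self.grants if g.active and g.account == account)


if __name__ == "__main__":
    reg = GrantRegistry()
    reg.sponsor("principal", "sub-jsmith", "district_email", "low", at_day(0), requested_days=10)
    reg.sponsor("principal", "sub-jsmith", "student_records", "high", at_day(0), requested_days=30)
    for day in (1, 8):
        reg.run_daily(at_day(day))
    print(reg.entitlements("sub-jsmith"), reg.notifications, reg.revocations)
```

In the scenario above the sponsor asks for thirty days of access to high-sensitivity records and gets the seven-day policy cap instead; the sponsor is notified on day one, the records grant is revoked on day eight without anyone acting, and the low-sensitivity email grant survives only because it was recertified before its own expiry.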
Secure Your District’s Accounts with Automated Access Management
K-12 education faces serious security challenges every day, and districts are doing what they can within budgetary constraints. All too often, schools are still taking a reactive approach to data security, even for basic access management procedures.
However, the face (and location) of education is constantly morphing and K-12’s security posture too must evolve. Districts must implement stricter policies to keep their valuable data both secure and accessible. This means that schools must be proactive. Automated access controls need to be a part of school districts’ security posture to curtail threats before they become a problem, and not a minute later.