Ongoing innovations in pedagogy and learning strategies in the K-12 industry have spurred school districts to rapidly adopt digital tools for the classroom, while reducing their reliance on traditional print-based educational resources. To deliver their services, digital curriculum vendors require timely access to accurate and up-to-date student, teacher, and class roster data.
Schools are then faced with a choice: place an undue burden on teachers to manually input student roster information or turn to a solution that can automate the rostering process. The former method is manually intensive, time-consuming, error-prone, and insecure, leading many to turn to the latter: choosing a data rostering provider that manages credentials and automates the rostering process.
While targeted rostering solutions are a step in the right direction, not all solutions put the same emphasis on ensuring secure rostering. School districts need to take a security-first approach towards rostering, and that means choosing a solution that goes beyond rostering capabilities.
What is Automated Rostering?
Rostering solutions allow campus IT administrators to streamline and automate the data rostering process, ensuring hassle-free curriculum delivery. These solutions pull up-to-date student roster data from Student Information Systems (SIS) and put it into the various formats required by vendors.
Through a variety of exchange standards, the data is then synchronized to the target systems on an ongoing basis. Roster information remains up-to-date, ensuring the correct number of licenses are assigned to the correct students, helping to control licensing costs. For example, if a student makes a course change, roster data is immediately updated in vendor systems, so the student doesn’t show as still being in the class and therefore, taking up an unneeded license.
Where Schools Get Rostering Wrong
Schools Lose Control Over Data
Rostering vendors require a list that contains basic information about their user population, but sometimes schools send too much of their users’ information out. Targeted rostering solutions are not security solutions. They make your life easier, but not more secure.
As roster data is very closely associated with identity data, there’s recently been crossover of data rostering vendors into the identity space. For example, rostering vendors need a list of student names grouped by class, and logins typically must link back to a user’s course, grade level, and school building to complete rostering automation.
Once the service has all of that information, they roster each identity to the school’s third-party provider, but that introduces a lack of data control on the school’s part. Once that information is given, it’s gone to a third-party consumer, and there’s no way of knowing how that information may be used beyond the service. At the end of the day, schools have no way to track where their data is going.
This may seem like something inconsequential in the short-term, but it introduces a lapse in data protection. The fact is that anytime and anywhere students or teachers are connected to the internet, they are at risk of falling prey to cybersecurity threats. Rostering solutions were designed for sharing hierarchical information with digital curriculum vendors, not to handle the complexities of securing identity data or meeting compliance regulations.
So let’s look at another example: student rosters are constantly changing, especially in low income districts whose populations are more transient. Without a rostering solution in place, teachers are expected to update credentials manually. In any manual entry situation, human error is inevitable. In this case, student accounts may remain open, and those orphaned accounts are a weak point for threat actors to exploit.
It’s also important to take virtual instruction into account, especially in the wake of the COVID-19 pandemic response. All too often, teachers are the last to know when a student has transferred out of their class, and that lapse in communication is exacerbated in a digital classroom. Districts without automated rostering solutions in place are at a huge disadvantage.
Schools need to take an enterprise approach to rostering. Instead of entrusting their data with targeted rostering vendors, they should choose a vendor whose roots are in security, restricting that data to their own districts.
Targeted Rostering Solutions are NOT Security Solutions
Rostering vendors usually come with two capabilities: rostering and single sign-on (SSO). Districts allow rostering vendors to manage their data and assume that their data is secure, but the fact is that SSO and rostering are more of a convenience play.
By not addressing security as a necessity along with rostering and SSO, school districts leave their data vulnerable. Due to rostering solutions’ limitations, districts will sometimes try to fill identity management gaps with scripts, thereby creating further security gaps because the scripts just address identity concerns, but are not designed with security safeguards in mind.
Choose an IAM Vendor for Your Rostering Solution
Schools need to have processes or solutions in place for managing identities, as well as managing rostering data. Districts that choose to outsource data rostering must adopt an enterprise mindset when choosing a vendor, and the context of that is understanding to whom access is granted. This is where choosing a rostering vendor whose solution is part of an Identity and Access Management (IAM) system offers important advantages over point solutions for targeted rostering.
IAM solutions that also offer data rostering capabilities successfully bridge the gap between these two needs, while enhancing security. IAM solutions are purpose-built to address the security complexities associated with managing identity data by also offering robust identity management capabilities that go well-beyond those of basic rostering solutions.
For example, modern IAM solutions automate identity lifecycle management tasks for students, teachers, staff, and external users. Students can be automatically provisioned with access to correct resources based on their grade level, teacher, or class using role- and attribute- based access controls. This is indispensable at the beginning of the school year, when provisioning can otherwise take a team weeks or months to complete repetitive tasks, such as creating new accounts or assigning privileges for users. Conversely, when students are no longer enrolled in a class, their access is automatically deprovisioned, thereby increasing data security by eliminating entitlement creep and orphaned accounts.
A complete IAM solution also has SSO capabilities, offering the same convenient student experience as a rostering solution, i.e. allowing users to access a variety of applications with one set of credentials, rather than entering a unique password for each. This is a huge advantage in an industry whose users are uniquely diverse and have large differences in digital literacy as it streamlines the log-in process and minimizes the classroom distractions associated with managing password issues and resets.
An identity-driven approach is a policy-driven approach. Policy governs the visibility, sharing, and application of data and entitlements. For example, what assurance do you have that data that informs the identity of a student, or a teacher, or a parent, is properly applied in your roster strategy? Without a policy, or a mechanism to enforce and protect that policy, you don’t.
Your Best Bet is a Solution With Roots in Security
Automated rostering is a necessary component to keep schools up-to-date with the latest digital learning programs. Asking teachers to manually roster students for every digital resource is time-consuming and a poor use of school resources. However, turning to targeted rostering is only a point solution and still leaves security and functionality gaps.
Furthermore, rostering solutions depend on third-party learning platforms to handle student information and unfortunately, schools have no way of tracking what those third parties will do with student data.
Schools should instead take an enterprise approach to rostering that puts security first by leveraging a complete IAM solution that offers both rostering and complete identity management capabilities. Robust IAM bridges the gap between rostering efficiency and identity management without compromising security, providing K-12 with another resource in their arsenal to ensure their private data stays private.
Comments