As K-12 accelerates its collective journey down the path of digital transformation, one key undertaking of midsize-to-large school districts is improving the learning experience, at scale, while improving cybersecurity. That’s no small feat, especially as malicious online actors are increasingly targeting U.S. districts through a variety of attacks. In fact, education is the number one most targeted industry for ransomware attacks.
Most districts are at the point where they are evaluating or have implemented single sign-on services to simplify the login experience for students and educators to their online learning tools. That’s an important step forward, but it’s not the full solution districts need. In order to truly protect students and educators online, districts need to develop digital identity management.
Our goal with this blog series is to explain what digital identity management is and why it is so important. Additionally, we want to demonstrate why simple login syncing, such as OneSync by ClassLink, is not the same thing.
K-12 Cyber Threats are Mounting
One of the most common ways bad actors commit cyberattacks is to find weak spots in the authentication process, when the user’s digital identity is verified. Have you ever repeated your password on multiple systems because it’s too hard to remember them all? Chances are, your answer is yes. But what happens when that password shows up on the dark web?
Typically, a bad actor pays about $30 for your password, and then uses it to gain access to district systems. This bad actor then has all the same permissions you have. They can wreak havoc by stealing student data, committing identity theft of staff, or holding the district ransom by locking everyone (students and educators) out of their edtech ecosystem.
Needless to say, that’s a bad day.
A lot of districts that implement single sign-on are also considering login syncing services, which are often free of charge. Login syncing simply automates the account provisioning process to ease IT’s burden of creating and closing accounts for Office 365 or Google Classroom. In effect, this process amounts to a basic “Select All”, then “Copy” and “Paste” action. Good, but not great.
Because what if the password that gets synced is the same password that was purchased by the bad actor on the dark web? (That’s called getting “pwned”, pronounced “p-own-ed” or “p-awn-ed” by the way.)
Now imagine when that happens on a large scale. How many people in a district are reusing passwords? Take a guess. Maybe half of the people in a district of 50,000 students and educators? That’s 25,000 passwords that aren’t as secure as they should be.
How many of those passwords are available for purchase on the dark web? Wouldn’t you like a fast way to know so that you can easily take care of it?
This is the important context for the comparison between login syncing and true identity management. Hands down, the best way to drive progress on both fronts (learning experience and cybersecurity) is to place digital identities at the center of the district’s technology strategy. That means developing a strong identity management capability that takes your security capabilities far beyond login syncing.
Three Key Cybersecurity Concepts
There are three cybersecurity concepts one needs to know in order to discern the difference between login syncing and true digital identity management.
- Granular digital identities for all students, teachers, parents, and staff can be a powerful catalyst for achieving the levels of security, scale and responsiveness districts are striving for with their technology strategies. Digital identities are the key to de-anonymizing your users, automating security measures, and developing true representations of the unique needs of your users.
- Centralized administration of digital identities allows the IT department to manage thousands, or even millions, of identities with consistent policies at very low cost and administrative burden without having to juggle multiple third-party tools.
- Unifying online authentication with digital identities. We’ll call this capability “eSSO IDP” for short. It stands for enterprise single sign-on (eSSO) and identity provider (IDP). It basically means your system can tell who the user is to verify their system permissions and maintain a simplified user experience that doesn’t let security measures stop them from being productive online.
Difference #1: Granular Digital Identities
Most districts today still think about identity management as simply the automated provisioning of accounts so that users get immediate access to the tools they need. However, there is so much more to it. Comprehensive digital identities are the key to cybersecurity, as well as long-term groundbreaking capabilities that drive incredible innovation over the coming years. Digital identities play an important role in protecting a district’s staff and students, and there are four important technical concepts to cover in this realm.
Digital identity management isn’t just about cybersecurity; it’s about providing your users with a great experience. Part of that experience is providing access to the systems a user needs immediately when they need them, even if that is before their technical start date. That’s what we call “zero-day access”. With a true identity management capability, you’re able to provide your staff, students, and parents access to the tools they need as soon as they enter your district.
Compromised Credential Monitoring
How many of your users do you think are reusing passwords across their consumer accounts and your district systems? If your district is like most, then it’s a lot. Probably most users. If so, how many of those passwords are for sale on the dark web? Wouldn’t it be nice to quickly learn when your users are using credentials that have been breached? Digital identity management does just that. Not only can we help you find out whether your users’ credentials are compromised, we can also help you quickly shore up the vulnerability. Simple login syncing sure can’t do that.
Login Syncing Can “Break” Security Policies
You can think of a directory domain as a database with basic identity-specific data that is used as the primary record of who a person is within district systems. Often, districts have more than one directory domain. What’s most common is one domain used for students and one separate domain for staff. Districts may also isolate parent identities in their own domain.
The challenge of login syncing tools is that they ignore the differences in data structures for each domain and simply “copy-and-paste” one of the data structures into the other. That creates major challenges for districts managing multiple domains because security policies tied to access for various user types can break, which creates security vulnerabilities. In summary, if you ignore the difference in domain data structures, then you break security policies, creating security vulnerabilities.
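The failure described above can be shown with a small added example (not code from any vendor or product named on this page). The attribute names, policy names and the sample record are assumptions constructed for illustration: a student-domain record is copied verbatim into a domain whose policies key on a different attribute, and a simple audit flags the account that no policy matches.

```python
# Constructed example: attribute names, policies and records are assumptions.
STUDENT_RECORD = {"uid": "s1001", "role": "student", "gradeLevel": 7}

# Policies in the target domain key on `employeeType`, an attribute the
# student domain's data structure does not have.
TARGET_POLICIES = {
    "content_filter": lambda u: u.get("employeeType") == "student",
    "gradebook_write": lambda u: u.get("employeeType") in {"teacher", "admin"},
}
REQUIRED_TARGET_ATTRS = {"uid", "employeeType"}


def verbatim_sync(record):
    """Login-sync style: copy the source structure unchanged."""
    return dict(record)


def mapped_sync(record):
    """Schema-aware: translate source attributes into the target schema."""
    role_to_type = {"student": "student", "teacher": "teacher"}
    if record.get("role") not in role_to_type:
        # Refuse to provision rather than create an account no policy covers.
        raise ValueError(f"unmapped role for {record.get('uid')}")
    return {"uid": record["uid"], "employeeType": role_to_type[record["role"]]}


def matched_policies(user):
    """Names of the target-domain policies that apply to this account."""
    return sorted(name for name, rule in TARGET_POLICIES.items() if rule(user))


def audit(user):
    """Return findings for a record as it landed in the target domain."""
    findings = []
    missing = REQUIRED_TARGET_ATTRS - user.keys()
    if missing:
        findings.append(f"missing attributes: {sorted(missing)}")
    if not matched_policies(user):
        findings.append("no policy matches this account")
    return findings


if __name__ == "__main__":
    for sync in (verbatim_sync, mapped_sync):
        landed = sync(STUDENT_RECORD)
        print(sync.__name__, matched_policies(landed), audit(landed))
```

Running the audit after every sync job surfaces accounts that exist in the target domain but fall outside every access policy.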
Sponsorship for Third Parties
Most districts work with organizations to provide on-site service providers who need short-term access to district systems. Contractors, vendors, visitors, and partners are common examples of third parties who need temporary access. The problem is that these accounts are typically created on an ad-hoc basis and someone has to remember to go back and deactivate the account, usually not knowing exactly how long the accounts are needed for.
While these people need the same identity lifecycle management as staff and students to keep the environment secure, they just need it on a temporary basis. It’s important to give and revoke system access quickly in order to help them efficiently serve the district without creating security vulnerabilities. When these accounts are forgotten and left active, they create a massive vulnerability.
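One way to find forgotten third-party accounts is a scheduled audit of sponsored accounts, sketched here as an added example (not code from any product named on this page). The record fields, the 90-day lifetime cap, the sponsor list and all sample accounts are assumptions constructed for illustration.

```python
from datetime import date, timedelta

MAX_LIFETIME = timedelta(days=90)  # assumed district policy, not from the page

# Constructed sample data: staff who may sponsor, and third-party accounts.
ACTIVE_STAFF = {"jlee", "mgarcia"}
ACCOUNTS = [
    {"uid": "v-hvac01", "sponsor": "jlee", "created": date(2024, 1, 8),
     "expires": date(2024, 2, 8), "enabled": True},
    {"uid": "v-photo02", "sponsor": "mgarcia", "created": date(2024, 3, 1),
     "expires": None, "enabled": True},
    {"uid": "v-audit03", "sponsor": "tchan", "created": date(2024, 3, 10),
     "expires": date(2024, 4, 10), "enabled": True},
    {"uid": "v-tutor04", "sponsor": "jlee", "created": date(2024, 3, 1),
     "expires": date(2024, 5, 1), "enabled": True},
    {"uid": "v-bus05", "sponsor": "jlee", "created": date(2023, 9, 1),
     "expires": date(2023, 10, 1), "enabled": False},
    {"uid": "v-sub06", "sponsor": "mgarcia", "created": date(2024, 3, 1),
     "expires": date(2025, 3, 1), "enabled": True},
]


def audit_sponsored(accounts, active_staff, today):
    """Map uid -> reasons an enabled third-party account needs review."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated, nothing to revoke
        reasons = []
        if acct["expires"] is None:
            reasons.append("no expiry date")
        elif acct["expires"] < today:
            reasons.append("expired but still enabled")
        elif acct["expires"] - acct["created"] > MAX_LIFETIME:
            reasons.append("lifetime exceeds policy")
        if acct["sponsor"] not in active_staff:
            reasons.append("sponsor not active staff")
        if reasons:
            findings[acct["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in audit_sponsored(ACCOUNTS, ACTIVE_STAFF, date(2024, 3, 15)).items():
        print(uid, "; ".join(reasons))
```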
Continue on with Part Two
Ready to learn more? Don't stop here, read on for part two of this blog series, where we dive into the remaining critical concepts that separate identity management from login syncing tools—centralized administration of digital identities and unifying online authentication.
You can also download our new eBook to learn more about why login syncing tools are "better together" with digital identity management.