Does K12 Education need Identity & Access Management?
YES! Especially in secure and private data storage and management
“I understand that Mr. Jones was no longer supposed to have access to Jimmy’s sensitive and private records but my question is why didn’t you have technology in place to ensure that he didn’t have access or, if you did have such technology, why didn’t it work?”
Picture yourself as a K12 leader in front of a board of inquiry when this question is posed. There is no good answer to it. Not only were laws broken, but people were hurt, time was wasted and reputations were tainted. Identity and Access Management (IAM) technology protects districts, students, teachers and leaders from this type of security breach. IAM is composed of two main applications of security technology that work together: 1. Identity Management and Administration (IdM); and 2. Access Management with Authorization and the associated Federation. These technologies then fit into the supporting applications within the district by managing all of the identity types that use these systems (students, faculty, administration, parents, and contractors). Two systems deserve particular note. The Student Information System (SIS) is usually the main genesis and source of authority for district identity data. The Directory becomes the main reference source that consolidates people for authentication and groups them for the purpose of authorizing access to digital systems, among others.
Identity Management is the foundation of IAM. It provides a single system to manage and administer the user’s lifecycle within the district. As an example, when Sally is enrolled she’ll be entered into the District’s SIS and then will be given accounts, and one or often several usernames and passwords, in a variety of digital applications for administration and academics: the learning management system, an email address, assessment and other edTech. Some of Sally’s teachers like new internet applications for learning and assessment, so she signs up for those as well. Some of these apps will be available on the internet and some will be blended, as when an iPad accesses “Cloud” storage to record and measure Sally’s progress. At the same time Sally’s teacher, Miss T, will also be set up in the SIS, given an email account, one or maybe several usernames and passwords, and access to edTech so she can monitor and maintain Sally’s progress data. Behind the scenes, Access Management authentication and authorization information is being maintained so that Sally and Miss T can log into these applications. Some of the authentication information is stored in the directory and some locally in the applications.
IdM will take care of automatic and reliable creation of Sally’s and Miss T’s accounts in these applications, called “digital resources”. Furthermore, IdM will keep those accounts consistent with the SIS, maintain a single username and password, provide a place for self-service password and identity data management, and remind users of password policies. Maybe most importantly, IdM will automatically remove and restrict Miss T’s access should her employment with the district end, driven by changes in the SIS, by maintaining the authentication information in the resources and in the directory. IdM also provides a central place for the “big red button” to remove all access for a single user in those cases where protection of sensitive and private data must be restricted “on demand”.
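The reconciliation behind that lifecycle, as an added illustration rather than Aegis Identity code: the SIS is treated as the source of authority, each digital resource (directory, LMS, gradebook) is compared against it, and terminated or unknown users are disabled while missing entitled accounts are created. The users, resources and role entitlements are constructed sample data, and the “big red button” is modelled as treating one user as disabled everywhere.

```python
"""Reconcile accounts in district digital resources against the SIS.

Added example, not a vendor implementation. All data below is constructed.
"""

# Constructed SIS extract: the authoritative record of who is who and whether
# they are still active with the district.
SIS = {
    "sally":  {"role": "student", "status": "active"},
    "miss_t": {"role": "teacher", "status": "terminated"},
    "mr_j":   {"role": "teacher", "status": "active"},
}

# Constructed snapshot of accounts that currently exist in each resource.
# "old_sub" has an account but no SIS record at all.
RESOURCES = {
    "directory": {"sally", "miss_t", "mr_j"},
    "lms":       {"sally", "miss_t"},
    "gradebook": {"miss_t", "mr_j", "old_sub"},
}

# Constructed policy: which roles are entitled to which resources.
ENTITLEMENTS = {
    "student": {"directory", "lms"},
    "teacher": {"directory", "lms", "gradebook"},
}


def desired_access(sis, disabled=frozenset()):
    """Map each SIS user to the resources they should hold right now.
    Inactive or emergency-disabled users are entitled to nothing."""
    desired = {}
    for user, record in sis.items():
        if record["status"] != "active" or user in disabled:
            desired[user] = set()
        else:
            desired[user] = set(ENTITLEMENTS.get(record["role"], ()))
    return desired


def reconcile(sis, resources, disabled=frozenset()):
    """Return sorted (action, user, resource) tuples that bring every resource
    in line with the SIS. Accounts with no SIS record are disabled too."""
    desired = desired_access(sis, disabled)
    actions = []
    for resource, accounts in resources.items():
        for user in accounts:                      # present but not entitled
            if resource not in desired.get(user, set()):
                actions.append(("disable", user, resource))
        for user, wanted in desired.items():       # entitled but missing
            if resource in wanted and user not in accounts:
                actions.append(("create", user, resource))
    return sorted(actions)


def big_red_button(sis, resources, user):
    """On-demand revocation: every action needed to cut one user off everywhere."""
    return [a for a in reconcile(sis, resources, {user}) if a[1] == user]
```

Running `reconcile(SIS, RESOURCES)` disables Miss T in all three resources, disables the orphaned `old_sub` account, and creates the LMS account Mr. J is entitled to but lacks; `big_red_button(SIS, RESOURCES, "mr_j")` lists the disables needed to lock him out immediately.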
Historically, the complexity of the technology in the district was manageable with only a few apps. Manual processes and integrated systems handled the management of access and account creation. Now, the rapid proliferation of edTech and other educational management technology has created more complexity, increasing the load on those performing manual processes and increasing the risk of errors, inconsistency and delays. This problem is exacerbated by internet or “Cloud” applications as districts and educators delegate data to these off-site / remote storage locations. These remote repositories of data introduce a perceived loss of control and exposure to the risks of the internet, but those risks are generally misunderstood. Providers of these remote or “Cloud” applications generally have as high or higher security than most districts, because of their contractual responsibilities.
So the exposure is not their security infrastructure as much as it is the authentication and authorization employed to protect the data stored in these systems. In short, only someone with an active login and password and the right authorization or privileges can access the data. If the account information is not up-to-date with the user’s actual authority, then the sensitive data is exposed. So the security exposure is affected less by where the data is stored and most importantly by how access to this data is controlled. This is where IAM secures both the on-site, internal data and the off-site, or “Cloud”, stored data. If IdM instantaneously keeps the access control consistent with the authoritative source and authorization information maintained at the district, and the Access Management system ensures that only those with authorization and active credentials are allowed to see the sensitive information, then the district is secured and privacy assured.
With properly implemented IAM, the board of inquiry will have no leg to stand on because the district will have eliminated access to sensitive and private data instantaneously, regardless of where that data is stored.
Copyright Aegis Identity Software, Inc.