By Michael Webb, CTO, Identity Automation.
In K-12 school districts, one of the most challenging technology conflicts is between productivity and security. Students and staff want quick, reliable access to online resources. They’d rather not be logged off the system every 20 minutes or have to call the IT department to reset passwords. During class especially, teachers don’t want to sacrifice instructional time to troubleshoot login issues.
However, school districts have suffered 1,180 publicly disclosed cybersecurity incidents since 2016, according to the K-12 Cybersecurity Resource Center. These have included denial-of-service attacks that interrupt learning, data leaks that result in identity theft, and ransomware attacks with extortion demands reaching seven figures. When my employer surveyed 100 K-12 technology leaders earlier in 2021, 92% said they had suffered a cyberattack.
To successfully balance productivity and security, K-12 districts need a strategy for access management: the practice of serving valid users while denying access to invalid users. These five pillars of access management work together to help your district achieve that balance.
- Identity Management: instant access to digital resources
In many districts, IT departments manually provision accounts, meaning someone assigns digital resources one user and one service at a time. The process is therefore time-consuming and prone to mistakes. Because deprovisioning is also manual, forgotten “ghost” accounts can become vulnerabilities. Instead, districts should use identity management for automatic account provisioning. Essentially, once a student or staff member is enrolled in a district, the identity management solution automatically provisions their account based on predetermined rules. This immediate, “zero-day access” is productive and secure. And if a student moves or a staff member quits, the identity management solution can automatically deprovision the account.
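The rule-driven provisioning and deprovisioning described above can be sketched as a reconciliation between the enrollment roster and the account directory. This is an added example, not code from the article or any product; the roster fields, group names and entitlement rules are hypothetical, and the data is constructed.

```python
# Constructed sample data: a hypothetical enrollment roster and directory export.
ROSTER = [
    {"id": "S1001", "role": "student", "grade": 3, "status": "enrolled"},
    {"id": "S1002", "role": "student", "grade": 9, "status": "withdrawn"},
    {"id": "T2001", "role": "teacher", "grade": None, "status": "active"},
]
DIRECTORY = {
    "S1002": {"groups": {"lms", "email"}},        # student has since withdrawn
    "T2001": {"groups": {"email"}},               # missing entitlements
    "T1999": {"groups": {"email", "gradebook"}},  # "ghost": no roster record
}
ACTIVE = {"enrolled", "active"}

def entitlements(person):
    """Hypothetical predetermined rules mapping a roster record to groups."""
    if person["role"] == "teacher":
        return {"email", "lms", "gradebook"}
    groups = {"lms"}
    if person["grade"] >= 6:  # assumption: email only from grade 6 up
        groups.add("email")
    return groups

def reconcile(roster, directory):
    """Return the actions that bring the directory in line with the roster."""
    wanted = {p["id"]: entitlements(p) for p in roster if p["status"] in ACTIVE}
    actions = []
    for uid, groups in sorted(wanted.items()):
        current = directory.get(uid)
        if current is None:
            actions.append(("provision", uid, sorted(groups)))
        elif current["groups"] != groups:
            actions.append(("update", uid, sorted(groups)))
    # Any account without an active roster record is removed, including
    # ghost accounts that no longer appear in the roster at all.
    for uid in sorted(directory):
        if uid not in wanted:
            actions.append(("deprovision", uid, []))
    return actions

if __name__ == "__main__":
    for action in reconcile(ROSTER, DIRECTORY):
        print(action)
```

Running the reconciliation on every roster change, rather than on request, is what closes the window in which a departed user's account stays usable.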
- Digital Stewardship: cybersecurity awareness and fundamental skills
Students and staff who learn to be good stewards of their credentials can help protect their learning environment. That starts with passwords. An analysis of 15,212,645,925 publicly leaked passwords found that “123456” is the most popular one. K-12 users must learn how to create strong (i.e., complicated) passwords that aren’t reused on other sites. Ideally, they will use one such password to access all their resources (more on that in the next section). The second most important stewardship skill is how to recognize phishing attacks and vet links for telltale signs, like an unfamiliar domain. “Stay Safe from Phishing and Scams,” part of Google’s Digital Citizenship Course, is a great three-minute primer. Good stewardship, though important, can always use backup.
- Single Sign-On: one login for every resource
Single Sign-On (SSO) is an authentication method that provides access to multiple resources through one web portal. Rather than having multiple usernames and passwords for email, virtual classrooms, and educational content, students and staff use one digital identity to access everything. SSO aids productivity by eliminating repetitive logins and improves security by reducing the total number of credentials that can be compromised. That said, SSO is only as strong as the password safeguarding each username, which leads to the next point.
- Multi-Factor Authentication: verification with multiple, independent credentials
Multi-factor authentication (MFA) is an access management technique that requires two forms of verification – usually, a password and a code sent either by email or SMS. MFA acknowledges that one password, even if it’s strong, can be cracked or leaked. MFA can confuse young students though, especially if it requires complicated passwords and authentication codes. A great MFA solution for elementary schools is to combine pictograph and QR code authentication. With pictograph authentication, each student makes a password composed of three images (often taken from a selection of 36). The login page presents random sets of these images, and the student clicks or taps one image from each set until they choose all three in their password. With QR code badge authentication, the student holds up a unique badge to their device’s built-in camera to verify their identity.
- Credential Monitoring: automated scanning for compromised credentials
If you enter a personal email address into Haveibeenpwned.com, you can see whether any of your usernames, passwords, and personal information have been “pwned,” meaning they are compromised and publicly available. The problem is that in a district with 50,000 students, a manual check like that cannot scale. If someone is pwned, the school has a limited window to block access before bad actors take advantage of that vulnerability. A solution for K-12 districts is to use credential monitoring technology. It’s like Haveibeenpwned.com, but it automatically monitors every set of credentials in the district. It can alert users promptly and give them a link to reset their credentials.
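One way such automated monitoring can work is the hash-prefix lookup used by Have I Been Pwned's Pwned Passwords range API, shown here offline as an added example that is not from the article or any vendor's product. The breach corpus, login events and reset URL are constructed, and checking the password at sign-in time is an assumption.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (password -> times seen); stands in for a breach feed.
BREACH_CORPUS = {"123456": 1000, "password": 500, "Spring2021!": 3}
RESET_URL = "https://sso.district.example/reset"  # hypothetical placeholder

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Breach-service side: bucket hashes by 5-char prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index

def breach_count(password, index):
    """District side: only the 5-char prefix selects the bucket; the suffix
    is compared locally, so the full hash never has to leave the district."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)

def monitor(logins, index, threshold=1):
    """Return one alert per account whose password appears in the corpus."""
    alerts = []
    for username, password in logins:
        seen = breach_count(password, index)
        if seen >= threshold:
            alerts.append({"user": username, "seen": seen, "reset": RESET_URL})
    return alerts

# Constructed login events (username, password presented at sign-in).
LOGINS = [("jdoe", "123456"),
          ("asmith", "correct horse battery staple 7!"),
          ("finance-admin", "Spring2021!")]

if __name__ == "__main__":
    for alert in monitor(LOGINS, build_range_index(BREACH_CORPUS)):
        print(alert)
```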
Redundancy is the Key
Access management works best with redundancies. If an administrator in finance is pwned, for instance, credential monitoring and multi-factor authentication can prevent that breach from becoming a costly incident. Backup layers allow access to be quick and productive without jeopardizing security. The integrity of the digital learning environment should never rest on one pillar.
Ready or not, K-12 school districts will be targets of cybercrime for the foreseeable future. However, with the right access management strategy in place, students and staff can focus on what matters most: learning.