Jan 30 2024

Eye on Zero Trust: How to Implement Identity and Access Management in K–12 Schools

By tackling IAM practices such as multifactor authentication, biometrics and passwordless access, K–12 schools can follow zero-trust principles.

Developed in 2009 by former Forrester Research analyst John Kindervag, the zero-trust security model revolves around the motto “never trust, always verify.” It is an evolving methodology in cybersecurity that governs user access to data and networks.

“Zero trust really comes down to: Are you who you say you are, and are you where you are supposed to be?” says Gary Lackey, director of cybersecurity at Goose Creek Consolidated Independent School District in Baytown, Texas.

In an industry where many end users are minors, K–12 CTOs and IT directors rarely refer to zero trust. Schools lack full zero-trust strategies because of budget limitations and a misunderstanding of what the methodology means, according to Lackey.

“Many people may not want to rock the boat, but I think a lot of it comes down to either not having the funds or not having the personnel to really manage these solutions and configure them the way they should be,” he says.

Even if a school system isn’t fully implementing zero trust, it can turn to tangential strategies such as identity and access management, which consists of access policies to connect apps, devices and data, as well as verification of user identity. IAM solutions include Cisco Duo and Microsoft Entra ID (formerly Azure Active Directory). Schools frequently use IAM practices such as single sign-on and multifactor authentication.


Zero trust is a key strategy behind IAM, explains Jerry Chapman, leader of the Beyond Best Practices group at the Identity Defined Security Alliance and a member of the organization’s Customer Advisory Board.

“You’re explicitly defining who has access to that door and who can get through that door in the concrete wall,” Chapman says. “That effectively is how you would join identity and access management to zero trust, which is an overarching cybersecurity conversation.”

Student Identity Verification in Schools Goes Beyond Passwords

Although passwords are still a part of access management, they are not ideal, Lackey says. IAM allows K–12 environments to adopt alternatives to passwords, which can be difficult for young students to remember, he adds.

“You really don’t need a password if you satisfy all the requirements of incident, identity and access management,” Lackey says. “If you have a password, that means it can be stolen, and someone else can use it. But if there are other aspects of it, they can’t replicate that as easily.”

In fact, stolen credentials cause 86 percent of breaches, according to the Verizon 2023 Data Breach Investigations Report.


“In identity and access management, the biggest hurdle that we’ve had for years is passwords,” Chapman says. “From a K–12 perspective, moving quickly and immediately to a passwordless scenario will help enhance the experience for the users.”

Identity and Access Management Best Practices That K–12 Schools Can Follow

In corporations, smartphones are a common component of multifactor authentication, but young children may not have smartphones. Chapman says that IT leaders should expect to see more complex MFA from middle school onward, with the use of smartphone MFA becoming more of a fixture in high school. School districts can use other methods, such as an icon or a picture, to help students log in, Lackey says.

The challenge for K–12 environments is balancing unhindered access to school lessons with robust IAM. Lackey notes that the population of 24,000 students at Goose Creek CISD is too large for faculty and staff to help students recover forgotten passwords. The district strikes a balance by pushing out tablets for students, so they do not have to use MFA if they are on the school district’s Wi-Fi network, he says. “You don’t want to go in and put the restrictions on everything, but you also don’t want to leave everything wide open, so there’s definitely a balance there,” he explains.


However, when Goose Creek CISD students bring their tablets home, they must use multifactor authentication to get on the network, Lackey says. For MFA, Goose Creek uses Microsoft IAM, and faculty log on using USB keys.

Here are other best practices K–12 IT directors should consider when implementing IAM:

Deploying virtual local area networks: VLANs consist of groups of computers and servers that appear to be connected to a single network, but they are separate. VLANs bring cost savings because schools can implement security without paying for an additional tool, Lackey says.

Using time-of-day tracking: Monitoring when people log in is a useful form of IAM because administrators can gauge whether the access time fits within a user’s pattern, Lackey explains.

Layering artificial intelligence on top of IAM: IAM products that schools are already using will incorporate AI to make IAM more efficient, according to Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.

“A lot of software and security product vendors are implementing AI within their systems to make decisions about anomalous logins,” Steinhauer explains. AI can help school IT administrators flag if a user is logging in from physically within the school building and then logging in from another country shortly after, for example.

Testing access permissions: Establish baselines of normal accessibility and perform regular auditing and monitoring, Steinhauer advises. In addition, he suggests checking the connections between a single sign-on service such as Okta and other providers to make sure the links are legitimate.

“You can manage that access directly in the single sign-on tool so that you’re making sure the access is what it’s supposed to be for that user,” Steinhauer says. “You just have different groups like you would with Active Directory in an environment. You can do the same thing through a single sign-on service.”

Using biometrics: If young students are unable to use smartphones to authenticate their accounts, they can use biometric technology such as face ID and fingerprints, Steinhauer advises.

Leveraging near-field communication: Student and faculty IDs can incorporate near-field communication to allow them to tap into a laptop. Most students have IDs, Steinhauer says.
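The time-of-day tracking and anomalous-login checks described in the list above can be sketched as two simple rules run over sign-in records. This is an added example, not code from the article or from any IAM vendor: the event format, the user names, the thresholds and the `detect` function are all assumptions, and the rules are a plain stand-in for the AI models vendors ship.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (user, ISO timestamp, country); not real data.
EVENTS = [
    ("student01", "2024-01-22T08:05:00", "US"),
    ("student01", "2024-01-23T09:40:00", "US"),
    ("student01", "2024-01-24T14:55:00", "US"),
    ("student01", "2024-01-25T02:30:00", "US"),   # far outside usual hours
    ("teacher07", "2024-01-22T07:30:00", "US"),
    ("teacher07", "2024-01-23T16:10:00", "US"),
    ("teacher07", "2024-01-24T15:45:00", "US"),
    ("teacher07", "2024-01-24T16:20:00", "RO"),   # new country 35 minutes later
]

MIN_HISTORY = 3                      # assumed: sign-ins needed before a baseline is trusted
HOUR_SLACK = 1                       # assumed: tolerance (hours) around the usual range
TRAVEL_WINDOW = timedelta(hours=2)   # assumed: what counts as "shortly after"

def detect(events):
    """Return (user, timestamp, reason) alerts for sign-ins that break a user's pattern."""
    hours = defaultdict(list)   # user -> hours of day of earlier, unflagged sign-ins
    last = {}                   # user -> (time, country) of the previous sign-in
    alerts = []
    for user, ts, country in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        flagged = False
        seen = hours[user]
        # Rule 1: time of day outside the range this user normally signs in.
        if len(seen) >= MIN_HISTORY:
            lo, hi = min(seen) - HOUR_SLACK, max(seen) + HOUR_SLACK
            if not lo <= when.hour <= hi:
                alerts.append((user, ts, "unusual-hour"))
                flagged = True
        # Rule 2: a different country too soon after the previous sign-in.
        if user in last:
            prev_when, prev_country = last[user]
            if country != prev_country and when - prev_when <= TRAVEL_WINDOW:
                alerts.append((user, ts, "country-change"))
                flagged = True
        if not flagged:
            seen.append(when.hour)  # only normal sign-ins extend the baseline
        last[user] = (when, country)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Flagged sign-ins are kept out of the baseline so that a compromised account cannot widen its own "normal" hours.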

Advancing Cybersecurity Education in Schools

Educating teachers, staff and students will be critical for implementing effective IAM. When users understand the reasons behind the security measures, as well as the threats they face, they are more likely to follow them, Steinhauer says. This education involves training videos that teach K–12 users how to keep themselves safe online.

“I think giving people the why is a good way to motivate them to continue to do things right and not try to go around the guardrails that are in place,” Steinhauer says.
