“In identity and access management, the biggest hurdle that we’ve had for years is passwords,” Chapman says. “From a K–12 perspective, moving quickly and immediately to a passwordless scenario will help enhance the experience for the users.”
Identity and Access Management Best Practices That K–12 Schools Can Follow
In corporations, smartphones are a common component of multifactor authentication, but young children may not have smartphones. Chapman says that IT leaders should expect to see more complex MFA from middle school onward, with the use of smartphone MFA becoming more of a fixture in high school. School districts can use other methods, such as an icon or a picture, to help students log in, Lackey says.
The challenge for K–12 environments is balancing unhindered access to school lessons with robust IAM. Lackey notes that the population of 24,000 students at Goose Creek CISD is too large for faculty and staff to help students recover forgotten passwords. The district strikes a balance by pushing out tablets for students, so they do not have to use MFA if they are on the school district’s Wi-Fi network, he says. “You don’t want to go in and put the restrictions on everything, but you also don’t want to leave everything wide open, so there’s definitely a balance there,” he explains.
DISCOVER: Schools must focus on people, processes and technology in cybersecurity.
However, when Goose Greek CISD students bring their tablets home, they must use multifactor authentication to get on the network, Lackey says. For MFA, Goose Creek uses Microsoft IAM, and faculty log on using USB keys.
Here are other best practices K–12 IT directors should consider when implementing IAM:
Deploying virtual local area networks: VLANs consist of groups of computers and servers that appear to be connected to a single network, but they are separate. VLANs bring cost savings because schools can implement security without paying for an additional tool, Lackey says.
Using time-of-day tracking: Monitoring when people log in is a useful form of IAM because administrators can gauge whether the access time fits within a user’s pattern, Lackey explains.
Layering artificial intelligence on top of IAM: IAM products that schools are already using will incorporate AI to make IAM more efficient, according to Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.
“A lot of software and security product vendors are implementing AI within their systems to make decisions about anomalous logins,” Steinhauer explains. AI can help school IT administrators flag if a user is logging in from physically within the school building and then logging in from another country shortly after, for example.
Testing access permissions: Establish baselines of normal accessibility and perform regular auditing and monitoring, Steinhauer advises. In addition, he suggests checking the connections between a single sign-on service such as Okta and other providers to make sure the links are legitimate.
“You can manage that access directly in the single sign-on tool so that you’re making sure the access is what it’s supposed to be for that user,” Steinhauer says. “You just have different groups like you would with Active Directory in an environment. You can do the same thing through a single sign-on service.”
Using biometrics: If young students are unable to use smartphones to authenticate their accounts, they can use biometric technology such as face ID and fingerprints, Steinhauer advises.
Leveraging near-field communication: Student and faculty IDs can incorporate near-field communication to allow them to tap into a laptop. Most students have IDs, Steinhauer says.
Advancing Cybersecurity Education in Schools
Educating teachers, staff and students will be critical for implementing effective IAM. When users understand the reasons behind the security measures, as well as the threats they face, they are more likely to follow them, Steinhauer says. This education involves training videos that teach K–12 users how to keep themselves safe online.
“I think giving people the why is a good way to motivate them to continue to do things right and not try to go around the guardrails that are in place,” Steinhauer says.
UP NEXT: The National Cybersecurity Alliance’s executive director tackles phishing.