Oct 22 2024
Security

How Effective User Lifecycle Management Keeps K–12 Data Safer

A modern identity management strategy can ensure smooth provisioning, updates and deprovisioning.

Like many organizations, technology teams in K–12 are the gatekeepers that make it possible for students and employees to access the tools they need to do their schoolwork or their jobs.

Proper user lifecycle management can ensure that teachers, staff and students won’t have to worry about not having access to Microsoft Outlook or their Google Workspace for Education documents.

And with school technology leaders reporting that data privacy and security is their second biggest concern, user lifecycle management can either support or hinder K–12 institutions’ cybersecurity efforts.


What Is User Lifecycle Management?

In schools, user lifecycle management, also known as identity lifecycle management, essentially consists of three steps: provisioning, maintaining and deprovisioning user accounts for staff, administrators and students.

IT often begins the user lifecycle management process by adding a new employee or a new student to a school’s identity governance application, such as Okta or Microsoft Entra.

The application then provides scripts that will help create the account in the system. This includes creating an email address and adding all necessary permissions. The goal is to make the process seamless by creating those new accounts from day one.

Technology teams should also consider how authentication impacts physical security.

Often, different systems don't talk to each other, leading to hiccups for users. For example, if I didn't tell the person who issues badges that a new account is active, then that new user couldn’t even get into the school building. Having your identity management system chat with connected applications, including badge issuance, makes life so much easier.


What Are the Stages of User Lifecycle Management?

In schools, the user lifecycle is a key process. A user can be school staff, administrators or students. User lifecycle management is the process of onboarding and enrolling new users or transferring and terminating user accounts. Onboarding consists of user creation, which includes access provisioning, device management and often physical access. Transfers include data management aspects, such as adding or removing a user’s access in connection with a job change within the school. Finally, termination involves offboarding or deprovisioning, in which IT disables access to user accounts in a timely fashion.

How Automated Identity Management Provides Access to Resources

After granting a new user identity and access privileges, schools will need to maintain and possibly adjust the associated user information on an ongoing basis.

Manually handling each user’s access changes can introduce human error. However, automated identity management solutions that allow schools to predefine access-related rules and workflows can help prevent such issues. Automation can also ensure the latest security measures are in place via patches and other updates.


Automated role-based access control may be particularly helpful for schools with a small IT staff that find it challenging to provide access manually.

If IT staff members know that a user has a certain attribute, such as a job change from assistant principal to principal, they can bake in automation to give access to a specific bundle of permissions. That can save a lot of time, and IT doesn’t have to worry about it on a day-to-day basis. That's the advantage of having a well-oiled user lifecycle management process.

However, school technology teams should pay attention to which additional applications employees will use in a new position, as well as any they’ll no longer need.

You often will give somebody more rights as they go up the chain, but you also have to think about removing access. We only want to give people access to what they need to do their job, and nothing more.
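The job-change case above, worked through as an added example that is not from the article or from any identity product: a role change is planned as three lists (grant, revoke, review) so that access from the old role is removed rather than accumulated. The role names, permission names and the `plan_role_change` helper are constructed for illustration.

```python
# Constructed role bundles: each role maps to the permissions it needs.
ROLE_BUNDLES = {
    "assistant_principal": {"email", "sis_read", "discipline_records",
                            "bus_duty_roster"},
    "principal": {"email", "sis_read", "discipline_records",
                  "staff_evaluations", "budget_approval"},
}


def plan_role_change(held, old_role, new_role, bundles=ROLE_BUNDLES):
    """Return the grants, revokes and manual-review items for a job change."""
    if old_role not in bundles or new_role not in bundles:
        # An unmapped role gets no automatic access; someone must define it.
        raise ValueError("unknown role; refusing to guess at permissions")
    old, new = bundles[old_role], bundles[new_role]
    held = set(held)
    return {
        # Needed for the new job and not yet held.
        "grant": sorted(new - held),
        # Held because of the old role and not part of the new one: remove.
        "revoke": sorted((held & old) - new),
        # Held but in neither bundle: a one-off grant someone must justify.
        "review": sorted(held - old - new),
    }


if __name__ == "__main__":
    # Constructed sample: what this user holds today in the directory.
    held = {"email", "sis_read", "discipline_records",
            "bus_duty_roster", "payroll_export"}
    plan = plan_role_change(held, "assistant_principal", "principal")
    for action, items in plan.items():
        print(f"{action:7} {', '.join(items) or '-'}")
```

The "review" list is where permission creep shows up: anything a user holds that no role bundle explains should be confirmed or removed by a person.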


Strengthening User Lifecycle Management Helps Thwart Threats

If a bad actor tries to exploit system weaknesses, such as a lack of multifactor authentication, then an active account for a user who’s no longer working at the school could provide a point of entry.

Employee departures can pose a similar risk. For example, when someone gives two weeks’ notice, a school official can designate that in the system, initiating a chain of actions that includes disabling the employee’s account on a certain date.

IT can use that as a trigger to kick off that automation. Whatever identity system they are using to manage access will disable every access capability the person has. It may also send an email to the respective parties that says “This has been done” or “Here’s a look at people who have been terminated,” and authorized parties can verify if the information is correct.


Well-defined, swift user lifecycle management practices can be critical if an employee decides to leave suddenly or is let go without much warning — and isn’t happy about it.

There have been cases where people have been fired and their companies didn’t immediately terminate the account, allowing these employees to go back into their accounts when they got home to grab or remove data.

They might then place unauthorized data on the internet or jump on the school’s messaging tool to bad-mouth people. IT needs to make sure the process is set so that after an employee’s last day working with the school, he or she can no longer access school accounts.
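One way to verify that offboarding actually happened, as an added example that is not from the article: compare HR departure dates against a directory export and report accounts still enabled after the last day, sign-ins after the last day, and enabled accounts nobody in HR can account for. All usernames, dates, field names and the `audit_offboarding` helper are constructed.

```python
from datetime import date, datetime

# Constructed sample data: HR departures, current staff, directory export.
HR_DEPARTURES = {"jdoe": date(2024, 10, 4), "asmith": date(2024, 10, 18)}
ACTIVE_STAFF = {"mlee"}
DIRECTORY = [
    {"user": "jdoe", "enabled": True,
     "last_sign_in": datetime(2024, 10, 6, 21, 14)},
    {"user": "asmith", "enabled": False,
     "last_sign_in": datetime(2024, 10, 17, 15, 2)},
    {"user": "mlee", "enabled": True,
     "last_sign_in": datetime(2024, 10, 21, 8, 30)},
    {"user": "tempsub7", "enabled": True, "last_sign_in": None},
]


def audit_offboarding(directory, departures, active_staff, today):
    """Return (user, finding) pairs for accounts that need follow-up."""
    findings = []
    for acct in directory:
        user = acct["user"]
        last_day = departures.get(user)
        seen = acct["last_sign_in"]
        if last_day is None:
            # No departure on file: the account must belong to current staff.
            if user not in active_staff and acct["enabled"]:
                findings.append((user, "enabled account with no HR record"))
            continue
        if last_day >= today:
            continue  # still working out the notice period
        if acct["enabled"]:
            findings.append((user, "still enabled after last day"))
        if seen is not None and seen.date() > last_day:
            findings.append((user, "sign-in after last day"))
    return findings


if __name__ == "__main__":
    report = audit_offboarding(DIRECTORY, HR_DEPARTURES, ACTIVE_STAFF,
                               today=date(2024, 10, 22))
    for user, finding in report:
        print(f"{user:10} {finding}")
```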

Generally, K–12 schools can benefit from thoroughly examining the steps in their user lifecycle management process to determine where problems may exist — such as a specific team not being told when a staff member exits — and then devising another plan, if needed.

The biggest gap when it comes to identity management is communication. That's why tabletop exercises are very important. They allow IT to go through a test run on a process, from start to finish, to make sure it works. If it doesn't, they should refine it and test it again.
