Oct 22 2024

How Effective User Lifecycle Management Keeps K–12 Data Safer

A modern identity management strategy can ensure smooth provisioning, updates and deprovisioning.

Like many organizations, technology teams in K–12 are the gatekeepers who make it possible for students and employees to access the tools they need to do their schoolwork or their jobs.

Proper user lifecycle management can ensure that teachers, staff and students won’t have to worry about not having access to Microsoft Outlook or their Google Workspace for Education documents.

And with school technology leaders reporting that data privacy and security is their second biggest concern, user lifecycle management can either support or hinder K–12 institutions’ cybersecurity efforts.


What Is User Lifecycle Management?

In schools, user lifecycle management (also known as identity lifecycle management) essentially consists of three steps: provisioning, maintaining and deprovisioning user accounts for staff, administrators and students.

IT often begins the user lifecycle management process by adding a new employee or a new student to a school’s identity governance application, such as Okta or Microsoft Entra.

The application then provides scripts that can help establish an account in the system. This includes creating an email address and adding all necessary permissions. The goal is to make the process seamless by standing up those new accounts from day one.

Technology teams should also consider how authentication impacts physical security.

Often, different systems may not 'talk' to each other, leading to hiccups for users. For example, if I don't tell the person who issues badges that a new account is active, then that new user won't be able to get into the school building. Having your identity management system chat with connected applications, including badge issuance, makes life so much easier.


What Are the Stages of User Lifecycle Management?

In schools, the user lifecycle is a key process. A user can be a staff member, an administrator or a student. User lifecycle management is the process of onboarding and enrolling new users and transferring or terminating user accounts. Onboarding consists of user creation, which includes access provisioning, device management and, often, physical access. Transfers include data management aspects, such as adding or removing a user's access after a job change within the school. Finally, termination involves offboarding or deprovisioning, which disables a user's access to accounts in a timely fashion.

Why Automate Identity Management?

After granting a new user identity and access privileges, schools will need to maintain and possibly adjust the associated user information as that person's role and status change.

Manually handling each user’s access changes can introduce error. However, automated identity management solutions that allow schools to predefine access-related rules and workflows can help prevent such issues. Automation can also ensure the latest security measures are in place via patches and other updates.


Automated role-based access control may be particularly helpful for schools with a small IT staff that find it challenging to provide access manually.

If IT staff members know that a user has a certain attribute, such as a job change from assistant principal to principal, they can bake in automation to give access to a specific bundle of permissions. That could save a lot of time, and IT doesn’t have to worry about it on a daily basis. That's the advantage of having a well-oiled user lifecycle management process.

However, school technology teams should pay attention to which additional applications employees will use in a new position, as well as any they’ll no longer need.

Often, users are given more rights as they move up the chain, but it’s sometimes necessary to remove access too. People should have access only to what they need to do their job and nothing more.
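The role-change rule described above can be expressed as a small planning function. This is an added example, not code from the article or from any identity product; the role names, entitlement strings and the `plan_role_change` function are constructed for illustration.

```python
# Constructed role-to-entitlement bundles; every name here is illustrative.
ROLE_BUNDLES = {
    "teacher": {"email", "lms:instructor", "gradebook:write"},
    "assistant_principal": {"email", "sis:discipline", "gradebook:read",
                            "badge:admin_wing"},
    "principal": {"email", "sis:discipline", "sis:staff_records",
                  "budget:approve", "badge:admin_wing"},
}


def plan_role_change(held, old_role, new_role, exceptions=frozenset()):
    """Plan a transfer as three sets: (grant, revoke, review).

    grant  - entitlements in the new role's bundle the user does not hold yet
    revoke - entitlements held because of the old role that the new role
             does not include
    review - entitlements explained by neither bundle nor an approved
             exception, i.e. access accumulated over earlier moves
    """
    for role in (old_role, new_role):
        if role not in ROLE_BUNDLES:
            # Fail closed: an unknown role must not silently grant or keep access.
            raise ValueError(f"no bundle defined for role {role!r}")
    held = set(held)
    old_bundle, new_bundle = ROLE_BUNDLES[old_role], ROLE_BUNDLES[new_role]
    grant = new_bundle - held
    revoke = (held & old_bundle) - new_bundle
    review = held - old_bundle - new_bundle - set(exceptions)
    return grant, revoke, review


if __name__ == "__main__":
    # Constructed case: an assistant principal who still holds an LMS
    # instructor entitlement from an earlier teaching job is promoted.
    held_now = ROLE_BUNDLES["assistant_principal"] | {"lms:instructor"}
    grant, revoke, review = plan_role_change(
        held_now, "assistant_principal", "principal")
    print("grant :", sorted(grant))
    print("revoke:", sorted(revoke))
    print("review:", sorted(review))
```

Treating the `review` set as a queue for a human decision keeps leftover access from earlier positions visible instead of letting it ride along with each promotion.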


How Does User Lifecycle Management Affect Cybersecurity?

If a bad actor tries to exploit system weaknesses, such as a lack of multifactor authentication, then an active account for a user who’s no longer working at the school could provide a point of entry.

Employee departures can pose a similar risk. For example, when someone gives two weeks’ notice, a school official can designate that in the system, initiating a chain of actions that includes disabling the employee’s account on a certain date.

IT can use that as a trigger to kick off that automation. Whatever identity system they are using to manage access will disable every access capability the person has. It may also send an email to the respective parties that says “This has been done” or “Here’s a look at people who have been terminated,” and authorized parties can verify if the information is correct.
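The verification step mentioned above can be checked independently of the automation that performs the disabling. The following added example (not from the article or any vendor tool) compares constructed HR departure dates against constructed account records from several connected systems and reports accounts that are still enabled, or were used, after the person's last day; the field names and the `audit_offboarding` function are assumptions.

```python
from datetime import date, datetime

# Constructed sample data: HR last-day records and per-system account state.
HR_DEPARTURES = {
    "jdoe": date(2024, 10, 18),
    "asmith": date(2024, 10, 31),
    "blee": date(2024, 10, 1),
}
ACCOUNTS = [
    {"user": "jdoe", "system": "directory", "enabled": True,
     "last_sign_in": datetime(2024, 10, 20, 21, 14)},
    {"user": "jdoe", "system": "badge", "enabled": False, "last_sign_in": None},
    {"user": "asmith", "system": "directory", "enabled": True,
     "last_sign_in": datetime(2024, 10, 21, 8, 2)},
    {"user": "blee", "system": "directory", "enabled": False,
     "last_sign_in": datetime(2024, 9, 30, 15, 0)},
    {"user": "blee", "system": "messaging", "enabled": True, "last_sign_in": None},
]


def audit_offboarding(departures, accounts, today):
    """Return one finding per account that outlived its owner's last day."""
    findings = []
    for acct in accounts:
        last_day = departures.get(acct["user"])
        if last_day is None or last_day >= today:
            continue  # no departure on record, or the last day has not passed
        seen = acct["last_sign_in"]
        used_after = seen is not None and seen.date() > last_day
        if acct["enabled"] or used_after:
            findings.append({
                "user": acct["user"],
                "system": acct["system"],
                "still_enabled": acct["enabled"],
                "used_after_last_day": used_after,
            })
    return findings


if __name__ == "__main__":
    for f in audit_offboarding(HR_DEPARTURES, ACCOUNTS, today=date(2024, 10, 22)):
        print(f)
```

Checking every connected system separately matters because a disabled directory account does not prove that badge or messaging access was removed as well.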


Well-defined, swift user lifecycle management practices are critical if an employee decides to leave suddenly or is let go without much warning — and isn’t happy about it.

There have been cases where people were fired and their companies didn’t immediately terminate their access, allowing these employees to go back into their accounts when they got home to grab or remove data.

They might then place unauthorized data on the internet or jump on the school’s messaging tool to bad-mouth people. IT needs to make sure the process is set so that after an employee’s last day working with the school, he or she can no longer access school accounts.

Generally, K–12 schools can benefit from thoroughly examining the steps in their user lifecycle management process to determine where problems may exist — such as a specific team not being told when a staff member exits — and then adjusting the plan as needed.

The biggest gap when it comes to identity management is communication. That's why tabletop exercises are very important. They allow IT staff members to go through a test run on a process, from start to finish, to make sure it works. If it doesn't, they should refine it and test it again.
