Securing Nonhuman Identities in K–12 Schools

In K–12 environments, an NHI might be used by a system that updates student information across different platforms or a script that automates teacher account provisioning. 

Another example: shadow AI that teachers and students use on school infrastructure. These tools may use AI agents and “introduce new machine identities that IT is not aware of,” says Sitaram Iyer, CyberArk’s area vice president of emerging technologies and global architects. 

AI agents are a more technologically advanced category of NHIs. These “increasingly autonomous systems” operate more independently, a CyberArk blog explains. 

The Security Risks of Nonhuman Identities

NHIs have deep access to critical systems and sensitive data, which can leave schools vulnerable to cyberattacks. Additionally, as essential pieces of a school’s digital system, NHIs can be taken for granted or overlooked. This — along with the sheer number of NHIs that are constantly shifting in the wake of staff turnover and student matriculation — makes them a common security risk, Iyer explains. 

“Once compromised, these identities can be used to move laterally across an environment without raising the typical security alerts associated with human activity,” he says. “This creates a perfect storm of risk, as they are a high-value target that is often under-prioritized in post-breach investments.”

While securing NHIs is a core part of identity and access management (IAM), schools should be aware that traditional IAM best practices tend to be “insufficient for securing machine identities,” says Iyer. 

While human users rely on passwords, biometrics and multifactor authentication, NHIs use different automated methods, such as cryptographic keys and digital certificates, which can require specialized security solutions. 

RELATED: Secure artificial intelligence tools within your K–12 digital environment.

Ways To Reduce NHI Security Risks in Schools

Small steps — such as tracking accounts, limiting access and rotating passwords — can go a long way in keeping schools secure, says Ryan Gifford, a senior research analyst at Cloud Security Alliance.

“The risks associated with nonhuman identities are exactly the same as those with human ones; the key difference is familiarity,” says Quint Van Deman, senior principal in the Office of the CISO at Amazon Web Services (AWS). To manage this risk, IT leaders need to devote time and training to ensuring school staff know how to securely work with NHIs.

Most users today are aware that they shouldn’t give out their login credentials, but it might not be as obvious that an API key or an access key — which are used by nonhuman identities — are also types of login credentials. This unfamiliarity can lead to poor cybersecurity practices and exploited vulnerabilities.

The same holds true for permissions. As a security best practice, human users should only be granted the permissions necessary to get their jobs done. “The same approach needs to be taken with nonhuman identities, iterating toward least privilege through regular reviews and access analysis automation,” Deman says.

The tools and processes used to assess human identity risks in schools should also apply to nonhuman identities. Ideally, schools should also provide blueprints and training for staff who deal with nonhuman identities to minimize risk.

Conduct an NHI Risk Assessment and Manage User Permissions

Schools can start assessing risk by taking inventory of every nonhuman account, says Gifford. This includes service accounts, device logins and application integrations, as well as what systems they access.

Then, IT professionals should review who owns these accounts, what privileges they have and whether they follow least privilege. The biggest red flags are unused, shared or never-rotated nonhuman accounts. Every audit should ensure the identities on the school’s network are appropriate and up to date.

Iyer recommends these best practices for K–12 schools securing NHIs:

• Implement the principle of least privilege. Grant each machine and human identity only the permissions necessary to perform its specific task. Access should be role-based and tied to a specific function.
• Automate credential management. Use a secrets management system to protect sensitive credentials such as API keys and certificates. Automate the rotation of these credentials to prevent them from becoming stale and exploitable. Avoid hard-coding credentials directly into applications.
• Manage the full lifecycle. Establish policies for the entire lifecycle of a machine identity, from automated provisioning to secure decommissioning. This is essential to prevent orphaned accounts, which are an easy target for attackers. Without the processes to expire, rotate and audit these identities, schools can run into the challenge of identity sprawl.
• Monitor continuously. Monitor the behavior of machine identities to detect unusual activity or potential threats.
• Ensure data privacy and compliance. AI agents interact with personally identifiable information, educational records and other sensitive K–12 data. Machine identities need governance that ensures agents don’t send data to external large language models.

For critical systems, implementing just-in-time access can also be an effective way to grant permissions for a specific task and limited time period. This ensures access is automatically revoked afterward.

UP NEXT: Managed security services reduce complexity to ensure robust cyber protection.