Oct 04 2017
Security

Cloud-Based Services Ease User Onboarding and Offboarding

Learn about services to automate and expedite user management that also address IT operational and security challenges.
Karen Scarfone
by

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

When a new school year begins, IT teams issue laptops and tablets to thousands of students, teachers, vendor partners and others, along with numerous applications, user IDs and passwords.

Throughout the school year, people come and go; devices are lost, stolen or stop working; and passwords are forgotten. Then, at the end of the school year, laptops and tablets must be deprovisioned and account privileges revoked for the summer. All of these events require district and school tech staff to jump into action.

The greatest hurdle for any K–12 IT staff is the sheer amount of work they do, especially at the beginning and the end of a school year. It’s important to handle all issues quickly to ensure everyone can access the data and applications they need, when they need them.

Outside of operational demands, there are multiple security requirements, from safeguarding student records and personal information to protecting students’ and teachers’ work files.

SIGN UP: Get more news from the EdTech newsletter in your inbox every two weeks!

Cloud Brings Speed to the Enrollment Process

Cloud-based services can help automate and expedite a great deal of this work, by addressing the operational and security challenges inherent in onboarding and offboarding users. These include Identity as a Service (IDaaS) and cloud-based enterprise identity and access management (IAM) services.

What follows is an overview of three popular offerings and the ways that IT teams can make the most of them.

Single Sign-On Simplifies Passwords

Automated, centralized management for user accounts, identification and authentication services provide single sign-on access to apps, websites and other resources.

SSO tools require users to authenticate only once, after which the service automatically provides all necessary usernames, passwords and other credentials behind the scenes — greatly simplifying things for users. It also removes a management burden: The IT staff no longer must help everyone remember, recover and reset passwords.

An SSO capability enables stronger security because it automatically sets a unique complex password for each app and website, and then rotates passwords frequently. That makes it more difficult for an unauthorized person to gain access illicitly.

SSO services also can make use of multifactor authentication systems quickly and at little expense. Although multifactor authentication may not be necessary for all users, it makes sense to consider it for SSO administrators and any users with access to highly sensitive data, such as academic records or personnel files.

Control Access with Authorization Services

Centralized identification, authentication capabilities and authorization services come with robust, granular authorization features. Authorization policies (which make up a large part of access control) restrict the devices, apps, websites, folders and other resources that users can access, along with the forms of permitted access.

Districts should look for a strong service that offers a single entry point for controlling access to nearly all apps, no matter where an application is hosted. This makes provisioning a snap and gives IT teams the ability to immediately revoke user access to resources whenever needed.

Synchronized Directory Services Keep Records Straight

IDaaS and cloud-based enterprise IAM services usually offer synchronization with existing enterprise directory services such as Active Directory and the Lightweight Directory Access Protocol (LDAP).

Synchronization can be quite beneficial: Suppose basic information on each student — such as first name, last name and grade — is already maintained in Active Directory. IDaaS and cloud-based enterprise IAM services can automatically fetch that information and use it to create usernames, synchronize passwords, and determine and set group memberships, resource authorizations and more. When directory information is revised, changes automatically sync to the IDaaS or IAM service so authorizations and other security characteristics remain current.

Directory service synchronization can also be established in the opposite direction, from the IDaaS or IAM service to the directory service. This provides much more flexibility in identity, authentication and authorization management.

For example, a school district could add an IDaaS or IAM service to complement an existing Active Directory implementation. Initially, Active Directory would be the primary source of user information. But, over time, the IT team could make Active Directory the secondary source, and use its IDaaS or IAM interface to manage updates to user information and policies.

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now