identity and access management in education - common issues and how to mitigate them

identity and access management in educationCommon Issues And How To Mitigate Them

IDENTITY AND ACCESS MANAGEMENT IN EDUCATION

2© 2016 Tools4ever All Rights Reserved | www.tools4ever.com

table of contents

Why IT Solutions are Important- and Not Just in The Classroom 3Common IT Issues-What Challanges are Education Entities Facing 4

1. Managing The Busy Season 52. Working Outside The School Network 63. Overload of Calls To The Helpdesk 6

Are You Familiar With Identity And Access Management 7How Can IAM Solutons Help The Education Industry 8Single Sign On 10Password Reset 11What Are The Misconceptions Education Entities Have About IAM 12

IAM Is Too Expensive 12We Need To Focus On The Classroom 13Automation May Hamper Security 13

A Quick Look At Hour Several Schools Are Using IAM Solutions 14Password Solutions 15

What Does Future IAM Technology Look Like For The Education Market 16

www.tools4ever.com



why it solutions are important- and not just in the classroomThere are many new solutions and technology to assist in the classroom with the learning process. Everything from new age white boards to telepresence robots who stand in for teachers. What many districts and colleges don’t think about though, is the technology needed behind the scenes. Proper structure and guidelines must be in place for user account and password management in order for these classroom technologies to work properly, and for schools to get the most out of them.

For example, when new technologies are implemented for students to use, such as a new e-learning applications or devices like Chromebooks, the IT department needs to sort out and deal with challenges related to managing the accounts for these technologies. Until the user management challenges are resolved, the technology is left idle. If IT teams are resource challenged, and who isn’t these days, this type of setup can require weeks or even months to accomplish.

Security is a major benefit of Single Sign-On solutions, and it is the duty of an organization’s IT department to ensure the the security of the network, applications and access to the data. This is only one small example of the challenges being faced. Let’s dig further and take a look at a few more common issues that many educational entities are facing behind the scenes. Some of these may be all too familiar to you, but the good news is, there are solutions that can help.



common it issues - what it challenges areeducation entities are facing?

Managing the user account lifecycle is a serious challenge for most schools. These issues are stressful for not only system administrators, but also for end users.

Without automated systems for user account management in place, instead of focusing on technology in the classroom, system admins are focused on the pain-staking manual tasks re-lated to setting up the proper access rights for each student and staff member.

The following are three of the most common issues educational entities have on the backend related to user account and password management.



1. managing the busy seasonOne of the biggest issues in the education industry is handling the busy season, when school is about to begin for the semester or for the year. Employees are often running around trying to get everything in order for the new term. For IT admins, this time of year can pose huge difficulties as they work to manage accounts for current and past students and staff.

First, they must review and disable accounts for all of the students that are no longer at the school, having either graduated, moved, transferred, etc. Then, they need to create new accounts for incoming students in each system and application and issue them passwords. Since students often need accounts in several different systems such as Blackboard, an email account, Google Apps, etc. in order to do their work, this can be a very time consuming, manual process. If you work in the IT department in a school or college, you know how much of a headache this can be. Often there needs to be a full time employee on hand just to make these changes.

The education industry, by its very nature, is prone to frequent movement and changes to user accounts. Each semester or school year, there are changes to every student’s accounts as they move to different grades. There also may be changes throughout the year, as students leave the school or transfer in from other locations.

As we’ve already touched-on, this can be a real nuisance for system admins, but what about for the end user? It’s no picnic for them when things aren’t properly setup or when they have issues with account access. It’s very common for students to begin the semester and need to contact the helpdesk because their account wasn’t fully created for them with all of the access rights and applications they need.

Often times, since many of these changes are done manually, schools may have outdated or unorganized network environments with old records still in their systems even after students and/or staff have left the institution. Accounts are often never disabled in every system and application; rather left to clutter up a database. Additionally, thanks to today’s virtual environments and distance learning programs, many education institutions are often required to manage several different campuses, as well as online programs for students. If all of this work managing hundreds or thousands of user accounts for students and faculty /staff is done manually, it’s enough to wreak havoc on an IT department that’s already stretched thin on resources.



2. working outside of the school networkAnother common challenge faced by educational IT staffers is the need for students to be able to easily use cloud applications from devices outside of the school’s network. Students often need to be able to access applications and resources from remote locations since a majority of homework and projects are completed outside of school. Online education is also on the rise for higher education with students completing classes all around the country. One study found that “About 200,000 students are enrolled in about 200 publicly funded, independently managed online charter schools across 26 states.” Students need to ensure that they can securely and easily access everything they need for the classes they are taking.

Along with needing access, managing passwords for students in order to enable access can be a challenge. The current education environment requires students to use mobile devices to access their applications such as Blackboard, their email, etc., using devices such as iPads, Laptops, Chromebooks, cell phones, etc. Students need an easy way to access the cloud applications needed, however, with different applications requiring different complex credentials, it can be very difficult for users to remember them for each of their applications. Forgotten credentials and the need for manual password resets can cause even more stress on an IT department.

http://www.edweek.org/ew/issues/technology-in-education/

Issues like those discussed thus far can inevitably cause an overload of calls to the helpdesk or the school’s IT department. We all know that schools frequently have small IT departments with a multitude of responsibilities and systems to manage, including the help desk. These departments are required to handle all of the IT issues in the school including all of the new technology being introduced in the classroom with very limited resources.

Frequent calls, such as those that come into the helpdesk for password resets, are not very difficult for the staff to resolve but they take up time that they could be using on other projects. Especially in the beginning of the school year or semester, there are many calls to resolve password issues since users forget them after a long break. These backlog the helpdesk and stop the end user from doing anything that they need to be working on.

Other issues arise when students and teachers are working after hours or on different projects. In a K-12 situation, students go home around 3PM and work on their homework for the night. In a higher education environment, students might be doing the same, but also might be taking classes as late as 9PM at night. What happens then if they need any type of technical help? Helpdesks at schools usually available until 5PM. Without any type of automated solutions to help manage IT accounts, this means that the end user would then have to wait until the next day.

One of the most common calls to the helpdesk is for password resets. If the end user is locked out of their account, and it is after hours of the helpdesk, then they cannot complete the work that they need to until the helpdesk reopens. This makes for unhappy students and teachers, but what can be done about it?

3. overload of calls to the helpdesk

http://www.edweek.org/ew/issues/technology



Although you may not be familiar with Identity and Access Management (IAM), you should be. The Identity and Access Management market has grown significantly and the number of implementations steadily increasing over the years. According to a recent study completed by Research and Markets, the Identity and Access management market is expected to grow from $9.16 billion in 2014 to $18.30 billion in 2019. This is because these solutions are extremely helpful with resolving many of the issues we’ve previously discussed. Let’s first take a look at exactly what IAM is.

IAM refers to the technology for managing user identities and their access privileges for various systems and platforms. Many components make up an IAM system and these help with various

are you familiar with identity and access management?

This is the management of creating accounts, making changes

when necessary, and disabling accounts once the end user is no longer working at

or attending the school.

This component is used to monitor what is taking place in the IT infrastructure, and

making the appropriate changes. Some schools may want to monitor who has

access to what and may need to adhere to certain rules and regulations.

This is the management of access rights. Within a school there are many different types and levels of access that employees and students may require, and they each

need to have access to the correct systems and applications.

This component is the management of the user’s credentials for accessing the

applications they need. It also encompasses certain solutions used to make the login procedure both more

convenient and secure for the end users.

User Account Provisioning

Compliance Management

Role Based Access Control/ Access

Management

Password/ Authen-tication

Management



how can iam solutions help the education industry?

now that you have a basic understanding of what iam is, let’s talk about how exactly it can help with the many issues that

educational entities face.

automated user account management

The first issue is account management and how to easily manage user accounts, without needing a full time employee to spend hours on creating and editing student accounts before each semester or school year. An automated account management module allows for “hands off” account management.

Educational entities use many different Student Information Systems, such as Campus Management, Skyward, Power School, etc. An automated account management solution allows these SIS systems to be linked to all other applications and systems that the school uses. These can be Active Directory, Library Systems, Electronic Learning Environments or a wide variety of other systems or applications.

When an admin enters the student’s information into the SIS, all connected systems will automatically be updated. As an example, when a new student is beginning at the school, their information is entered into Skyward, an AD account, Gmail account, eSchool account and a share drive are created for them.

http://www.tools4ever.com/software/iam-identity-and-access-management-software/



This ensures that on the first day of classes the student has all the correct access and resources that they need. It also allows the school to ensure that all accounts were created properly with the exact access needed, without manually creating all of these accounts.

Disabling accounts is also something that can be automated. When students are no longer at the school, someone needs to manually disable the account in each system and application. With an automated account management solution, an admin can easily disable the account in the source system and all connected systems and applications will automatically be disabled.

These processes allow the school to have a standard for how accounts are both named and managed. An account is automatically created based on, for example, the first initial of the first name and then student or employees last name. This ensures that all accounts are named properly and in the same format.

In terms of management, there can be a standard set up for what happens when a student graduates. For example, the school can have it set up so that the account is put into an alumni mode and certain access is revoked. This automatically takes place without an admin needing to manually move these accounts each year.



What about the password issues which students and staff are encountering? There are simple solutions to these issues which IAM solutions can assist with. For students who are working outside of the school’s network on mobile devices, which is the norm today, a web or cloud SSO portal solution can be a huge benefit. End users can simply login to a portal where all of their systems and applications that they have access to are located. They then only need to enter a single set of credentials to authenticate themselves, and thereafter can easily click on the icon for the application they want to use. This allows them to easily access all of the applications that they need from whenever and whenever they are working.

single sign on

Two factor authentication can also be added to SSO to ensure additional security. For example, teachers handle a lot of sensitive information, so they wouldn’t want someone to be able to easily access their applications and view or change student grades. Two factor authentication could be added so that a teacher might be required to enter a password as well as a PIN sent to them via SMS for extra security. Two-factor authentication can be added to all accounts or just a particular group of users for enhanced security.

a web or cloud Single Sign-On portal solution

a web or cloud Single Sign-On portal solution



password reset

Another solution that can be easily implemented and used to manage password issues is a self-service password reset solution. Since students and employees are often working outside of the hours of the helpdesk, a self-service password reset solution allows them to easily and securely reset their password themselves at any time without contacting the helpdesk. The user simply provides the correct answer to challenge questions, which they previously answered, and can then reset their password. This not only makes the end users life easier, it also drastically reduces the amount of calls which the help desk receives.

Overall, IAM solutions allow system admins to easily manage user accounts and passwords, as well as provide end users with self-service methods to handle password resets. If a school decides they want to implement a new application or technology for students to use in the classroom, it can easily be implemented and managed. They simply need to have their automated account management solution connected with this technology and can then automate and easily manage the accounts without needing to manually manage them.

http://www.tools4ever.com/software/self-service-reset-password-management/



what are the misconceptions education entities have about iam solutions?

while iam solutions can easily solve many of the issues education institutions may have, teams are often very cautious about

implementing them because of many misconceptions.

IAM is too expensiveThe first misconception is that these solutions are too expensive for schools, especially those on a smaller budget. While, yes, large enterprise IAM solutions can be costly, there are solutions to work with all different size budgets. This is one of the many reasons why the IAM market has grown so large in the past couple of years. Prices have come down and many vendors allow organizations to implement a solution in different phases, or even allow them to pick and choose the modules that they want to implement. This has allowed schools and colleges of all sizes to be able to affordably implement IAM solutions.

For example, to solve the issue of account management, a school may only want or need to implement an automated user provisioning module. They may not need additional modules or may wait to implement them in the future. This will cut down the cost for the solution, and allow them to customize what they need for their school.

We need to focus on the classroomAnother huge misconception is that this type of software is not needed and that the school should focus their time and money on technology in the classroom. While yes, newer technologies in the classroom are extremely vital, they need to have a proper framework behind the scenes. For example, some schools are now using Google Apps for Education. In order for this to work properly all students need to be enrolled correctly with the proper access rights and credentials. If someone needs to manually create all these new accounts for this new application, there will most likely be many errors that will need to be corrected. Each time a new technology, application, or systems is implemented at the school it will add additional work for the IT department to manage.

If the school decides to implement Google Apps for students, and the IAM system has a connector, the accounts can be automatically created for all end users in a particular group. This allows the school to easily manage and roll out any type of solution for their students and employees, without needing to have employees around to manually manage the solution.



automation may hamper security Finally, another common misconception is that the password management solutions in IAM software are not secure. In fact, it’s just the opposite. When it comes to SSO solu-tions, if you think about how many sets of credentials students and employees need to remember at your school, chances are that they are writing them down somewhere. With a single set of credentials end users, no longer need to do this. The only need to remember one set of credentials, decreasing the chance that they will write them down and increas-ing security.If security is a big priority though, additional measures can be added to password solu-tions such as Two Factor Authentication, mentioned earlier. There are many options when it comes to requiring end users to use an additional method to authenticate themselves. One of them is the use of biometrics such as a fingerprint or facial recognition. This en-sures that the user is who they claim to be.



a quick look at how several schools are using iam solutionsNow that you know all about Identity and Access Management solutions

and how they can solve many of the common IT challenges schools have, we’ll take a look at some examples of different issues some of your

peers have had and how they’ve used IAM to resolve them.Fitchburg University was experiencing a very common account management issue that many schools have: they had 44,000 records in Active Directory, which in no way reflected their actual environment due to stale accounts that were no longer required. After several attempts to delete users based on inactivity and inadvertently deleting hundreds of active users, they realized they needed help. “We weren’t able to integrate Active Directory information and the student record system to accurately report information” said Sherry Horeanopoulos, Information Security Officer. At the beginning of the semester, online students frequently called saying they were starting classes, but did not have an account created for them.

With an automated account management solution in place, Fitchburg’s system is now set up to create an account for a student who is registered, paid, and confirmed. With a variety of departments and people inputting information on the back end, never before had consistent conditions to automate account creation existed.

The solution was configured to query Banner to look for new students, changes to existing records and records that exist in AD but not in the database. When a new record is present, the AD account is created along with a home directory, initial password, and group memberships and located in the appropriate OU. When a record is eliminated from Banner, the AD account is automatically disabled and moved to a separate OU. After 18 months of being disabled, the accounts are purged from Active Directory. In the case of an account create or a delete, an email is sent to an appropriate party.

Fitchburg also encountered problems when hundreds of students graduated every year and there was no accurate way to determine who should be deleted from AD. With an automated account management solution, if a terminated or graduated flag is set in the SIS application, the account is disabled, according to pre-defined rules. If something has changed since the last synchronization, the Active Directory account may be re-provisioned or specific attributes updated. Fitchburg can



Founded in 1902, Harrison College provides contemporary, career-focused degrees that address the educational needs of today’s adult learner. With nearly 30 degree programs in five schools of study (Business, Criminal justice, Health Sciences, Information Technology, and Veterinary Technology), Harrison has seen over 75,000 students graduate from across 13 campuses and online academic environment. Because Harrison College is spread out among 13 campuses and offers an online program they serve students from any given time between 7:00 AM and 10:00 PM. But since most support staff members only work until 5:00 PM, it was important that they implement a solution with around the clock support.

password solutions

By implementing a self-service password reset solution, Harrison College has placed the ownership of password resets into the hands of the student. Student simply click on the “Forgot My Password” link, correctly answer the security questions which they previously provided answers to, and are then prompted to securely reset their password. This has not only allowed password resets to happen after hours, but has also greatly reduced calls coming in during standard work hours.



The future of the IAM market looks promising and continues to grow. This is in part because organizations of all sizes in every industry are realizing the benefits that IAM provides their employees and end users. Another major reason is because pricing has come down and vendors allow organizations to implement their solutions in a customizable, modular approach that allows them to pick and choose to implement only the modules their organization needs. The future of IAM solutions will no doubt, change as more advanced technology comes to light. As technology in the classroom advances to become more accessible for students, so will IAM solutions required to manage these technologies. Security of student and staff information will also continue to be of great importance. There is a constant need to stay ahead of security threats and ensure that educational networks are safe. Future methods for managing user accounts and access could include more advanced uses of biometrics to authenticate a user or other advanced methods such as facial recognition – which, though available, is not yet readily used in schools. As security needs evolve, these technologies may be implemented on mobile school devices.

what does future iam technology look like for the education market?

Overall, IAM solutions can be very beneficial to educational institutions and with their

affordability now aligning better with limited school funds. Their use will continue to grow, just as the technology itself will continue to

grow and evolve to meet the changing needs of students, teachers, employees, and system

admins.

TOOLS4EVER NEW YORK300 Merrick Road, Suite 310Lynbrook, New York 11563USA

T +1 866 482 4414 F +1 516 825 3018

Information [email protected] [email protected] [email protected]

TOOLS4EVER WASHINGTON11515 Canyon Road EPuyallup, Washington 98373USA

T +1 888 770 4242 F +1 253 435 4966

Information [email protected] [email protected] [email protected]

mailto:[email protected]






identity and access management in education - common issues and how to mitigate them

Documents