In today’s electronic learning environment, access to appropriate systems and data are of the utmost importance to students, and the faculty and staff. Having the incorrect access to the school’s internal systems could mean a teacher is unable to access an online learning system or a student is not able to submit coursework projects to an online folder.
Equally important, though, for the security of the system is ensuring that individual access rights are updated and removed when appropriate for all users of the system.
The educational market certainly faces unique challenges in this arena. A typical k-12 system will provide individual access account to students once they reach 4th grade, meaning the turnover approaches 15% per year. Students transferring from one district to another, or to another school within the district, add to the daily challenges of accurate account management.
One recent example that shows how important it is for educational entities to purge their internal systems follows: A Pennsylvania school district was recently was preparing for a migration from an in-house Exchange email system to Google Apps. While Google does not charge schools for student accounts, the goal of the school was to go into the new system with data that was a clean as possible. During the migration it was discovered that graduating students had not been removed from Active Directory for the last 3 school years. This meant about 6,000 records needed to be purged from AD. The school also made a decision to leave email accounts active for matriculated students but remove them from the Active Directory.
Granting Access Rights: Determining who gets access to What and WhenThe first step in the process is to determine a baseline of necessary access rights needed and currently allowed by type of user. Numerous products are commercially available to allow a thorough scan of the network and applications to retrieve information on access rights. This information can then be compiled against user profiles -- department, location, titles, majors -- to establish a foundation of who needs to access what and when according to permissions granted currently in your system.
Once this initial review is completed, you are ready to create the “ideal” access for each type of user in the organization. This is a process that typically can be loaded into a Role Based Access Control matrix to insure that new users are created appropriately. Inevitably, though, some of the users will need access that differs from the norm so a procedure must be in place to allow end users to request access and managers to sign off on the enhanced rights. Again, numerous systems are available in the marketplace to allow this process to be handled electronically while providing a complete audit trail.
Equally as important as granting rights is insuring access rights are revoked when appropriate. With alarming regularity, faculty or staff members are transferred between departments and permissions to groups and applications become cumulative. While it may be necessary to allow a transferred user access to everything their previous role required during a transition period, it is imperative that a time limit be set for review and decommissioning of those rights be accomplished.
As free, cloud-based email systems have begun to proliferate in the educational space, one of the most important audit tasks facing educational institutions is to insure accounts are appropriately disabled and or deleted. Many of the cloud-based programs, like Google and Live@EDU, allow schools to maintain an “alumni” folder or domain separate from active accounts. By moving users to these folders when appropriate, the users can be deleted from the network, and all inherent access rights deleted as well, but their email accounts can remain active.
Conducting the Audit Cycle The next step in the process is to perform an initial audit. You can be assured that new students and employees are being given correct access rights, but what about users that have been in the system for years. There is a good chance that several students and staff will have access to numerous departments or roles with access to more than one area.
By comparing their user type information and the access rights they currently have against the “ideal,” it is usually quite easy to determine the delta. At this stage in the process, every discrepancy must be accounted for. The user should be able to explain why he or she has access to systems outside the norm and the decision must be made to determine if the user may keep access to a system or if access rights should be removed. In most cases, as you’ll find several times during your first audit, that users often have access rights to areas they shouldn’t necessarily have because they served in previous roles and their rights were never terminated from previous access points.
As an ongoing process, regular audits are a necessity for any environment. In the very least, on a semester or quarter basis, managers and system owners should be asked to review access privileges and attest that the current rights meet established internal requirements. The ease of automated systems on the market can also allow for “on demand” audits. This allows the immediate creation of reports detailing accounts that are out of compliance. Some organizations also set up trigger events to allow a senior manager or IT person to review specific actions. For example, any time a user requests or is added to a certain application or group, a manual review of the reasons surrounding the request must be completed before permission can be granted.
An automated user provisioning application can also take data from a Human Resource application and/or a Student Information System to insure that students who graduate, do not return to the institution or are either moved to an alumni folder or removed entirely. This is a type of audit that can be performed on a daily basis without need for manual processing. The results of the daily process can easily be transmitted via email to the appropriate parties for review.
The fact that internal audits are conducted should be public knowledge, and no one should be “caught unaware” of the process. If users know their actions in the systems are being monitored, they are more likely to control their own behavior when accessing the sensitive information that they view as part of their employment.
SummaryTo insure access to applications and sensitive data is open enough to allow providers to perform their jobs and restrictive enough to avoid legal complications, it is important to set controls when users join the organization and regularly review any changes to their profiles. These two factors will allow for easy compliance reporting at audit time.
There are numerous vendors offering commercially available solutions for every aspect of a provisioning and audit solution. Some are complicated, expensive propositions that can take months or years to become fully operational. Others offer inexpensive, quick to implement, point solutions that can attend to specific areas of concern that need to be addressed immediately.
For more information on Tools4ever solutions for education, please visit our
website.