Identity and Access Governance Over K-12 Online Educational Services
The Coronavirus Pandemic shifted nearly every in-person interaction to a digital one, including K-12 education. School districts rapidly shifted their learning models, embracing online classes and leveraging their Google Classroom deployments as a way to continue educating their population. However, the rapid shift towards this digital model requires reviewing student, teacher, and administrative access controls to ensure districts and schools maintain student privacy.
What are Online Educational Services that schools need to secure?
The US Department of Education created the Privacy Technical Assistance Center (PTAC) to provide educators and administrators with information to help them navigate the data security, privacy, and confidentiality issues associated with online learning models. Although last updated in February 2014, their “Requirements and Best Practices” document acts as a starting point for districts and schools that need to protect student privacy during the digital classroom migration.
Most districts and schools already incorporate some form of Online Educational Services, which PTAC defines as
“computer software, mobile applications, and web-based tools provided by a third-party to a school or district that students and/or their parents access via the Internet and user as part of a school activity.”
Each software, application, and tool collects a different type of data. For example, applications that require a login and password collect more private data than those which do not require a login. As districts and schools adopt online models as a response to the Coronavirus Pandemic and social distancing requirements, understanding what applications collect, store, and transmit sensitive student information becomes an imperative to protect children’s information and meet compliance requirements.
What information needs to be protected according to the Family Educational Rights and Privacy Act (FERPA)?
Problematically, not every Online Educational Service collects the same information nor do they store the same information. Even PTAC can respond to the FERPA concern as “it depends.” Understanding the types of data that fall under FERPA acts as the first step to securing the information. At the least, schools and districts need to consider the following types of information.
Because online systems that require a login ID and password connect that information to a user, the name and contact information provided fall under FERPA. Districts and schools need to protect administrative access to this information to meet compliance requirements.
In the educational context, metadata incorporates information that provides knowledge about the student’s learning but isn’t entered by the student. Some examples include:
- When a student logged into an application
- How long it took a student to complete a task
- How many times the student took an assessment
Districts and schools use this information as part of their assessment reports, but the provider may collect this metadata as research for future development. Without appropriate de-identification processes by the provider, this information is PII under FERPA.
The PTAC Guidance references FERPA’s “school official exception” as potentially applicable to information disclosure. However, it specifically notes:
The framework under which the school or district uses the service must satisfy the “direct control” requirement by restricting the provider from using the PII for unauthorized purposes. While FERPA regulations do not require a written agreement for use in disclosures under the school official exception, in practice, schools and districts wishing to outsource services will usually be able to establish direct control through a contract signed by both the school or district and the provider.
In other words, districts and schools need to ensure that their data access policies limit service provider access to only the information necessary and nothing more. Too much access by a service provider, such as through an API or service account, compromises FERPA compliance.
What are the best practices for protecting student privacy while using online educational services?
PTAC released a 2015 guidance titled “Identity Authentication Best Practices” that outlines the best ways to authenticate access. As part of the guidance, PTAC notes:
While the Department does not mandate any specific requirements regarding reasonable methods, some best practice suggestions include
- conducting privacy risk assessments to determine potential threats to the data;
- selecting authentication levels based on the risk to the data (the higher the risk, the more stringent the authentication);
- developing a process to securely manage any secret authenticating information, or “authenticators” (e.g., passwords), throughout their creation, use, and disposal; • enforcing policies to reduce the possibility of authenticator misuse (e.g., encrypting stored passwords, locking out accounts with suspicious activity, etc.); and
- managing user identities through creation, provisioning, use, and disposal (with periodic account recertification to confirm that a user account has been properly authorized and is still required by the user).
The first and last bullet points become increasingly difficult as districts and schools need to move towards digital models and controlling access to information. The document recommends NIST 800-63 as a source of best practices.
As schools embrace digital educational services, some best practices to consider include:
- Limiting service provider access to student data according to the principle of least privilege
- Limiting student, staff, and administrative access according to the principle of least privilege
- Setting timebound service account access to systems, networks, and software
- Managing API access to student information
- Creating appropriate Identity Lifecycle Management controls across the district or school to prevent excess access to information, including student access controls
Considerations for Limiting Access
When limiting access to, within, and across resources, districts and schools should consider the following:
- Where is PII located?
- Who needs access to PII?
- How do they obtain access to PII?
- Why do they need access to PII?
Each of these considerations needs to be incorporated into the risk assessment and data access controls established. Once the district or school analyzes where it stores PII, then it can move on to limiting access to those resources based on a “need to know.”
Considerations for Setting Timebound Service Account and API Access
Many districts and schools leverage Google Classroom for their digital learning strategies. To ensure appropriate access to and within these services, they need to limit service account and API access to these deployments. Google Cloud’s Security and Identity reference guide suggests REST Resource Identity and Access Management (IAM) policies, organizational role creations and updating capabilities, permissions controls, service account controls, and service account keys.
However, as part of securing access to and within Online Educational Services, organizations also need to consider:
- How often these resources need to access the ecosystem
- Whether someone within the district or school has responsibility for monitoring the access
Managing service accounts’ and APIs’ access is burdensome for IT departments with limited resources. However, the need to grow Online Educational Services may drive these concerns to the forefront.
Considerations for Identity Lifecycle Management
Whether managing access by humans, service accounts, or APIs, districts and schools need to consider how they manage the identity lifecycle for all users. Setting policies for joiner/mover/leaver users, including ones for those individuals monitoring services account and API access, act as a primary way to protect student PII.
As part of this process, districts and schools should consider:
- Whether the district or school can create a succession policy for monitoring the access
- Who can modify/update/delete the accounts and APIs
- What privileged access to the online resource the service accounts and APIs are invoking
Continuously monitoring access requires ensuring that no identity maintains excess access and that IT departments appropriately terminate access in a timely manner to mitigate risks arising from orphaned accounts and excess access.
Saviynt’s Suite of Solutions for Managing K-12 Identity Governance and Administration
Managing distance learning while meeting FERPA compliance requirements poses an onerous challenge for most school districts and private schools. Online Educational Services connect across a variety of cloud locations and user devices which leaves them open to credential theft as well as internal privilege misuse risks.
Saviynt’s suite of solutions include Identity Governance and Administration (IGA), Data Access Governance (DAG), Application Access Governance (AAG), Cloud Privileged Access Management (Cloud PAM), and the Identity Risk Exchange. Leveraging our intelligent peer- and usage-based analytics, districts and schools can surface high-risk access to ensure purposeful decision-making over exceptions. Saviynt’s DAG capabilities enable districts and schools to identify, risk-rate, and categorize PII so that they can assign ownership and succession policies for data access that enforces the principle of least privilege.
Meanwhile, our automated certifications process enables organizations to assign ownership and succession policies for governing service account and API access to cloud resources. Our Identity Risk Exchange natively connects with mission-critical security information and event management (SIEM), user and entity behavior analytics (UEBA), and Governance Risk and Compliance (GRC) platforms for holistic visibility into risk signals that indicate potential threats to data security and privacy.
Protecting student data as part of distance learning both ensures continued educational access and student digital futures.