Effective Lifecycle Management: The Stages of Keeping Data Safer
Automated role-based access control may be particularly helpful for schools with a small IT staff that find it challenging to provide access manually.
If IT staff members know that a user has a certain attribute, such as a job change from assistant principal to principal, they can bake in automation to give access to a specific bundle of permissions. That can save a lot of time, and IT doesn’t have to worry about it on a day-to-day basis. That’s the advantage of having a well-oiled user lifecycle management process.
However, school technology teams should pay attention to which additional applications employees will use in a new position, as well as any they’ll no longer need.
You often will give somebody more rights as they go up the chain, but you also have to think about removing access. We only want to give people access to what they need to do their job, and nothing more.
Strengthening User Lifecycle Management Helps Thwart Threats
If a bad actor tries to exploit system weaknesses, such as a lack of multifactor authentication, then an active account for a user who’s no longer working at the school could provide a point of entry.
Employee departures can pose a similar risk. For example, when someone gives two weeks’ notice, a school official can designate that in the system, initiating a chain of actions that includes disabling the employee’s account on a certain date.
IT can use that as a trigger to kick off that automation. Whatever identity system they are using to manage access will disable every access capability the person has. It may also send an email to the respective parties that says “This has been done” or “Here’s a look at people who have been terminated,” and authorized parties can verify if the information is correct.
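The mover and leaver automation described above, sketched as an added example that is not taken from the article or from any identity product. The role bundles, record fields and sample users are constructed assumptions; a real deployment would read them from the HR system and the identity provider.

```python
from datetime import date

# Assumed role-to-application bundles (constructed; each district defines its own).
ROLE_BUNDLES = {
    "assistant_principal": {"email", "sis_read", "discipline_log"},
    "principal": {"email", "sis_read", "sis_admin", "budget", "staff_evaluations"},
    "teacher": {"email", "gradebook", "lms"},
}

def reconcile(hr_records, accounts, today):
    """Compare HR records with account state and return the actions to take."""
    actions, hr_by_id = [], {r["id"]: r for r in hr_records}
    for user_id, acct in sorted(accounts.items()):
        hr = hr_by_id.get(user_id)
        last_day = hr["last_day"] if hr else None
        # Leaver: last working day has passed, or the account has no HR record at all.
        if hr is None or (last_day is not None and last_day < today):
            if acct["enabled"] or acct["apps"]:
                reason = "no HR record" if hr is None else f"last day {last_day}"
                actions.append(("disable", user_id, reason))
            continue
        # An unknown role maps to an empty bundle, so nothing is granted by default.
        wanted = ROLE_BUNDLES.get(hr["role"], set())
        actions += [("grant", user_id, app) for app in sorted(wanted - acct["apps"])]
        # Mover: revoke whatever the current role no longer needs.
        actions += [("revoke", user_id, app) for app in sorted(acct["apps"] - wanted)]
    return actions

def verification_report(actions):
    """Lines for authorized parties to confirm that each disabled account is correct."""
    return [f"{user}: disabled ({why})" for kind, user, why in actions if kind == "disable"]

# Constructed sample data.
TODAY = date(2024, 6, 15)
HR = [
    {"id": "jlee", "role": "principal", "last_day": None},  # promoted from assistant principal
    {"id": "mross", "role": "teacher", "last_day": date(2024, 6, 14)},  # gave notice
]
ACCOUNTS = {
    "jlee": {"enabled": True, "apps": {"email", "sis_read", "discipline_log"}},
    "mross": {"enabled": True, "apps": {"email", "gradebook", "lms"}},
    "old_sub": {"enabled": True, "apps": {"email"}},  # active account with no HR record
}

if __name__ == "__main__":
    for action in reconcile(HR, ACCOUNTS, TODAY):
        print(action)
    print(verification_report(reconcile(HR, ACCOUNTS, TODAY)))
```

Running the same reconciliation on a schedule also surfaces accounts that stayed active after the owner left, which is the case the communication gap tends to produce.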
Well-defined, swift user lifecycle management practices can be critical if an employee decides to leave suddenly or is let go without much warning — and isn’t happy about it.
There have been cases where people have been fired and their companies didn’t immediately terminate the account, allowing these employees to go back into their accounts when they got home to grab or remove data.
They might then place unauthorized data on the internet or jump on the school’s messaging tool to bad-mouth people. IT needs to make sure the process is set so that after an employee’s last day working with the school, he or she can no longer access school accounts.
Generally, K–12 schools can benefit from thoroughly examining the steps in their user lifecycle management process to determine where problems may exist — such as a specific team not being told when a staff member exits — and then devising another plan, if needed.
The biggest gap when it comes to identity management is communication. That’s why tabletop exercises are very important. They allow IT to go through a test run on a process, from start to finish, to make sure it works. If it doesn’t, they should refine it and test it again.