Network security

Identity Scramble

Automated technology systems are working to keep personal information of district employees and students out of the wrong hands.

Picture this: You’re a school administrator who has access to the personal files of every student and faculty member in your school district. You have a fairly common name that is shared by another employee in the district. Now imagine your surprise when you discover that the employee with the same name has access to all of your e-mail, as well as your human resources files and districtwide management systems. The IT department didn’t take into consideration when setting up the two accounts that both of you have identical names, and now all of that sensitive data has been compromised, opening you and your district up to a messy lawsuit.

As far-fetched as it may seem, that scenario is not unusual in a number of environments, from school systems to corporate enterprises. More often than many care to admit, unauthorized access to e-mail occurs either innocently or nefariously, laying bare all kinds of information that could threaten the security and privacy of a student or employee.

According to the Identity Theft Resource Center, a nonprofit organization dedicated to the understanding and prevention of identity theft, 2009 saw a total of 76 education-sector security breaches nationwide, exposing more than 670,000 student and employee records, including names, addresses, and Social Security numbers. Of those 76 breaches, 20 affected K-12 school districts. The incidents ranged from stolen data to lost hard drives containing sensitive information, and, in one baffling case, an open box full of personnel paperwork sitting outside an elementary school in Texas. (The box had been left open and papers were blown around by the wind, making it impossible to know what data had actually been exposed.)

An identity management system won’t be able to catch papers blowing in the wind, but it can catch potential mistakes that could put you and your district at risk. An identity manager controls access to the resources in an IT system by placing restrictions on established identities. For example, a principal needs access to more administrative operations than a teacher; an identity management system regulates that access, setting higher restrictions for teachers than principals.

Denver Public Schools (DPS) knows the advantages of an identity management system firsthand. The district, which has 75,000 students and 15,000 employees, has been managing all of its e-mail—about 20,000 accounts—internally for the past two years, says Steve Bussey, the district’s systems administrator. With so many employees, confusion was bound to occur.

“When we first got started, our biggest issue was identifying people,” Bussey says, explaining that not having access to the human resources server created a divide between e-mail accounts and personnel information. “We couldn’t rectify one with the other. And we have multiple people with the same name.”

Problems went further than some employees getting the wrong e-mail, Bussey says. “Identity management really came into play when we implemented employee self-service and online paychecks. We realized it was an issue when one person called and said his data online was wrong. It turned out he was looking at someone else’s data.”

In light of the potential for more mishaps, DPS decided to lock down access to e-mail and online human resources and employee benefits systems with Microsoft’s Forefront Identity Manager. Forefront assigns each user a digital identity based on information that goes beyond the user’s name, such as an IP address and personal data. “That helps us make sure the right person gets the right account,” Bussey says.

The installation of the system was simple, according to Bussey, since the technology was complementary to the Microsoft Exchange Servers that were already in place. Implementing Forefront was just a matter of porting it into the servers.

At Escambia County School District in Pensacola, FL, the decision to move to an identity management solution was likewise prompted by a desire to get control over an overwhelming volume of data.

“We had been using Novell products—file servers and Groupwise [Novell’s e-mail system]—for about three years, and we were manually maintaining our user lists,” says Tom Ingram, coordinator of technology services for the district, which includes 54 schools numbering about 40,000 students. “The majority of our time was spent on maintaining those lists. We finally decided that, since we had the information necessary in our human resources system and student information system to automate the process, we would take advantage of that.”

Unlike Denver Public Schools, however, security breaches didn’t factor into Escambia’s decision-making. In addition to its desire to simplify processes, the district saw an opportunity to reduce its workforce.

“One of the main driving factors for us was an employee who was retiring,” Ingram says. “He had managed employee accounts as his primary responsibility. We realized that if we implemented an identity manager we could save the salary that we’d otherwise spend replacing that person.”

The district added Novell’s Identity Manager component to its network—a simple addition, since Escambia was running Novell tools almost exclusively—and almost immediately got a handle on guaranteeing the right information was going to the right person.
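The two ideas the article has described so far, keying every account on an authoritative identifier rather than a person's name so that employees who share a name never end up with each other's mailbox or HR records, and granting resources by role while provisioning accounts automatically from the HR system, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Denver or Escambia, or from the Microsoft or Novell products mentioned, and the employee records, role names, and resource names are constructed for illustration.

```python
"""Added example (not from the article or any vendor product): a minimal
identity manager that keys every account on the HR system's employee ID
rather than on the person's name, de-duplicates login names, and grants
resources by role. All records and resource names are constructed."""
from dataclasses import dataclass, field

# Constructed HR export: two employees share a name but have different IDs.
HR_RECORDS = [
    {"employee_id": "E1001", "first": "Pat", "last": "Rivera", "job": "principal"},
    {"employee_id": "E2042", "first": "Pat", "last": "Rivera", "job": "teacher"},
    {"employee_id": "E3117", "first": "Lee", "last": "Okafor", "job": "teacher"},
]

# Role -> resources that role may reach (hypothetical resource names).
ROLE_ENTITLEMENTS = {
    "principal": {"email", "self_service", "hr_files", "district_admin"},
    "teacher": {"email", "self_service"},
}


@dataclass
class Identity:
    employee_id: str      # the authoritative key, never the display name
    username: str         # unique login derived from the name, de-duplicated
    display_name: str
    role: str
    entitlements: set = field(default_factory=set)


class IdentityManager:
    def __init__(self):
        self.by_id = {}        # employee_id -> Identity
        self.by_username = {}  # username -> Identity

    def _unique_username(self, first, last):
        """First initial + surname; append a counter if already taken."""
        base = f"{first[0]}{last}".lower()
        candidate, n = base, 1
        while candidate in self.by_username:
            n += 1
            candidate = f"{base}{n}"
        return candidate

    def provision(self, record):
        """Create (or return the existing) identity for one HR record."""
        eid = record["employee_id"]
        if eid in self.by_id:
            return self.by_id[eid]  # idempotent: re-running the HR sync is safe
        role = record["job"]
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"no entitlement profile for role {role!r}")
        ident = Identity(
            employee_id=eid,
            username=self._unique_username(record["first"], record["last"]),
            display_name=f"{record['first']} {record['last']}",
            role=role,
            entitlements=set(ROLE_ENTITLEMENTS[role]),
        )
        self.by_id[eid] = ident
        self.by_username[ident.username] = ident
        return ident

    def sync(self, records):
        """Provision every record from the HR feed."""
        return [self.provision(r) for r in records]

    def can_access(self, employee_id, resource):
        """Access decision is made on the employee ID and the role's entitlements."""
        ident = self.by_id.get(employee_id)
        return ident is not None and resource in ident.entitlements

    def lookup_by_name(self, display_name):
        """Why names are not keys: a name can match several identities."""
        return [i for i in self.by_id.values() if i.display_name == display_name]


def build_directory(records=HR_RECORDS):
    """Provision the constructed HR feed and return the populated manager."""
    idm = IdentityManager()
    idm.sync(records)
    return idm


if __name__ == "__main__":
    idm = build_directory()
    for ident in idm.by_id.values():
        print(ident.employee_id, ident.username, ident.role, sorted(ident.entitlements))
    print("Pat Rivera matches:", [i.username for i in idm.lookup_by_name("Pat Rivera")])
```

Running it shows the two Pat Riveras receiving distinct logins (`privera` and `privera2`) and distinct entitlements, while `lookup_by_name` returns both, which is exactly the ambiguity that a name-keyed setup would have resolved by accident. The `provision` method is deliberately idempotent so that a nightly HR synchronization can be re-run without creating duplicate accounts.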

“We have about 4,500 e-mail accounts and about 45,000 network accounts,” Ingram says. “Maintaining all of them used to comprise a lot of support requests—setting up accounts, deleting, moving directories, password management—but Identity Manager now handles a lot of that. It was a lot more time-consuming before than it is now.”

Plus, the district is able to secure its data at all levels, from the individual e-mail accounts to the human resources systems and the servers on which they reside.

“After we started using Identity Manager with a network login and Groupwise, we started authenticating servers,” Ingram says. Such a process enables stricter security at the server level, where most outside-the-firewall breaches occur. “Using Identity Manager has enabled us to take functions that are job-specific and, as much as possible, roll them into automated processes,” Ingram adds, which removes the threat of both accidental and intentional actions that could imperil security. “We can tighten things up a lot more.”

Medical, Dental…Identity Protection?

Miami-Dade County Public Schools announced in January that it will be offering identity theft protection as an employee benefit. A partnership with ID Watchdog will allow 70,000 district employees, retirees, and family members to select the company’s identity theft protection, detection, and resolution services as a part of an employee benefit package that also includes traditional benefits such as health, dental, vision, and life insurance.

Bussey says identity management has beefed up network security in his district as well. “We still have some users who always get e-mails that are addressed to the wrong person, but these days that occurs from the sender’s side,” he says. “We have to contact those people individually because that’s not something the identity management system would pick up on.”

Both Bussey and Ingram realize identity management won’t eliminate all of their data security threats, especially as their networks expand and new technologies come along. They also recognize that, while identity management has automated some of the processes that could introduce threats, any network is only as secure as the actions of its users.

“We still have situations where teachers will give out their passwords, despite the fact that we’ve told them that is punishable under our rules,” Bussey says. “However, it has been less prevalent since self-service came into play and people realized that now others could see their salary, Social Security numbers, and other private data.”

Ingram says an identity manager makes a big job easier, though threats remain. “We have a much better handle on the data, but you’ve always got to be careful.”

This article originally appeared in the March 2010 issue of THE Journal.