Online Identity Management
The increasing incorporation of digital materials and resources into school and district portals and repositories has given rise in recent years to a new focus on the issue of identity management in K12 education. The need for multiple usernames, passwords and separate logins for each user can be a nightmare for staff, inhibit the use of software programs that benefit student achievement, and overwhelm increasingly smaller district IT departments, say technology administrators in reports such as the Consortium for School Networking’s “Single Sign-On, Multiple Benefits: A Primer on K-12 Federated Identity and Access Management,” published in May 2011.
Identity management authenticates the identity of district users in all roles and presets their access to appropriate resources. For instance, a teacher may have access to an online grade book and the teacher’s edition of a textbook, a student may have access to the student edition of the textbook, the school psychologist may have access to student health records, and the human resources department may have access to each employee’s pay stubs and other personal information. In the absence of a single identity management program, access to materials remains in the hands of disparate users scattered throughout the district, each of whom may have multiple usernames and passwords depending on the materials they use in the course of their day. Costs for implementing an identity and access management (IAM) system are directly related to the number of users it serves, says Deborah Karcher, CIO of Miami-Dade County Public Schools. For a district of Miami-Dade’s size, with upwards of 500,000 users, upfront investment costs can be roughly $3 million, she says.
Though technically different functions, identity management and access management are increasingly paired in solutions, as they’re greatly interdependent. “Identity management dictates which resources you have access to, and access management is the key to the door,” says Karcher.
A primary benefit of identity management solutions, which are supported through a range of software tools offered in part by Oracle, Microsoft, IBM, Computer Associates and Amazon.com, is that they decrease the risk of security breaches. “After a few accounts, people tend to start using sticky notes on their computers to remember passwords,” says Sammie Carter, systems architect for the North Carolina Education Cloud (NCEdCloud), a pioneering statewide initiative funded by Race to the Top that includes an identity and access management plan for schools. “With an identity management solution, which allows districts to aggregate all data about users into a single ‘gateway’ sign-in service, users only need to remember one username and password,” he adds.
Still a fairly recent topic in the K12 education space, IAM is more familiar in the higher education world, where instructors and researchers need to collaborate across different campuses, states and countries, says Carter. But recognition that the kinds of efficiencies being realized in the higher education world can also benefit K12 is driving the trend downward. Following North Carolina’s lead, statewide IAM initiatives currently in different stages of implementation in Alaska, Colorado, Florida and Nevada attest to the growing interest in IAM in K12 environments.
Many school districts across the nation, especially the larger ones serving hundreds of thousands or even millions of users, are finding that IAM is coming to the rescue during times of shrinking budgets and staff layoffs by instituting significant financial, instructional and security efficiencies across a broad range of areas.
Financial and Time Savings
Although not one of the nation’s larger districts, North Carolina’s rural Rockingham County School District, with 13,500 students, is notable as one of two pilot sites for the precedent-setting NCEdCloud program. Since the fall of 2010, Rockingham has already seen major cost savings in the area of IT support, says Lee Cummings, director of technology services. Prior to IAM, the district’s 24 service providers used to ship software to Cummings, who would have to install and maintain it all on the district server. Now, the district is on its way to creating a one-to-one mobile learning environment, which will include a mixture of district-issued and personal technology devices, and software is hosted by providers in the cloud, freeing up Rockingham servers and the time of IT personnel. With only eight support staff to oversee nearly 6,000 computing devices, IAM will be crucial. “We’ll be going from 6,000 to 10,000 computing devices overnight soon,” says Cummings.
Consortium buying, and a learning object repository—an online “container” for storing lessons, assessments and other materials from multiple sources—are other elements of the NCEdCloud program that will provide Cummings and other state technology directors with better deals on software and access to a broad shared bank of free resources.
Another aspect of the NCEdCloud initiative that makes the state an IAM frontrunner, say both Cummings and Carter, is the North Carolina Federal Trust (NCFT) program, launched in 2009, that connects K20 online education resources, expanding access for both K12 districts and higher education institutions. This broader network, or “federation” of districts, colleges and universities, will allow high school students to take college classes online, make college library resources available to K12 users, provide homebound students with access to the full resources of participating institutions, and more. Because the state maintains a single, central database of users from all its education institutions, rather than the separate district-level databases that other states have, North Carolina is the only state with the infrastructure to move forward with a federated initiative.
In 2007, the Los Angeles Unified School District (LAUSD) began implementing an IAM system based on its own self-service model. “Thirty-five thousand teachers take attendance online every morning,” says Shahryar Khazei, the district’s deputy CIO. “If we didn’t have a self-service way for them to access a lost password—through answering a security question, for instance—we’d be dealing with a huge volume of calls.”
At one time, 70 percent of the service calls to the help desk were about lost passwords, Khazei says. Since implementing this self-service IAM model, the district has been able to reduce its help desk staff by 30 to 40 percent, which has been crucial in the current climate of budget cuts. “Our primary job is to make life easier for teachers,” says Khazei.
Single sign-on access management, which requires users to remember just one password and allows them to log in just once a day, is quickly becoming the aimed-for standard for access management, according to several technology directors.
Karcher says achieving such transparency for users requires some complicated dealings “under the hood,” however. One issue the district faces is the lack of interoperability between Microsoft’s offerings and the district’s other resources. Since Microsoft only supports single sign-on across its own products, Karcher and her team have to maintain several software tools that facilitate communication between Microsoft’s products and those from other vendors, which she says is all worth it in order to provide users with a seamless experience.
Chris Squatritto, director of technical resources for Nevada’s Clark County School District, is not as convinced as others that single sign-on is the best answer. His district, which is poised to begin a pilot IAM program this month, offers its own centralized sign-on system that requires two-factor authentication, such as a fingerprint and the answer to a security question. Squatritto calls single sign-on “an older way of thinking.” For example, someone can hack into a computer and be able to access a bank account and health records after figuring out one password. “The simpler it is, the less secure it is,” he says.
IAM programs’ simplification of online access to resources for teachers can lead to maximizing their use for student instruction, says Sandeep Chellani, executive director of product development for the New York City Public Schools. “If you had to go into your iPhone and sign in with a username and password each time you used an app, that would be a hassle and you would tend to use fewer ones,” he says.
Although it’s not possible to draw a definitive connection between increased student achievement and IAM implementation in New York City, Chellani points to the district’s iLearn program, which provides online curricula to schools through 14 different resources. Before IAM, the program was more difficult to use: users had to deal with each individual provider, log in separately and cope with forgotten passwords. Now that those resources are easier to access online through a single gateway, they’re much more likely to be used.
Keeping Track of Students, Teachers
In large school districts with high student mobility rates, monitoring students and tracking them from one school to the next can be an overwhelming task without the aid of an IAM program. Districts such as LAUSD, Miami-Dade and Clark County, which all have high poverty and mobility rates, say it is especially important for English-language learners, special-education students and others with special needs to have accurate records from their first day in class so they don’t lose instructional time in taking redundant placement tests or waiting for administrators to track down personal information.
LAUSD has a high rate of transiency due in part to a large number of migrant agricultural workers. Moreover, 70 to 80 different languages are represented in its student body. Khazei says managing students’ identification is more complicated than managing teacher identification, because children’s Social Security numbers are not available. “We take pride in closely monitoring and maintaining accurate student records, which requires collecting a deeper level of information, such as both parents’ names, previous school enrollments, and so forth to identify and assign each with a unique ID number,” Khazei says. The same is true for Miami-Dade, Karcher reports, where the student mobility rate is between 30 and 40 percent.
Besides monitoring students, part of the impetus for Clark County’s IAM program was to keep up with the high rate of new teacher hires, which were between 2,000 and 3,000 a year between 1990 and 2007 when the district was undergoing peak growth. Although its hiring process is still manual, the district looks forward to automating new employee systems as part of its upcoming IAM implementation, says Jhone Ebert, the district’s chief technology officer.
Working With Vendors
Because IAM in the K12 environment is still in its infancy, technology directors are finding that vendors are often uninformed or not qualified to meet their needs. NCEdCloud’s Sammie Carter, for instance, says that “only a handful” of vendors were qualified to provide solutions on a scale adequate to meet the needs of the 3 million users NCEdCloud expects to first sign on with its IAM NCEdCloud initiative in the 2012-2013 school year. Cummings in Rockingham says that, of several vendors he spoke with, only one understood IAM.
Chellani says New York City was the first district to write interoperability standards into requests for proposals (RFPs) back in 2010, and technology leaders in other districts say they also now require that vendor offerings be interoperable with other companies’ products in order to support IAM.
Trust plays a significant role in a vendor’s agreement to support a district’s IAM program. Karcher says some vendors are concerned that districts may abuse access to their software under a single sign-on policy, so the vendors make clear that it’s up to districts to ensure compliance. In Miami-Dade, a central portal houses all district content, but vendors must trust that administrators will restrict user access to only the content they have permission to use. “For instance, charter schools have access to our portal,” says Karcher, “but unless they buy rights to the digital textbook we’ve purchased for public school use, they won’t be allowed access to that content.”
Possibilities for Innovation
Beyond the cost and time savings, increased resource access, and the ability to monitor and track students and teachers moving among different schools within the district, the potential of IAM to facilitate collaboration and real innovation will only begin to be fully realized as more states implement Federated Identity and Access Management, according to the K-12 Federated Identity and Access Management Task Force. The task force—which includes groups such as the higher education security organization InCommon Federation, higher education technology advocacy organization EDUCAUSE, and the Internet2 K-20 Initiative—says that federated management, and the single sign-on that facilitates it, can move beyond intrastate resource sharing to include institutions and organizations across the nation and the globe, promoting collaboration through group calendars, wiki documents and other social networking tools.
As with local IAM programs, cooperation and trust are central to this federated system as multiple institutions must agree to share authentication policies, manage access through enforcing permissions, and maintain security for all resources to which they’ve been entrusted. In the meantime, keeping a close eye on frontrunners such as North Carolina will benefit other states and districts that will likely follow a similar path in the near future.