Educational institutions and authorization: Protecting student information
Many educational institutions are encountering security challenges for the first time as they increasingly face breaches and other threats from bad actors.
No matter the type of institution, it is important to protect applications bearing student, parent and faculty information stored on the school's systems.
The stakes around properly securing these applications are high, as in some cases they contain valuable information about minors and/or generally sensitive personal information related to health, financial wellness, etc.
It is critical to ensure that this information is accessed only by the right persons and in the right way.
This is where an external authorization layer should be implemented within applications to reduce the risk.
Authentication alone isn’t enough to protect information
In many cases, applications used by schools at the primary, secondary or college level do not have proper access control measures in place. This can put students, parents/guardians and faculty at risk of their information being exposed to bad actors.
An example of this could be an application students use to talk with their friends and share schedules.
It seems like a simple way students can interact with their peers and learn who is in their class.
But what access control measures are in place to protect those students?
Too often, security is looked at too simplistically, focusing on the ease of granting access, which results in limited access control measures being in place.
However, there should be control measures in place to secure information.
Some of the access control policies that should be in place could include ensuring that only people from the city the school is in can log on to the system, or that non-student users (faculty/parents) can only see the information that is relevant to their family.
In order to do this, there need to be policies in place that reflect the access control models the schools want to use, and the technology in place to enforce these policies.
This is where authorization comes into play, as it can enforce policies where authentication alone isn't enough.
Simply entering a username and password into an application (authentication) verifies that a user is who they claim to be; using that authentication alone to grant unrestrained access within the application is a recipe for disaster and can lead to inappropriate access or breaches.
Authentication and authorization can work together to improve the security of the application.
This is because authorization ensures that once an authenticated user is in the system, only those actions that are allowed for that user are in fact being performed.
This reduces the risk that a bad actor, also known as an unauthorized user, can view privileged or sensitive information.
Modern technology has outpaced legacy systems
When we look at the applications that educational institutions use internally, many of them are legacy systems that leverage role-based access control (RBAC).
This is an issue because RBAC puts limitations on what can be done and fails to ensure that users have access only to what they need.
Because roles are static, changes in a user's status are often not reflected quickly enough, leaving data open to unwanted exposure. Static roles can also make it difficult to audit the application to see who has access to what, and often lead to role explosion.
For example, a teacher who changes the grade level they teach may still have access to last year's class's personal and family information.
In another case, a new teacher takes over, but they don't have access to the previous year's grade results to judge the students' performance level.
Authorization applies the principle of least privilege, under which a person should have access only to the data, resources, and applications needed to complete their task.
Not only that, but attribute-based access control (ABAC) solutions make access control decisions in real time at the point of access.
Some of the attributes ABAC can look at include:
- Role (administrator, student, parent)
- Location of the device in use, the device itself, time of day, purpose of use, and data source, to enforce access to data in line with policies and regulations.
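To make the difference between a static role and an attribute-driven decision concrete, here is an added example, written for this article and not code from the original page or from any vendor's product: a small attribute-based policy decision point in Python. It evaluates the kinds of policies described above: the login must come from the school's city, parents can only see records of children in their own family, and teachers can only see students on their current rosters, so the grade-change scenario resolves itself when the roster attribute changes rather than when someone remembers to edit a role. The city, the school-hours window, the user and student identifiers and the records are all constructed values.

```python
from dataclasses import dataclass

SCHOOL_CITY = "Springfield"      # constructed: the city the institution is in
SCHOOL_HOURS = range(7, 19)      # constructed policy: 07:00 to 18:59


@dataclass(frozen=True)
class Subject:
    """Attributes of the authenticated user, from the login context and directory data."""
    user_id: str
    role: str                                  # administrator, teacher, parent, student
    city: str                                  # derived from the login context (e.g. geolocation)
    current_classes: frozenset = frozenset()   # teachers: classes assigned this school year
    children: frozenset = frozenset()          # parents: student ids in their own family


@dataclass(frozen=True)
class StudentRecord:
    """Attributes of the resource being requested."""
    student_id: str
    class_id: str
    sensitivity: str                           # "general" or "health"


@dataclass(frozen=True)
class Environment:
    """Attributes of the request context."""
    hour: int                                  # local hour of day, 0-23


def decide(subject: Subject, action: str, record: StudentRecord, env: Environment) -> tuple[str, str]:
    """Evaluate one access request and return ("permit" | "deny", reason).

    Deny rules are checked first so a later permit cannot override them;
    anything not explicitly permitted is denied.
    """
    # Environment-level denies that apply to everyone, whatever their role.
    if subject.city != SCHOOL_CITY:
        return "deny", "user is not in the school's city"
    if action != "read":
        return "deny", f"no rule permits action {action!r}"
    if record.sensitivity == "health" and env.hour not in SCHOOL_HOURS:
        return "deny", "health data may only be read during school hours"

    # Role-specific permits, each narrowed by a relationship attribute.
    if subject.role == "student":
        if record.student_id == subject.user_id:
            return "permit", "students may read their own record"
        return "deny", "students may not read other students' records"
    if subject.role == "parent":
        if record.student_id in subject.children:
            return "permit", "parents may read records of children in their family"
        return "deny", "record belongs to a student outside the user's family"
    if subject.role == "teacher":
        # The roster attribute changes each year, so access to last year's
        # class lapses automatically without anyone editing a role.
        if record.class_id in subject.current_classes:
            return "permit", "teacher is assigned to the student's current class"
        return "deny", "teacher is not assigned to this class this year"
    if subject.role == "administrator":
        return "permit", "administrators may read records within the school"
    return "deny", f"unknown role {subject.role!r}"


# Constructed sample data covering the scenarios from the article.
TEACHER_LEE = Subject("t.lee", "teacher", "Springfield", current_classes=frozenset({"grade4-B"}))
PARENT_KIM = Subject("p.kim", "parent", "Springfield", children=frozenset({"s1"}))
STUDENT_S1 = Subject("s1", "student", "Springfield")
REMOTE_ADMIN = Subject("admin1", "administrator", "Shelbyville")
LOCAL_ADMIN = Subject("admin2", "administrator", "Springfield")

RECORD_S1 = StudentRecord("s1", "grade3-A", "general")       # the class Ms. Lee taught last year
RECORD_S2 = StudentRecord("s2", "grade4-B", "general")       # her class this year
RECORD_S3_HEALTH = StudentRecord("s3", "grade4-B", "health")


def run_scenarios() -> dict[str, str]:
    """Return the decision ("permit"/"deny") for each named scenario."""
    day, night = Environment(hour=10), Environment(hour=22)
    return {
        "teacher_last_years_class": decide(TEACHER_LEE, "read", RECORD_S1, day)[0],
        "teacher_current_class": decide(TEACHER_LEE, "read", RECORD_S2, day)[0],
        "parent_own_child": decide(PARENT_KIM, "read", RECORD_S1, day)[0],
        "parent_other_child": decide(PARENT_KIM, "read", RECORD_S2, day)[0],
        "student_self": decide(STUDENT_S1, "read", RECORD_S1, day)[0],
        "student_update_self": decide(STUDENT_S1, "update", RECORD_S1, day)[0],
        "admin_wrong_city": decide(REMOTE_ADMIN, "read", RECORD_S2, day)[0],
        "admin_health_after_hours": decide(LOCAL_ADMIN, "read", RECORD_S3_HEALTH, night)[0],
        "admin_health_in_hours": decide(LOCAL_ADMIN, "read", RECORD_S3_HEALTH, day)[0],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} {outcome}")
```

Every decision carries a reason string, which is what makes the audit problem from the RBAC section tractable: a log of permit/deny outcomes with their reasons shows who could see what and why, and changing a single attribute (a roster, a family link, the login location) changes the outcome without any role maintenance.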
ABAC is an integral part of Zero Trust
ABAC is also an integral part of a Zero Trust strategy, which many organizations prioritize as they look to ensure their cybersecurity technologies and strategies can stand up to current threats while also adhering to government regulations.
Zero Trust grants the appropriate level of access for a user based on where they are and what they are doing in real time, together with the amount of risk the organization is comfortable with.
Protecting student information requires the right approach to data security
All stakeholders involved in education, from administrators to students and parents/guardians, must be aware of whether their institution has the right access control strategies in place, and ensure that it does, so that critical personal information is properly safeguarded.
From the institution’s perspective, they should look into what applications they have, who has access to the information within these applications, and how this information is accessed.
Whereas it was once enough to know that institutional employees logging on from the office or school had the appropriate verification, a more advanced access strategy is now required and should include both authentication and authorization solutions.
From the parent’s or guardian’s perspective, they need to ask questions about the applications that contain their information to ensure it is secure.
If the proper security measures aren't in place, they should raise these red flags with the school.
Some questions parents or guardians may want to ask include:
- Who has access to my child's information?
- How do you determine access rights?
It is also important to teach kids what to look out for so they can protect themselves when signing up for different applications.