Access Risk Management In Education

Educational institutions around the country are increasingly dependent on information systems that play an important role in their day-to-day business operations.

Regardless of whether the organization is a K-12 public school district, a community college, or a major university, identity and access management is critical for educational institutions of all sizes for three reasons:

  • In an era of tight budgets, a major goal of many institutions is to reduce the time, effort and expense required to create, manage, and remove access rights for various categories of users (students, faculty, administrative staff, parents, suppliers and business partners). Achieving this goal is particularly difficult given the highly seasonal nature of the school year, which creates pressure to create or terminate a large number of user accounts in a very short period of time at the beginning and end of the school year.
  • Many educational systems contain confidential information, including personally identifiable information (name, date of birth, SSN), health information, or financial data. Ensuring the security of sensitive data, protecting it against unauthorized access and preventing the risk of a data breach is essential, since a breach could have devastating consequences for individuals as well as the institution.
  • The Family Educational Rights and Privacy Act (FERPA) includes a mandate that organizations protect the privacy of personally identifiable information contained in a student’s educational record. FERPA requires universities and researchers to restrict access to education records to those with a legitimate educational interest in viewing the records. If an institution does not employ physical (e.g. a locked cabinet) or technological (e.g. a password) means to block access, the burden is on the school to show that access to protected information is effectively restricted.

Finally, the National Education Technology Plan 2010 calls for educational institutions of all types in the US to “Revise practices, policies, and regulations to ensure privacy and information protection...” A strong and effective identity and access management solution is an essential element of any strategy to achieve the goal of protecting sensitive, personal information from unauthorized access.

Courion in Education

Given the significant potential impact of an access breach, educational institutions need a solution that enables them to comply with these requirements and improve the security of critical cyber assets by ensuring that only the right people have the right access to the right resources and are doing the right thing with that access. They need Courion’s Access Risk Management Suite solution. The Access Risk Management Suite enables them to:

  • Control access to critical information assets, such as applications and databases
  • Verify the proper use of that access
  • Safeguard sensitive data from unauthorized access
  • Demonstrate compliance with key elements of government mandates and relevant regulations

Some of the Access Risk Management Suite features that educational organizations rely on include:

Manage Employee Access Rights: Educational organizations must cope with massive seasonal changes in faculty, staff, contractors, and students, particularly at the beginning and end of the school year. They must be able to provide these new users with access to the systems they require to be productive on Day One, and automatically remove their access when they leave the organization. They use Courion’s RoleCourier® solution to manage the role definition process, which ensures that users within a particular role (faculty, staff, student, alumni, parent, etc.) have only the access rights they require, and no more. AccountCourier® automates the process of account creation and termination, using either pre-defined roles or whatever access request and authorization process your organization uses. Integration with a system of record (such as an HR system or student enrollment system) enables automated "lights-out" user account provisioning. PasswordCourier® enables self-service password management, improving convenience for end-users while, at the same time, significantly reducing the load on your IT department help desk.

These solutions ensure that users have the appropriate access rights, reduce the potential for security violations, and significantly reduce the time, effort and cost of managing user access rights.

Identify Unknown Accounts: In many attacks, a hacker may attempt to compromise or create an account for their own purposes. Courion’s IdentityMap process locates user accounts on internal systems and associates those accounts with a known individual identified in a designated system of record. The initial IdentityMap scan can identify and resolve zombie accounts, which are accounts associated with someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts, which may indicate an attack. Courion can then alert the appropriate personnel to take remedial action.

Access Certification: Courion ComplianceCourier™ is used by line-of-business managers, compliance officers, security personnel, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with security policy or relevant regulations, ComplianceCourier provides a range of options to block or restrict unauthorized access. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.

Protect Sensitive Data: Courion’s Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access is not being misused to cover up illegal or unethical activities. According to the Verizon Business 2009 Data Breach Investigations Report, 67 percent of breached records were in locations that the organization wasn’t aware of. Integration with DLP technologies enables your organization to find sensitive student data, identify who has access to that data, determine how they obtained that access, and correct access that is inconsistent with the individual’s business role.

Identify Suspicious Activity: Courion’s User Activity Manager module leverages leading security incident and event management (SIEM) technologies to perform deep analysis of user activity. Integration with SIEM technologies enables you to identify patterns of suspicious behavior – after-hours access, large data downloads, access from a previously unknown account, etc. – captured in system log files, and combine that data with information concerning the user engaged in that behavior, such as name, title, department, manager, location, etc. You can then determine if the individual’s behavior is consistent with the needs of the business, and take the appropriate steps to terminate access to key applications if it is not.

Secure Passwords: Courion’s PasswordCourier® reduces potential access vulnerabilities by enforcing strong password policies, while its secure self-service password reset capability also dramatically reduces costs associated with help desk calls.

Benefits

Courion solutions provide organizations in the education sector with the following benefits:

Improve productivity: create accounts for new employees, faculty, students, parents, and others, quickly and easily, giving them immediate access to mission-critical business applications, while ensuring they have the minimum access to sensitive data required for their jobs.

Enhance security: dynamically adjust access rights as users change roles, such as when a student graduates and becomes an alumnus. Courion’s transparent synchronization technology allows users to use the same username/password combination for all systems, reducing the potential that they will be tempted to write down their password.

Eliminate zombie accounts: automatically suspend or discontinue access when users leave the organization.

Reduce costs: enable users to securely reset a forgotten or expired password directly from their PC, using a web browser, or via a telephone, without having to call the help desk, which delivers significant savings in reduced help desk costs. Courion's provisioning solution enables substantial reductions in busy IT staff overhead dedicated to managing the account creation, management and termination process.

Demonstrate compliance: quickly and easily attest that employees have access rights that are consistent with organization policy and relevant regulations.