K-12 schools can make the grade with identity and access management

School districts across the country are looking for ways to stretch their meager funding. An identity and access management system can help the IT budget go the distance by reducing the man-hours needed to create and manage student and teacher accounts and through precision purchasing of only the materials needed for online learning.

My hometown public school district is starting to talk to a neighboring district about a possible merger. The concern is that state funding could get reduced (again), making it hard for small independent districts to survive, much less thrive. At a time when the pressure is on to improve students’ performance in public schools, most districts are dealing with increasingly tighter budgets.

I’d venture to say there’s not a school district in the country that believes it has enough money to do everything it needs to provide a high quality education. It’s especially difficult for districts to justify budget for support staff such as IT professionals who are not in the classroom. However, these are the very people who are desperately needed to manage current computing resources while also bringing in new technologies to stay ahead of the curve.

For many public schools, the wave of the future includes e-learning and applications in the cloud—things like Google Apps for Education, Discovery Education, Edmodo, and learning management systems. Some states even mandate the use of online applications. Whether mandated or adopted by choice, the use of online applications presents another challenge for already overworked IT staff. Now they must create and support thousands or even tens of thousands of staff and student user accounts for those new applications and partition resources such as private document folders. It’s a daunting task unless the district uses automation to support the process.

Chesterfield County Public Schools (CCPS) outside of Richmond, Virginia, is one district that has the automation process figured out. The district recently implemented an identity and access management system that streamlines the process of creating and maintaining accounts for more than 58,000 students and approximately 7,500 teachers and other staff members.

Dr. Adam Seldow, Ed.D., is the Executive Director of Technology for CCPS. “We knew that if we were to use a range of websites for teaching and learning that we needed to make it so our students and teachers could click on one icon and get right into the site,” says Seldow. “We wanted to automatically provision everything and make it as simple as one click to get into these learning activities.” And with this latter statement, Seldow defined the district’s goal for account lifecycle management.

For CCPS, reaching that ultimate goal means starting from a disparate computing environment. Two separate systems are the authoritative sources for data on teachers and students; for teachers it is the county’s HR system, and for students it is a district-wide Student Information System. The challenge was to work through these two source databases to build a robust and cohesive account lifecycle management system that would put teachers and students into their online classes with ease.

CCPS uses technology from Identity Automation (www.identityautomation.com) to automatically extract identity data from the two authoritative source databases and consolidate it in Active Directory. Starting with the teacher accounts, Identity Automation used its Data Synchronization System (DSS) and Access Request Management System (ARMS) to automate the synchronization of data between the HR system and the AD system and to perform the setup and management of accounts. AD becomes the authoritative identity source for all target IT systems. Now when something changes in the HR system – such as a teacher transferring schools – an automated workflow propagates the necessary changes to AD and other systems beyond that.

The same tools and techniques were used to bring the student data into Active Directory from the Student Information System. This was a bigger task, not only because of the huge volume of students, but because the data is much more dynamic. For example, students change their class schedules much more often than teachers do, and this impacts group assignment within Active Directory and account permissions within applications.

CCPS now defines all of its groups with dynamic criteria instead of manually having to move people in and out of the groups as they did before. On a scheduled basis, the ARMS tool keeps refreshing the groups’ memberships based on those dynamic criteria. This enables granular capabilities. For example, a teacher can communicate homework assignments to students in a specific class using the Edmodo application, knowing that her notes can be viewed only by students in that particular class.

Identity Automation’s technology works with the application programming interfaces (APIs) of numerous applications to further extend the district’s identity and account management capabilities to numerous applications in the cloud. Using Google Apps for Education as an example, Seldow explains the value of being able to do that:

“We are able to take the class information from our Student Information System, including the student groupings of the class – for example, Section 3 of Algebra I in a particular high school – and pass it through using Google’s APIs, sync that list up in Google and make it so that it is dynamically maintained. As students come into the class or leave the class, that list is automatically maintained and up-to-date. That’s extremely important because just about everything we do, from the daily interactions between teachers and students as well as purchasing of content for specific classes or schools, is done through these groupings and the schedule.”

CCPS uses Google Apps for Education a lot, and Seldow says the importance of being able to use dynamic groups to manage accounts can’t be overstated. When a student account is created in the Student Information System, an account is created in Google, too, to ensure the account has the right naming convention and the right placements. Then later on as the student changes grades or schools, all of that gets automated with each change. If a staff member is terminated or a student de-registers, then the system automatically de-provisions their account. The district has automated the complete lifecycle management of the accounts.
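The scheduled group refresh and automatic de-provisioning described above can be sketched as a reconciliation pass over the source-of-truth export. This is an added example, not Identity Automation's or CCPS's code; the row fields, the group naming scheme and the removal-ratio guard are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows standing in for a Student Information System export.
SIS_ROWS = [
    {"id": "s1001", "school": "hs1", "course": "alg1", "section": 3, "status": "active"},
    {"id": "s1002", "school": "hs1", "course": "alg1", "section": 3, "status": "active"},
    {"id": "s1003", "school": "hs1", "course": "alg1", "section": 3, "status": "withdrawn"},
]
# Constructed snapshot of current directory groups (s1002 used to be in bio1).
DIRECTORY = {"hs1-alg1-sec3": {"s1001", "s1003"}, "hs1-bio1-sec1": {"s1002"}}


def desired_membership(rows):
    """Derive group membership purely from source-of-truth criteria."""
    groups = defaultdict(set)
    for r in rows:
        if r["status"] == "active":
            groups[f'{r["school"]}-{r["course"]}-sec{r["section"]}'].add(r["id"])
    return groups


def reconcile(rows, directory, max_removal_ratio=0.5):
    """Return the ordered actions that bring the directory in line with the source."""
    desired = desired_membership(rows)
    active = {r["id"] for r in rows if r["status"] == "active"}
    known = set().union(*directory.values()) if directory else set()
    leaving = known - active
    # Guard: an empty or truncated export must not mass-deprovision accounts.
    if known and len(leaving) / len(known) > max_removal_ratio:
        raise RuntimeError("source feed would remove too many accounts; aborting")
    actions = []
    for group in sorted(set(desired) | set(directory)):
        want, have = desired.get(group, set()), directory.get(group, set())
        actions += [("add", group, u) for u in sorted(want - have)]
        actions += [("remove", group, u) for u in sorted(have - want)]
    # Accounts no longer active in the source are disabled, not just ungrouped.
    actions += [("disable", None, u) for u in sorted(leaving)]
    return actions


if __name__ == "__main__":
    for action in reconcile(SIS_ROWS, DIRECTORY):
        print(action)
```

Stale memberships left behind by a schedule change are removed in the same pass that adds the new ones, so access follows the current roster rather than accumulating over time.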

Identity Automation also developed a single sign-on capability via ARMS. Teachers and students use an application access module that’s basically a customized portal into all of the applications at their disposal. They log into this web-based dashboard – from home, school or anywhere – and they see all their own applications and user profile.

When a person selects an application by clicking an icon, ARMS takes care of passing that individual’s authentication credentials to the chosen application. The person doesn’t have to remember multiple URLs, usernames or passwords—just the one username and password for the ARMS dashboard. And if a student forgets his password, he can reset it himself without help from a teacher or IT support. Teachers have unique privileges on the dashboard. They can see their students’ accounts and reset passwords as needed. Everyone can access their files that are on the network through this same interface.

“This system has given us the ability to operate at a level of efficiency that wasn’t otherwise possible,” says Seldow. The most important benefit is that teachers can now be up and running with all the necessary account access the instant they are hired. The financial benefits are important as well. The savings come from reducing the man-hours to manually provision and de-provision accounts and maintain Active Directory. What’s more, the precision of being able to purchase materials and software licenses just for specific groups generates savings. And the ease-of-use of single sign-on is a benefit for everyone.

Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2014 IDG Communications, Inc.