IT Security in schools


Have been considering IT security within schools recently and in particular password security.   Schools have a number of different systems each requiring users to have login credentials in order to access them.    This includes the schools Management Information System (MIS), computer login or Active Directory credentials, Parents evening booking systems and a multitude of other possible systems.

The ideal setup has always been to have an integrated environment  meaning that login credentials were synchronized across different services.   This would mean that users only have a single password which they need to remember, which would therefore allow for users to be encouraged to use a more complex and secure password.   A systems Admin could even set policy to require a certain level of password complexity.      I am no longer as convinced as to the merits of this approach.

As we look to make use of more systems within schools we engage more companies as the providers of the services we need.    Each new service increases our digital footprint in terms of the risk to which we are exposed.   We may have a reasonably high level of confidence as to Microsoft or Googles security, however can we say we have the same level of confidence with regards the provider of our SMS system, room booking system and school app?      Just consider the number of services impacted upon by Heartbleed.    If we have lesser confidence in the security of these service providers,  we are accepting they are of a higher risk yet we are entrusting them with the synchronized user credentials for all services.    Should these services become compromised then Microsofts, Googles and all other services, no matter how good their security is, are also compromised as the hackers have the appropriate login credentials.    An integrated environment is therefore not as secure as we believe.

I do not have an answer for the above issue however the approach I am currently examining is the use of password managers such as LastPass and 1Password.   They allow the user to have a single master password however this then manages a whole set of passwords which are different for each service being used.    Should a less secure service become compromised this would not impact on other services.   There is still the risk of the master password becoming compromised however you would hope that the service providers providing password managers are significantly more focused and capable on security than the provider of a schools library or similar systems.  This leaves the users selection of their password and it I think that’s an important point to finish on.

Ultimately the weakest link in the security chain is that of the users themselves.    The above may help in addressing security however the most important issue in IT security is and continues to be educating users to be aware and vigilant plus and to select passwords which are suitably secure.







Author: garyhenderson2014

Gary Henderson is currently the Director of IT in an Independent school in the UK. Prior to this he worked as the Head of Learning Technologies working with public and private schools across the Middle East. This includes leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the UK and Middle East.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: