I have been considering IT security within schools recently, and in particular password security. Schools have a number of different systems, each requiring users to have login credentials in order to access them. These include the school's Management Information System (MIS), computer login or Active Directory credentials, parents' evening booking systems and a multitude of other possible systems.
The ideal setup has always been an integrated environment, meaning that login credentials are synchronized across the different services. Users would then have only a single password to remember, which would allow them to be encouraged to use a more complex and secure password; a systems administrator could even set policy to require a certain level of password complexity. I am no longer as convinced of the merits of this approach.
As we look to make use of more systems within schools, we engage more companies as the providers of the services we need. Each new service increases our digital footprint in terms of the risk to which we are exposed. We may have a reasonably high level of confidence in Microsoft's or Google's security, but can we say we have the same level of confidence in the provider of our SMS system, room booking system or school app? Just consider the number of services affected by Heartbleed. If we have less confidence in the security of these service providers, we are accepting that they carry a higher risk, yet we are entrusting them with the synchronized user credentials for all services. Should one of these services become compromised, then Microsoft's, Google's and all other services, no matter how good their security is, are also compromised, as the attackers now hold valid login credentials. An integrated environment is therefore not as secure as we believe.
I do not have an answer to the above issue; however, the approach I am currently examining is the use of password managers such as LastPass and 1Password. They allow the user to have a single master password, which in turn manages a whole set of passwords, different for each service being used. Should a less secure service become compromised, this would not impact other services. There is still the risk of the master password becoming compromised; however, you would hope that the providers of password managers are significantly more focused and capable on security than the provider of a school's library or similar system. This leaves the user's selection of their password, and I think that is an important point to finish on.
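The two points above (a shared password turns one weak vendor into a compromise of every service, and per-service passwords from a manager contain the damage) can be checked concretely against a password manager export. The script below is an added example, not code from this post or from LastPass or 1Password. It assumes a CSV export with `url`, `username`, `password` and `name` columns, which is the general shape of such exports; the sample rows and the passwords in them are constructed for the example and are not real credentials. It reports which passwords are reused, computes the blast radius of a single compromised service, and replaces every reused password with a unique random one.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample in the layout of a typical password manager CSV export
# (url, username, password, name). The accounts and passwords are invented.
SAMPLE_EXPORT = """url,username,password,name
https://mis.example.school,j.smith,Summer2014!,School MIS
https://login.microsoftonline.com,j.smith@example.school,Summer2014!,Office 365
https://sms.example-vendor.com,j.smith,Summer2014!,SMS gateway
https://rooms.example-vendor.com,j.smith,xK9#pL2mQ7vR,Room booking
https://library.example-vendor.com,jsmith,Summer2014!,Library
"""


def load_export(text):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_report(entries):
    """Return {password: [service names]} for every password used by more than one service."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def blast_radius(entries, compromised_name):
    """Other services that share the compromised service's password.

    Matching on the password alone is deliberate: once a password leaks from one
    vendor, every other service where the same password is valid is exposed,
    regardless of minor differences in the username.
    """
    target = next(e for e in entries if e["name"] == compromised_name)
    return sorted(
        e["name"]
        for e in entries
        if e["password"] == target["password"] and e["name"] != compromised_name
    )


def generate_password(length=20):
    """Generate a random password from letters, digits and punctuation using the CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(entries):
    """Return a copy of the entries where every reused password is replaced by a fresh unique one."""
    reused = reuse_report(entries)
    fixed = []
    for entry in entries:
        new_entry = dict(entry)
        if entry["password"] in reused:
            new_entry["password"] = generate_password()
        fixed.append(new_entry)
    return fixed


if __name__ == "__main__":
    vault = load_export(SAMPLE_EXPORT)
    for pw, names in reuse_report(vault).items():
        print(f"password shared by {len(names)} services: {', '.join(names)}")
    print("if the SMS gateway leaks, also exposed:", blast_radius(vault, "SMS gateway"))
    print("if room booking leaks, also exposed:", blast_radius(vault, "Room booking"))
    print("services still sharing a password after remediation:",
          len(reuse_report(remediate(vault))))
```

Run against the sample, the report shows one password shared by four services, so a leak at the SMS vendor exposes the MIS, Office 365 and the library, while the room booking entry with its own password exposes nothing else; after `remediate` no password is shared. The same audit run over a real export is a cheap way to find where an "integrated" single password has quietly spread.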
Ultimately the weakest link in the security chain is the users themselves. The above may help in addressing security; however, the most important issue in IT security is, and continues to be, educating users to be aware and vigilant and to select passwords which are suitably secure.