In K-12 school districts, the move to the cloud was well underway—even before COVID-19 changed the way schools operate this year. CoSN’s State of EdTech Leadership Survey, released back in January 2020, found that 91% of district respondents have been using a cloud-based learning management system (LMS) like Google Classroom, or at least planned to in the near future.

Then, COVID-19 arrived and the transition to the cloud happened rapidly. Districts have increased their reliance on cloud computing, with apps such as Google Meet, Microsoft Teams, and Zoom to enable remote learning for students and staff. The work to secure these cloud environments will be an ongoing project for IT teams.

Cloud technology is fairly new to school districts, but the steps that need to be taken to secure it are relatively similar to how an online account or physical device is secured. It seems like remote learning is here to stay. This blog series will focus on three steps you can take that will improve your district’s cloud security posture.

Requiring Strong Passwords

A password is the first line of defense for your district’s school networks and managed devices. The same goes for your district’s cloud environment.

There’s a common saying in cybersecurity that “the best password is one you can’t remember.” Getting into the habit of using a strong password for critical district information and systems, and also helping teachers develop the habit for their own classes, will help keep your district protected.

What constitutes a strong password, exactly? Well, here’s the quick rundown of what one looks like.

  1. Length of at least 16 characters
  2. Contains a mix of upper- and lower-case letters
  3. Contains numbers and symbols
  4. Has no ties to personally identifiable information (PII)

Implementing a strong password that isn’t easy for users to remember is a great first step in protecting your cloud environment and all the applications connected to it.  You can even take this management a step further by prompting password resets every semester. There are some great password manager platforms out there as well that can make the task of managing your school district’s passwords, and any resets, much easier for you and your team.  An alternative to a strong password that isn’t easy to for users to remember is using a passphrase with all the qualifications above, but simpler to remember if you lack access to a password management application.

If a password does fall into the wrong hands (and chances are that one will at some point), there is another security measure you can enable that helps you make sure someone is who they actually claim to be.

Enable Multi-Factor Authentication

Multi-factor authentication (MFA) is another critical step in ensuring your district accounts, data, and apps stay protected and secure. If a password at your school district is compromised, the unauthorized person who obtained the password will have to prove that they are the person to whom the account belongs, which is difficult to accomplish.

MFA is a security measure that is widely used by enterprise companies and individual people as another security step to keep their accounts and data protected. There are different types of authentication that are commonly used, including SMS and email token authentication. There are also app-based authentication tokens—such as those from Google and Microsoft.

For business and personal use, it’s easier to enable MFA because most users are over the age of 18 and likely have a device capable of performing the authentication. For you—the K-12 IT admin—phishing attacks against your district have likely made enabling MFA an attractive security measure. However, there is more you need to consider since you’re working with students of all ages and demographics, where accessibility may be difficult.

  1. Will MFA be used in the entire school district? Or used only for the most sensitive school district systems?
  2. What grade level do you start enforcing MFA for students, if at all?
  3. How will digital equity among students impact the effectiveness and inclusiveness of MFA?
  4. Are teachers allowed to use cell phones while at school? Would they want to enable MFA on their device?
  5. What are the costs associated with purchasing keys or other MFA hardware?

There are also state regulations to keep in mind when it comes to enabling MFA at your school district. For example, the state of Texas has SB 820, which states that each Texas school district must adopt a cybersecurity policy to secure district cyberinfrastructure, determine cybersecurity risk, and implement mitigation planning.

At ManagedMethods, we recently discussed the topic of multi-factor authentication with a few district IT leaders during a virtual K-12 cybersecurity and student safety leadership series event, which you can watch to see different approaches being taken during implementation. MFA isn’t an end-all-be-all to cybersecurity, however. Cybercriminals are smart, so you still need to keep an eye on suspicious activity taking place inside your cloud environment.