As part of our ongoing commitment to advancing the protection of student data, we are talking with leading vendors and educational organizations to learn more about the ways they are using and safeguarding student data. As part of this series, Chris Moffatt, Director of Technology for Ed-Fi Alliance, shares the technical approach he takes with the help of the community to building a secure foundation for Ed-Fi technology.
Those of us in the education data world know one thing for sure – safeguarding education data is complex, multi-faceted, and rapidly changing. Every day, our state education agency and school district colleagues protect and manage data across three critical fronts: privacy (what rights and responsibilities do students, parents, and educators have to make information public or keep it private), confidentiality (who should know what information about whom, in what circumstance, and for what purpose), and security (how to keep information safe from risk of attack, disclosure, and malicious use).
Throughout this blog series, we’ve highlighted real world insights from leading education agencies and vendors as they continually refine their approaches to safeguarding data – not just the technical components, but also the policies, procedures and processes that govern those who access or manage the data. Here are three key approaches to building data security into every step of systems that use Ed-Fi technology.
Security by Design
Security has been a cornerstone principle of Ed-Fi technology from the very beginning. We drew on well-known tenets for secure software design to establish a technical foundation that delivers:
- Protection from disclosure (confidentiality) through extensive encryption
- Protection from alteration (integrity) by use of hashing
- Protection from destruction (availability) by architecting the Ed-Fi ODS/API and Dashboards for fault tolerance.
We also took a layered approach to authenticating users and authorizing access based on the user’s role. This ensures that data is protected at every step along the pipeline, from collection to classroom use. And by building with trusted industry approaches, we’ve made it much simpler for an agency or their vendor to maintain and keep pace with improvements.
Thorough, Freely Available Documentation
In an area as inherently technical as data security, details matter. That’s why we’ve taken extra steps to provide thorough, practical documentation of security concepts and configuration options – all of which is made available for free.
These detailed guides give Ed-Fi adopters the tools they need to implement secure systems within their own environment. Some of the specific security references include developer’s guides to security concepts and configurations, and deployment guidance for the Ed-Fi Operational Data Store and API, dashboard authentication and authorization, and security sections of the REST API design and implementation guidelines. (These are intended to provide detailed information to a deeply technical audience, so they aren’t exactly light reading. You’ve been warned!)
Field Tested, Community Enhanced
Just as the recent release of Ed-Fi Operational Data Store depended on community contributions and input, so does our continued work on security. The Arizona and Tennessee Departments of Education performed extensive penetration testing on their Ed-Fi Powered platforms. Their findings have helped us establish best practices for deploying and configuring Ed-Fi technology. Implementations underway in Wisconsin, Michigan, and Shelby County Public Schools will further enhance our real-world knowledge on how best to implement and maintain secure systems.
We echo what others in this series have said – the work of safeguarding student data is never done. But we hope this blog has given you a look under the hood at how the Ed-Fi Alliance, in partnership with its community of agencies and vendors, is moving from principles to practice. Watch for additional security-related resources from the Alliance tech team as our community continues to grow!