API’s Everywhere! CETPA 2018.

Presentation transcript:

API’s Everywhere! CETPA 2018

API security breaches (news headlines on the slide): “Facebook restricts its Open API” (April 7, 2018); “RIP Google Plus: Shutdown announced after API bug exposes 500,000 users' details”. The business side: Salesforce.com generates 50% of its revenues through APIs, Expedia.com generates 90%, eBay generates 60%. Source: The Strategic Value of APIs, HBR, Jan. 2015.

Background “Stuff” Ten years ago enterprises built monolithic enterprise software applications with few interfaces to secure. Now, however, developers break applications down into separate services and publish key functionality of their applications to the cloud as Web APIs (application program interfaces), and this usually includes sensitive data. APIs have redefined the way the education vertical delivers value to customers by creating “doorways” that allow a multitude of applications access to data and provide a specialized user interface for every occasion.

Opportunities/Risks APIs allow developers to create many architectures for sharing functionality and data between applications. API security is often mentioned as a critical concern by users, yet it is often left out of development and operational discussions. CIOs need to understand the risks and take the proper precautions when introducing mechanisms that can grab, change, and potentially destroy data from anywhere in the world. A new approach is needed to integrate security and privacy fully as part of the API lifecycle!

Building Access (slide diagram: a stack of layers, with “Standardize?” asked at both ends of it)
BIZ PROCESSES
DATA
ENCRYPTED PAYLOAD / PRIVACY
CALLS
AUTHENTICATION (SSO, ETC.)
SECURE SOCKET FOR EXCHANGE

API Options (slide diagram)
Easy Case, “Single API”: App 1 talks to one REST API.
Real World Case, “Many APIs”: many APIs connected through middleware.

SDPC Value Add 1 (slide diagram: Districts, Integrators, Vetting & Contracting Framework, Marketplace Products) The SDPC Project work has helped streamline the vetting and contract aspects of connections, but not the connections themselves.

APIs Are Not The Web Securing APIs with the same methods and technology we used to secure the conventional, browser-centric web does not always work. While it is true that APIs share many of the same threats that plague the web, they are fundamentally different and have an entirely unique risk profile that you need to manage.

API “Issues”
Allows for targeted hacking, and less focus on security by providers
Has given rise to API security programs
Made “swiss cheese” out of some firewall set-ups
Locales must “bend” to vendor-specific APIs:
The locale must change processes, sometimes without any clear new value.
The locale often must do DBA work or even programming to connect their data to the expected API.
The locale usually winds up with some slick apps that have stale data due to a lack of timely synchronization between back-office systems.

Standardizing API’s Organizations need to consider standardization on their journey to make their APIs easy to maintain, adopt and consume. Most organizations don’t invest enough time in standardizing the way APIs are designed, partly because they don’t realize the value of doing so. Standardization:
Can provide a great developer experience, leading to more powerful and useful API connections
Can save time and money on implementation, and on change
Dictates and allows for planned upgrades for both developers and customers
Can provide consistent access through a single authentication
Can bolster privacy through a consistent view of data

Why Use Openly Developed Technical Standards?
Access to all data
Scalability dependent upon funding cycles
Easier comparison and quality
Allows for best of breed solutions
Enables clearer migration paths
Easy discovery, access and use of learning resources and tools
Integrated instruction, assessment and reporting

How We Got Here…

Target: Successful Student Learning Progression (slide diagram)
Diagram elements: Administrative and Operational; Analytics, Dashboards, Portals; External Entity; School / School System; Curriculum, Instruction and Assessment; Student Enrolls; Identity; Data Needs.
Challenges: IT choices in schools adding overheads and risk (privacy, data integrity). Minimise effort to integrate with multiple systems > data hubs. Key to successful integration: careful selection and management of identifiers > local & national use.
Themes: Student Roster; Accountability; Timeliness; Identity Strategies; Ability to Manage Risks via Privacy and Security; “Simple to Enterprise” Data Integration and Scalability; Record Exchange.
Policy and Technology Underpins the Work

SIF Over 20 Years…. And Counting

Around Since 1997! SIF Specifications:
SIF 3 Infrastructure: Permits simple direct access to data. Empowers efficient batched process. Scales to real time events when needed.
SIF 2 Data Model: Use case based data objects create clear separation of roles. Remove ambiguity when talking about securing fields of data.

SIF Implementation Specification 2.4 158 Objects & 3300+ Elements … and most recently, the SIF Implementation Specification 2.5 introduced important extensions to the model in the area of Teaching and Learning functionality, including: Extending Assessment to incorporate the individual measures associated with a particular assessment item; providing a more flexible way to include established as well as new types of measures. Providing a more robust structure for Assessment psychometric measures that allow for a wide range of both innovative Measurements and different Test designs. Generalizing Student Participation to encompass multiple Programs.

xPress API Line Is a new line of modern, open, standard APIs for education. Provides schools/developers a way to simply and securely exchange data among apps, whether local, cloud or mobile. Developed from real-world use cases focusing on practical, easy to implement solutions. Uses contemporary technologies like REST and OAuth, enabling direct communication among systems (the “broker” is optional). Built on SIF 3.x Infrastructure and Data Model. RESTful with both JSON and XML support. No M.O.M. (i.e. ZIS) required. Represents commonly used CEDS data in a straightforward manner.

xPress Line - Roster Make it easy for consumers to get the most commonly used data: ROSTER, DEMOGRAPHIC, CONTACT. Guiding principle: Simplify and Flatten. Utilize SIF 3 element naming conventions to provide a logical link to the full enterprise model. Providers maintain a single set of refIds. Minimize reliance on XML-specific features (ease transition to JSON).

SIF NA 3.2 “roster” objects = 16 Objects: student, staff, contactPerson, school, lea, section, course, address, schoolCalendar, schoolCalendar-Item, term, contactPerson-Association, staffPerson-Assignment, staffSection-Association, studentSchool-Association, studentSection-Association

SIF xPress Roster API = 7 Objects: xStudent, xStaff, xContact, xSchool, xLea, xCalendar, xRoster. Simple object model using logical names based on the SIF 3 entity model.

xPress Line - SRE Student Record Exchange: a wrapper object that contains all needed SRE “pieces”.
Student Demographic Record: Identifies the student
Student Academic Record: Identifies the schools or institutions the student attended
Student Special Education Record: Provides special education placement and participation data
Student Record Content: Container object for non-SIF data

Puget Sound SRE – Across Standards! 7 school districts around Seattle, WA; 153,000 students; 16,000 transfers per year. Universal translator. Hub & Spoke model. Real-time. Dedicated to open standards.

IEP Eligibility

IEP Program

xPress Line – Grade Pass-Back

End Game? Start with some basics:
Push suppliers to utilize established and openly developed standardized APIs.
Develop API security policies, including authentication and authorization of API users, traffic management and content threat detection.
Evaluate API management gateway technologies.
Evaluate existing platform vendors to determine how they can contribute.
Remove or tokenize sensitive data in the API URL path.
Maintain an inventory of your APIs, starting with externally exposed APIs. Student Data Privacy: an SDPC app?
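The two most concrete items on that list, tokenizing sensitive data out of the URL path and inventorying the APIs that still expose it, can be shown in a few dozen lines. The following is an added illustration, not code from the CETPA 2018 deck, from A4L/SDPC or from any xPress implementation: the /xStudents resource name, the in-memory token vault, the "METHOD PATH STATUS" log format and the sample identifiers are all constructed for the example. The audit half generalizes the slide's point slightly by scanning gateway access-log lines for raw identifier segments, which is the cheapest way to find the APIs an inventory missed.

```python
"""Tokenizing sensitive identifiers out of API URL paths, and auditing
request paths that still carry them.

Added illustration for the "Remove or tokenize sensitive data in API URL path"
and "inventory your externally exposed APIs" points; not code from the CETPA
2018 deck, A4L/SDPC or any xPress implementation. Resource names, log format
and identifiers are constructed.
"""
import re
import secrets
from typing import Dict, List, Optional

# Hypothetical server-side mapping token -> identifier. In a real service this
# lives in a protected store; the point is that only the opaque token travels
# in the URL, where a raw identifier would otherwise land in proxy logs,
# browser history and referrer headers.
_VAULT: Dict[str, str] = {}
_REVERSE: Dict[str, str] = {}


def tokenize(sensitive_id: str) -> str:
    """Return an opaque, unguessable token for a sensitive identifier.

    secrets.token_urlsafe(16) gives 128 bits of randomness, so the token
    cannot be derived from the identifier (unlike a plain hash of it). The
    same identifier maps to the same token for the life of the mapping.
    """
    existing = _REVERSE.get(sensitive_id)
    if existing is not None:
        return existing
    token = "tk_" + secrets.token_urlsafe(16)
    _VAULT[token] = sensitive_id
    _REVERSE[sensitive_id] = token
    return token


def detokenize(token: str) -> Optional[str]:
    """Resolve a token back to the identifier; None if the token is unknown."""
    return _VAULT.get(token)


def student_path(state_student_id: str) -> str:
    """Build the REST path with the token in place of the raw identifier."""
    return "/xStudents/" + tokenize(state_student_id)


# Constructed heuristic for what "sensitive" looks like in a path: a bare
# 9- or 10-digit path segment (SSN-like or a state student id). Tune per
# deployment; the tk_ prefix keeps issued tokens from ever matching.
_RAW_ID_SEGMENT = re.compile(r"/\d{9,10}(?=/|$|\?)")


def path_leaks_identifier(path: str) -> bool:
    """True if a URL path still carries a raw identifier segment."""
    return _RAW_ID_SEGMENT.search(path) is not None


# Constructed access-log lines in the form "METHOD PATH STATUS".
SAMPLE_LOG: List[str] = [
    "GET /xStudents/1234567890 200",
    "GET /xStudents/tk_Qm9ndXNUb2tlbkZvckV4 200",
    "GET /xSchools/42 200",
    "GET /xStudents/123456789/xRoster 200",
]


def audit_access_log(lines: List[str]) -> List[str]:
    """Return the request paths from the log that still expose raw identifiers."""
    leaks: List[str] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip malformed lines rather than aborting the audit
        path = parts[1]
        if path_leaks_identifier(path):
            leaks.append(path)
    return leaks


if __name__ == "__main__":
    print("tokenized path:", student_path("1234567890"))
    print("paths still exposing identifiers:", audit_access_log(SAMPLE_LOG))
```

The token is random rather than a hash of the identifier on purpose: a hash of a low-entropy value such as a nine-digit number can be reversed by enumeration, so it would only move the exposure rather than remove it.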

SDPC Value Add 2: Connected Privacy (slide diagram: Districts, Vetting & Contracting Framework, “Secure/Quick Connections”, Privacy Standards Certification, Integrators, Marketplace Products) The next project of the SDPC, Connect, is going to enable those connections to take place in a standardized manner, streamlining the work of schools, integrators and marketplace providers. Added here are the multiple integrator-to-integrator interactions districts sometimes use.

Student Data Privacy Consortium. A4L Web: www.A4L.org. Student Data Privacy Consortium: https://privacy.A4L.org. Larry L Fruth II, Ph.D., lfruth@A4L.org, 202-607-1178. Assessment Areas for Consideration.