Don’t be complacent about data security
vice president of higher ed strategy and research, Canvas by Instructure
More personal data about students and their learning activities is stored online; here’s how to protect it
Have you ever been awoken by a loud noise in the middle of the night? Your body shifts from resting to alert in an instant. What just happened? Am I safe? Is the house secure? Did I lock the doors? At some point, you either get out of bed to investigate, or assure yourself it was nothing, and you go back to sleep.
We go through a similar shift from sleepy ignorance to total awareness each time a company reports a data breach that has put our personal information at risk. Except in these incidents, we have far less control over what happens next—and far less visibility into both the causes of the breach and the subsequent fixes and safeguards that the company implements to prevent such an event from happening again.
Data security is a major concern for education, even though, much like consumers, we may take it for granted unless there is a problem. But the stakes grow higher every year. As education continues to adopt new technologies to support teaching and learning, more personal data on students and their learning activities is stored online.
Ed tech companies have a clear and direct responsibility to protect that data, and educational institutions are obligated to thoroughly vet a vendor’s security policies and practices prior to adoption. Privacy policies and end-user license agreements are helpful, but limited, as they merely represent how a company intends to use data. Industry-standard certifications like SOC 2 are better, as they provide some insight into how a company secures information through internal processes and safeguards. But how can you know if the software itself is vulnerable to external threats?
Trust, but verify
Perhaps we take the vendor’s word for it. Hopefully we can look at its track record for responding to major vulnerabilities that made the news in years past. But how do you know that the company’s fix worked? And how can you tell if there are other vulnerabilities in its code waiting to be exploited?
By making the software source code freely available for anyone, open-source software provides a level of transparency that traditional software providers don’t. Historically, open-source advocates have emphasized the freedom to install, run, and adapt the software. But open-source software also has an advantage in that anyone, at any time, can inspect and evaluate the underlying code.
4 reasons why open-source code is the smart choice
Recently, the University of Minnesota conducted a high-level security assessment of two open-source learning management systems (LMS), the software used by students and instructors every day for a variety of teaching and learning activities, including grading.
The report suggests four main takeaways:
1. An open-source LMS has an advantage for educational institutions in that the source code can be evaluated and tested for vulnerabilities at any time.
2. LMS providers must demonstrate a clear and deliberate security strategy that includes regular, internal evaluations and processes to safeguard data, such as SOC 2.
3. LMS providers should be able to deploy software updates automatically for all users when a problem is detected.
4. An LMS should be subject to regular, independent security evaluations that result in detailed public reports of findings. Making such reports open to the public not only provides transparency around discoveries, but it can also confirm that any vulnerabilities have been fixed.
These recommendations reflect our own beliefs and practices at Instructure around the security of educational technology. Open-source code provides necessary transparency and empowers people to conduct their own evaluations. Cloud architecture empowers us to apply patches live, without taking the service down, so that we can remediate unexpected vulnerabilities ASAP.
Internal policies and practices are critical, but not enough—Instructure engages in open, annual security audits of our Canvas LMS by independent security experts. And we make the reports of these audits publicly available on our website, so that even if you can’t dig into the Canvas source code yourself, you can still understand its level of security.