Within every market—whether it be government, business, healthcare or education—it’s crucial that identity and access management (IAM) solutions are designed and implemented with close adherence to the latest government, regulatory, and best practice security frameworks and laws, in order to help organizations meet their compliance goals and to ensure the integrity and security of their user data.
In the education market, specifically, there is a strong uptick in activity surrounding Student Data Privacy (SDP). The Electronic Frontier Foundation (EFF) is one of the strongest proponents of rights and liberties in all areas of consumer information technology. Most recently, they’ve released the results of a study, in which they analyzed areas of concern within SDP and initiated a call for action to better organizations’ efforts surrounding this key area.
To that end, we want to pinpoint some of the key questions and ideas that the EFF brought up in their study and provide some answers to those questions, with regard to our RapidIdentity solutions.
What data is required by staff or students, in order to use RapidIdentity within their educational organizations?
RapidIdentity doesn’t have a specific data requirement, beyond the need to synchronize and provide needed data to any connected systems or third party applications, as specified or required by an educational institution.
RapidIdentity is strictly the solution by which required data is transmitted, synchronized, or used to meet the requirements set forth by school or district IT staff. Data collected or used by RapidIdentity will not be disseminated to any other parties, beyond what the district has made the choice to share. The district or organization maintains the requirement to inform its users via written, posted, or other communicated policies about the usage of the system and any collected data.
Do students, staff, or parents have the ability to opt in or out of usage of RapidIdentity?
The choice of students, parents, or staff members to participate (or not) in the usage of RapidIdentity, or to have RapidIdentity synchronize their data with district-designated systems, is governed by the district. RapidIdentity allows complete control of what data is synchronized and what access is allowed via integrated applications, and the responsibility falls upon the district to ensure that users have the ability to opt in or out, as necessary. RapidIdentity solutions can be tailored to meet these needs, as provided to us by our customers.
Does RapidIdentity force students to use individual applications which have been configured within the end-user Portal?
Application usage is entirely at a district’s discretion. RapidIdentity is simply a point of control or visibility for single-sign-on to various organizational applications, and the choice to provide and/or mandate use of said applications is the responsibility of the district. Our solutions in no way require a user to use any provisioned applications, and a user’s access to, or within RapidIdentity, itself, may be governed at the district’s discretion.
What encryption is used within RapidIdentity solutions, in order to protect end-user data?
Data encryption can be performed at various levels—more specifically for RapidIdentity customer use cases, during transmission and in storage.
With regard to data transmission across the wire, RapidIdentity supports encryption via the protocols over which a given application or system is configured to communicate or accept data. This includes SSH / SCP, HTTPS, LDAPS, and other secure transmission protocols, as needed.
With regard to encrypted data storage or retrieval, RapidIdentity does not directly store critical information on the appliance, with the exception of custom-configurable audit logs and data (retention periods are configurable, as well as data to be retained). Regardless of storage location, whether “on-appliance” or within other customer data and file systems, RapidIdentity is capable of encrypting and/or decrypting data prior to writing and use, for sensitive storage needs.
How long does RapidIdentity retain data?
RapidIdentity doesn't retain audit, log, or any data that may contain PII for any specific length of time. Each solution provides configurable retention policies that can be defined by the district, such that THEY (the district) control what data retention is to occur (what specific data types or amounts), and for how long, based on their regulatory or other requirements and needs.
History, Auditing, or Tracking Usage
Does RapidIdentity make any attempt to track or audit specific usage trends or activities by end-users, whether for research or other purposes?
End-user activity auditing is configurable (to database, file, or other remote logging mechanism), as determined by the district.
In general, audited activities include events, such as “user launched an application from within the Portal”, “user logged into the Portal”, “user changed their password”, or “administrator / help desk changed user password” and timestamps specific to these events. This is to provide audit trails, both for security purposes and for cost analysis by the district, such as determining cost savings for elimination of certain help desk activities.
Retention of specific details of audited events is configurable, such that security data (passwords, challenge / response answers for self-service password changes, and PII information) are not retained within the audit data, unless the district has defined a specific need for such, at their discretion.
Access to audit data is strongly protected, via privileged role management and access controls, which may include one or more of the following: federation, multi-factor authentication methods, and time-, location-, role- or attribute-based Access Controls.
Beyond auditing of RapidIdentity-specific actions, no other history is maintained. RapidIdentity does not track browsing history or any application usage within applications, beyond the user having launched them from within Portal. This is solely to ensure there is record of access and that no abuse of access has occurred.
Additional Protections / Safeguards
Does RapidIdentity provide additional safeguards to prohibit improper data access or use of the system?
Beyond the aforementioned access controls (multi-factor authentication capability, time-, location-, role- or attribute-based Access Controls, etc), RapidIdentity also provides the ability to use Workflow in order to provide data access / permissions and administrative functionality to specific users on an as-needed basis.
Workflow allows temporary elevation of privileges for users to accomplish higher-security tasks. Workflows may require approvals from additional staff to ensure that these activities only occur with management approval. They may be revoked at any time or at configurable intervals to ensure access exceptions are not left unchecked. Additionally, workflow provides detailed audit trails, so that organizations have a clearer view of what user performed what activity and by whom that activity was approved.
We’ve addressed the most common questions that may arise when discussing the Electronic Frontier Foundation’s SDP report, as well as other student, parent, and staff considerations of data privacy. Should you have additional questions or wish to inquire about how RapidIdentity solutions can help you meet your data privacy needs, please contact us, and we will be happy to discuss your needs further.