
Design and Security Practices

Design

The frontend service is the only internet-facing application. The backend API is responsible for executing all tasks. The backend service is not accessible by any hosts outside datashutl's private AWS subnet. The backend is the only service that will decrypt Veracross secrets for tasks during execution. For security purposes, the Veracross Client Secret will not be returned to the client browser once set. However, users may update the client secret through account preferences.

datashutl-diagram.png

Amazon AWS

Amazon AWS is fully leveraged with a focus on keeping data encrypted at all times, both in transit and at rest.

AWS products leveraged include:

  • EC2 (with encrypted volumes)
  • IAM Users and Policies (with minimum required policies)
  • DynamoDB
  • KMS encryption keys
  • Secrets Manager
  • S3 encrypted storage
  • Route53
  • CloudFront and Web Application Firewall (WAF)
  • Simple Email Service (SES)
  • CloudWatch audit tracking

User Accounts

All user accounts are hosted by Okta Auth0. Your account password is not accessible to datashutl. Password resets, multi-factor authentication, account verification, and login sessions are all controlled through Auth0.

Users will be forced to change passwords after a maximum of 90 days.

Data Retention

Only data needed by the module/shutl is retained. This includes data in log files. Schools can choose how long data is retained in datashutl. Once data exceeds the retention period, it is permanently deleted from datashutl. Recovery of the data is not possible once it has been deleted.

Audit Log

Detailed audit logs are kept to track actions by the system and the users. This helps to keep an audit trail for all data, knowing where it has been created, viewed, and deleted.

Security Scorecard

Regular scans of datashutl will be performed by the third-party service SecurityScorecard. The latest results can be found on the SecurityScorecard site. All efforts will be made to maintain an "A" rating with SecurityScorecard.

Prowler Open Source

Prowler will be used to monitor AWS for security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness, and remediations.