First Draft - Security Requirements for Campus Student API
Background & Business Value
Goals
- Provide access to student data to the campus community for application development outside of SIS&T in a secure and standardized way.
Background and strategic fit
So far developers on campus have been getting student data by running Gaucho Blue extracts several times a quarter, and importing the data into their systems. Alternatively some of them have gained access to student data thru SIS&T's operational data store, where firewall rules have been put in place to allow external departments to access our ODS server. Still, some people on campus have developed applications, where the student data is fed thru copy/paste methods very infrequently.
All these cases make our data insecure as it requires that it is saved in these external systems. The information is not timely refreshed, it requires a lot of manual intervention, and it leads to many different interpretations.
SIS&, as the custodian of the Student Information System data, is responsible to provide it to campus partners in a secure and standardized way to meet their business needs.
The campus API management tool (Apigee) implementation project provides a platform for accomplishing our goals of proving access to the student data in a secure and standard way.
Assumptions
- Campus developers will want to transition their applications to utilize the new student and curriculum APIs.
- Apigee contract will be extended by the CIO office going forward.
Out of Scope
Requirements
ID# | Title | User Story | Priority | Notes | Status |
---|---|---|---|---|---|
1 | Authenticate the end-user | As a data provider identify the user accessing my data | Must have |
| To Do |
2 | Authenticate the application | Allow an application to access API(s) |
| ||
3 | Authorize the end-user | As a data provider limit the scope of data to which the end-user has access As an end-user access the data that they are allowed to access |
| ||
4 | Ability to limit data elements returned for an application | Per application limit the data elements that we allow access to | Must have |
| |
5 | All API requests should be encrypted | Use https for all API calls |
| ||
6 | All services should be reasonably secured from unintended access | As a service provider services should not be accessed from unknown entities on the internet. |
| ||
7 | PL4 level data in APIs might require encryption | PL4 - SSN, financial and medical data |
|
User interaction, design & Architecture
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|