Skip to content

Security Infrastructure Reference#

This article provides some details on components of the infrastructure and links to resources; see the security overview article for a higher-level explanation of the security principles.

Cloud security#

edu leverages the security capabilities and tools of the cloud providers it is built upon: AWS and Snowflake.

In AWS, all edu resources are created inside a VPC, which can be locked down with various network policies and rules. (This whitepaper gives more detail about AWS's security features.) Key ways in which edu leverages AWS's security features include:

In Snowflake, the security capabilities edu leverages include

Network security#

Network access to edu is secured by all the features provided by AWS, including secure network architecture (with firewalls and monitoring), secure access points and transmission protection, fault tolerant network design, and automated monitoring systems that mitigate DDoS and MITM attacks.

Data security#

Data in edu is secured both in transit and at rest.

In transit, encrypted channels are always used to move data:

  • HTTPS when moving data out of the Ed-Fi API
  • TLS when moving data into the data lake (AWS S3)
  • HTTPS when querying or moving data out of Snowflake (see Snowflake end-to-end encryption)

At rest, data stored in AWS S3 is encrypted using keys managed using AWS Key Management Service.

Access security#

If (as recommended) SSO is implemented, users must authenticate with your identity provider to access the data. IdPs may further require MFA for additional security. Access may also be limited by IP address.