MSP SIG - May 19, 2022

Attendees

First Name      Last Name   Organization
Sean            Casey       Ed-Fi Alliance
Stephen         Fuqua       Ed-Fi Alliance
Jean-Francois   Guertin     EdGraph
Jason           Hoekstra    Ed-Fi Alliance
Jeremy          Perkins     Instructure
Mark            TenHoor     Education Analytics
Patrick         Yoho        LandingZone

Support

Nancy Wilson, Ann Su - Ed-Fi Governance Support

Meeting recording Link

The meeting is scheduled on 2022-05-19 12:00pm - 1:15pm CT via WebEx

Agenda/Notes

  • This SIG meeting will convene to discuss deployment at scale, with a focus on learning from everyone's experience and recommendations: what is needed to help support your operations, and questions such as what matters for security at scale, what the key patterns are, and how Ed-Fi security operations can best support partner operations. We'd like to dig into the details of enhancing the value of customer solutions built on Ed-Fi implementations while ensuring information assurance and security within those deployments, so that patterns, techniques and best practices can be shared from the lessons learned.

    Items discussed from the call from its agenda:

    • Contribute code or approaches: 
    • Ed-Fi & Security Overview Today
      • Security is an implicit "must-have" in all the work we do collectively to serve K-12 information.  Ed-Fi interconnects with multiple systems of record with sensitive information contained within; those who we represent expect full information assurance and best practices from both the technology and practice aspects of our work.
      • Ed-Fi Tech Team manages annual security reviews and contracts with Praetorian, a well-known IT risk assessment and security services firm.
      • ODS/API (Platform) is primarily reviewed as part of this effort (and as core to our data interoperability work).  Admin App, as it has responsibilities for key/secret management and other system functions, is also part of our annual reviews.
      • These reports have been internal-focused to date.  From our engagements with Praetorian, we have not yet seen high or significant findings as a result of their security audits.  Generally, Praetorian has reported that Ed-Fi ODS/API and Admin App are within the top 25% quartile of their clients for good code and security practices, which is received as a positive signal for today's investments in code quality, maintainability and internal practices towards security concerns.
      • 2019 report overview - guidance that Active Directory in its default configuration (i.e. "out-of-the-box") is likely to present security risks within the environment.  Given this, as well as other community-reported issues, the Tech Team migrated off of Active Directory to the ASP.NET Identity based solutions in use today.  (ASP.NET Identity is also being used to extend SSO for Tools using OIDC on the 2022 roadmap.)
      • In the future, if major findings are reported from a Praetorian review, assume that Ed-Fi would a.) work closely with Praetorian to understand the full risk and resolution of the discovery through the full cycle and b.) communicate in a timely manner with those who may be affected by such findings.
      • From discussion, there are opportunities for Ed-Fi to widen communications to community members whose operations overlap in these areas.
    • MSP Operations w/ Ed-Fi Tech
      • Deployment chains & keeping up to date
        • Generally the MSP community strives to keep up-to-date with Ed-Fi technology releases as much as possible.  Many factors can exist around decisions to choose particular versions of products within the Ed-Fi Tech Suite, including implementation-site data standard requirements, existing systems and so on.
        • MSPs generally either build the ODS/API from source code or pull from Azure Assets as the basis of code deployment.
      • Used to be on TeamCity; now starting to move QA testing and automation into GitHub Actions.
        • Would need to check with software engineers, but timelines are great when they run; when time elapses, those recommendations may have changed in the meantime.
        • What would be an ideal release strategy?
          • Notifying - email would be more formal
          • Release cycle and hotfixing – need time to test it to be ready to use for following year especially with changes requiring database change
          • There may be more lifts - may be differences between platform and tools release cycles
          • We can continue to support trying to get it into your work faster - hot fix or whole channel redeployed?
            • Rebuild approach is better. Would want the same sort of dependency module import for the Ed-Fi code base, with updates pushed out so we can automatically update the packages or dependencies.
        • Automation tools for security
          • One recommended tool, used by some, is https://snyk.io/ to automatically identify issues (the open source version mostly covers dependencies)
          • https://hub.docker.com/u/edfialliance
            • For us, an automated build or pipeline is GitHub Actions
          • Used to zip packages and more, with that build as the final destination, but the Docker possibility adds other components into that.
          • How Google Tests Software by James Whittaker - a change in strategy for a lot of people, but the change in structure has been recommended.
        • Future request - configuration providers - want some other way than JSON provider
          • Ed-Fi has had experience with Azure app and Key Vault - how to work in a way usable for multiple cloud providers?
            • Some are using Kubernetes environment variables and Dev Secrets (including Manager Integrations), because unless you populate the configuration at run time via Docker, the config file gets baked into the image.
            • Some are using Google Secret Manager to store config values
        • Tickets to follow up on feature requests:
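As an added illustration of the configuration-provider point above (not from the meeting or the Ed-Fi project): a Kubernetes Deployment fragment showing the weak pattern, where a connection string with a password sits in the manifest or is baked into the image's appsettings.json, next to the corrected pattern, where the value is injected at run time from a Kubernetes Secret. The Deployment, container, image, Secret name and configuration key (`ConnectionStrings__Placeholder`) are hypothetical; the `__` separator is the .NET convention for mapping environment variables onto hierarchical configuration keys, which is what lets the environment-variable provider override the JSON provider.

```yaml
# Constructed example: two ways of supplying a database connection string to
# a containerized ODS/API. All names, images and keys are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ods-api-example                  # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels: { app: ods-api-example }
  template:
    metadata:
      labels: { app: ods-api-example }
    spec:
      containers:
        - name: ods-api
          image: example.invalid/ods-api:placeholder   # hypothetical image
          env:
            # WEAK: the password is readable by anyone who can read this
            # manifest, and is equivalent to shipping appsettings.json with
            # the password inside the Docker image (baked in at build time).
            # - name: ConnectionStrings__Placeholder
            #   value: "Server=db;Database=PLACEHOLDER;User Id=app;Password=PLACEHOLDER;"
            #
            # CORRECTED: neither the image nor the manifest holds the secret;
            # it is injected at run time from a Kubernetes Secret. The "__"
            # maps this variable onto the nested key ConnectionStrings:Placeholder,
            # so the environment-variable provider overrides the JSON provider.
            - name: ConnectionStrings__Placeholder
              valueFrom:
                secretKeyRef:
                  name: ods-api-db           # hypothetical Secret name
                  key: connection-string
---
# The Secret itself is populated out-of-band (for example from a cloud
# secret manager at deploy time) and is never committed next to the image.
apiVersion: v1
kind: Secret
metadata:
  name: ods-api-db
type: Opaque
stringData:
  connection-string: "REPLACE-AT-DEPLOY-TIME"   # placeholder, not a real value
```

Pair this with an image whose appsettings.json carries no credentials, so the only place the connection string exists at rest is the secret store.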