Updated 30 Jun 2022
In many ways, EdTech SaaS companies are no different from any other SaaS companies, at least as far as securing them goes. So, in this article, we’ll start by discussing the general problem of securing a SaaS. Then, we’ll point out what, in particular, needs to be secured in an EdTech SaaS solution.
A SaaS, by definition, is in the cloud, and software in the cloud has two types of vulnerabilities: cloud and application.
Cloud vulnerabilities are those associated with the cloud infrastructure. This includes hardware, software, networking, and facilities. Some of these vulnerabilities can be found in the Cloud Security Alliance’s (CSA) Top Threats to Cloud Computing.
Because of the Shared Responsibility Model, for the most part, cloud vulnerabilities are the responsibility of the cloud service provider (CSP). And the CSPs have been doing a good job in this area. According to the CSA, “many traditional cloud security issues that fall on cloud service providers (CSPs), such as denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, are no longer perceived as a significant business risk of cloud adoption.”
The Shared Responsibility Model also dictates that the other type of vulnerability, application vulnerability, which includes infrastructure configuration and customer data, is your responsibility. These are the vulnerabilities you need to address to secure your SaaS.
A good place to find a comprehensive list of the most important application vulnerabilities is the OWASP Top 10. From OWASP, “Companies should adopt this document and start the process of ensuring that their web applications minimize these risks.”
So, how do you secure your SaaS application against these vulnerabilities?
A good starting point for securing your SaaS application is threat modeling. Modern threat modeling does more than just model application threats. It is a practice that helps you identify critical assets, typically data. This is important because not all data is equally critical when it comes to the damage it can do to your organization if compromised. Moreover, it is the alignment between these critical assets and the identified vulnerabilities that helps you prioritize your security, and in turn, your security budget.
Once you’ve identified the most important vulnerabilities to address, you can then move on to best practices for securing these vulnerabilities. Search the internet and you will find all kinds of best practices lists for cloud applications. Here is a short list of the best of the best.
EdTech vulnerabilities boil down to data vulnerabilities, and in the field of education, there are a lot of different types of data. As mentioned in a previous article, Regulations You Must Know About for Your EdTech SaaS, there is academic data, personal data, health data, family data, and third-party data.
Some or all of these different categories of data potentially have compliance regulations associated with them, which means there may be a fine for violations. These are the data you use in your threat model to identify the key vulnerabilities which need to be addressed first in your EdTech SaaS. Refer to the article above for a list of key regulations that apply to EdTech solutions.
When it comes to securing your EdTech SaaS, the starting point should be the privacy of student data. That should be followed quickly with content filtering to ensure accessible content is age-appropriate.
With that as context, there are a few best practices to follow. First, don’t store any data you don’t have to. Just because you may need some data to make a decision, that doesn’t mean that data needs to be stored forever. If it doesn’t need to be stored for future use, do not capture it in the first place.
Our newsletter (you’ll love it):