Intellischool uses industry-standard (or stronger) security technologies to protect data in our systems at every stage of its lifecycle.
When implementing new systems, particularly those that handle personal or sensitive information, customers often ask us to summarise some of our security practices. This article aims to provide a high-level view of how we ensure the security of our customers' data.
When we're retrieving data
Intellischool typically uses three primary methods of retrieving data - via Application Programming Interfaces (APIs), database integrations, or file uploads.
Application Programming Interfaces (APIs)
Most of our integrations use vendor APIs to retrieve data from systems. Whenever Intellischool interacts with an API, we do so via a TLS-encrypted connection directly to the integrator's API that uses a minimum of TLS v1.2 with a strong cipher suite.
Our systems will reject API connections that use unencrypted communications or legacy cipher suites. Where a vendor supports it, our systems will use a cipher suite that provides forward secrecy and authenticated encryption (AEAD).
To ensure that your data is only ever available to authorised parties, Intellischool never uses third-party API aggregation services.
Database integrations
In cases where a vendor does not provide an API, or insufficient breadth of data is available through an API, Intellischool often integrates directly with back-end SQL databases. This type of integration is usually only available to customers with on-premises implementations of the tool being integrated, or if the vendor provides a secure means of accessing their database for cloud-hosted implementations.
Database integrations require our clients to host the Intellischool CLI somewhere on their own infrastructure. Some Intellischool partners - such as SIMON and Schoolbox - include the CLI with their products, so you don't need to install it. However, if you're using a different tool, your Engagement Manager will guide you through the installation process.
It is up to clients to ensure that the CLI is installed somewhere appropriately secured. Intellischool will not take responsibility for insecure CLI implementations.
The CLI connects directly to the source system database via an encrypted connection, provided that the vendor supports it. Wherever possible, we also recommend using an SSH tunnel to add an additional encryption layer. Encrypted connections via an SSH tunnel are a requirement for cloud-hosted database integrations.
If an encrypted connection to a database is not possible due to vendor limitations, Intellischool will only connect to the data source if it can do so via a secure network pathway (i.e. direct connection on the same LAN/VLAN, and never via the Internet).
Once connected to the source database, the CLI streams data directly to Intellischool's cloud systems via a TLS v1.3 connection. In cases where temporary storage of data is required, the CLI will keep a short-term copy of data locally (where the CLI is installed) - which is why the CLI must be installed in a secure place.
File uploads
Where an API integration or a database integration is not possible, Intellischool supports file uploads.
File uploads can only be completed by an authorised user via the Intellischool app, which is always secured using an encrypted connection with a strong cipher suite.
While data is being processed and stored
Once data has been transmitted to Intellischool, it is processed in the same region in which it is stored. Processing and data storage occur using a customer-specific, hardware-based encryption key managed by Intellischool. So even though we use cloud providers like AWS, Azure, and Google, your data is never visible to these companies, as they do not have a copy of your customer-specific encryption key.
Accessing data through our app, or through an integration partner
When accessing data through our app, we require end-user browsers to use a minimum-supported cipher suite, but will steer end-user browsers to a strong cipher suite (if supported). Assuming a user has logged in successfully, data will only ever be transmitted back to their browser using an encrypted connection.
When an integration partner embeds Intellischool products into their interface, our app is sandboxed inside an iframe. Even though the user is accessing our product through the partner app, their browser connects directly to Intellischool systems (not via the partner app). This allows Intellischool to enforce the same minimum connection requirements as when a user logs into our app directly.
Cipher suites
A cipher suite is a set of algorithms that help secure a network connection. In all cases, Intellischool uses Transport Layer Security (TLS) versions 1.2 or 1.3 as a first preference during data transmission.
Where a remote service or client device does not support TLS v1.2 or 1.3, Intellischool systems will reject connection attempts if the supported cipher suites do not meet our minimum standards.
Strong cipher suites
The following cipher suites are considered to be "strong" by industry leader Cloudflare. These are the suites that Intellischool requires in cases where a strong cipher suite is required:
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Minimum-strength cipher suites
In situations where broader compatibility is required, Intellischool will support the following minimum-strength suites in addition to the strong cipher suites listed above:
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
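An added example (not Intellischool's code) of how a Python client could enforce the two lists above with the standard `ssl` module and then classify what a connection actually negotiated. The function names and the separate `tls1.3` tier are assumptions of this example, since the article lists no TLS 1.3 suites.

```python
import ssl

# Suite names copied from the two lists in the article (OpenSSL naming).
STRONG = (
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)
MINIMUM = (
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
)


def build_client_context(allow_minimum=False):
    """Client context limited to the article's suites, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    allowed = STRONG + MINIMUM if allow_minimum else STRONG
    # set_ciphers() only governs TLS 1.2 and below; OpenSSL manages the
    # TLS 1.3 suites separately, so they stay enabled.
    ctx.set_ciphers(":".join(allowed))
    return ctx


def offered_below_tls13(ctx):
    """Names of the non-TLS-1.3 suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify(cipher_name, version):
    """Tier of a negotiated session.

    cipher_name is SSLSocket.cipher()[0]; version is SSLSocket.version().
    """
    if version == "TLSv1.3":
        return "tls1.3"  # assumption: accepted; TLS 1.3 defines only AEAD suites
    if version != "TLSv1.2":
        return "reject"  # older protocol versions are below the stated minimum
    if cipher_name in STRONG:
        return "strong"
    if cipher_name in MINIMUM:
        return "minimum"
    return "reject"
```

After a handshake, `classify(sock.cipher()[0], sock.version())` gives the tier to log or alert on, which is useful for spotting peers that only ever reach the minimum-strength tier.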