The Five Layers of Edthena Security
This post originally appeared on Education Week. It’s authored by Edthena CTO David Weldon.
I spend a lot of my time thinking about security. In fact, “Will this be secure?” and “Will this scale?” are the first two questions I ask myself when contemplating any new feature. Adam’s first question is often “How soon can we ship this?”, but that’s understandable.
Preventing evildoers from getting their hands on your data comes in many forms: how we restrict access to our servers, how we interact with service providers, and how we transmit content to users.
Our users demand a place where their video and data are not only stored safely but also protected from unintended access. It’s the opposite of popular video sharing sites like YouTube, and we’d even go so far as to argue YouTube is not a good place for sharing classroom videos.
We believe we’ve built Edthena into the secured sharing platform that our users need. It’s one thing to say it’s secure, but it’s another to explain it publicly.
I firmly believe that a secure system is one which can be explained in great detail and yet remains impervious to attack. In this post I will explain the five steps we take to ensure only the right people are accessing our users’ content inside Edthena.
We go out of our way to make Edthena a social platform, and you can feel confident you are interacting with only the people you know and trust.
The only way to activate an Edthena account is via an email invitation generated by our platform. This ensures that each account is associated with a unique email not shared by anyone else in our system. This approach of using email invitations to verify identity is considered a best practice for other scenarios like online contract-signing services.
In the Edthena platform, we also require every user to upload a profile photo during registration. From then on, your smiling face will appear in each one of your comments and groups.
We believe in strong passwords, but not in ridiculous rules. The Internet is replete with forms requiring a minimum of six characters with at least one number and one symbol.
Even with those restrictions, people still do a terrible job. I’ll bet I could unlock about a third of the web by trying every permutation of “P4ssw0rd!”.
It turns out that a simple collection of unrelated words like “correct horse battery staple” is incredibly hard to crack (and it’s pretty easy to remember). We use a sophisticated library which looks for things like keyboard patterns, industry terms, and known passwords to help ensure a sufficiently strong phrase.
Access Controlled Groups
By default, every video in the system can only be seen by the uploader. The only way to let others view your content is by sharing it to a group.
Group membership is controlled by the group admin. That person is clearly identified to the members of the group and is responsible for approving requests to join the group. Because you can always see exactly who is a member of your group, you can feel safe knowing that only a trusted set of users have access.
Unlike other platforms with complex privacy and sharing policies (I’m looking at you Facebook), Edthena has extremely simple choices of either unshared or shared to a group. This keeps things easy to learn for our users and increases confidence that only the intended audience will have access once shared.
Every time you watch a video in Edthena, your browser is making a request to our content delivery network using a single-use URL. Not only is the URL generated on the fly, but the only way to initiate the process is to be signed in as a user of our system and access the video conversation inside one of your groups.
This is my favorite security feature. Even if a malicious person who was a known individual with access to your group could somehow figure out the address to one of your videos, the link is set to expire automatically to prevent further download of the content.
Many sites, including us, can say that we utilize 128-bit, “military-grade” encryption to ensure that information is protected against unauthorized access. But we take things one step further.
Unlike some sites which may mix secure and insecure content, our servers make sure that all data – the comments, the pictures, and the video – are transmitted over a secure connection. This removes the possibility of someone listening in on your Internet connection and seeing any of your Edthena data.
That’s it for the overview, but if you would like to know more detail about any of the above please reach out to us by email.