xAPIsec The xAPI Information Security Protocol

xAPI Security Timeline


Page 1: xAPI Security Timeline

xAPIsec: The xAPI Information Security Protocol

Shelly Blake-Plock
Do a prior slide that shows xAPI data as coming from all kinds of different data sources. And make the connection to IoT. Then in this slide, explain why when capturing and storing performance and learning data -- an amount of which will be registered through IoT and wearable devices -- that we have to consider the implications.
Shelly Blake-Plock
"The implications of xAPI in an IoT world."
Margaret Roth
have a note that [email protected] had a Vint Cerf quote about the dangers of an insecure internet to add here
Shelly Blake-Plock
Deleting slide. This will be resolved by the "initial, second, and third" tier slides.
Page 2: xAPI Security Timeline

About this Big Challenge Talk

xAPIsec: The xAPI Information Security Protocol

As xAPI matures and finds usage throughout the commercial and public sectors, it is important to ensure that the tools which provide, collect, and analyze xAPI data conform to best practices in information security. The xAPIsec initiative commenced in 2015 with the purpose of developing a community-built document to define those best practices, ultimately with the purpose of establishing a series of security certifications for xAPI technologies. In this talk, Yet Analytics’ co-founder Margaret Roth will dive deep into the initiative and provide actionable ways for xAPI Camp participants to become involved.

http://connectionsforum.com/autodesk-san-francisco-february-2016/

Page 3: xAPI Security Timeline

“This Memorandum requires that all publicly accessible Federal websites and web services only provide service through a secure connection.”

June 8, 2015, Federal Chief Information Officer, Executive Office of the President

https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

Page 4: xAPI Security Timeline

“The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).”

June 8, 2015, Federal Chief Information Officer, Executive Office of the President

https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

Page 5: xAPI Security Timeline

“It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance.”

June 8, 2015, Federal Chief Information Officer, Executive Office of the President

https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

Page 6: xAPI Security Timeline

“Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch.”

June 8, 2015, Federal Chief Information Officer, Executive Office of the President

https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

Page 7: xAPI Security Timeline

“Agencies must make all existing websites and services accessible through a secure connection (HTTPS-only, with HSTS) by December 31, 2016.”

June 8, 2015, Federal Chief Information Officer, Executive Office of the President

https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

Page 8: xAPI Security Timeline

“To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov.”

June 8, 2015, Federal Chief Information Officer, Executive Office of the President

https://pulse.cio.gov/ - updated January 23, 2016

Page 9: xAPI Security Timeline

The Experience API (xAPI) is a technical specification for implementing a RESTful architecture consisting of a Learning Record Store (LRS) and four specific web-service Application Programming Interfaces (APIs).

ADL (the Advanced Distributed Learning Initiative) is part of a U.S. federal government agency.

xAPI will serve the needs of other government agencies.

xAPI should therefore hold itself to the aforementioned Memorandum: HTTPS only, with HSTS, for every LRS and service that exposes xAPI data.

Page 10: xAPI Security Timeline

xAPIsec is a proposal for an industry-led xAPI information security standard.

The need was vetted with ADL and it was announced at ADL’s xAPI Bootcamp on July 15, 2015.

Presented by Shelly Blake-Plock, Yet CEO

https://www.youtube.com/watch?v=CQTbl8IRAeo&feature=youtu.be

Page 11: xAPI Security Timeline

First Tier: Initial Suggestions

Best practices for secure xAPI usage with regard to transport-level security, i.e. the security of the external interface of an LRS (HTTPS only, with the TLS configuration below):

● Strong certificate signature algorithm: SHA-256 (not SHA-1 or MD5)
● Strong, ephemeral key exchange: Elliptic-Curve Diffie-Hellman (ECDHE), which also gives forward secrecy
● HSTS with a long max-age, the includeSubDomains directive, and the preload directive (note that a preloaded policy is hard to withdraw, so every subdomain must already serve HTTPS before it is submitted)

These mitigate or prevent:

● Message interception (passive eavesdropping on statements in transit)
● Man-in-the-middle (MITM) attacks, including downgrade to plain HTTP once HSTS is in effect
● Message/statement alteration in transit between an Activity Provider (AP) and the LRS

www.xapisec.org
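The first-tier items above are things an LRS operator can verify rather than take on trust. The following Python script is an added example, not code from the xAPIsec proposal or from Yet Analytics. It checks three of the items against values an operator reads off a TLS handshake and an HTTP response: the negotiated cipher suite (ephemeral ECDHE key exchange), the certificate signature algorithm (SHA-2 family, not SHA-1 or MD5), and the Strict-Transport-Security header (max-age, includeSubDomains, preload). The one-year minimum max-age, the OpenSSL-style cipher and signature names, and the sample inputs are assumptions of the example; `audit_live` is an optional helper that connects to a real host and is not used by the offline checks.

```python
"""Offline checks for the xAPIsec first-tier transport suggestions (added example)."""
import socket
import ssl

# "Long duration" is not quantified on the slide; one year is this example's assumption
# (it is also what the HSTS preload submission process has required).
MIN_HSTS_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into {name: value-or-None}.

    Directive names are case-insensitive; a name appearing twice makes the header invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else None
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = val
    return directives


def check_hsts(header, min_age=MIN_HSTS_AGE):
    """Return a list of problems with the HSTS header; an empty list means it passes."""
    if header is None:
        return ["no Strict-Transport-Security header (HSTS not enabled)"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < min_age:
        problems.append(f"max-age {max_age} shorter than {min_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def check_cipher(cipher_name):
    """Key-exchange check on an OpenSSL-style suite name such as ECDHE-RSA-AES128-GCM-SHA256."""
    if cipher_name.startswith("TLS_"):
        return []  # TLS 1.3 suites: key exchange is always ephemeral (EC)DHE
    if cipher_name.startswith("ECDHE-"):
        return []
    if cipher_name.startswith("DHE-"):
        return [f"{cipher_name}: finite-field DHE, not the ECDHE suggested"]
    # RSA key transport (AES128-SHA) or static ECDH (ECDH-RSA-...): no forward secrecy
    return [f"{cipher_name}: non-ephemeral key exchange, no forward secrecy"]


def check_signature(sig_alg):
    """Certificate signature algorithm as OpenSSL prints it, e.g. sha256WithRSAEncryption."""
    s = sig_alg.lower()
    if "sha1" in s or "md5" in s:
        return [f"{sig_alg}: weak certificate signature hash"]
    if any(h in s for h in ("sha256", "sha384", "sha512")):
        return []
    return [f"{sig_alg}: unrecognised signature algorithm, review manually"]


def audit_report(cipher_name, sig_alg, hsts_header):
    """Combine the three checks; an empty list means the first-tier suggestions are met."""
    return check_cipher(cipher_name) + check_signature(sig_alg) + check_hsts(hsts_header)


def audit_live(host, port=443, timeout=5):
    """Collect (cipher suite, HSTS header) from a real LRS host. Not used by the offline
    checks; the ssl module does not expose the certificate signature algorithm, so that
    item still needs `openssl x509 -text` or equivalent."""
    ctx = ssl.create_default_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name = tls.cipher()[0]
            tls.sendall(request)
            raw = b""
            while chunk := tls.recv(4096):
                raw += chunk
    hsts = None
    for line in raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            hsts = val.strip()
    return cipher_name, hsts


if __name__ == "__main__":
    # Constructed sample values, as an LRS operator might read them off a handshake.
    weak = audit_report("AES128-SHA", "sha1WithRSAEncryption", "max-age=300")
    strong = audit_report("ECDHE-ECDSA-AES256-GCM-SHA384", "ecdsa-with-SHA256",
                          "max-age=63072000; includeSubDomains; preload")
    print("weak:", weak)
    print("strong:", strong)
```

The HSTS parser rejects a duplicated directive rather than silently taking the first or last value, because RFC 6797 makes such a header invalid and browsers may ignore it entirely; an operator who sees that problem reported should fix the header before assuming HSTS is protecting the LRS.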

Page 12: xAPI Security Timeline

Second Tier: What to Consider

● Infosec standards for Activity Providers considered in isolation from the LRS
● Internals and information architecture
● Secure network hierarchy for SaaS
● Data persistence mechanism reliability

Page 13: xAPI Security Timeline

Third Tier: What to Consider

● Full-stack
● Best practices for intrusion detection systems
● Alarm response times
● Auditing
● Response to zero-day vulnerabilities
● CVE response time standards

Page 14: xAPI Security Timeline

Language regarding security is included in version 1.0.3 of the xAPI Spec:

“The xAPI Community remains dedicated to determining security best practices. The effort has begun at xAPIsec. Participation is highly encouraged.”

https://github.com/adlnet/xAPI-Spec/blob/1.0.3/xAPI.md#security

Margaret Roth
[email protected] after this slide, should there be a "Why?" slide, a "What does this all mean?" slide, or a "What does this look like in practice?" slide? I don't know how to make the transition.
Shelly Blake-Plock
Just say: "Let's think about the security of different types of data sources in practice..."
Page 15: xAPI Security Timeline

xAPIsec application to LRS and data analytics services.

Comparison of employee activity and performance data in xAPI format.

A view from Yet Core - https://yetcore.io

Page 16: xAPI Security Timeline

xAPIsec application to non-xAPI-native Web Service integrations.

Activity and performance including frequency and engagement data of developer work habits drawn directly through Yet’s xAPI translation bridges to GitHub and Pivotal Tracker.

A view from Yet Core - https://yetcore.io

Page 17: xAPI Security Timeline

xAPIsec application to Connected and Immersive IoT Environments.

Employee experience data collected in a multi-device, multi-modal connected environment.

A view from Yet Core - https://yetcore.io

Page 18: xAPI Security Timeline

In practice, these security exercises should matter to both cloud and on-prem deployments and should therefore complement the security standards of hardware and infrastructure in high-security settings.

Yet is applying these measures to enterprise on-prem xAPI deployments.

Page 19: xAPI Security Timeline

Yet Analytics has aligned with the IBM LinuxONE system to deliver a secure and scalable full-stack xAPI deployment.

● Massive scalability
● Zero-breach security
● Zero observed memory errors in last 5 years
● 99.999% uptime
● Baked-into-silicon cryptography

Page 20: xAPI Security Timeline

“How do I get involved?”

Contribute to the xAPIsec proposal on GitHub and discuss via Gitter.

For updates, visit xAPIsec.org.

This is an industry-led, community-driven effort.

https://github.com/xapisec/xapisec

Page 21: xAPI Security Timeline

Yet Analytics’ Margaret Roth and ADL’s Craig Wiggins will be presenting on the “Data of Experience” at SXSW in March.

http://schedule.sxsw.com/2016/events/event_PP57120

Page 22: xAPI Security Timeline

Draft summary of community response will be published in March 2016 during SXSW Interactive.

http://schedule.sxsw.com/2016/events/event_PP57120

Page 23: xAPI Security Timeline

Vendor? Researcher? Security expert? User? Get involved:

xAPIsec.org

Margaret Roth, CMO, SVP of Performance Technologies, Yet
[email protected]
@teachingdaisy

xAPI Camp, Autodesk, February 11, 2016

yetanalytics.com