The TL;DR
Canvas was hit by a cyberattack that threatens to compromise user data from all of its customers, including, according to Instructure, Canvas' parent company, "names, email addresses, student ID numbers, and messages among Canvas users". Some Populi customers host their courses with Canvas instead of using Populi's built-in LMS. This integration shares very little data with Canvas: student names, primary email address, login name, and selected course enrollments. That's it. No SSNs, birthdates, phone numbers, addresses, passwords, documents, or any other academic or financial history. None of this crucial information is affected by the Canvas data breach.
Since some of our customers have been contacting Populi with their concerns, we thought we'd lay out the more technical details of the integration and any security precautions you might consider taking.
FAQ
1. What authentication method does the integration use?
Populi talks to Canvas via their API using LMS Tokens created in Canvas. A Canvas administrator at your school creates a token and then copies and pastes it into the Canvas integration settings in Populi. The token is tied to the Canvas user who created it as an extension of their own permissions.
2. Where are credentials/tokens stored? What is the rotation policy? Can we force a rotation?
The tokens are stored in Populi. We don't enforce them to be rotated. If you wish to rotate your token, have a Canvas administrator user at your school create a fresh token and copy it into Populi settings. Then you can delete the old token, effectively revoking it. At the time of writing this, Canvas is not forcing users to rotate their tokens. Populi doesn't have access to rotate the token for you.
3. Is the connection initiated from Populi to Canvas, Canvas to Populi, or bidirectional?
All connections with Canvas are initiated by Populi. They don't try to talk to us. We talk to them to send over updated enrollment information and then we explicitly ask for certain course grades to be passed back. This process happens nightly or hourly, depending on how you have the Populi to Canvas integration configured.
4. What Canvas permission scopes/role does the integration operate under on the Canvas side?
The Populi integration uses Canvas's "SIS Import" API to send over student data and pull grades. The SIS Import feature is not available on free tier Canvas accounts. Only a Canvas administrator can create a token with permissions to access this API and that token will have all the same permissions as the user that created it.
5. Is data transmitted via API calls, CSV file transfer, SFTP, or another method?
Populi sends student enrollment data to Canvas by batching it into a ZIP file containing several CSV files and sends this to Canvas's SIS Import API. It then gets put in a processing queue by Canvas and the updates are processed usually a minute or so later. Course grades are pulled back out of Canvas to Populi using their standard API. Both of these operations are done using their public web API, not SFTP. If you wish to see exactly what we send to Canvas, you can view this on the Populi integration log, which keeps copies of each batch for up to seven days.
6. Is data encrypted in transit (TLS version) and at rest?
Yes, all communication with Canvas's API is done over encrypted (HTTPS) channels.
7. What is the sync frequency, and is it push, pull, or scheduled?
Populi pushes enrollment data (students names, emails, and what courses they are currently enrolled in) to Canvas. We then pull selected course current/final grades back out of Canvas into Populi. This happens either nightly or hourly, depending on how you have configured the frequency. This operation can also be triggered manually in the Canvas integration settings in Populi.
8. If we needed to immediately sever the integration, what is the recommended procedure on the Populi side?
If you wish to disable the Populi-Canvas integration, have a Populi Account Administrator user go to Account > Account Settings > Integrations. Find the Canvas LMS Sync, click , and select Disable.
9. Are there audit logs available showing what data was sent/received and when?
Populi keeps logs of all our API chatter with Canvas for the past year. This can be found under Account > Reporting > Integration Log. If debugging is enabled, then more detailed logs for the past seven days are included.
10. In the event Canvas credentials are compromised, what Populi data could theoretically be accessed or modified through the integration?
Canvas doesn't have any credentials to talk to Populi. Canvas only knows what Populi has explicitly told them about your students. This includes student names, primary email address, and login name, and selected course enrollments. That's it. No SSNs, birthdates, phone numbers, addresses, passwords, documents, or any other academic or financial history. Canvas also knows your students grades for courses hosted on their side and it may know their mobile phone number if that was collected on their side. Note that teachers and teaching assistant names and emails are included in this as well.
11. What if I use Single-Sign-On (SSO) with Canvas?
If you have SSO configured such Populi is the Idenity Provider, then students log into Canvas using their Populi username and password, they are bounced over to Populi's login page when accessing Canvas. In that case, their internal Canvas password is not being used and is likely useless even if compromised. But that's a question for Instructure customer support at this point. If you have Canvas configured as the Identity Provider for Populi, then things could be more complicated—but we checked, and none of you are doing this (don't start now!).
0 Comments