
Key Points
- Cyberattacks on schools are increasing, but open standards help limit exposure by controlling what data is shared and how it’s stored.
- Open standards, including LTI, Edu-API, and OneRoster, are built on 1EdTech’s Security Framework to provide secure and consistent data exchanges across educational systems.
- By adopting these standards, institutions can protect sensitive information.
Cyberattacks on schools and universities are rising at an alarming rate. According to the US Department of Education, “school districts across the country are experiencing an average of five cyber incidents per week,” and a report from Comparitech found ransomware attacks against schools, colleges and universities rose 23% year over year in the first half of 2025.
There is no perfect solution to protecting your data, but there are open standards that can help mitigate the risks and reduce the amount of data hackers have access to if they breach your system.
1EdTech develops interoperability standards that make it easier for educators and students to access the tools they need, but they also make that access safer.
The standards are built on 1EdTech’s Security Framework, which applies industry best practices and security standards to learning and education technologies, and is regularly reviewed to ensure it stays up to date with the latest protections. These standards help limit what data is shared between tools and how it is stored, reducing the amount of data any potential hacker could access.
Secure by Design: OAuth 2.0, OIDC, JWTs and LTI
When educational systems exchange information, the stakes are high. Student data includes personally identifiable information (PII) and course records that must be protected at every step.
- OAuth 2.0 provides an authorization framework for granting secure, delegated access without sharing passwords. Instead, systems issue time-limited access tokens, reducing exposure. This works like a hotel door key: the door knows the holder has the right to enter, but does not know their name or identity.
- OpenID Connect (OIDC) is a secure, modern authentication protocol that builds on OAuth 2.0 to provide an identity layer so applications can share information about the user. OIDC supports single sign-on use cases, allowing known users to access multiple applications with one trusted login while simplifying the experience and improving security.
- JSON Web Tokens (JWTs) are like compact, digital ID badges. They carry verifiable claims (such as a user’s identity or role) without requiring server-side session storage. That means the learner’s information is stored in the JWT during each session, so the application can get the information from the token instead of transferring it from the server multiple times, and the server doesn’t need to keep track of the user. JWTs are a common thread across secure communications, from OIDC and LTI exchanges to digital credentials and OpenBadges.
- Learning Tools Interoperability (LTI) is built on OAuth 2.0 and OIDC, and utilizes JWTs. LTI securely passes not only identity but also educational context (e.g., which course or resource a learner is trying to access). LTI provides secure channels for exchanging sensitive data like grades and rosters.
Together, these standards create a trusted handshake between systems, enabling scalable, cross-platform authentication and authorization. For institutions, this means consistent protection across all integrated apps and platforms.
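As an added illustration (not code from 1EdTech or from the original article), the sketch below shows the claim checks a tool might run on an LTI 1.3 launch token after a JWT library has already verified its signature against the platform's public keys. The registration values, sample payload and function names are constructed for this example.

```python
import time

LTI = "https://purl.imsglobal.org/spec/lti/claim/"
# Constructed registration for a hypothetical platform (placeholder values).
REGISTRATION = {"issuer": "https://lms.example.edu", "client_id": "tool-client-123",
                "deployment_ids": {"deploy-1"}}

def validate_launch_claims(claims, reg, seen_nonces, now=None, leeway=30):
    """Validate claims of a launch token whose signature is ALREADY verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != reg["issuer"]:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if reg["client_id"] not in aud:
        raise ValueError("token not issued for this tool")
    if len(aud) > 1 and claims.get("azp") != reg["client_id"]:
        raise ValueError("multiple audiences without matching azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("token expired or exp missing")
    nonce = claims.get("nonce")
    if not nonce or nonce in seen_nonces:
        raise ValueError("missing or replayed nonce")
    if claims.get(LTI + "deployment_id") not in reg["deployment_ids"]:
        raise ValueError("unknown deployment")
    if claims.get(LTI + "message_type") != "LtiResourceLinkRequest":
        raise ValueError("unsupported message type")
    seen_nonces.add(nonce)  # record the nonce only after every check passed
    # Data minimisation: keep the opaque user id, roles and course context;
    # anything else in the token (e.g. email) is not passed on to the tool.
    return {"sub": claims.get("sub"),
            "roles": claims.get(LTI + "roles", []),
            "context_id": claims.get(LTI + "context", {}).get("id")}

def sample_claims(now):
    """Constructed launch payload, not captured from a real platform."""
    return {
        "iss": "https://lms.example.edu", "aud": "tool-client-123",
        "sub": "a6d5c443", "exp": now + 300, "nonce": "n-0001",
        "email": "student@example.edu",
        LTI + "deployment_id": "deploy-1",
        LTI + "message_type": "LtiResourceLinkRequest",
        LTI + "roles": ["http://purl.imsglobal.org/vocab/lis/v2/membership#Learner"],
        LTI + "context": {"id": "course-42"},
    }
```

The nonce set stands in for whatever short-lived store the tool uses; in a real deployment it would expire entries once the token lifetime has passed.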
LTI: Protecting Student and Teacher Data in the Classroom
The Learning Tools Interoperability® (LTI®) standard is a perfect example of how 1EdTech prioritizes security in education technology. LTI enables seamless and secure connections between an institution’s learning environment and external tools. Security built into the standard allows for:
- Student, educator and administrative access to various tools without sharing passwords or signing in to each tool separately. Instead, systems issue time-limited access tokens, reducing exposure.
- Access tied to institutional and course-level permissions.
- Data exchange in a standardized, controlled manner, reducing risks from one-off, ad hoc integrations. Only the data needed is exchanged to minimize data exposure.
By using LTI, institutions can be confident that the only data flowing between their LMS and third-party apps is what is needed for teachers and students to enjoy the benefit of one secure login and reliable access to learning resources.
Edu-API and OneRoster: Securing the Flow of Administrative Data
Beyond the classroom, Edu-API and OneRoster support secure data exchange across critical administrative systems like Customer Relationship Management (CRM), financial aid, and student information systems. By standardizing and securing these connections, the standards:
- Provide greater visibility into how data is moving, and can identify anomalies quickly if a breach is attempted.
- Give administrators control over what data is shared on a case-by-case basis, minimizing data sharing and reducing the risk of exposing PII unnecessarily.
By controlling what data is exchanged or saved and when, the standards help to ensure that if one system is targeted, data isn’t left vulnerable across the entire ecosystem.
The Bottom Line
This is the real value of interoperability: it’s not just about convenience. It’s about resilience against cyberattacks. Institutions can evaluate and isolate risks, protect critical data, and restore learning with minimal disruption.
By adopting 1EdTech standards like LTI and Edu-API, and by building on proven frameworks like OAuth 2.0, OIDC and JWTs, institutions can:
- Protect sensitive student and staff data.
- Gain visibility and control over data movement.
- Reduce risk of exposure by minimizing the data shared to only what is necessary.
About the Author
Jacques Menasche serves as a technical program manager for 1EdTech Consortium, where he coordinates several collaborative groups, including the security council. He leverages his extensive knowledge of education technology and interoperability and his ability to deftly articulate complex ideas and technologies to all levels of understanding. Jacques has more than 12 years of experience in the education technology industry, where he helped lead the charge for interoperability and seamless integrations.