The charter of this group is to document accepted standards for data sharing, authentication, and authorization for developers who provide applications that share University of Illinois data. These standards are based on current recommended practices from developers across campus, and this document will continue to evolve as those practices change. Additional security, privacy, and other considerations still apply beyond what these standards cover.

Data Sharing

Data sharing encompasses passing information between computer systems that are developed and operated independently of each other. These standards are intended to ensure secure, consistent, and well-documented processes that enable more efficient and reusable applications across campus.

Transmit data over a secure connection

  • Access to the data requires authentication and authorization as laid out in later sections of this document.
  • Use industry-standard transport encryption (current TLS, version 1.2 or later, with a certificate from a trusted CA) for all data in transit. Do not offer a plaintext HTTP fallback, and do not disable certificate or hostname verification in clients to work around a certificate problem; fix the certificate instead.
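The following is an added example, not code from the standards document, showing the client side of this requirement: a TLS context that verifies the server certificate and hostname and refuses versions below TLS 1.2, plus a fail-closed check that rejects any non-HTTPS service URL before a request is made. The host name, header names and the helper names are illustrative.

```python
"""Added example (not from the standards document): client-side transport
policy for calling a data-sharing service. Host and header names are
illustrative."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureTransportError(ValueError):
    """A request would leave the host without TLS."""


def build_tls_context() -> ssl.SSLContext:
    """Verify the server certificate against the system trust store, check the
    hostname, and refuse anything older than TLS 1.2. Never set
    check_hostname=False or verify_mode=CERT_NONE to 'fix' a certificate
    error; fix the certificate instead."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_service_url(url: str) -> str:
    """Fail closed on plaintext http:// or any non-HTTPS scheme."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise InsecureTransportError(f"refusing non-TLS service URL: {url}")
    return url


def fetch_json(url: str, api_key: str, timeout: float = 10.0):
    """GET a JSON document over TLS. The key goes in a header, not the query
    string, so it does not end up in proxy and server access logs."""
    check_service_url(url)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=build_tls_context()) as resp:
        return json.load(resp)
```

The context is built once per process in practice; the point of the URL check is that a misconfigured base URL (http:// pasted from a test environment) fails loudly instead of silently sending the key in clear.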

Use consistent and documented formats for shared data

  • Document the data format and the process for accessing it in a location and format available to current and future users of the service.
  • Release any change to a data format as a new version of the service, and keep the established format available for a defined deprecation period.

Document a data sharing agreement for the service

  • Define internal policies and processes.
  • Document Data source(s) and validation.
  • Document data ownership.
  • Document data usage rights.
    • When it is and is not permissible to re-share the data.
    • Any geographic restrictions on the release of the data.
  • Define the allowed and recommended request frequency, based on the capacity of the service provider and on how often the source data provided by the service changes.
  • Document a way to contact the service provider with questions about data.
  • Maintain test/development environments to allow consumers to pilot integrating the service with their systems.

Log usage of the service

  • Log and monitor usage of the service.
  • Store logs off the hosting server (for example, forwarded to a central log service), so that an attacker who compromises the host cannot alter or delete the record of what was accessed.
  • Periodically audit and analyze logs to summarize trends of usage and understand common actions.
  • Utilize log storage/analysis tools to better manage logs (ex.: Splunk, CloudWatch, Zabbix/Graylog).
  • Retain logs for a period long enough to span common high activity times.
    • Minimum of 3 months for applications with a public interface.
    • Minimum of 6 months for any application dealing with high-risk data.
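As an added example (not from the standards document), the block below shows one structured usage record per request and a small audit pass of the kind the "periodically audit and analyze logs" bullet asks for: per-key request counts, most-requested paths, the source addresses seen per key, and two simple flags (a key over its request budget, and a key accumulating authorization denials, which is what probing for data the key was not granted looks like). The key is logged as a short SHA-256 fingerprint, never in full, because the log store is a separate system with its own readers. The log lines, key names, addresses and thresholds are constructed for the example.

```python
"""Added example (not from the standards document): a structured usage-log
record for a data-sharing service and an audit pass over a batch of such
records. All log lines below are constructed for illustration."""
import json
from collections import Counter, defaultdict
from hashlib import sha256


def key_id(api_key: str) -> str:
    """Log a 12-hex-digit fingerprint of the key, never the key itself."""
    return sha256(api_key.encode()).hexdigest()[:12]


def usage_record(ts, api_key, client_ip, method, path, status, latency_ms) -> str:
    """One JSON object per line keeps every field queryable in Splunk/CloudWatch/Graylog."""
    return json.dumps({"ts": ts, "key_id": key_id(api_key), "client_ip": client_ip,
                       "method": method, "path": path, "status": status,
                       "latency_ms": latency_ms})


# Constructed sample: ten requests from two keys within about a minute.
SAMPLE_LOG = "\n".join([
    usage_record("2025-05-01T09:00:01Z", "key-registrar-app", "10.1.2.3", "GET", "/v1/courses/CS101", 200, 12),
    usage_record("2025-05-01T09:00:02Z", "key-registrar-app", "10.1.2.3", "GET", "/v1/courses/CS225", 200, 11),
    usage_record("2025-05-01T09:00:05Z", "key-scraper", "198.51.100.7", "GET", "/v1/students", 403, 3),
    usage_record("2025-05-01T09:00:05Z", "key-scraper", "198.51.100.7", "GET", "/v1/students", 403, 3),
    usage_record("2025-05-01T09:00:06Z", "key-scraper", "198.51.100.7", "GET", "/v1/students", 403, 2),
    usage_record("2025-05-01T09:00:06Z", "key-scraper", "198.51.100.7", "GET", "/v1/courses", 200, 40),
    usage_record("2025-05-01T09:00:07Z", "key-scraper", "198.51.100.7", "GET", "/v1/courses", 200, 38),
    usage_record("2025-05-01T09:00:07Z", "key-scraper", "198.51.100.7", "GET", "/v1/courses", 200, 41),
    usage_record("2025-05-01T09:00:08Z", "key-scraper", "198.51.100.7", "GET", "/v1/courses", 200, 39),
    usage_record("2025-05-01T09:01:00Z", "key-registrar-app", "10.1.2.3", "GET", "/v1/courses/CS101", 200, 10),
])


def audit(log_text: str, per_key_limit: int = 5, denied_limit: int = 3) -> dict:
    """Summarize usage and flag keys that exceed a request budget or pile up
    401/403 responses. Thresholds are illustrative; tune them to the service."""
    requests, denied, paths = Counter(), Counter(), Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        requests[rec["key_id"]] += 1
        paths[rec["path"]] += 1
        ips[rec["key_id"]].add(rec["client_ip"])
        if rec["status"] in (401, 403):
            denied[rec["key_id"]] += 1
    flagged = {}
    for k, n in requests.items():
        reasons = []
        if n > per_key_limit:
            reasons.append("request budget exceeded")
        if denied[k] >= denied_limit:
            reasons.append("repeated authorization denials")
        if reasons:
            flagged[k] = reasons
    return {"requests_by_key": dict(requests),
            "top_paths": paths.most_common(3),
            "ips_by_key": {k: sorted(v) for k, v in ips.items()},
            "flagged": flagged}
```

The same pass, run daily over the retained window, gives the usage trend summary the bullet asks for; the flagged keys are the ones worth a closer look under the abuse definition in the terms of use.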

Define versions for the service

  • Allows new versions to be released without breaking existing consumers of the previous version.
  • Enables new functionality to be released to a limited set of consumers before it is made generally available.
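The block below is an added example (not from the standards document) that serves both the "Use consistent and documented formats for shared data" and the "Define versions for the service" sections: one endpoint served under two versions, where v1 keeps its original response shape unchanged, v2 carries the renamed and added fields, and v1 announces its retirement date with the Sunset header (RFC 8594) and a successor-version link until the defined period ends, after which it returns 410. The course record, field names, paths and the retirement date are illustrative.

```python
"""Added example (not from the standards document): one endpoint served under
two API versions, where the old version keeps its original format for a
defined period and announces its retirement date. Paths, field names and
the retirement date are illustrative."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from email.utils import format_datetime
import re

# Constructed sample record: the service's internal representation.
COURSES = {"CS101": {"title": "Intro to CS", "credit_hours": 3, "term": "2025-FA"}}


# One serializer per version: a format change goes into a new version, never an existing one.
def render_v1(course):
    return {"title": course["title"], "hours": course["credit_hours"]}


def render_v2(course):
    return {"title": course["title"], "creditHours": course["credit_hours"], "term": course["term"]}


VERSIONS = {
    "v1": {"render": render_v1, "sunset": date(2026, 6, 30)},   # hypothetical end of v1's support period
    "v2": {"render": render_v2, "sunset": None},
}
LATEST = "v2"
_ROUTE = re.compile(r"^/(?P<version>v\d+)/courses/(?P<course_id>[A-Z0-9]+)$")


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


def http_date(d: date) -> str:
    """The Sunset header carries an HTTP-date, e.g. 'Tue, 30 Jun 2026 23:59:59 GMT'."""
    return format_datetime(datetime(d.year, d.month, d.day, 23, 59, 59, tzinfo=timezone.utc), usegmt=True)


def handle(path: str, today: str = None) -> Response:
    """Dispatch a GET; `today` (ISO date string) is injectable so retirement is testable."""
    today = date.fromisoformat(today) if today else date.today()
    m = _ROUTE.match(path)
    if not m:
        return Response(404, {}, {"error": "no such route"})
    version = m["version"]
    spec = VERSIONS.get(version)
    if spec is None:
        return Response(404, {}, {"error": f"unknown API version {version}", "supported": sorted(VERSIONS)})
    if spec["sunset"] and today > spec["sunset"]:
        return Response(410, {"Sunset": http_date(spec["sunset"])},
                        {"error": f"{version} was retired on {spec['sunset'].isoformat()}", "use": LATEST})
    course = COURSES.get(m["course_id"])
    if course is None:
        return Response(404, {}, {"error": "course not found"})
    headers = {"Content-Type": "application/json"}
    if spec["sunset"]:
        headers["Sunset"] = http_date(spec["sunset"])
        headers["Link"] = f'</{LATEST}/courses/{m["course_id"]}>; rel="successor-version"'
    return Response(200, headers, spec["render"](course))
```

The deprecation headers are what lets a consumer's monitoring pick up the retirement date without anyone reading the documentation; the 410 after the date (rather than silently serving v2's shape under v1's path) is what keeps the "new version of the service" promise honest.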

Authentication

Authentication provides for identification of the application or user accessing the data sharing service.

Password management and checking should be handled by the campus authority

  • Whenever possible, the campus identity authorities operated by the IAM team should be the source of authentication.
  • This provides consistency in identity as well as centralization of identity management.
  • Recommended methods of authentication are API keys (for application-to-application access) and OAuth 2.0 / OpenID Connect through the campus identity provider, or a campus-approved third-party authenticator (such as Microsoft Entra ID or AWS Cognito).

API Keys should be well managed
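As an added example (not from the standards document), the block below shows the key-management pattern a service issuing its own API keys should follow: keys are generated from a CSPRNG with a recognizable prefix, only a SHA-256 fingerprint is stored, verification uses a constant-time comparison, every key has an expiry, and rotation issues the replacement before retiring the old key. The in-memory store, the prefix, the owner and scope names are illustrative; the `now` parameter accepts an ISO 8601 timestamp so expiry is testable.

```python
"""Added example (not from the standards document): issuing, storing,
checking, rotating and revoking API keys so that a copied key store yields
no usable keys. The in-memory store, prefix and names are illustrative."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

KEY_PREFIX = "uiuc_ds_"   # hypothetical prefix: lets secret scanners and support staff recognize a leaked key


def _as_time(now):
    """None -> current UTC time; ISO 8601 string -> datetime (used by the tests)."""
    if now is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def fingerprint(secret: str) -> str:
    # Keys are 256-bit random strings, so an unsalted SHA-256 is enough; a slow
    # password hash (bcrypt/argon2) is only needed for low-entropy, human-chosen secrets.
    return hashlib.sha256(secret.encode()).hexdigest()


class KeyStore:
    def __init__(self):
        self._records = {}   # key_id -> metadata + hash; the secret itself is never stored

    def issue(self, owner: str, scopes, now=None, lifetime_days: int = 365):
        """Return (key_id, secret). The secret is shown to the owner once and
        delivered out of band; it must never be logged."""
        issued = _as_time(now)
        key_id = secrets.token_hex(6)
        secret = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
        self._records[key_id] = {
            "owner": owner, "scopes": frozenset(scopes), "hash": fingerprint(secret),
            "issued": issued, "expires": issued + timedelta(days=lifetime_days),
            "revoked": False, "last_used": None,
        }
        return key_id, secret

    def revoke(self, key_id: str):
        self._records[key_id]["revoked"] = True

    def rotate(self, key_id: str, now=None):
        """Issue a replacement with the same owner and scopes, then retire the old key."""
        old = self._records[key_id]
        new = self.issue(old["owner"], old["scopes"], now=now)
        self.revoke(key_id)
        return new

    def verify(self, presented: str, now=None):
        """Return the key's record if it is valid, else None. The caller gets one
        generic failure; the specific reason belongs in the server-side log."""
        current = _as_time(now)
        if not presented.startswith(KEY_PREFIX):
            return None
        key_id = presented[len(KEY_PREFIX):].split("_", 1)[0]   # embedded id: direct lookup, no table scan
        rec = self._records.get(key_id)
        if rec is None:
            return None
        if not hmac.compare_digest(fingerprint(presented), rec["hash"]):  # constant-time comparison
            return None
        if rec["revoked"] or current >= rec["expires"]:
            return None
        rec["last_used"] = current
        return rec

    def stores_secret(self, secret: str) -> bool:
        """True only if the raw secret appears anywhere in the store (it must not)."""
        return any(secret in str(r) for r in self._records.values())
```

The `last_used` field is what makes the periodic review in the Authorization section practical: keys that have not been used in months can be revoked rather than renewed.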

Secure access to the service

  • Approaches include blocking abusive IP addresses or networks, restricting access by key, and rate-limiting requests per key over a time window.
  • Define what constitutes abuse and violates the terms of use.
  • If an intrusion is detected, you must contact campus security at security@illinois.edu or through the campus security website.
  • Specific limits should be based on performance expectations and available resources (network bandwidth, computational resources, storage, etc.).
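The block below is an added example (not from the standards document) of the three controls named above applied in one gate in front of the data path: an IP/CIDR blocklist, a per-key sliding-window rate limit that answers 429 with a Retry-After value, and an abuse rule that disables a key after it has hit the limit a set number of times (the "terms of use" consequence, which then needs a human to re-enable). Limits, network ranges and key names are illustrative; the current time is passed in so behaviour is deterministic.

```python
"""Added example (not from the standards document): an access gate that
applies an IP blocklist, a per-key sliding-window rate limit, and an abuse
rule that disables a key which keeps hitting the limit. Limits, network
ranges and key names are illustrative."""
import ipaddress
import math
from collections import deque


class AccessGate:
    def __init__(self, per_key_limit: int, window_seconds: float,
                 blocked_networks=(), abuse_strikes: int = 3):
        self.per_key_limit = per_key_limit
        self.window = window_seconds
        self.abuse_strikes = abuse_strikes          # limit hits before the key is disabled as abusive
        self.blocked = [ipaddress.ip_network(n) for n in blocked_networks]
        self._history = {}                          # key_id -> deque of request times inside the window
        self._strikes = {}                          # key_id -> number of times the limit was hit
        self.disabled_keys = set()

    def block_network(self, cidr: str):
        self.blocked.append(ipaddress.ip_network(cidr))

    def check(self, key_id: str, client_ip: str, now: float):
        """Return (allowed, http_status, retry_after_seconds). `now` is in seconds
        (e.g. time.monotonic()) and injected so the gate is testable."""
        if any(ipaddress.ip_address(client_ip) in net for net in self.blocked):
            return False, 403, None
        if key_id in self.disabled_keys:
            return False, 403, None
        q = self._history.setdefault(key_id, deque())
        while q and now - q[0] >= self.window:      # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.per_key_limit:
            self._strikes[key_id] = self._strikes.get(key_id, 0) + 1
            if self._strikes[key_id] >= self.abuse_strikes:
                self.disabled_keys.add(key_id)      # terms-of-use breach: needs a human to re-enable
                return False, 403, None
            return False, 429, math.ceil(self.window - (now - q[0]))
        q.append(now)
        return True, 200, None
```

Per-key limits are enforced before any data is read, so an abusive client costs the service a dictionary lookup rather than a database query; the per-key budget is where the "performance expectations and available resources" bullet turns into a number.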

Authorization

Authorization allows for limiting the functionality and data available to the user based on granted permissions.

Access should be granted at the lowest level possible

  • To avoid oversharing, grant access to the smallest set of data and operations needed for the consumer's stated purpose.
  • Roles and permissions should be created to enable granting permissions only as needed.

Restricted data must be handled correctly

  • Even “public” data should require an API key, so that usage can be attributed to a consumer and abuse monitored.
  • Hide FERPA-suppressed data where appropriate based on intended use and user access. Campus security and IAM teams are available to assist with these policies.
  • Share data only with requesters approved for its classification level. See the campus Data Classification guide.
  • Comply with privacy regulations (GDPR, HIPAA, PIPL, etc.) as defined in the campus privacy policy.

Authorization levels and membership should be reviewed periodically

  • Review permissions at least yearly to avoid stale permissions.
  • Expired accounts will be disabled by campus identity management.
  • Additional standards may be found in DAT02 from Campus Security.
  • Permission granting decisions should be made by those familiar with the business functionality being protected.

Insufficient permission should be communicated effectively

  • Return 401 when credentials are missing or invalid and 403 when the caller is authenticated but lacks the needed permission, and include the reason access was denied.
  • Provide a contact route to request the needed permission.
  • Choose one API style to implement and use it consistently across the service.
  • The preferred API style is REST.
  • Indicate request outcomes with standard HTTP status codes, as outlined at https://www.merge.dev/blog/api-response-codes
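The block below is an added example (not from the standards document) that ties together three of the Authorization sections: least privilege ("Access should be granted at the lowest level possible"), restricted data ("Restricted data must be handled correctly") and the denial response ("Insufficient permission should be communicated effectively"). Roles map to named permissions, permissions unlock fields rather than whole records, a FERPA-suppressed record is served only to roles granted that permission and otherwise answered as not found (confirming existence is itself a disclosure), and every denial carries the reason, the permission needed and a contact route, with 401 versus 403 chosen correctly. The roles, permission names, student records and the contact address are constructed for the example.

```python
"""Added example (not from the standards document): role-based, field-level
authorization for a student-record endpoint, honoring FERPA directory
suppression, with denial responses that say why and where to ask. Roles,
field names, records and the contact address are illustrative."""

# Permissions are named by what they let a caller see; roles bundle them.
ROLE_PERMISSIONS = {
    "public":          {"directory:read"},
    "advisor":         {"directory:read", "academic:read", "suppressed:read"},
    "dining-services": {"directory:read"},
}

# Which fields each permission unlocks: least privilege at the field level.
PERMISSION_FIELDS = {
    "directory:read": {"netid", "name", "college"},
    "academic:read":  {"major", "gpa"},
}

# Constructed sample records; "ferpa_suppressed" mirrors a student's directory-hold request.
STUDENTS = {
    "jdoe2":  {"netid": "jdoe2", "name": "Jane Doe", "college": "Engineering",
               "major": "CS", "gpa": 3.7, "ferpa_suppressed": False},
    "asmith": {"netid": "asmith", "name": "Alex Smith", "college": "LAS",
               "major": "History", "gpa": 3.2, "ferpa_suppressed": True},
}

ACCESS_CONTACT = "data-sharing-support@example.edu"   # hypothetical contact route


def deny(status: int, reason: str, needed=None) -> dict:
    """401 = no valid credential; 403 = authenticated but not permitted.
    Say why and how to request access; never echo the withheld data."""
    body = {"error": reason, "contact": ACCESS_CONTACT}
    if needed:
        body["required_permission"] = sorted(needed)
    return {"status": status, "body": body}


def get_student(caller, netid: str, requested_fields=None) -> dict:
    """caller is None (unauthenticated) or a dict like {"key_id": ..., "role": ...}.
    With no requested_fields, the caller gets every field its role allows."""
    if caller is None:
        return deny(401, "a valid API key is required for this service")
    role = caller.get("role")
    perms = ROLE_PERMISSIONS.get(role, set())
    if not perms:
        return deny(403, f"role '{role}' has no permissions on this service")
    record = STUDENTS.get(netid)
    if record is None:
        return {"status": 404, "body": {"error": "student not found"}}
    if record["ferpa_suppressed"] and "suppressed:read" not in perms:
        # Answer exactly as for a nonexistent student: a 403 here would confirm the record exists.
        return {"status": 404, "body": {"error": "student not found"}}
    allowed = set().union(*(PERMISSION_FIELDS.get(p, set()) for p in perms))
    requested = set(requested_fields) if requested_fields else allowed
    missing = requested - allowed
    if missing:
        needed = {p for p, fields in PERMISSION_FIELDS.items() if fields & missing}
        return deny(403, f"role '{role}' may not read: {sorted(missing)}", needed)
    return {"status": 200, "body": {f: record[f] for f in sorted(requested)}}
```

Keeping the permission-to-field map in one table is what makes the yearly review feasible: the reviewer reads a short table rather than the code paths of every endpoint, and adding a role never widens an existing one.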


Compiled by the Data Sharing Standards Workgroup. 5/1/2025