Security in Digital Exams
For universities, colleges and other educational institutions, exams are among the most high-stakes activities of all. Ensuring that students’ exams and their information are handled with a high degree of security is a vital task.
That is why exam software for universities – like WISEflow – requires trustworthy system security at all times and especially throughout the exam process.
Authentication and Observation of Students’ Actions
To ensure that every step of the exam process is observable, all user and system actions are logged continuously and in chronological order. This establishes an audit trail of these actions, allowing for in-depth investigation of any suspicious activity.
Students’ access to WISEflow can be routed through the institution’s authentication system (e.g. WAYF, eduGAIN etc.), meaning that users logging in are authenticated against the institution’s already validated student records. This minimises the possibility of misuse and identity fraud, since the unique user ID issued by the authentication method ensures that only users affiliated with the institution can log in to the institution’s licence.
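The two mechanisms above, an affiliation check on the identity asserted by the institution’s identity provider and a chronological audit trail of every outcome, fit together naturally. The following is an added example written for this page, not WISEflow’s own code: it uses the standard eduPersonPrincipalName and schacHomeOrganization attributes that WAYF- and eduGAIN-style federations release, and it goes one step beyond the text by chaining each audit entry to the previous one so that a deleted or reordered entry is detectable during an investigation. The licence name, the organisation mapping and all sample values are constructed assumptions.

```python
"""Added example (not WISEflow code): check a federated identity against the
institution's licence and record every outcome in a chronological, chained
audit trail. Licence names, organisations and sample values are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Licence -> home organisations whose users may log in to it (constructed).
LICENCE_AFFILIATIONS = {
    "example-university": {"example.edu"},
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


class AuditTrail:
    """Append-only log; each entry stores the hash of the entry before it, so
    removing, reordering or editing an entry breaks the chain on verification."""

    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    def record(self, actor, action, details=None, when=None):
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "seq": len(self.entries),
            "actor": actor,
            "action": action,
            "details": details or {},
            "prev": self._last_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True if every entry is in sequence and hashes to what it claims."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def events_for(self, actor):
        return [e for e in self.entries if e["actor"] == actor]


def federated_login(licence, idp_attributes, trail):
    """Decide whether the identity asserted by the institution's IdP may use
    `licence`. eduPersonPrincipalName is the unique, scoped user ID
    (user@institution); schacHomeOrganization names the home institution.
    Returns the user ID on success, None on refusal; both outcomes are logged."""
    eppn = idp_attributes.get("eduPersonPrincipalName")
    org = idp_attributes.get("schacHomeOrganization")
    if not eppn or "@" not in eppn or not org:
        trail.record("system", "login.rejected", {"reason": "missing attributes"})
        return None
    scope = eppn.split("@", 1)[1]
    allowed = LICENCE_AFFILIATIONS.get(licence, set())
    # Both the asserted organisation and the ID's scope must belong to the licence.
    if org not in allowed or scope not in allowed:
        trail.record(eppn, "login.rejected", {"licence": licence, "org": org})
        return None
    trail.record(eppn, "login.ok", {"licence": licence, "org": org})
    return eppn


if __name__ == "__main__":
    trail = AuditTrail()
    federated_login("example-university",
                    {"eduPersonPrincipalName": "s123@example.edu",
                     "schacHomeOrganization": "example.edu"}, trail)
    federated_login("example-university",
                    {"eduPersonPrincipalName": "guest@other.edu",
                     "schacHomeOrganization": "other.edu"}, trail)
    for e in trail.entries:
        print(e["ts"], e["actor"], e["action"])
    print("trail intact:", trail.verify())
```

The `verify` step is what turns a plain log into something an investigator can rely on: it does not prevent tampering by someone with write access to the log store, but it makes any gap or edit visible when the trail is reviewed.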
Lockdown Browsers: Open-Source or Trusted Partner?
One of the considerations we had when developing WISEflow was whether to use an open-source option for our lockdown browser or a professionally developed tool. We chose the latter, stressing that with this solution we have a partner to hold accountable for the security of the lockdown browser. This choice has proved well-founded over the past year, as open-source lockdown browsers have turned out to be vulnerable to tech-savvy students.
By copying and modifying the source code, they can launch a homemade browser during the exam that looks identical to the open-source browser but is stripped of all its security measures. This lets the students use any source of information they want, rendering the open-source browser ineffective as a safeguard during closed-book exams.
Securing Exams Against External Threats: DDoS
One of the core problems of preventing attacks such as DDoS on web-based systems like the WISEflow exam software is differentiating between sudden heavy usage from real, legitimate users and an ill-intended botnet.
As a security measure against unauthorised access, and in particular DDoS attacks, WISEflow is built on a highly scalable architecture that makes thorough use of caching for both files and database objects. This blunts malicious traffic and lessens its impact, so that a far more elaborate attack would be needed to have any effect on the core system. And since all pages displayed before the actual login are static, a heavy load on these pages from swarms or botnets does not touch the database. As a result, WISEflow is very difficult to put out of service.
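To make the architectural point concrete, here is an added example, not WISEflow’s own code, of a minimal front layer built on the two ideas in the paragraph above: pre-login pages are served as static content without any database round trip, and authenticated reads go through a time-limited cache of database objects. The page paths, the fake database, the cache lifetime and the flood size are all constructed for the example.

```python
"""Added example (not WISEflow code): a front layer where pre-login pages are
static and authenticated reads are served from a TTL cache, so that a flood of
unauthenticated requests produces zero database queries. All names, paths and
the in-memory "database" are constructed for this example."""
import time

# Pre-login pages: static content, no session lookup, no database access.
STATIC_PAGES = {
    "/": "<html>login page</html>",
    "/help": "<html>help</html>",
}


class FakeDatabase:
    """Stands in for the real database; counts how often it is actually hit."""

    def __init__(self):
        self.queries = 0
        self._rows = {"flow:42": {"title": "Exam 42", "open": True}}

    def fetch(self, key):
        self.queries += 1
        return self._rows.get(key)


class ObjectCache:
    """Cache of database objects with a time-to-live; `clock` is injectable
    so that expiry can be tested without sleeping."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store = {}

    def get(self, key, loader):
        now = self.clock()
        hit = self._store.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]                      # fresh: no database query
        value = loader(key)                    # miss or expired: load once
        self._store[key] = (now + self.ttl, value)
        return value


class FrontLayer:
    def __init__(self, db, cache):
        self.db = db
        self.cache = cache

    def handle(self, path, session=None):
        """Return (status, body). Unauthenticated traffic never reaches the DB."""
        if path in STATIC_PAGES:
            return 200, STATIC_PAGES[path]
        if session is None:
            return 302, "/"                    # redirect to the static login page
        if path.startswith("/flow/"):
            key = "flow:" + path.split("/", 2)[2]
            row = self.cache.get(key, self.db.fetch)
            return (200, row) if row else (404, None)
        return 404, None


def simulate_flood(front, requests, path="/"):
    """Send `requests` unauthenticated hits at `path`; return
    (number of 200 responses, number of database queries caused)."""
    before = front.db.queries
    statuses = [front.handle(path)[0] for _ in range(requests)]
    return statuses.count(200), front.db.queries - before


if __name__ == "__main__":
    db = FakeDatabase()
    front = FrontLayer(db, ObjectCache(ttl_seconds=30))
    print("flood on login page:", simulate_flood(front, 10000))
    print("flood on protected page:", simulate_flood(front, 10000, "/flow/42"))
    for _ in range(3):
        front.handle("/flow/42", session="student-session")
    print("db queries after 3 authenticated reads:", db.queries)
```

The shape of the numbers is the point: ten thousand hits on the login page cost nothing at the database, and repeated authenticated reads of the same exam object cost one query per cache lifetime. Real deployments put the static layer on a CDN or reverse proxy in front of the application; the division of labour is the same.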
Development of the WISEflow Platform
Safety, operations, and maintenance of WISEflow’s servers and network setup are currently managed by Amazon Web Services (Ireland), while also being overseen and maintained by UNIwise’s own dedicated DevOps team in Denmark. Deployment of patches, upgrades, and updates is thereby kept separate from development.
The development of WISEflow is maintained in an agile environment of continuous integration, an approach that ensures fast adaptation and minimal response times should errors or bugs occur. The main focus is on quality assurance and continuous testing at every development stage of WISEflow.
All updates to WISEflow are carried out during low-usage periods (weekends, nights, holidays etc.) to minimise interference with students’ use of the exam software. Often, updates are carried out without any downtime at all. Every update is also subject to systematic regression testing in dedicated test and staging environments. The codebase is version-controlled, meaning that a rollback to an earlier version is always possible.
Standards of Security in WISEflow
UNIwise, the provider of the WISEflow exam software, and all of its subcontractors are dedicated to providing security in digital exams. Therefore, we all work within all applicable security standards: the ISO 27000 family, ISAE 3000 and data privacy laws. Our partners’ hosting centres hold many certifications, including ISO 27001 certification and ISAE 3402 IT audits.
We are equally vigilant regarding the protection of data. The physical protection of technical equipment and stored data is of the highest standard and is secured against trespassing as well as power and network outages and natural disasters. The physical setup is based on a three-centre operation that gives full redundancy and no single point of failure. Multi-tiered backup keeps the risk of data loss at an absolute minimum.