The challenges of 2020 have reshaped the way we learn. Schools were forced to implement remote learning quickly. Corporate environments were required to maintain regulatory compliance while remote working. Student information systems (SIS) and learning management systems (LMS) were put to the test. Along the way, APIs have been behind the scenes powering the integration of a variety of systems to empower educators to track the progress of remote students.
As ed-tech prepares for the next stages of API-enabled integration, technical challenges will emerge that will require proper API management solutions. This article outlines the recent trends in ed-tech and e-learning, the challenges related to APIs as part of e-learning interoperability, and how API management can help to address these challenges.
Empowering educators and students with APIs
Schools and corporations have been leveraging Learning Management Systems (LMS) for some time. LMS is often the centre of training for students and the workforce. In recent times, students have benefited from LMS systems that enable remote learning opportunities. Organisations in regulatory-heavy industries such as health care, manufacturing or banking find that having an LMS is essential for tracking workforce compliance. Missing a needed certification or safety training course may become very costly.
Until recently, most LMS solutions limited access to data through built-in reporting structures. Data analytics have required combining reports manually to surface poor-performing students or non-compliant employees. Over time, APIs offered by LMS solutions have allowed data to be obtained and integrated with external systems and produce reports for students and staff. These reports and metrics are also used to drive push notifications to devices, reducing the time required to address problems with non-compliance.
The shift to a user-centric approach to education has also driven the shift to APIs in ed-tech. Students, teachers and the workforce wish to be more empowered to create their own personalised learning experiences. Videos found on learning sites may be combined with articles and self-authored materials to create unique learning experiences. All of these technologies leverage APIs behind-the-scenes, even if the users are not aware of this fact.
The three layers of the e-learning technical stack
Ed-tech now recognises that there are three distinct layers to the e-learning technical stack:
- Student Information System (SIS) – stores student information and course data for decision-making and reporting purposes at all levels, much like an ERP system tailored for education
- Learning Management System (LMS) – delivers training programmes and courses to individuals, classrooms and the workforce
- Learning Object Repository (LOR) – acts as a digital repository of content and other assets that may be combined to create new educational opportunities
While these three layers previously existed inside a single LMS solution, the complexity of security, privacy and content management has led to the separation of these responsibilities. It has also led to the creation of standards for data model sharing between these layers and across a variety of e-learning solutions. These data model standards are now becoming part of a larger, API-based standards initiative to drive opportunities for greater interoperability between on-site and cloud-based solutions.
The growing need for APIs in ed-tech
Project Unicorn states that “an average school district accesses 548 ed-tech applications monthly.” This insight explains the increased need for integration and interoperability across schools, districts and corporations. Until recently, much of the interoperability has been focused on sharing data models. However, the power of web-based APIs to connect internal and external systems at different levels is proving that the needs for interoperability go beyond data model standards.
Some organisations have experimented with the introduction of their own APIs to support integration with LMSes and student information systems. These experiments are often limited to a specific school district or for specific corporate environments. As data sharing extends beyond internal needs, complications arise around data sharing and many-to-many integration scenarios including concerns for privacy and student protection.
Established and emerging ed-tech interoperability standards
The need for open APIs in ed-tech to support e-learning is becoming more apparent. The healthcare industry has benefited from the FHIR standard to allow interoperability between providers, vendors and patients. Open banking standards such as PSD2 enable consumers to access data from their financial institution and control data sharing with loan originators in a common way. Likewise, ed-tech has started to see an emergence of data models and API standards that support interoperability.
The Ed-Fi Data Standard is the set of rules for the data collection and management for sharing across multiple systems. The Learning Tools Interoperability Standard (LTI) is a common standard that covers the integration of digital applications, content, tools and educational apps into learning management systems for K-12 schools.
The Schools Interoperability Framework (SIF) is an open data-sharing specification for academic institutions and the workforce. This specification is being used primarily in the United States, Canada, the UK, Australia and New Zealand; however, it is increasingly being implemented in India, and elsewhere. While SIF 2.x offered consistent data model specifications, the latest SIF 3 release includes details on using REST-based APIs for protocol interoperability.
Initiatives are emerging to unify these standards into a cohesive solution. A4l’s Unity Specification combines the SIF 2.x specification for data models, the SIF 3 infrastructure, REST API standards, and privacy support to ensure proper GDPR and SDPC compliance.
Challenges of APIs in e-learning
While standards help with interoperability, there are still technical hurdles to overcome. These include managing student privacy and PII data, complex authorisation requirements and security audits.
- Student Privacy and Personally Identifiable Information (PII)
Within a corporate environment, managing privacy and personally identifiable information (PII) is the responsibility of the organisation. All members of the workforce typically have the same or similar concerns when it comes to protecting the privacy of their employees and contractors.
Unlike the workforce, the privacy of students is of an increased concern. Students that are classified minors must be protected further. Legal measures in the US like the Family Educational Rights and Privacy Act (FERPA), plus the Children’s Online Privacy Protection Act (COPPA), impact how students’ personal information is accessed. These measures ensure that a student can safely learn online without fear of personal details being shared beyond those with authorised access.
Student privacy concerns present a much higher technical challenge than traditional SaaS-based solutions. Student data may be shared between the teacher and parents/guardians. The same student data may also need to be accessed from home by the student or an authorised party. School district staff may need to produce reports to identify trends across all schools in the district. However, the data may only be used within reports if the data is anonymised. These requirements also create more complex authorisation requirements.
- Complex authorisation requirements
Additionally, not all students should be able to access all learning modules, as they may be beyond their grade level or inappropriate for their age. Fine-grained control is required to protect students from improperly accessing these resources. These strict authorisation requirements often disqualify many technical platforms from the ed-tech sector.
Ed-tech vendors and school districts building their own APIs must keep these needs in mind when designing their API-based solutions. Off-the-shelf commercial or open-source software may appear to address the immediate need, but fall short when it comes to the complex authorisation requirements for students. Not only must student privacy be protected, but the students themselves must be authorised to use only specific applications.
These authorisation requirements extend beyond a single device within the school building, often to mobile devices owned by the student. The OAuth 2.0 framework is a useful solution to allow students and their parents/guardians to receive fine-grained access control for apps and data across their many devices.
- Security audits
The security and privacy provisions required for students necessitate proper auditing capabilities. Students, faculty and staff may use a variety of SaaS-based and internal software solutions. These solutions power both classroom experiences and administrative business processes. Audits help to identify what information was accessed, when and by whom. These audits also extend to the applications used and the links clicked across devices.
How API management platforms are enabling the e-learning industry
API management platforms ensure effective management of internal APIs, easy integration with 3rd party systems and enforcement of data privacy policies for all stakeholders. Proper API management also offers analytics into API usage, helping the API provider better understand and support the API capabilities used across all three layers mentioned in the earlier section.
The use of an API management layer (APIM) helps to enforce security restrictions to prevent unauthorised access. Using the OAuth 2.0 framework alongside a comprehensive API security strategy, students, faculty and staff are able to securely access their data and even provide limited access to third-party vendors (known as three-legged authorisation).
- Role-based access control (RBAC)
RBAC is a method of restricting access based on the roles of individual users within an organisation allowing users to have access rights only to the information they need and prevents them from accessing information they don’t. Coupled with custom plugins that extend and enhance data entitlement checks, before they reach the API server, an API management platform helps to deliver data from APIs quickly and safely.
- Data obfuscation
Data obfuscation is a data security technique that copies and scrambles sensitive data, often via encryption, as a means of concealment. While the API management platform may not be solely responsible for this, it is a critical component in ensuring data encryption during when being routed through the platform.
An API management platform provides comprehensive logging across all requests between all devices and integrations. It enables centralised governance and protection combined with an effective logging strategy to ensure a safe and secure environment for students. API activity can be segmented by geographical location and API keys for better understanding of the data lifecycle.
Tyk is a leading cloud-native API and service management platform complete with an intuitive dashboard and a simple developer portal, both powered by an open source API gateway. In addition to the capabilities mentioned above, Tyk also provides:
- Support for Open Policy Agent (OPA) which enables the creation of custom permissions for different user roles
- Multi-data centre bridge(MDCB) which enables creation of multiple local API gateways in accordance with data sovereignty requirements, managed through a central control plane.
- Tyk Pump is an open source analytics purger that acts as an observability layer and moves the data generated by Tyk nodes to any back-end internally to the dashboard or to 3rd party analytics, monitoring and BI tools.
With API adoption picking up in the e-learning industry making it easy to access information in a simple yet powerful way, the right tools like an API gateway coupled with a dynamic API programme could further drive growth and innovation in the industry.