Web - Home grown applications by schools for their own use

We have been asked 'If a school wants to use ESS Web APIs for an inhouse development how should they go about it?'

Part #1 - Play

• Web - SIMS web-based integration | ESS Portal (sims-partners.com) 
  • Look at Getting started
  • Use Postman to see how easy it is to get some data
  • Use the free sandbox to formulate some ideas.
  • Just costs some time...

Part#2 - Reality check

• Can we build the application
  • Is the required data available on the SIMS web APIs?
  • Who owns the IP
    • Developers
    • School
    • Agree up front! 
  • How will we secure it
    • Single Sign On
    • Home grown solution
    • Would this pass review / pen test?
  • How many concurrent users?
  • Where will we store the data?
    • Who pays for storage and processing?
    • Is data retrieval fast enough to cope?
    • Is it secure 
    • Would this pass review / pen test?
• How is the work funded?
  • Gratis development work does not usually equal a free solution!
  • How will ongoing tasks be funded?
  • ESS costs will also apply - See Partnering with SIMS | ESS SIMS (ess-sims.co.uk)

Can we run the application safely?

• Can we update the solution if needed?
• How will our solution access the data?
  • Is that secure,
  • Could any bad actor repurpose our data access?
  • Would this pass review / pen test?
• What if the person with the idea / skill leaves the school?
  • Can we be certain that they can no longer access school data?
  • Who else can take over?
• How do we control access 
  • Does the solution offer access management?
  • How is access controlled?
  • Is access management fit for purpose?

Part #3 - Everything is under control how do we go live

• The application can be largely built and tested using the sandbox
• It can also be pen tested - but please let us know if you plan to do this.
• Formal processes
  • The school would need to move under contract as a TI - contact us to begin the process.
  • Once under contract we will
    • Set the school up as a vendor
    • Grant access to the TI site (parallel to the school)
    • Provide a login
    • Help the school to create a tile
    • Lock the tile down to the set of schools who should see it. (if appropriate)
  • The school will then choose the tile.
  • ESS will help with (if needed)
    • Setting up DeX within the school
    • Setting up OneRoster/RAP within the school
    • Initial school go live.

Part #4 - It doesn't end there..

• The school needs to budget for:
  • On going running costs:
    • Azure / Amazon / Hosting
    • Ongoing pen tests - threats change
    • GDPR requests / best practice 
    • Data purging when no longer needed.
  • Ongoing training costs:
    • As staff change, knowledge needs to be retained
• If we replace the system / stop using it
  • How will it be purged including back ups
• If budget pressure occurs
  • How do we fund ongoing duties
  • If we suffer a data breach - who pays the costs?

This may sound like we are trying to dissuade schools from DIY solutions; however once a school makes their own solution available on the web it is open to bad actors and the school takes on all of the responsibilities that a software house would have but usually without the economy of scale.  To be clear, we have a responsibility to raise the questions here but are more than happy to support any informed schools who wish to enhance the use of their data via our Local or Web APIs.

One intermediate route would be for a school to employ a commercial vendor to provide a bespoke solution for an individual school or a group of schools.  This certainly mitigates many of the concerns assuming that the vendor retains the IP and the responsibility for securing and maintaining the solution.  If a school/group is considering this route then please engage with our TI Management Team who will be happy to discuss how best to organise contracting between the 3 parties.

If a commercial solution is available then this would usually be a better choice for the school because any ongoing liabilities and costs lie with the vendor.  This would remain true if the solutions available were not the 'ideal' one for the school but did at least what was needed.