Security Guidelines for Data Integration Implementations
Even if the technologies leveraged in your integration solution can be considered secure, there are still many security risks in data integration, especially during implementation. With support from Digital Square, we have therefore developed a Security Guidebook for Data Integration Implementations.
Since 2014, we at Open Function Group (the primary custodians of OpenFn) have helped implement nearly 100 data integration solutions for over 45 NGO and government partners around the world. Through our engagements with security teams at different partners, our own research and development, consultations with security experts internal and external, and partnerships with other communities of practice, we have developed a strong understanding of security best practices and considerations for data integration projects that we would like to share with the wider digital development community.
This Guidebook aims to help digital implementers in the Digital Public Good and Global Goods communities better understand security risks and presents 23 best practices for the various implementation phases of data integration projects. It also links to some open-sourced OFG resources our team uses in our own implementation process for OpenFn projects.
You can find a complete list of the 23 best practices on this page below.
To access the Guidebook, check out the below slides or click the link to share & download: https://bit.ly/security_guidebook
Secure Data Integration: 23 Implementation Best Practices
Core Tenets
- Understand relevant policies specific to data sharing, storage, and protection
- Only extract & transfer essential data points
- Document, document, document
Analyze & Plan
- Don’t take API security for granted
- Budget time for security testing
Design
- Resource: Mapping specification template
- Resource: Architecture data flow diagram
- Resource: Project Security Configuration & Go-Live Checklist
- Consider idempotency, unique identifiers, & “upsert” operations to ensure data integrity
- Design for failures & transaction reprocessing
- Consider data validation
Build
- Use change tracking & version control
- Encrypt where possible
- Use strong authentication; don’t talk to strangers
- Authorization scopes to limit access
- Log transactions for activity monitoring & control what information is logged
Deploy
- Test again, especially credentials, before deployment
- Train users and system administrators on integration security
- Review your security requirements again before go-live
- Determine point of contacts for reporting security issues
Ongoing Monitoring & Management
- Consider Governance models for ongoing management & changing requirements
- Train partners on change management
- Have a strategy for access management
Read on for other resources and implementer communities to check out.
Resources referenced in the guidebook
- Principles of Digital Development Privacy and Security Guide
- UNICEF policy on personal data protection
- International Committee of the Red Cross Handbook on data protection in humanitarian action
- GDPR Quick Guide
- Sanity.io A Rough Guide to Running a GDPR Compliant SaaS Business
- OWASP API Security Project
- GovStack Security & API Standards
- Health Data Governance Principles
- CDC Health Data Privacy, Confidentiality, and Security Guidelines
OpenFn Resources
More implementation guidance can be found across this Docs site. For OpenFn users, learn more about OpenFn security & compliance at openfn.org/trust and openfn.org/compliance.
Here are the key OpenFn templates and resources referenced in the Guidebook:
- Mapping Specification Template
- Solution Architecture Diagram
- BPMN Diagram resources
- Project Security Configuration & Go-Live Checklist
Communities of practice & other experts
Here are some other communities you may consider following for more security guidance.