Skip to main content

Security

:::info Source Sourced from services/assessment-service/SECURITY_MODEL.md in the documentation repo. :::

1. Authentication / Authorization

JWT from identity-service.
Scopes: assessment:read (learner self-reads), assessment:author (author), assessment:grade (instructor/reviewer), assessment:admin.

2. Multi-Tenant Isolation

RLS on every table.
Cross-tenant quiz/scenario reference rejected at domain layer.
QuizBank encryption uses per-tenant DEK.

3. Answer Key Protection

Answer keys encrypted at rest (AES-256 via tenant DEK).
Transit: only decrypted in memory in assessment-service; never serialized to logs.
Bundles: answer keys encrypted with per-bundle key (derived from tenant + device).
Learner-facing responses never include correct answers until after submission.

4. Anti-Cheat

Randomized question order (seed-based, reproducible offline).
Randomized answer choice order.
Time limits per quiz (soft + hard).
Navigation locks: cannot revisit after submit.
Browser fingerprint + copy/paste detection on text responses (optional per tenant).
AI-generated cheat detection (M5+): response-similarity analysis across learners.

5. Attempt Integrity

AttemptResult includes SHA-256 of (responses + seed + timestamp) as integrity proof.
Server recomputes on ingest; mismatch rejected.
Duplicate submissions: idempotent on attemptId + attemptNumber.

6. Threat Model

Threat	Mitigation
Answer key leak	Encryption + scoped access; never in plaintext logs
Cheat via DOM inspection	Server-authoritative scoring; no answers in client-visible payload until submit
Replay attack	Attempt integrity hash + idempotency
AI-generated question leak before release	Draft quiz banks scoped to author; publish required
Branching path brute-force	Rate limit on path-evaluation endpoint
Cross-tenant question reuse	Tenant-scoped QuizBank IDs

7. Audit

Every grade change (AI → human override, appeal resolution) logged.
Rubric weights changes logged.
Daily Merkle-anchored.

8. Data Classification

QuizBank (with answer keys): Restricted.
AttemptResult: Confidential (contains responses).
Published questions (shown to learner): Internal.

Participate in erasure: delete AttemptResults, responses, dispute records.
QuizBanks retained (not user data).
Learner-appeal audit record anonymized after erasure.

10. Compliance

Test-bank security per NIST/ISO assessment standards.
FERPA for education tenants.
HIPAA for healthcare CPE.

1. Authentication / Authorization
2. Multi-Tenant Isolation
3. Answer Key Protection
4. Anti-Cheat
5. Attempt Integrity
6. Threat Model
7. Audit
8. Data Classification
9. GDPR
10. Compliance