The incident demonstrates the failure of traditional security models built on perimeter defense when trust is outsourced to vendors. The core pattern is the implicit assumption that the security posture of a trusted partner (Instructure) extends beyond the direct control of the consumer (school districts). This pattern relies on a "security by delegation" model, where the defense boundary is assumed to be the institution's firewall, ignoring the internal, complex flow of data through the cloud i...