LMS Security Considerations – “How Secure is your LMS?”

When did you last test the security of your LMS? Are you convinced that your LMS is secure enough?

The job of LMS Administration is not complete with installing, configuring and rolling out the LMS application to the Stakeholders: Learners, Instructors and the Management. The real job starts once it becomes operational. Many non-functional aspects keep the LMS Administration group on their toes all the time: Performance Fine-tuning, High Availability, Load Balancing, Security and much more.

Every consideration listed here has its own importance; none matters less and none matters more. For a typically sized LMS Deployment, be it for Corporate Training or an Online Training Business, all these factors may soon become show-stoppers or roadblocks if not handled in time or not given enough importance. As much importance as is given to the Functional and User Experience aspects of the Learning Management System, equal and sometimes more importance should be given to the non-functional aspects listed above.

Here, we list the Security considerations for LMS deployments.

LMS Security is a broad subject. Most LMS Security considerations are no different from the Security considerations of a Web Application. The only additional consideration for the Security of an LMS Application is Content Security. Securing the Learning Content is a very important business consideration. As much as an eLearning business or a corporate can protect its interests with Legal and Copyright practices, considerable damage is still possible if the eLearning content is not protected from being copied or downloaded. So, Content Security is what sets Learning Management Systems apart from typical Web Applications.

Below is a quick compilation of an LMS Security Checklist. Add more items to the checklist as you need to harden the LMS Security further. There has to be Strategic Planning, supported by Tactical Security Hardening practices.

  • Network
    • At a minimal level, Layered Firewalls
    • And anything and everything to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources
  • Server
    • At a minimal level
      • Establish and Use a Secure Connection
      • Use SSH Keys Authentication
      • Secure File Transfer Protocol
      • Secure Sockets Layer Certificates
      • Use Private Networks and VPNs
      • Monitor Login Attempts
      • Manage Users
      • Establish Password Requirements
    • Anti Spam
    • Anti Virus
    • All Server & Infrastructure Security Hardening for a Server hosting a typical Web Application
  • Application
    • IP Blocker
    • Password Authentication
    • SSL Encryption
    • Single Sign On
    • Roles and Permissions
    • Good Password Policy; Encrypted Passwords
    • …and more…
  • Content (Don't lose your content to your Learners)
    • Special requirement for the Security of the LMS
    • Disable Right Click (Copy & Paste)
    • Prevent Download of Content
  • Database
    • Data is Lost -> Everything is Lost
    • At a minimal level
      • Ensure physical database security
      • Use web application and database firewalls
      • Harden your database to the fullest extent possible
      • Encrypt your data
      • Manage database access tightly
      • Audit and monitor database activity
  • Backup and Restore; Disaster Recovery Planning
    • Back up at a frequency that is neither too high nor too low
    • Be able to Restore from the Backup
    • Have a Disaster Recovery Plan

So, LMS Security Hardening is not just the job of the LMS Administrator but of the overall Infrastructure Management group.

To make the discussion complete with an example, let us take Moodle LMS, the most popular Open Source LMS. Moodle Security is very strong. No platform or application can claim to be 100% secure, but Moodle Security is no less than that of any leading proprietary LMS platform. Moodle Security Recommendations and Moodle LMS Security plugins together make Moodle LMS Security stronger. The following link may be used as a starting point for the Security of Moodle.

Moodle Security – https://docs.moodle.org/39/en/Security

All LMS Providers make Security Patch releases from time to time. It is highly recommended to keep your LMS installation up to date with all the latest Security Patches installed.

Other LMS providers may have similar documentation for an LMS Security Hardening checklist.
