Security features for LMS
Here is a list of the essential security features for your Learning Management System (LMS).
Behind the creation of e-learning courses and the management of your community, your LMS exposes private information and data. It is therefore important to take stock of the situation before selecting your eLearning Platform.
This LMS security checklist will help you make sure you don't miss anything. We also invite you to read our article on the GDPR.
Data centers
The Learning Lab Learning Management System (LMS) is hosted with the industry-leading cloud hosting provider Amazon Web Services (AWS).
We use redundancy and failover options globally to maintain optimal performance.
Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures.
Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.
Database backups
Amazon RDS snapshots are retained for 14 days with support for point-in-time recovery and are encrypted using AES-256 encryption.
Backup data for your e-learning platform is not stored offsite but is replicated to multiple data centers within a particular AWS region.
We also perform quarterly testing of our backups.
In addition, database dumps are created daily, stored in an encrypted Amazon S3 bucket, and kept for 30 days.
Uploaded asset backups
All uploaded data is also versioned, and expired / deleted versions are kept for 180 days.
These include:
Photo / Audio / Video assets for learning materials
Uploaded documents, SCORM packages
For all of our backups we follow the golden 3-2-1-1-0 backup rule, which means there are (at least) 3 copies of your data in different physical locations and with different access methods.
Encryption of data
Any customer data for your Learning Management System (LMS) must be encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.
Our implementation of TLS enforces the use of strong ciphers and key lengths where supported by the browser.
Data drives on servers holding customer data and attachments use full disk, industry-standard AES-256 encryption at rest.
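When working through this checklist, the in-transit requirement (TLS 1.2+ with PFS) is one that can be checked from the client side. The Python sketch below is an added example, not The Learning Lab's code: the function names and the cipher string are assumptions chosen for illustration, and it relies on OpenSSL's naming of cipher suites.

```python
import socket
import ssl

# OpenSSL names for TLS 1.2 suites that use an ephemeral key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-")


def meets_policy(cipher_name, protocol):
    """Return True if a negotiated suite satisfies 'TLS 1.2+ with PFS'."""
    if protocol == "TLSv1.3":
        # Assumption: a full handshake, where TLS 1.3 always uses (EC)DHE.
        return True
    if protocol == "TLSv1.2":
        return cipher_name.startswith(PFS_PREFIXES)
    return False  # TLS 1.1 and older never satisfy the policy


def strict_client_context():
    """Client context that refuses anything weaker than the policy."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restricts TLS 1.2 suites to ECDHE with AEAD; TLS 1.3 suites are unaffected.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def offered_suite_names(ctx):
    """Names of the suites this context will offer to a server."""
    return [c["name"] for c in ctx.get_ciphers()]


def check_host(host, port=443, timeout=5.0):
    """Connect and report (cipher, protocol, compliant) for one host.

    Raises ssl.SSLError if the server cannot meet the strict context.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            return name, tls.version(), meets_policy(name, tls.version())


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:  # hostnames supplied by the person running the check
        print(h, check_host(h))
```

A handshake failure against the strict context is itself a finding: the endpoint could not negotiate TLS 1.2+ with an ephemeral key exchange.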
DDoS protection
Infrastructure layer: We are using AWS Shield, which is a managed AWS Cloud service for DDoS protection against all known infrastructure (layer 3 and 4) attacks.
Application layer: We are using AWS Web Application Firewall that helps protect our applications and APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.
AWS WAF gives control over how traffic reaches our applications by enabling us to create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting.
Code analysis
We have an automated code analysis platform that covers all code repositories.
This platform runs a variety of static analysis tools (which we are continually adding to and improving) that help to ensure the overall security of our code. Any time a pull request is raised in a repository, the Learning Management System (LMS):
Finds and identifies outdated code dependencies that may introduce vulnerabilities
Identifies any accidental or inadvertent disclosure of secrets in code repositories (e.g. authentication tokens or cryptographic keys)
Undertakes an analysis to identify any problematic coding patterns that could lead to vulnerabilities in our code
Controlling access to customer data
At the Learning Lab, we treat all customer data as equally sensitive and have implemented stringent controls governing this data.
Awareness training, which covers the importance of and best practices for handling customer data, is provided to our internal employees and contractors during the onboarding process.
Only authorised employees have access to customer data stored within our applications.
Authentication is done via individual passphrase-protected public keys, and servers only accept incoming SSH connections via a dedicated VPN channel.
All access is restricted to privileged groups unless requested and reviewed, with additional authentication requiring 2FA.
With stringent authentication and authorization controls in place, our global support team facilitates maintenance and support processes.
Hosted applications and data are accessed for the purpose of application health monitoring and performing system or application maintenance, or upon customer request via our support system.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process.
This process includes instructions to notify affected customers if a breach of policy is observed.
Our Learning Management System (LMS) is the perfect solution for protecting your e-learning courses.
This leaves your mind free for creation and strategy!
We remain at your disposal for a more detailed discussion.
Ask for a free demo!
The Learning Lab - An Innovative eLearning Platform for Creative People.