As more businesses opt for a SaaS cloud-hosted Learning Management System (LMS), the main concern for the stakeholders who procure LMS systems, and for their end users, is: how secure is our data?
To ensure data is kept secure, data protection legislation has been put in place across Europe, Australia, North America and parts of Asia. Within the EU countries this legislation is designed to ensure personal information is used responsibly by organisations, businesses and government. Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
There is stronger legal protection for more sensitive personal information, such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
The key element here is that data needs to be stored securely and used only for the stated purpose, which in a Learning Management System is to ensure users can:
- Access digital learning content
- Register for online virtual and offline classes
- Record any social interactions on the LMS that support Social Learning
- Record any scores for tests that may be undertaken on an LMS and store certificates associated with these tests
So taking the above points into consideration, the LMS vendor needs to ensure the data is secure at the following levels:
- Data Security: At the Database level to ensure data stored by the LMS vendors on their database is secure
- Network Security: At the network and hardware level to ensure data transferred between the cloud hosted environment and the users is kept secure
- Application Security: At the application level to ensure the data processed within the application layer is secure
To ensure data is secure at the database level, the following principles need to be adhered to on the LMS database:
- Ensure the database software is kept up to date with the latest patches. For example, if an Oracle or MS SQL database is used, the latest patches from Oracle or Microsoft for that version of the database should be installed.
- Ensure that the database is password protected and that there is a separate application password, with only the lowest level of access, that is used at the application level. The database admin password should only be used by the database administrator for admin tasks.
- Ensure that frequent SQL injection penetration testing is done through the application against the database, so that the data is protected at the application level.
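As an added example (not Jzero's own configuration), the T-SQL below sets up the separate, least-privilege application account described above on Microsoft SQL Server, one of the databases named in this post. The LmsDb database, the lms schema and its table names are assumptions chosen to mirror the LMS purposes listed earlier (content access, class registration, social interactions, test scores and certificates).

```sql
-- Added example: least-privilege LMS application account on MS SQL Server.
-- LmsDb, the lms schema and all table names are hypothetical placeholders.
USE master;
GO
-- Server-level login used only by the LMS application tier; the password
-- placeholder should be replaced with a value supplied from a secrets store.
CREATE LOGIN lms_app WITH PASSWORD = '<strong-generated-secret>', CHECK_POLICY = ON;
GO
USE LmsDb;
GO
-- Database user mapped to that login; it owns no objects.
CREATE USER lms_app FOR LOGIN lms_app WITH DEFAULT_SCHEMA = lms;
GO
-- A dedicated role holding only the rights the application actually needs.
CREATE ROLE lms_app_role;
ALTER ROLE lms_app_role ADD MEMBER lms_app;
GO
-- Learners read digital content and register for online/offline classes.
GRANT SELECT ON lms.Courses TO lms_app_role;
GRANT SELECT, INSERT ON lms.Enrolments TO lms_app_role;
-- Test scores and certificates are written once and read back; the
-- application never needs UPDATE or DELETE on these records.
GRANT SELECT, INSERT ON lms.TestScores TO lms_app_role;
GRANT SELECT, INSERT ON lms.Certificates TO lms_app_role;
-- Social-learning posts may be edited by their authors, so UPDATE is allowed.
GRANT SELECT, INSERT, UPDATE ON lms.SocialPosts TO lms_app_role;
-- No DDL for the application account: even a compromised application
-- connection cannot create, alter or drop database objects.
DENY ALTER ON SCHEMA::lms TO lms_app_role;
DENY CREATE TABLE TO lms_app_role;
GO
-- Verification: impersonate the application account and list what it can
-- actually do on the scores table, then confirm DELETE is not among its rights.
EXECUTE AS USER = 'lms_app';
SELECT entity_name, permission_name
FROM fn_my_permissions('lms.TestScores', 'OBJECT');
SELECT HAS_PERMS_BY_NAME('lms.TestScores', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO
```

The admin login (sa or an equivalent sysadmin account) is never referenced here, so it stays with the database administrator, while the application connection string only ever carries lms_app.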
To ensure data is secure within the SaaS cloud-hosted environment's network, the following principles need to be adhered to:
- Ensure all firewalls and load balancers are patched with the latest firmware if the hosted environment is managed by the LMS vendor. If the application is on a shared cloud service like AWS (Amazon Cloud) or Azure (Microsoft Cloud), this is taken care of by the cloud service provider.
- Carry out network penetration testing on the hosted environment using network scanning tools such as Nexpose, Nessus or OpenVAS.
- If SSL certificates are used for the application, use SSL configuration testing to ensure the HTTPS communication is secure for data transfer. This can be done using the test provided by Qualys SSL Labs.
To ensure data is secure at the application level, the following principles need to be adhered to:
- Ensure the application developers are aware of the latest secure coding standards, so that they build the application with security in mind.
- Also ensure there is a strategy in place for frequent penetration (pen) testing of the application. This can be done using tools from OWASP.
Taking into account the above three key areas of data security, we at Jzero Solutions adopt these key principles to ensure our JLMS and JLMS Cloud solutions protect the customer data we host. In the coming months I will be writing a blog on the penetration testing strategy we adopt at Jzero, and on how we are seeking to achieve GDPR (General Data Protection Regulation) compliance for our hosted environments.