LMS Must-Have #2: Highly Secure Data Practices
Every so often it’s good to review some of the basics about an LMS that should be kept in mind. These LMS “must-haves” are a way to check whether your existing LMS is keeping up with the times, or features to look for when taking on a new LMS. This article will focus on what kinds of security and data backup options you want with an LMS.
The point of security is to make sure there is no unauthorized access to your content and learner records. Your LMS should provide password controls and privacy settings for total access management. Many organizations are moving to cloud-based LMS systems, and it is extremely important to understand the multiple security layers of SaaS (software-as-a-service) systems.
Here are ten questions you should be asking about data security:
- How is user authentication information protected? The best approach here is to make sure that passwords are stored on a completely different server from the one where the application resides. Going above and beyond here might include passwords being protected by cryptographic hash algorithms, which are largely impervious to any kind of cryptanalytic attack.
- What’s the level of encryption for user file storage? Data encryption is essential. A good high standard here for data at rest would be 256-bit AES encryption. AES is the encryption algorithm the US government uses, and a 256-bit key is the highest level of security that goes along with it. Above and beyond here would be FTF (File Transfer Fabric) file storage that replaces all file names with random strings so files cannot be identified by name.
- Is it a multi-tenant system? A cloud-based SaaS may look the same for many customers, but all that data has to be adequately segregated on the back-end. Each so-called tenant’s data needs to be kept separate. This is a feature of the system’s database architecture, and the security provisioning that keeps different customers’ data segregated ought to be both multi-layered and multi-tiered.
- Can the vendor see user files? The vendor should not be able to view user files or confidential information, period.
- Who can access user files? In spite of what was just mentioned under #5, there are going to be some people who do have to have access to user files. However, the larger this group of people is, the greater the chances of a data breach occurring. As mentioned in #4, access should be strictly limited to a small group of security/operations staff.
- Are files deleted and if so, when? When users delete files in a cloud-based system, they’re usually still kept for some period of time in case they need to be restored. This period of time should be clearly defined, such as files being purged within 7 days after expiration or user deletion.
- How are worn-out physical storage devices destroyed when being replaced? Hard drives do wear out and need to be replaced. What happens with the old ones, however, is important because data could still be recovered from them if they are simply placed in a trash bin. A good practice here is for the hard disk to be destroyed on-site and then disposed of by a third-party vendor.
- How does data transfer occur, whether account information or user files? A lot of the data that is transferred over the Internet is not encrypted in any way, which makes it vulnerable to being hijacked as it makes its way through cyberspace. Vendors should offer robust encryption for data transfers over the Internet. A good standard here is 256-bit SSL/TLS encryption, but understand that the user’s browser must also support this level of encryption. Many browsers in use may only support lower-bit encryption.
- How is data backed up? Ideally, you want your backups to also be copied to a second location for redundancy and availability purposes. That way, in the event of a serious disaster or emergency, there’s another copy in a very different location.
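To make the first question concrete, here is an added example (not code from this article or from any LMS vendor) of what protecting passwords with a cryptographic hash looks like in practice: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison. The choice of PBKDF2-HMAC-SHA256, the 600,000-iteration default, the record format and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not taken from the article).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iter_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a stored record is malformed or weaker than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdecimal():
        return True
    return int(parts[1]) < minimum


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong guess", rec))
```

A useful follow-up question for a vendor is which algorithm and work factor they use, and whether older records are upgraded when the policy changes, which is what `needs_rehash` models here.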
The above represents 10 important questions you should be asking of your LMS vendor to make sure the system you are or will be using is up to speed where data security is concerned. There are many other aspects of security related to your LMS that also deserve attention, and those will be covered in additional articles.