For those open source Software as a Service (SaaS) solutions that collect and store Personally Identifiable Information (PII) on behalf of your clients and employees, including many installed learning management systems (LMS) open source solutions, the increasing exposure warrants your immediate attention.
While getting more than its fair share of press about security issues this year, open source is not inherently less secure than other methods of application development. However, systems that utilize open-source libraries can quickly become a target simply because of how far reaching the initiative has spread. As we have seen, when many use the same code libraries, one un-discovered flaw can end up effecting millions of websites. Unfortunately, this has spread to open source LMS solutions, where vulnerabilities are beginning to surface.
As part of your organization's standard vendor due diligence, you must ask the right security questions, understand the ramifications and risks involved, make smart decisions and take the right remediation actions in order to safeguard your intellectual property, customer and client PII, to ensure you have mitigated any risks before you suffer a breach and data loss.
Here are 5 questions you should be asking your existing and potential SaaS LMS vendors:
1. Do you perform External Application and Network Penetration Tests?
This means the company has hired or obtained testing services to "attack" their website and network looking for exposed weaknesses in security. LMS vendors and other SaaS providers who are serious about security will have this performed at least quarterly, with additional testing completed against any updates to their systems. You should ask for the most recent report as well as requesting each new report be shared with you.
2. If open source is used in your LMS solution, how have you addressed the recent security flaws discovered?
Good software development calls for system and application hardening. It also calls for regular updates, patches, and modifications to stay "one step ahead" of risk. The vendor should have specifically addressed the “Shellshock” and “Heartbleed” vulnerabilities.
3. If you utilize eCommerce in your LMS, are you PCI compliant?
The Payment Card Industry (PCI) Data Security Standards call for assessments and adherence to a rigid set of rules defining best practices to ensure the safety of data used for making online purchases. An LMS or other SaaS vendor should be able to deliver to you a signed attestation of compliance, or in the case of larger organizations, a report from a qualified external assessor.
4. Where will my data be housed and who will have access to it?
It is important to understand where exactly your LMS data is stored. In today's cloud environment, without asking, you may find out your data is stored in an insecure facility or in a part of the world you may not be confortable with. Additionally, you must understand who has access to the data outside the systems that use it. Solid organizational security procedures call for a separation and regulation of duties so that only "trusted" individuals have access to your data behind the scenes, strictly limited to only what they need to know and access.
5. Will our data be encrypted both in transit and at rest?
Note that even the best practices have gaps. Generally the biggest gap can be a "trusted" employee becoming untrusted. If your data is protected through encryption while moving (perhaps with HTTPS forced across the entire application), and encrypted at rest (while stored in the database), much of the value of the data is lost to the casual data thief.
While you may have asked some of these questions when originally vetting your LMS vendor, now is the time to ask again. As the Internet evolves, things change often. Ensuring that you are knowledgeable and remain concerned about your organization's data will help keep your vendors in line and above board.
Click here to learn more about the SmartPros eCampusTM Learning Management System (LMS).
Joseph Fish is EVP, CTO at SmartPros Ltd.