Modern education offers incredible opportunities with the evolution of learning management systems. Today, the eLearning sector is extensively exploring the use of IT systems and technologies to meet the requirements of modern learners who want more than traditional classroom lessons. This has given rise to new models of educational processes that can mix face-to-face elements of the so-called “traditional school” with state-of-the-art tools and digital content.
But let’s look at EdTech systems from the point of view of their security issues, instead of reviewing the obvious opportunities for these products. After all, such systems store huge amounts of personal data. So it is not enough to include just some basic security add-ins, like simple authentication solutions.
The architects of these systems must pay attention to the weakest spots of the systems and implement the latest security solutions on a regular basis, because a non-systematic approach could let an attacker breach the system's security with little effort.
The typical types of cyber threats to eLearning systems are the following:
- Broken authentication;
- Attacks that aim at gaining access to confidential data or intellectual property;
- Attacks focused on the backend of the product (SQL injections or cross-site scripting attacks);
- DoS attacks.
From the security point of view, any type of attack aims at an assumed or existing weakness of the infrastructure. Thus, initially, the software engineers have to get rid of the vulnerabilities of their systems.
Here are the most delicate spots of most learning management systems, the ones usually targeted by cyber-criminals:
The login spot
Before accessing the system’s content, a user has to log in to the portal, so it is important to protect the user’s ID and the access point.
The verification spot
Access to the system must be granted only to the particular user whose credentials can be verified and confirmed.
The segmentation spot
There are always sections with access restricted to certain types of users.
The integrity spot
Only specific users are allowed to modify the contents of the system.
To achieve the basic security goals, several features have to be put in place. One example is reliable user authentication, which is needed for effective authorization, which in turn is essential for data integrity and confidentiality. Another is non-repudiation, which ensures that someone who has performed a certain action he/she is entitled to cannot later deny it; for example, a student must not be able to deny his/her result after failing a test.
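As an added illustration (not code from the article or from any particular LMS), the sketch below ties authorization to integrity: only permitted roles may record a test result, and each record is chained to the previous one with an HMAC so a later edit is detectable. The role names, key and record fields are hypothetical; a server-held HMAC key gives tamper evidence, while strict non-repudiation against the operator would need per-user digital signatures.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the article).
SERVER_KEY = b"demo-key-keep-real-keys-in-a-secrets-manager"
CAN_MODIFY = {"instructor", "admin"}   # roles allowed to write results
GENESIS = "0" * 64                     # MAC value preceding the first record


def _mac(prev_mac, entry):
    """MAC over the previous record's MAC plus this entry, chaining the log."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def record_result(log, actor_role, student, test_id, score, ts):
    """Append a graded result; deny by default for roles not in CAN_MODIFY."""
    if actor_role not in CAN_MODIFY:
        raise PermissionError(f"role {actor_role!r} may not record results")
    entry = {"student": student, "test": test_id, "score": score, "ts": ts}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": _mac(prev, entry)})


def first_tampered(log):
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(prev, rec["entry"])):
            return i
        prev = rec["mac"]
    return -1


def demo():
    """Build a two-record log, verify it, then verify again after an edit."""
    log = []
    record_result(log, "instructor", "s-1001", "math-final", 42, "2024-01-10T09:00:00Z")
    record_result(log, "instructor", "s-1002", "math-final", 88, "2024-01-10T09:05:00Z")
    intact = first_tampered(log)
    log[0]["entry"]["score"] = 95      # simulated after-the-fact change
    return intact, first_tampered(log)


if __name__ == "__main__":
    print(demo())
```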
In general, certain high-level features ensure the protection of the deployment, implementation, and operation of learning management systems. These features generally assume that both developers and users work on maintaining the system’s security. They can be described as follows:
SSL, or Secure Sockets Layer, is a widely used security technology designed to establish an encrypted connection between a user’s browser and a web server. This connection keeps all the data transferred between the server and the browser private. A solution can use symmetric key algorithms (where the system uses the same key for encryption and decryption) and asymmetric key algorithms (where different keys are applied).
Secure access to an LMS involves several steps. The system usually requires the following information: an individual login or email address, date of birth and any other private information. By providing this information, the user satisfies the identity proof criteria needed to initiate a secure system account. This account, being a series of numbers used in combination, prevents duplication of users and dramatically reduces the risk of identity fraud.
Companies insist on good password policies, such as a lower limit of six characters and a reminder to users not to use simple passwords. This is a simple truth, but some people forget about this rule and put their security and privacy in danger.
If we make security a moving target, it will be harder to hit. A solution that is constantly updated with the newest security enhancements and fixes makes sure that any vulnerability can be patched within hours of its discovery.
Other common protective mechanisms for users are biometric security mechanisms or the installation of a firewall and antimalware software on their device. Also, watermarks used by the popular document formats (like PDF, Microsoft Office, etc.) can be saved in such a way that they can be seen online but cannot be modified or downloaded.
To summarize, we can assume that with the steady growth in popularity of learning management systems, eLearning solutions will become even more complex in the future. New features and the increasing demand to host such complex systems will result in security and privacy becoming even more important and complicated issues.
At the same time, failure to address these issues appropriately may lead to infrastructure instability and inconsistency. The essential methodology for security engineering must be applied as early as possible in the system design phase because security measures never work as an afterthought.
This article is written by Eugene Rudenko. He is a senior online marketing manager for Oxagile, a custom software development company with a focus on eLearning development. Headquartered in New York, Oxagile has local representatives in London, U.K., and a development center in Minsk, Belarus. Among the company's clients are such industry leaders as Google, Vodafone, Disney, and others.