Whether you’re doing online corporate training or selling commercial training courses, the security of your eLearning portal is something you should take very seriously. In this post, we examine the five most essential online security features and explain how they apply to your Learning Management System.
LMS security features to demand from your eLearning vendor
What’s missing from most review sites and LMS features lists? Security capabilities. And yet, they should be your first requirement from any online training platform.
Whether you want to train employees or run a commercial training business, it’s important to consider an LMS’ security features. Especially in this new era of GDPR. In a few weeks, companies will be liable for security breaches under European law. So, if you can prevent a breach, you should.
In this post, we’ll go through the five most important LMS security features you should demand from your eLearning solutions vendor.
Why is online security important?
Physical security is easy to understand. If you leave your house unlocked people can steal things from you. Similarly, if you leave your offices unguarded, people can break into them and steal, cause damages, or disrupt operations.
Online security is more nuanced, but it still boils down to the same kind of thing:
- Your business data, while intangible, are valuable, and can be stolen.
- Your online properties (e.g. your learning portal) can be broken into and/or have their operation disrupted.
How serious the damage can be depends on the kind and extent of the attack. But even a simple “hacking” of your training portal can expose private employee information, leak business secrets, or wreak havoc with your training program.
Now let’s see how certain major LMS security features can help keep your business safe from internal and outside attacks.
1) SSL — a rich layer of secure goodness
The web started out as an unsafe piece of technology. Every page you visited, and everything you read, wrote, or uploaded to it, could be read by anybody on the same network. That would include your credit card details, and would make online commerce extremely unsafe, if it weren’t for a little add-on technology called SSL (Secure Sockets Layer).
SSL takes the old, all too trusty, web protocol (http) and adds encryption to it, so that your web browsing is safe from prying eyes. SSL, in other words, is the technology behind the little green padlock in your browser address bar that informs you when a site is safe to do business with.
SSL has been legally mandatory on websites handling credit cards, and is increasingly required from any kind of website, even a personal blog. So much so, in fact, that major browsers have taken to marking sites without SSL as unsafe, and Google is starting to penalize them in its search rankings.
Given the above, you should demand (as opposed to merely ask) that your LMS vendor use SSL to protect your online training portal. Oh, and, because SSL works on a per-domain basis, your LMS security features should include the ability to SSL-protect your training portal whether you use your vendor’s catch-all domain, or your own custom one.
2) SSO — or one login to rule them all
After SSL, we’re moving forward with another acronym: SSO. Fortunately this one, short for Single Sign-On, is a little easier to explain. It’s all about using the same username and password to connect to a bunch of online websites and services. If you have used Facebook or Google login in websites other than Facebook and Google, you have made use of a form of Single Sign-On.
Now, you might be saying to yourself: this SSO thing sure sounds convenient, but what does it have to do with security, and why does it belong in a list of LMS security features?
The thing that makes SSO important, security-wise, is that it allows you to centralize authentication management across your online properties. So, your IT department can enforce the same security policies and restrictions for your corporate intranet, any third party Cloud services that you might use, and your training portal. And, there’s only one way to manage users, roles, and permissions, too.
(SSO also means that your employees will only have to remember a single password, instead of a kajillion, and will be less prone to writing passwords on a post-it note stuck to their monitor).
3) Users, roles and permissions — to each their own
Users, roles, and permissions represent the most basic concepts in computer security. Let’s go through what they are, what you can use them for, and how they keep you safe.
- Users, of course, represent user accounts (people that should be able to access an online system).
- Permissions, on the other hand, represent the actions a user logged into the system should (or should not) be able to do.
Web applications (including eLearning portals) come with a set of permissions that administrators can assign to users to allow them to perform certain actions or change certain system entities.
If a user should be able to edit lessons, for example, they should have the “Edit lessons” permission. If they should be allowed to create new courses they should be assigned the “Create Course” permission. You get the point.
Without permissions, any logged in user could do anything to your eLearning portal without any constraints. This would include a learner editing training content or reading the private data of other users.
In addition to Users and Permissions, most systems also support a way to bundle related permissions and assign (or revoke) them all at once. This, depending on the platform, might be called a User Type, a Permission Group, or a Role.
As an example, a user type called “instructor” could bundle permissions such as “Create Lesson”, “Edit Lesson”, “Create Test” and so on. This way, when a new instructor account is created, it could be defined to belong to the “instructor” user type — sparing you from manually assigning them each of the individual permissions. (Plus, when you want to add a new permission to all of your instructors, you only need to change the instructor User Type).
If your LMS security features don’t include the ability to define Users and set their Permissions, throw it away. If it doesn’t support user types or permission groups, you could maaaybe keep it. But know that without these features, user administration will be harder, take longer and there’s a higher chance of making mistakes. Mistakes will make your LMS less secure.
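The model described in this section, written out as a small added example (not code from this post or from any LMS vendor): user types bundle permissions, every action checks a permission, and anything not granted is denied. The names `USER_TYPES`, `User`, `can`, `require` and `grant_to_type`, and the "View Course" permission, are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# User types bundle permissions. The instructor permissions are the article's
# examples; "View Course" is a constructed extra for the learner type.
USER_TYPES = {
    "learner": {"View Course"},
    "instructor": {"View Course", "Create Lesson", "Edit Lesson", "Create Test"},
}


@dataclass
class User:
    name: str
    user_type: str
    extra: set = field(default_factory=set)  # permissions granted individually


def permissions_of(user):
    # An unknown user type resolves to the empty set: deny by default.
    return USER_TYPES.get(user.user_type, set()) | user.extra


def can(user, permission):
    return permission in permissions_of(user)


def require(user, permission):
    # Called at the top of every state-changing action.
    if not can(user, permission):
        raise PermissionError(f"{user.name} lacks {permission!r}")


def edit_lesson(user, lesson, new_body):
    require(user, "Edit Lesson")
    lesson["body"] = new_body
    return lesson


def grant_to_type(user_type, permission):
    # One change to the user type reaches every account of that type.
    USER_TYPES[user_type].add(permission)
```

Because the check lives in `require` rather than in the user interface, a learner who reaches the edit action directly is still refused.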
4) Password Settings — when 123456 just won’t cut it
Plain users are usually bad at coming up with safe passwords. Left to their own devices, they’ll use “password” as their password, or maybe “111111”, “123456”, an empty password, or something equally easily guessed.
The problem is that attackers eat passwords like those for breakfast — and can gain access to systems that they have no business being in.
To mitigate this issue, modern web platforms offer some kind of password-related settings to administrators. These allow you to e.g. demand that users enter a password that is at least N characters long, that has one or more numeric or uppercase characters mixed in, and so on.
Password settings might also be used to enforce a password validity period, after which users are asked to come up with a new password (this makes older broken passwords useless for hackers).
If you leverage SSO and control your password policies from your centralized authentication server, then Password Settings in your LMS might not be as important to you.
For users leveraging their LMS’ built-in authentication mechanisms, on the other hand, password settings are a must have that should be included in their LMS security features.
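A sketch of the password settings described in this section, added here as an example and not taken from any LMS: a minimum length, digit and uppercase requirements, a validity period, and a blocklist seeded with the easily guessed passwords named above. The thresholds (10 characters, 90 days) and all function names are assumptions; the blocklist also catches a common password with digits or symbols appended, which composition rules alone let through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Easily guessed passwords named in the article; a real list would be far larger.
COMMON = {"password", "111111", "123456"}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 10      # assumed value for "at least N characters"
    require_digit: bool = True
    require_upper: bool = True
    max_age_days: int = 90    # assumed validity period


def violations(policy, password):
    """Return every rule the candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase")
    # "Password123!" satisfies the composition rules above, so also compare
    # the lowercased password with trailing digits and symbols stripped.
    lowered = password.lower()
    base = lowered.rstrip("0123456789!@#$%&*")
    if lowered in COMMON or base in COMMON:
        problems.append("commonly used")
    return problems


def is_expired(policy, changed_at, now):
    """True when the password is older than the validity period."""
    return now - changed_at > timedelta(days=policy.max_age_days)
```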
5) Registration and Authentication options — your LMS face control
Last, but not least, come a couple of options that handle when and how users can sign up to your system (registration options), and when and how they can log into it (authentication options).
If you’re using a Cloud LMS for your corporate training, you probably want to restrict registration to your eLearning portal to your employees. Registration options will allow you to do just that.
You could, for example, set your LMS to only allow registration from specific domains (e.g. from your enterprise network), or to have each registration manually approved by an administrator.
Authentication options are similar in concept, but concern when users are allowed to log in to your eLearning portal. Using your LMS authentication options, for example, you could disallow multiple logins from the same user (especially handy if you sell commercial courses and want to avoid account “sharing”).
Along with Password Settings, Authentication and Registration options are important LMS security features in your arsenal and allow your administrators to easily shape and control an effective defense policy.
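The two controls from this section as an added example (not code from this post or from any LMS): registration limited to specific domains with manual approval for everyone else, and one active login per user. It assumes the domain restriction is applied to the e-mail address and that a new login replaces the older session; `corp.example` and all names are constructed for the illustration.

```python
import secrets

ALLOWED_DOMAINS = {"corp.example"}   # constructed example domain
APPROVE_OTHERS_MANUALLY = True       # otherwise unknown domains are rejected


def registration_decision(email):
    """Return 'accept', 'pending_approval' or 'reject' for a sign-up request."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return "reject"
    domain = domain.lower().rstrip(".")
    # Exact match on the whole domain: a substring or suffix test would also
    # admit look-alikes such as "corp.example.attacker.test".
    if domain in ALLOWED_DOMAINS:
        return "accept"
    return "pending_approval" if APPROVE_OTHERS_MANUALLY else "reject"


class SessionStore:
    """Keeps one valid session token per user."""

    def __init__(self):
        self._active = {}  # username -> current token

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._active[username] = token  # the previous session stops being valid
        return token

    def is_valid(self, username, token):
        current = self._active.get(username)
        return current is not None and secrets.compare_digest(current, token)
```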
LMS Security features case study: TalentLMS
As a leading Cloud LMS platform for corporate and commercial training, TalentLMS has all of the above security features and more (like, user activity logs).
What’s more important is that TalentLMS provides security options in an intuitive and ready to use form, that doesn’t require custom IT work, or hours of head scratching and manual reading.
When it comes to SSO, for example, TalentLMS offers support for all major enterprise SSO options, including Active Directory, LDAP (including OpenLDAP), SAML 2.0, Facebook login, and more.
Also, setting up SSL – a fearsome endeavor in some platforms – is very easy in TalentLMS. By leveraging TalentLMS’ integration with LetsEncrypt you can create and activate an SSL certificate for your custom domain in no time. (Plus, all portals under TalentLMS’ own domain enjoy full automatic protection).
Similarly, TalentLMS’ users, permissions, and user types system is both extremely flexible and super easy to use. But, more importantly, it offers a number of advanced capabilities, such as the ability to set a different default user type per Branch or to create User Types that extend a built-in role.
Equally full-featured are TalentLMS password settings and authentication and registration options. From custom password acceptance criteria, to automatic session expiration, TalentLMS offers all the tools you need to enforce best security practices.
And that’s just the part you see.
As a Cloud service, there is a large team of people (dev-ops professionals, network engineers, and software developers) that work behind the scenes to help keep TalentLMS a safe, reliable, and secure LMS.
A comprehensive set of security options is a non-negotiable LMS feature — and should generally be available on any platform connected to the internet.
This is doubly true with the arrival of GDPR — where security breaches you could have prevented can see you liable (and fined) under European law.
Whether you’re using your LMS for internal corporate training, or to run a commercial eLearning business, security should be a primary concern and not an afterthought. TalentLMS is a platform built with security in mind and offers all the necessary integrations and security options needed to function as an airtight part of your online corporate assets.
Originally published on: 09 May 2018