No need to be paranoid about it, but integrity and security should be concerns for everyone who uses a Learning Management System on a regular basis. Learning professionals must counter threats to the integrity of both system infrastructure and the content placed on that system. This isn’t just the responsibility of the admin—it’s a regular practice to embed into the fabric of an educational community.
There is a common and somewhat understandable misconception about how the size and complexity of an eLearning environment relates to the challenge of ensuring structural integrity. The reality is, a bit of proper planning is all it takes to make security a scalable practice for your community. In this article, you will find a basic set of practices that will give you a bit more confidence that you’re running an “indestructible” LMS in practical and affordable ways.
Before you start: Set up CAPTCHA or a similar human verification method
A ground-level measure, CAPTCHA and similar tests remove the option for bots and malicious actors to simply brute-force username and password combinations. All modern LMSs provide a straightforward way to enable a CAPTCHA-style verification service from a trusted provider, either natively or through a plugin or integration.
№1. Allow concurrent logins from the same user under certain conditions
Learning platforms often allow a student to only be active on one device or browser at the same time.
It’s usually assumed that a student has no reason to be simultaneously online on more than one device. From an infrastructure perspective, preventing concurrent extra logins helps manage server load, allowing you to control usage and reduce associated costs. Arguably, a single-device requirement improves student focus too.
In an LMS where offline access is allowed via a mobile device, concurrent access to the environment, online and offline, may not be preventable.
There are legitimate reasons why concurrent logins are desirable, however, both from a user experience (UX) and an educational perspective. The student may find it more convenient to use two or more devices. They could be using a second device to look at the course materials for their work on a given research project, workshop, or assignment. For example, a language course may offer supplementary documents, like conjugation tables, that they can access from the app handily.
To avoid compromising on integrity and usability, it would be better to apply a set of conditions for multiple logins. These could include allowing concurrent logins from nearby IP addresses, or blocking traffic from more than one country.
If your LMS has a concurrency limit in place, make sure the community is aware, as the limit may undermine the user experience or lead to lost data from unsaved work.
Here’s how you can disable concurrent access in some of the most commonly used LMSs. Note that depending on your platform you can allow just one connection or define an appropriate number of concurrent logins.
- In Moodle™-based systems: Use the Unique Login plugin (auth_uniquelogin, compatible with 4.0 as of writing). It allows setting a login limit, kicking out the oldest device connected whenever there’s a new login.
- For other platforms: Check with your provider for a built-in solution, integration, or the possibility of a custom-made solution.
- For developers: Take advantage of server utilities to keep track of and modify the status of the user (such as Debian’s limits.conf).
№2. Consider applying IP limitations or restrictions
When well implemented, IP monitoring can be one of the simplest, most effective security controls you can put in place. IP filtering usually works best as part of a set of measures.
Begin by quickly filtering out IPs from locations you can guarantee no real user will connect from. At the very least, block IPs from unusual locations identified as so-called “roots of evil”.
It’s also possible to find a list, or subscribe to a service, that identifies or “flags” addresses as malicious, and add those addresses to your blacklist.
If you do implement IP restriction by country, survey your community for VPN use. VPNs obscure the original IP of the user, replacing it with an address from a country of the user’s choice. You might want to notify them about any restricted IPs.
- In Moodle™-based systems: The 4.0-compatible Availability restriction by IP address plugin (availability_ipaddress) provides a granular take on IP restrictions, associating them not with complete sites but with specific courses and activities.
- For other platforms: Check with your LMS provider.
- For developers: IP access restrictions are available through common server-level utilities.
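The conditions described under №1 (a second device is acceptable when it is on a nearby network or at least in the same country) and the filtering under №2 (a blocklist feed plus a country allow-list) can be expressed as one login admission policy. The following is an added example written for this article, not code from Moodle™, the plugins named above, or any other LMS. The address ranges, the country lookup table (a stand-in for a GeoIP database), the /24 definition of “nearby” and the session limit are all constructed assumptions.

```python
"""Login admission policy combining IP deny/country rules (No. 2) with
conditional concurrent sessions (No. 1).

Added example; not code from any LMS or plugin. Every address range,
country mapping and threshold below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed deny list: documentation ranges standing in for a threat feed.
DENY_CIDRS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed stand-in for a GeoIP lookup table.
COUNTRY_BY_NET = {
    ipaddress.ip_network("192.0.2.0/24"): "NL",
    ipaddress.ip_network("10.0.0.0/8"): "NL",
    ipaddress.ip_network("172.16.0.0/12"): "DE",
    ipaddress.ip_network("100.64.0.0/10"): "BR",
}
ALLOWED_COUNTRIES = {"NL", "DE"}   # countries this site actually serves
MAX_SESSIONS = 2                   # devices one user may keep logged in


def country_of(ip: str):
    """Return the constructed country code for ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, code in COUNTRY_BY_NET.items():
        if addr in net:
            return code
    return None


def is_denied(ip: str) -> bool:
    """True when ip falls inside any blocklisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENY_CIDRS)


def nearby(ip_a: str, ip_b: str) -> bool:
    """Assumption: two addresses are 'nearby' when they share an IPv4 /24."""
    net_a = ipaddress.ip_network(f"{ip_a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/24", strict=False)
    return net_a == net_b


@dataclass
class Session:
    user: str
    ip: str
    started: int          # epoch seconds


@dataclass
class SessionRegistry:
    sessions: dict = field(default_factory=dict)   # user -> list[Session]

    def admit(self, user: str, ip: str, now: int):
        """Decide on a new login; returns (decision, reason) and records admitted sessions."""
        if is_denied(ip):
            return "deny", "address on blocklist"
        country = country_of(ip)
        if country not in ALLOWED_COUNTRIES:
            return "deny", f"country {country} not allowed"
        active = self.sessions.setdefault(user, [])
        # A further device is fine when it is on a nearby network or at least
        # in the same country as every existing session; otherwise refuse.
        for s in active:
            if not (nearby(s.ip, ip) or country_of(s.ip) == country):
                return "deny", "concurrent login from a distant location"
        decision = "admit"
        if len(active) >= MAX_SESSIONS:
            active.sort(key=lambda s: s.started)
            active.pop(0)             # kick the oldest device, as the plugin above does
            decision = "admit_evict_oldest"
        active.append(Session(user, ip, now))
        return decision, f"{len(active)} active session(s)"

    def active_ips(self, user: str):
        return [s.ip for s in self.sessions.get(user, [])]


if __name__ == "__main__":
    reg = SessionRegistry()
    for user, ip, t in [("alice", "192.0.2.10", 100), ("alice", "192.0.2.20", 110),
                        ("alice", "192.0.2.30", 120), ("alice", "172.16.5.5", 130),
                        ("bob", "203.0.113.9", 140), ("bob", "100.64.1.1", 150)]:
        print(user, ip, reg.admit(user, ip, t))
```

The order of the checks matters: the blocklist and country rules are evaluated before any session bookkeeping, so a refused address never consumes a session slot, and the “kick the oldest device” behaviour only applies to logins that already passed the location conditions. Whatever limit and conditions you choose, tell the community about them, as noted above, because an evicted session can mean lost unsaved work.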
№3. Implement Multi-Factor Authentication and Encryption
Two-factor (2FA) and multi-factor authentication (MFA) methods have become a widespread, mildly inconvenient but ultimately accepted extra hurdle for members of digital communities, and education is no exception. With 2FA or MFA, when you log in from an unrecognized device or browser, you are asked to enter an additional code sent via email or text, or provided by an app on a recognized device. Other methods involve a dedicated USB key (such as the well-known YubiKey). Though some users may find the extra effort a little irritating, research has claimed that MFA considerably curtails the rates of phishing and targeted attacks.
Any text- or email-based MFA implementation will require a solution provider capable of sending codes to the user as quickly as possible. The responsiveness of the MFA procedure requires ongoing attention to ensure all users—and only the intended users—can easily access your platform.
- In Moodle™-based systems: The Multi-factor authentication plugin (tool_mfa, 4.0 compatible) adds an additional verification layer on top of the standard login process.
- For other platforms: Check with your LMS provider.
- For developers: Established MFA solutions, including those built on the OAuth protocol, can add a text- or email-based verification step to a simple login.
Where data access should be restricted to specific users, encryption methods are standard practice. It is also possible for applications to encrypt their whole database. When parts of the application database are encrypted, not even high-level admins—or government-funded hackers—can meaningfully obtain private data without the key to decrypt it, at least not in a humanly reasonable amount of time. Quantum computing could alter the paradigm, however. In any case, it is common practice to use information only the user holds, such as a password, or some “token” generated by the authenticating device, as the decryption key.
№4. Automated monitoring for suspicious and malicious behavior
More commonly implemented where data is more sensitive or the consequences of malicious conduct more serious, data-based solutions add pattern matching, real-time statistical analysis, machine learning, and AI methods where standard measures are not enough. Common use cases in education include e-proctoring for high-stakes examinations.
Phenomena like “SIM hacking” have been proven capable of bypassing MFA protections. A poorly implemented policy for lost devices, for example, may present fatal vulnerabilities. Or a user’s device could be infected by malware that disables one or several protective measures.
Arguably, there is no weaker point of failure than users themselves. Targeted individuals may neglect a device for just enough time to be maliciously overtaken. They may use a compromised network. Or they can leave their password written on a post-it note stuck to a monitor when images of their office are being broadcast nationwide. And then there’s the most insidious threat to cybersecurity in recent times: social engineering.
This family of security methods is not, to our knowledge, available for specific LMSs. Rather, they are implemented at the server level. Amazon CloudFront is a well-known solution, as are Cloudflare, Akamai, and vendor-specific ones in Azure or Netlify.
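The pattern matching this section describes starts with plain rules long before machine learning is involved. As an added illustration (not a feature of any product named above), the following runs two simple detections over a constructed login log: a burst of failed logins from one address, and one account succeeding from two distant networks within minutes, which is the trace a stolen session or a SIM-swap-style takeover tends to leave. The log format, the sample lines, the thresholds and the /16 notion of “distant” are all assumptions of this example.

```python
"""Two detections over LMS login logs: a burst of failed logins from one IP,
and one account succeeding from two distant networks within minutes.

Added example, not any vendor's product. The log format and every line in
SAMPLE_LOG are constructed; a real deployment would read the LMS's own
authentication log or a SIEM export.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=alice ip=192.0.2.10 result=ok
2024-03-01T10:00:05Z user=bob ip=203.0.113.9 result=fail
2024-03-01T10:00:07Z user=bob ip=203.0.113.9 result=fail
2024-03-01T10:00:09Z user=bob ip=203.0.113.9 result=fail
2024-03-01T10:00:12Z user=bob ip=203.0.113.9 result=fail
2024-03-01T10:00:15Z user=bob ip=203.0.113.9 result=fail
2024-03-01T10:01:30Z user=carol ip=10.1.1.4 result=fail
2024-03-01T10:02:40Z user=alice ip=198.51.100.7 result=ok
2024-03-01T10:30:00Z user=carol ip=10.1.1.4 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse(text):
    """Yield (epoch_seconds, user, ip, result) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield int(ts.timestamp()), m["user"], m["ip"], m["result"]


def failed_login_bursts(events, threshold=5, window_s=60):
    """Sliding window: flag an IP once it reaches `threshold` failures within `window_s`."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    alerts = []
    flagged = set()
    for ts, _user, ip, result in events:
        if result != "fail":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("failed_login_burst", ip, len(q)))
    return alerts


def distant_network(ip_a, ip_b):
    """Assumption: different IPv4 /16 prefixes count as 'distant'."""
    net_a = ipaddress.ip_network(f"{ip_a}/16", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/16", strict=False)
    return net_a != net_b


def distant_logins(events, window_s=600):
    """Flag a user whose successful logins come from distant networks within `window_s`."""
    last_ok = {}                      # user -> (ts, ip) of the previous success
    alerts = []
    for ts, user, ip, result in events:
        if result != "ok":
            continue
        prev = last_ok.get(user)
        if prev and ts - prev[0] <= window_s and distant_network(prev[1], ip):
            alerts.append(("distant_login", user, prev[1], ip, ts - prev[0]))
        last_ok[user] = (ts, ip)
    return alerts


def run(text=SAMPLE_LOG):
    """Parse the log once and return all alerts from both detections."""
    events = list(parse(text))
    return failed_login_bursts(events) + distant_logins(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules are deliberately cheap so they can run on every event; the statistical and machine-learning layers mentioned above sit on top of this kind of signal rather than replacing it. When VPN use is common in your community, the second rule needs a higher threshold or an allow-list, for the same reason given under №2.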
№5. Provide security, social engineering protection training
To fully consider the integrity of an environment, all factors must be taken into consideration—including the users of the system. There are currently no known holistic integrity antidotes that act as adequate replacements for user awareness and skills.
The evolution of UX thinking has led to clever tactics that embed knowledge into interfaces. Certain designs can, for example, prime the user to be careful when they are about to perform a sensitive action. But basic concepts, known attack vectors and security measures are topics users can always learn more thoroughly, even if attacks can never be fully avoided.
Because of its psychological, social and technical ramifications, social engineering can be a fascinating, multidisciplinary subject. Likewise, sound competencies can lead to positive ramifications, like a better awareness of your own cognitive biases, or common flaws in the design of communication systems. Given that most of the exploits aim to impersonate someone with some authority within a group, community-based topics and training can be especially effective.
There are a variety of security and social engineering education alternatives in the market, both generalist and LMS specific. The ability to embed learning into the interfaces, or more generally reduce security best-practice friction, tends to improve effectiveness in more modular, flexible or open source platforms.
№6. Comply with data protection measures
There’s a lesser known benefit of GDPR and the wave of data protection regulation it sparked: The movement among LMS developers to create better tools that help ensure compliance, respond to requests more quickly and offer a more manageable overview of systemic integrity.
In Open LMS and Moodle™-based systems, comprehensive policy and data management dashboards are available. Admins can keep track of the policies a site must implement, their versions and user acceptance status. When users request a download of all their LMS data, from activity to grading and performance, to chat messages and forum posts, the system makes it easy to get ahold of all data by requiring all relevant sections of the site to go through a Privacy API that keeps track of everything. This tool also allows full erasure requests.
Privacy controls—and proper user education on them—can become a powerful cultural booster for awareness regarding the location of personal information and proper security and integrity measures.
№7. Conduct regular audits
Some define cybersecurity as a cat-and-mouse game. As security researchers and staff surveil systems and explore technologies, they alert the public about new threats. They also discover glaring loopholes likely to become attack vectors that have remained hidden for decades.
In any case, security and system integrity in an LMS isn’t merely a goal to accomplish, but a wider community practice that takes consistent, regular promotion, education and practice.
An LMS integrity audit begins by defining a scope. Naturally, a broader and more detailed scope, focusing on the several dimensions of integrity—human and otherwise—offers greater reassurance about the effectiveness of the audit. Once a scope is defined, common steps that follow include:
- Documentation review, covering technical documentation, designs, user manuals, policies and procedures
- Analysis of system controls, permissions and user access
- Analysis of system logs or monitoring tool reports, possibly including forensic analysis for the integrity of monitoring data, if tampering threats are credible enough
- Generalized data integrity verification methods across the whole scope of the audit
- Backup comparisons and restoration testing
- Penetration testing, and other “white hat” approaches to probe into the system’s existing measures and rules. This includes keeping the techniques up to speed with the current state of the art
- Reporting and follow-up
In the case of well-populated open source systems, integrity audits can benefit from outcomes and reporting from fellow users. Several instances of reported issues in open source LMS software such as Moodle™ involve an independent developer flagging a situation which is quickly addressed and patched for millions of users worldwide. Overall, shared auditing might just be the single most powerful factor behind the dominance of open source software, from operating systems to utilities and libraries, in server infrastructure.
To sum up—and a note on Blockchain as a cybersecurity measure
Safeguarding the integrity of a learning environment is a multi-pronged exercise that may be spearheaded by an LMS admin or a security manager, but one that only has realistic odds of success through a community approach. It consists of an active process that keeps design and development, rules and procedure, user education, and auditing steps up to date.
In recent years, the idea of blockchain, a decentralized public ledger architecture, has gained momentum as a potential technology for security and integrity measures. In the consensus of the global cybersecurity community, blockchain does not represent a new paradigm worth turning towards. As renowned expert Bruce Schneier would summarize, while the idea of a “trust-less transaction system” is appealing, it remains utopian. Fundamentally, blockchain is still a trust-required system. Implementing blockchain-based integrity without proper laws and policies is a recipe for failure, which makes blockchain an ineffective solution compared to the existing landscape of better, proven alternatives.