Security in Focus
Cloud-based LMS solutions are an attractive option for elearning providers. There’s no infrastructure investment, no fiddling with technology, the cost is generally low and it’s easy to scale as your requirements evolve. For small projects and for companies without a big investment in elearning, cloud options make a lot of sense on paper.
While the appeal is obvious, choosing a cloud-based LMS represents a significant risk. You trust your data to a firm that you know little about, and you probably know even less about their security practices. This isn’t data you can afford to lose, either - you’re handing over all of your learner details and your proprietary courseware to a third party. Where does it go? How is it kept secure?
Data breaches should be a significant worry for every elearning provider. In a single incident a few weeks ago, Target lost the records of 70 million customers. And in a post-Snowden world, where your data is hosted can be as much of a concern as how secure it is, especially if you and your users aren’t based in the United States.
Cloud-based LMS Providers - eLearning Industry Findings
I reached out to the leading cloud-based LMS providers to find out more about their security practices. Only half chose to respond, and many cloud-based LMS providers seemed both wary and unprepared to answer questions about their security. In one case I was asked to sign an NDA and include results at an aggregated level only (I didn’t sign and their results aren’t included).
Much of the news was positive. SSL use is common (though not necessarily enforced), passwords are always encrypted and cloud-based LMS providers rarely store credit card information. Even better, there hasn’t yet been a reported data breach involving a cloud-based LMS provider.
Unfortunately, there’s a lot to be concerned about in the LMS space. Of the systems I reviewed, only Litmos had performed a recent security audit. Others (including Expertus and Mindflash) cite data center audits, but those mean little in the context of their application’s security. Customer and learner data (such as names, email address and physical addresses) are universally stored as plain text, which could cause significant problems if there ever were a data breach. Only ExpertusONE reported Safe Harbor certification; there appears to be little interest in getting compliance certifications for managing personal data.
For anyone concerned about where data is stored, every cloud provider I looked at hosts in the U.S. Rackspace and Amazon were the most popular hosting providers, and course data is often stored (albeit temporarily) on Content Delivery Network edge servers around the world for better performance.
How to Choose a Cloud-based LMS Partner
If security is paramount to your project, your best option is to host and manage your own platform. If you decide to choose a cloud-based LMS solution, ask lots of questions before you sign up. How is data stored and managed? How does a provider keep their LMS secure? What are their security practices and policies?
Of the providers who participated in our review, Litmos stood out for at least conducting audits and taking basic security steps. TalentLMS and ExpertusONE were also notable for doing things like giving clients the ability to force SSL, using third parties for payment processing and offering multiple authentication methods.
Your clients put a lot of trust in you to keep their user and company information secure. Make sure can put the same level of trust in your cloud-based LMS.
You may also find valuable: