Security And The LMS: Your Various Options With eFrontPro

Security And The LMS: The Security Guards Of eFrontPro

If you had a great retail business, would you keep it unlocked and unguarded at night? No security guards and all?

Yeah, didn’t think so.

Well, neither should you tolerate sub-par security from your eLearning portal - whether eLearning is your core business (as in, you sell courses) or a business asset (e.g. you are doing corporate employee training).

Perhaps the importance of security in the LMS is more self-evident for those selling eLearning courses - after all it’s their core business, they have private user profile information, they accept payments, etc.

But security is equally important for corporate and organizational eLearning deployments, because then your LMS becomes part of your intranet network - and as they say, a chain is only as secure as its weakest link.

You wouldn’t want your LMS to be that weakest link in your enterprise network.

In this post we’re going to examine the security options offered by the popular eFrontPro Learning and Talent Development Platform and discuss their importance and how they fit in an overall security strategy of the LMS.

Security Starts With The Login

The login page (and the authentication mechanism behind it in general) is one of the most important security aspects in a software system. Doubly so if it’s meant to be accessible from the public internet, allowing any hacker (or wannabe hacker) to try to get in.

For an SME, and especially a larger enterprise or organization, it’s important that your LMS can align itself with the authentication solutions used by the rest of your infrastructure.

To that end, eFrontPro natively supports the two most popular enterprise authentication protocols, LDAP/Active Directory and SAML.

LDAP is the de-facto enterprise standard for storing authentication credentials and authorization information, with its most popular implementations being Active Directory, Microsoft’s proprietary directory service, and OpenLDAP, its widely popular Open Source sibling.

Using either of the two not only gives you the convenience of central authentication management and Single Sign On (SSO), that is, the ability for your users to log in to all your intranet portals and systems (your intranet portal, mail server, group chat, LMS, etc.) with the same login credentials, but it also helps with the security of your LMS.

With SSO enabled, your IT team can have a unified, centrally managed authentication system and enforce password strength and expiration policies across all accounts. If a seasonal employee, for example, is leaving, your administrators can just de-activate his single, central login account, instead of having to repeat the process for your LMS and whatever other non-SSO compliant system you might have.

Of course, if you’re operating a public facing commercial eLearning portal, then you don’t have other systems for your learners to Single-Sign-On to. But you can still use something similar in the form of federated authentication - e.g. by leveraging Facebook’s login service or any authentication provider for that matter.

If you opt for Facebook login, for example, not only do you get the benefit of Facebook’s security expertise, but you also eliminate the need for your learners to create and remember yet another login/password pair just for your site. (On the other hand, you do rely on a third party service, which you may, or may not, find acceptable).

You can configure these SSO and federated login options in System Settings -> Integrations -> LDAP, SAML and Facebook panels.

Native eFrontPro Authentication

While SSO is great for the enterprise, and something like Facebook login can work well for a public facing portal, eFrontPro also comes with its own native authentication system, and it’s nothing to sneer at, either.

In fact, the native authentication mechanism is the standard mode that most of eFrontPro’s users prefer, and the development team has worked hard to make it as secure as possible, using industry-standard best practices for password encryption, salting (a technical term - a random value is mixed into each password before it is stored, which makes stolen password data harder for hackers to crack) and storage.

2-Factor Authentication

This one is so important that it deserves its own paragraph. Once constrained to banking accounts and the most security-paranoid online services, nowadays Two-Factor Authentication is becoming increasingly popular, with all major players, from Google and MS to Apple and Facebook adopting it in one way or another.

The "two" in the "two factor" comes from the authentication system asking for two different pieces of identification in order to let you in - e.g. your password AND a one-time PIN that the service sends via SMS to your mobile phone. Other identification methods used in 2FA include token cards (often used by banks), USB keys, fingerprint scans (like in Apple’s TouchID), etc.

This makes it far more secure than merely using either key alone, as, even if an attacker guesses or steals your password for a 2FA protected page, he also needs to have your mobile phone, token card, fingerprint, or whatever the "2nd factor" key is, in order to get access to your account.

eFrontPro, starting with the 4.4 update, offers a variety of 2FA options to choose from, namely SMS tokens, the Google Authenticator (a special mobile app that generates time-based authentication PINs for you), as well as an email-based option.

Enabling 2FA couldn’t be any easier. After the eFrontPro administrator configures system-wide 2-factor authentication from the System Settings -> Security page, any user can enable it for their own account by going to their profile page and clicking the "Enable 2 factor authentication" link.
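How the time-based PINs of the Google Authenticator option are computed and checked on the server side, as an added example (not eFrontPro's code). It follows RFC 6238 with the app's usual defaults (HMAC-SHA1, 30-second step, 6 digits); the function names, the drift window and the sample secret are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now, step=30):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(base64.b32decode(secret_b32), int(now) // step)

def verify_totp(secret_b32, submitted, now, last_counter=-1, window=1, step=30):
    """Return the matched time-step counter, or None if the PIN is rejected.

    window tolerates clock drift of +/- window steps; the caller stores the
    returned counter as last_counter so the same PIN cannot be replayed.
    """
    key = base64.b32decode(secret_b32)
    current = int(now) // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_counter:
            continue  # already used (or older than a used one)
        # Constant-time comparison; no early exit on the first match.
        if hmac.compare_digest(hotp(key, counter).encode(), submitted.encode()):
            matched = counter
    return matched

# Constructed sample: the published RFC 6238 test secret, base32-encoded the
# way an authenticator app receives it at enrolment.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))                   # RFC 6238 test time T=59
    print(verify_totp(SAMPLE_SECRET, "287082", 59))  # matched counter
```

Persisting the returned counter per user is what turns the PIN into a true one-time value: a PIN captured in transit stops working as soon as it has been accepted once.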

Security And The LMS: Security Policy

On top of that, eFrontPro has several advanced security options that enforce correct password policies.

You can, for example, restrict valid passwords to those of a certain length and above, or require that they match a regular expression (e.g. to ensure that they include both letters and numbers, etc.).

To take it up a notch, you can also enforce password expiration (so your users don’t go on using the same passwords, which might get compromised eventually, forever), forbid password reuse (which some users try, thinking it’s a smart way to "beat" password expiration), and set up account lockout after several unsuccessful login attempts (so that potential hackers can’t keep trying different passwords until they chance into the correct one).

You can also set a time after which idle users will be disconnected from the LMS automatically - perfect for those people that forget to log out of their accounts when using a publicly accessible computer.

Finally, you can disallow users from logging in multiple times simultaneously (e.g. to prevent commercial users from sharing their paid accounts with a third party).

Apart from these authentication-related options, eFrontPro also gives you the ability to restrict logins to a specific IP range (e.g. only allow computers in your intranet).

You will find all these security options conveniently located in the aptly named "Security" panel in the Settings page of the LMS.
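The password rules above (minimum length, regular expression, expiration, no reuse) combined with the salted storage mentioned under native authentication, as an added example that is not eFrontPro's code. PBKDF2-HMAC-SHA256, the thresholds and all names are assumptions chosen for illustration, not the product's settings.

```python
import hashlib
import hmac
import os
import re

# Assumed policy values for illustration; not eFrontPro defaults.
MIN_LENGTH = 10
REQUIRED = re.compile(r"^(?=.*[A-Za-z])(?=.*\d).+$")  # a letter and a digit
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 3
ITERATIONS = 600_000  # PBKDF2 work factor (assumption)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def check_new_password(candidate, history):
    """history: [(salt, digest), ...], newest first. Returns the violations found."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if not REQUIRED.match(candidate):
        violations.append("pattern")
    # Salts differ per entry, so reuse is detected by re-deriving the candidate
    # under each stored salt, never by comparing stored digests to each other.
    if any(verify_password(candidate, s, d) for s, d in history[:HISTORY_DEPTH]):
        violations.append("reused")
    return violations

def is_expired(changed_at, now):
    """Both arguments are Unix timestamps in seconds."""
    return now - changed_at > MAX_AGE_DAYS * 86400

if __name__ == "__main__":
    old = hash_password("Winter2024pass")            # constructed sample password
    print(check_new_password("Winter2024pass", [old]))
    print(check_new_password("Spring2025phrase", [old]))
```

Because every stored entry has its own salt, two users with the same password get different digests, and the reuse check costs one key derivation per remembered password.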

Secure Payments

If you’re into selling courses commercially (as opposed to running an internal corporate employee training program) then you’ll need a way to get paid.

eFrontPro supports PayPal and Stripe, two of the most popular payment gateways, letting you accept payments from billions of users in over 90 countries through all major credit card companies (and thousands of banks).

Configuring eFrontPro to work with either payment processor couldn’t be easier - you just have to enter your PayPal or Stripe credentials at the System Settings -> Payments -> Payment gateway panel.

eFrontPro’s PayPal or Stripe integration leverages the two payment processors’ security and credit-card handling capabilities, so that your eLearning portal never even sees your learner’s credit card details - and hackers can’t see them either.

Transactions are handled completely by the payment processor, securely encrypted with the industry standard SSL encryption schemes, and you just get notified whether the payment was successful or not.

Encrypt All The Things!

Speaking of SSL, eFrontPro supports SSL natively, letting you run your eLearning portal in a safe, encrypted manner, and preventing third parties from snooping into your user traffic.

This also makes it future-compatible with the HTTP/2 standard, which not only enhances web page speed, but also demands that web pages are run in SSL (HTTPS) mode.

Keeping Tabs On Your Users

For general troubleshooting, or in case you suspect that anything fishy is going on, eFrontPro lets administrators keep tabs on your logged-in users, from the Maintenance -> Online users page.

You also have the option to keep access and error logs for anything that is going on in the LMS (page access, user logins, etc).

Staying Up To Date

All software, inevitably, has bugs. What’s different about good and secure software is that its developers find and fix them early - which is what the team behind eFrontPro does behind the scenes for every update release.

Of course frequent updates won’t make much of a difference if the upgrading process is such a hassle that admins prefer to postpone it.

Fortunately, eFrontPro has hassle-free one-click update capabilities. And it’s literally one-click - you can update your installation to the latest version by just clicking the "upgrade" button from within the management interface.

This way eFrontPro users not only get all the new features (including security features) right away, but they always have the latest version of the software, with all known potential security issues patched and fixed.

Cloud Security (As A Service) Of The LMS

Some of the security options and features discussed here are especially applicable to the self-hosted version of eFrontPro, and have to be configured by your eLearning portal administrator.

eFrontPro, however, also comes as a "private (managed) Cloud" service, where you let the expert team behind its development tackle all installation, configuration, update, backup and security issues.

And while eFrontPro is very secure in any kind of installation, as long as you configure it properly (obviously letting your admin have 12345 as a password won’t cut it), in the managed cloud setup you also get "security as a service" - as a free part of your plan.

And unlike with a public Cloud, with eFrontPro’s managed cloud plans you get a private LMS environment that does not share resources with other installations - which is good from both a performance and a security standpoint.

Security And The LMS: Conclusion

Security is a very important aspect of running an eLearning management platform, whether you run it as a commercial venture (selling courses), or as part of your IT infrastructure in a corporate intranet environment.

In this post we had a look at the various security options that eFrontPro offers, covering everything from Single-Sign On and password expiration policies to secure payments and easy software updates.
