Security in an Open-Source Learning Management System—Why Your Data Is Safe

Learning management systems (LMSs) have become indispensable to both higher education institutions and corporate organizations. As teams explore their options for an LMS or for other forms of digital learning and training environments, the terms “open source”, “closed source”, and “proprietary software” inevitably come up.

While open-source systems have gained wider acceptance and continue to gain in popularity, the general public still has many questions and misconceptions regarding the benefits and unique considerations of choosing an open-source alternative.

At Open LMS, we’re experts in open-source LMS technology and are able to explain its advantages and disadvantages in a simple, digestible manner. Let’s take a look at what it really means to be an open-source LMS while addressing a common concern about the technology: why open source can be just as secure as any other type of solution (if not more so!).

What Is Open-Source Software?

One simple way to explain the idea of open-source software is to compare it to a recipe. In open source, the whole recipe is available to the public—everyone can read it and prepare it. They can also make changes to it, whether that’s changing a few spices or swapping out half of the ingredients to make a new creation. Closed source, on the contrary, is more like walking into a restaurant and ordering something from the menu. The recipe remains hidden, and customers are only able to buy the final product.

A common argument against open-source software is that “if everyone can see the source code, then anyone can notice where it has flaws and issues.” People argue that if the software isn’t hidden or protected, then a random stranger can go find a security hole, making the program unsafe.

Are Open-Source LMSs Secure?

Having the code publicly open is in fact a way to verifiably create a stronger, more secure system. We believe that open-source technology has the potential to be more secure because anyone who wants to can look at the source code and check for problems, whether that's a serious security issue or just a malfunctioning button. Thanks to this transparency, errors often get found and fixed much faster.

With closed-source software, no one besides the owner can see the source code. Customers won’t find out about any security problems or risks until the companies happen to fix them. When security researchers find a security bug, they report it to the company’s security team and then it disappears. Nobody knows about it until those companies happen to tell the public that it’s fixed.

In fact, many organizations follow a coordinated vulnerability disclosure process, where problems found by security researchers can only be made public once the companies have had time to fix them. In some cases, issues in high-profile closed-source software have gone unfixed for hundreds of days.

Because of this, such agreements are something of a double-edged sword. While they can prevent details about how to exploit dangerous vulnerabilities from reaching a wider audience, they mean that users of a closed-source solution can never really be certain whether or not they’re currently vulnerable to some unacknowledged exploit.

With properly maintained open-source projects, you can see immediately if somebody reports an issue or vulnerability. Even better, anybody can fix the issue because everyone has access to the source code. Since anybody can access the code, find errors, and report them, problems usually get more attention and get fixed faster. Furthermore, users can be fully updated on every stage of the process, from acknowledgment of the issue through to creation and deployment of the fix. Additionally, in rare circumstances where the “cure is worse than the disease”, an open-source fix can be further reviewed and tested before it is integrated into a local release.

For an example closer to home, any user can go to the Moodle™ website and find their system tracker. In this resource, users can check which issues are being worked on and see if someone reports a bug.

In the rare event that security bugs or vulnerabilities are found in Open LMS software, the Moodle™ development community is notified. There are times when the Open LMS team can deploy fixes for Moodle™ security bugs that may not have otherwise been addressed by anyone else. With those fixes, the Open LMS team contributes back to the Moodle™ community and its customers. Open LMS also provides additional layers of development support for its customers. If an organization or institution operates a legacy version of Moodle™, Open LMS has been able to apply critical security fixes that are not usually available with that version.

Data Privacy and Security in an Open-Source LMS

Every organization wants their employee and/or student data to be as secure as reasonably possible. They must mitigate risks and stay compliant with data protection laws, while also providing a great, trouble-free learning experience to the users. At the end of the day, no one wants their information to be out in the public or at risk.

Likewise, if you were to acquire an LMS, you would want all your content (videos, courses, tests, etc.) to be entirely secure and only available to people with the right permissions.

When it comes to operational security management, there’s no effective difference between open and closed source. The underlying technology of an LMS, whether open or closed-source, doesn’t dictate the data storage and protection methods used. The data you enter into an open-source system is, of course, not “open”. Open source only means that you get to see the recipe for the underlying platform—each user then decides what technologies and techniques to use to keep the ingredients safe.

Data Privacy and Security in Open LMS

At Open LMS, all the proper safeguards like encryption, authentication, and backups have been set up in much the same way as they would be in a closed-source service. With these services, we make sure that the application both runs efficiently for customers and keeps all of their data protected.

Encryption

Information needs to be protected by different layers of security. One of those is encryption. Through this process, human-readable data gets converted into a secret code to hide the information. Only appropriately authorized software with the correct decryption key is able to decode the data. Open LMS encrypts data wherever possible so that it can't be viewed without access to those decryption keys.

Authentication

Whether meant for 5,000 or 50,000 users, a secure learning management system has to be able to verify each user’s identity. In most training deployments, anonymous users should not be able to just enter the LMS without having a user account or a password. Open LMS uses tight authentication controls to ensure that all requests to access the system have the right credentials. Additionally, there are a number of open-source integrations with a variety of third-party authentication systems. Another great part of open source is being able to review sensitive mechanisms for authentication to verify they’re written securely.

Backups

There are many scenarios where backups can save you from losing your LMS’s entire data or content library. Sometimes, due to human or system error, data gets deleted or modified. Open LMS performs regular backups: if somebody accidentally deletes or changes something, it can be easily restored. However, retention periods are critical: they define the window of opportunity to restore data, and longer time spans must be balanced against more expensive data storage fees.

Make Security a Priority

No matter the use case, security should be a key consideration for every learning technology. When searching for an LMS, you must ensure that the solution can meet and maintain your security and data protection standards. Likewise, you need a system that allows you to resolve any security issues quickly and efficiently. Caring about this topic will ultimately help you build a platform where both you and your users can enjoy a secure learning experience.

Open LMS’s technology provides a flexible, customizable, and modern solution that can accommodate every security need. Besides offering tip-top security protocols, Open LMS also leverages the best of open-source innovation and the guarantees and benefits of a SaaS service.

To learn more about how open-source LMSs handle security, read our ebook "Open-Source LMS Security Myths Debunked." Alternatively, if you need guidance on how an open-source learning solution works for your organization or educational institution, contact our experts—we would be eager to help!
About the author

Derek Brost

Derek Brost has over 26 years of professional experience in Information Technology engineering, security, and leadership roles. Derek was the founder and Chief Security Officer of the first network medical device security and compliance company in the United States. In addition to his direct experience in industries ranging from manufacturing, healthcare, and technology services, he also has served for many years in security and compliance consulting to an even wider variety of industries, sizes and shapes of organizations.
