Essential Security Measures for an Open-Source LMS

Everyone should care about the security of the technology they use. This is no less true when it comes to learning systems. From higher education institutions looking to secure the data privacy of their students to corporate organizations ensuring their training complies with their security requirements.

Although open-source software is widely accepted and welcomed in the learning industry, some still have the idea that it isn’t as secure as closed-source solutions. When something is free to access, it’s sometimes perceived as being of lower quality. However, the fact that open-source software is available for everyone doesn’t mean its security is in jeopardy.

Open LMS is a Moodle™-based learning management system (LMS). As Open LMS is based on one of the most popular open-source LMSes on the market, the Open LMS team knows a thing or two about how to build a robust and secure open-source system. In fact, an open-source LMS can actually be even more secure than a closed-source solution.

This article explains the measures open-source systems must take to build a secure platform, based on Open LMS’s example. We also dive deep into what it means to utilize Amazon Web Services (AWS), and how this solution increases the security of cloud-based software.

How Open LMS Mitigates Security Risks

Open LMS is actively growing its security program and undergoing internal and external audits and assessments. Through this program, a team of experts tracks over 100 information security controls and associated hosting, data, and software risks. Treatment plans are created for manageable risks and a combination of mitigation and remediation efforts can then be applied. The team makes sure to verify that controls are operating correctly and evidence is recorded. They work with internal auditors to prove the information security management system is in compliance with the correct security controls.

Open LMS also works with external auditors. As part of the audits, the security team has to demonstrate that there is a well-defined and executed security program and it follows all the right protocols. These auditors also help to identify if any weaknesses, deficiencies, or problems come up at any point in the process.

If necessary, Open LMS helps customers build an LMS that’s compliant with specific data protection legislation, such as General Data Protection Regulation (GDPR) in Europe. The experts at Open LMS advise customers on which Moodle™ plugins or integrations comply with the respective data protection laws.

Moreover, Open LMS has a security addendum included in customer contracts that goes into detail on each of the aforementioned protocols. For clients subject to specific privacy regulations or privacy laws, a special data privacy agreement is added.

MORE ON SECURITY | ‘5 Reasons Why You Should Switch from Self-Hosted Moodle™ to Open LMS

Leveraging Amazon Web Services to Increase Security and Efficiency

If you’ve been on the lookout for a digital learning solution, the term Amazon Web Services (AWS) might have already come up in your search. In short, AWS is a cloud platform with over 200 cloud-enabled products available in different regions worldwide. Currently, it serves 245 countries and territories, with data centers available around the globe.

To fully understand the role of AWS with Open LMS, it’s first necessary to acknowledge that every piece of software needs a place to be stored and operated—simply speaking, a place to “live”. Building that whole infrastructure to store and maintain software might be complicated, costly, and particularly hard to keep secure. AWS makes that easier by providing a robust and compliant underlying structure upon which to deliver an application securely.

Security Benefits of AWS

The advantage of using AWS is that neither Open LMS nor the customer must maintain the whole infrastructure of an LMS. AWS is in charge of protecting and securing everything—from hiring security guards for their data centers to maintaining the servers installed within their buildings.

Open LMS is an AWS Partner, which evidences the level of security in our solution. AWS has a lot of security requirements that they need to fulfill. Partners have to prove that they’re secure, as AWS may well refuse to host products that can cause security issues and problems in the future.

Thanks to the partnership, Open LMS can count on AWS’s expertise in building and running data centers, using computing equipment, storage equipment, networking equipment, and much more. As experts, they secure all that structure with their own rigorous protocols. They're physically protecting those servers, maintaining the electricity in case there's a power outage or storm. They protect the data at that level.

Then, Open LMS adds its own security layer on top providing all the systems and security for the LMS application. On top of that, we're maintaining the system by following processes such as applying security patches, encryption, backups, and more. AWS can assist with these processes, but Open LMS is primarily responsible for designing, implementing, operating, and supporting them at scale.

AWS has a shared responsibility model that explains the division of security responsibilities clearly. It states that:

  • AWS is responsible for securing and protecting the infrastructure that hosts all the services Open LMS needs in order to run its solutions. That includes hardware, software, networking, and physical centers.
  • Open LMS is in charge of configuring all the AWS services they hire. They need to be set up for compliance with key security standards and data protection rules. This configuration includes managing the stored data, classifying assets and information, and giving proper permissions to admins and users.


Finally, it’s important to highlight that customers also share a responsibility for the security of an LMS. For example, a final security layer is that users make sure their passwords are secure. Whether a higher education institution or a business utilizing an LMS for corporate training, organizations need to make sure that their end-users understand their security responsibilities. Open LMS gladly assists customers in understanding what those expectations mean.

US Government Security

Amazon maintains a wholly separate data center built specifically for US government customers. These AWS GovCloud (US) facilities offer even greater security than their normal data centers. Open LMS, has used this service for government customers who need learning management systems, which could be the military, financial departments, or any kind of government agency, state or federal.

HANDPICKED FOR YOU | ‘10 Differentiators Between Open LMS and Self-Hosted Moodle™

Choose the Most Secure Alternative

The ultimate conclusion is clear: an open-source LMS doesn’t inherently represent a security risk, no matter the use case. Contrary to closed-source solutions, the visible code of open-source software accelerates the discovery and fixing of vulnerabilities and issues. In any case, an open-source LMS might even be verifiably safer than other options!

Open-source software provides the perfect technology for eLearning, as it can be modified to integrate elements or features at will. Every business or educational institution has its own challenges and requirements, so having the ability to customize and adapt is hugely important in an LMS. This is just one of the reasons why Open LMS benefits from being based on one of the leading open-source LMS platforms in the market: Moodle™.

An LMS that leverages the best of open source, implements world-class security protocols, and partners with industry-leading providers will set your learning program off on the path to success.

This article has been adapted from our recent ebook “Open-Source LMS Security Myths Debunked”. Download your copy now. Alternatively, if you want to talk to our experts about our secure open-source technology and how it can help you, contact us today.
Derek Brost
About the author

Derek Brost

Derek Brost has over 26 years of professional experience in Information Technology engineering, security, and leadership roles. Derek was the founder and Chief Security Officer of the first network medical device security and compliance company in the United States. In addition to his direct experience in industries ranging from manufacturing, healthcare, and technology services, he also has served for many years in security and compliance consulting to an even wider variety of industries, sizes and shapes of organizations.

Discover our solutions