Why existing LMS security is a failure
Passwords & access controls are not enough to protect sensitive training material
Corporate training materials can often contain sensitive information that you do not want to be made available to unauthorized personnel or third parties.
Existing LMSs rely on users logging in to a portal for security, but login details (credentials) can be easily shared. This defeats the purpose of ensuring that only those specifically authorized can access sensitive training materials. This is certainly the case where you need to give third parties access (say, a trading partner) and have no real control over who is viewing your sensitive training material.
So it is clear that login credentials (username and password) are not adequate protection for an LMS containing sensitive training materials, quite apart from the additional overhead of LDAP or SAML integration needed to provide SSO and keep password management down.
Apart from a weak access security mechanism, an LMS generally has poor user permissions (the ability to allow or deny users certain actions), limited to editing, deleting, and creating courses. But what about stopping users from grabbing high-quality screenshots, copying and pasting content into other applications, and printing it to file drivers (e.g. to a PDF file)? Then of course there is the issue of automatic expiry. A typical LMS lets you manually revoke user access to training material and that is it.
Cloud Hosted Learning Management Systems
Some cloud LMSs let you restrict user registration to specific domains, but not future access. They do not control the number of devices (or which devices) users can access training courses from, nor do they restrict access by location. They therefore do not help when trying to prevent sharing. They also have additional security weaknesses:
- You have to upload unprotected content (your sensitive training courses) to a cloud server outside your control
- They do not encrypt training courses. Instead they rely on access controls to prevent unauthorized access
- Content must remain within the LMS for it to be ‘protected’
- Content is accessed via a browser. Since browsers cache content locally, users can access temporary files outside the LMS which they have full control over
- They do not prevent screen grabbing or printing, or printing to file drivers (e.g. PDF and other virtual printers)
In addition, they:
- Force you to use their system rather than your own LMS
- Require users to be online at all times to access training courses