Educause Security Discussion mailing list archives

Re: Potential Security Risks in OpenSource LMS environments


From: Cathy Hubbs <hubbs () AMERICAN EDU>
Date: Wed, 15 Jul 2009 17:10:01 -0400

Kees, thank you for sharing your experiences; this is exactly what I am
trying to uncover.

Many Universities are making the shift to Open Source LMS environments,
most from what I hear, for cost savings and a perception of a richer
feature set, and I'm sure there are more reasons than these. When making
the decision to make the LMS shift, considerations such as TCO need to be
thoroughly researched and shared with our business officers. Another
consideration (the one I am posing) is: are there any additional risks to
potentially sensitive data sets that may be more prevalent in the Open
Source environment versus the Commercially supported environment?
Commercial proponents often point to "slow to patch" as the big risk
factor; I'm looking to see if there are any other considerations.

If anyone else has experience comparing risks in LMS environments
(opensource vs Commercial) I am still interested. Happy to receive a phone
call too.

Thanks in advance.


Cathy Hubbs,
Chief Information Security Officer
American University
Washington, DC
202.885.3998




Kees Leune <LEUNE () ADELPHI EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
07/15/2009 02:49 PM
Please respond to
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>


To
SECURITY () LISTSERV EDUCAUSE EDU
cc

Subject
Re: [SECURITY] Potential Security Risks in OpenSource LMS environments






On 7/14/2009 at 5:26 PM, in message
<OFCA6EF495.D93D6FB8-ON852575F3.0075B517-852575F3.0075F0F5 () american edu>,
Cathy Hubbs <hubbs () AMERICAN EDU> wrote:
In thinking about the move toward Open Source Learning Management Systems
(i.e., Moodle, Sakai, ATutor, etc., etc.) from Blackboard...

Has anyone encountered or addressed potential security risks/concerns that
may be more prevalent in the Open Source LMS environment vs the COT LMS?

1. Timeliness of Patch Deployment


We have just completed the transition from Blackboard to Moodle and we
have been very happy with it. The few times that vulnerabilities were
discovered, they were patched very quickly.


2. More difficulty protecting data stores (i.e., distributed, the
potential for DBs on individual Faculty workstation)


I do not see how Moodle vs. Blackboard would be different in that: all
data resides on the server; faculty members can always make local copies
of the information to which they have access, but that is true for
Blackboard also. Our general experience is that we have less downtime with
Blackboard than we have with Moodle and that Faculty, Students and
Administration are happier with it than they were with Blackboard. Moodle
has been tied in to our authentication infrastructure, and very detailed
logging has helped me in investigations in the past.

Hope this helps,

Kees
--

Dr. Kees Leune
Information Security Officer
Adelphi University
Garden City, NY
+1 (516) 877-3936

