Educause Security Discussion mailing list archives
Re: Potential Security Risks in OpenSource LMS environments
From: Cathy Hubbs <hubbs () AMERICAN EDU>
Date: Wed, 15 Jul 2009 17:10:01 -0400
Kees, thank you for sharing your experiences; this is exactly what I am trying to uncover.

Many Universities are making the shift to Open Source LMS environments, most, from what I hear, for cost savings and a perception of a richer feature set, and I'm sure there are more reasons than these. When making the decision to make the LMS shift, considerations such as TCO need to be thoroughly researched and shared with our business officers. Another consideration (the one I am posing) is: are there any additional risks to potentially sensitive data sets that may be more prevalent in the Open Source environment versus the Commercially supported environment? Commercial proponents often point to "slow to patch" as the big risk factor; I'm looking to see if there are any other considerations.

If anyone else has experience comparing risks in LMS environments (opensource vs Commercial) I am still interested. Happy to receive a phone call too.

Thanks in advance.

Cathy Hubbs, Chief Information Security Officer
American University
Washington, DC
202.885.3998

Kees Leune <LEUNE () ADELPHI EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
07/15/2009 02:49 PM
Please respond to The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To SECURITY () LISTSERV EDUCAUSE EDU
cc
Subject Re: [SECURITY] Potential Security Risks in OpenSource LMS environments
On 7/14/2009 at 5:26 PM, in message <OFCA6EF495.D93D6FB8-ON852575F3.0075B517-852575F3.0075F0F5 () american edu>, Cathy Hubbs <hubbs () AMERICAN EDU> wrote:

In thinking about the move toward Open Source Learning Management Systems (i.e., Moodle, Sakai, ATutor, etc., etc.) from Blackboard...

Has anyone encountered or addressed potential security risks/concerns that may be more prevalent in the Open Source LMS environment vs the COT LMS?

1. Timeliness of Patch Deployment

We have just completed the transition from Blackboard to Moodle and we have been very happy with it. The few times that vulnerabilities were discovered, they were patched very quickly.

2. More difficulty protecting data stores (i.e., distributed, the potential for DBs on individual Faculty workstation)

I do not see how Moodle vs. Blackboard would be different in that--- all data resides on the server; faculty members can always make local copies of the information to which they have access, but that is true for Blackboard also.

Our general experience is that we have less downtime with Blackboard than we have with Moodle and that Faculty, Students and Administration are happier with it than they were with Blackboard. Moodle has been tied in to our authentication infrastructure, and very detailed logging has helped me in investigations in the past.

Hope this helps,

Kees

--
Dr. Kees Leune
Information Security Officer
Adelphi University
Garden City, NY
+1 (516) 877-3936