As a cloud-based web application, Absorb LMS implements industry-standard security practices to keep all Users safe. At times those practices take the form of restrictions, or of a specific required method for performing a task. These restrictions are in the best interest of all Users: they enhance the security of a Portal by preventing unsafe states from occurring.
This article provides an overview of security topics and best practices:
Supported File Formats
Across the LMS there are many opportunities to upload files to the Portal, whether as Resources for Learners or as submissions from Learners completing Course requirements. Absorb supports standard formats for audio, images, video and general files. When a file is uploaded to the LMS it is scanned by Absorb's anti-virus protocol and validated as a file of the format its name declares.
Supported file types fall into four categories:
Audio | Images | Video | Documents
Unsupported Formats
It may be possible to upload and use alternative formats for some content, such as images. Using file formats with limited support, or formats not listed above, may affect how the content functions. Convert existing files to a supported format before uploading them to the Portal.
Some file types are prevented from being uploaded to the LMS altogether, among them:
- .htm or .html files.
- Executable code.
Uploading Code or Executable Files
If you need to make code available in your Portal, the best practice is to save the code, compress it into a .zip archive, and upload the .zip. The code remains accessible to anyone who downloads and extracts the archive, and the archive passes the upload scan that would reject the bare file. Anyone who downloads such an archive should still treat its contents as untrusted until they have scanned them on their own machine.
File types that should be uploaded inside a .zip archive include, but are not limited to:
- .exe
- .msi
- .com
- .htm
- .html
- .js
- .py
Some file types that cannot be uploaded directly, such as .htm or .html, can be uploaded safely as Resources if they are compressed into a .zip file first.
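The following is an added example of how an upload gate along the lines described above (a supported-format allow list, a blocked-extension list, a content check, and .zip wrapping for blocked types) can be implemented. It is illustrative code, not Absorb's own validator: the extension lists, the sample files and the function names are constructed for this example, and the content check here uses leading "magic" bytes, which is the usual way to confirm that a file really is the format its name claims.

```python
import io
import zipfile
from typing import Dict, Optional, Tuple

# Constructed policy for illustration only; it is not Absorb's published list.
ALLOWED_EXTENSIONS = {"mp3", "png", "jpg", "jpeg", "gif", "mp4", "pdf", "zip"}
BLOCKED_EXTENSIONS = {"htm", "html", "exe", "msi", "com", "js", "py"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the real type from leading bytes ("magic numbers"), or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":  # ISO base media file (MP4)
        return "mp4"
    if data.startswith(b"ID3") or data[:2] == b"\xff\xfb":  # ID3 tag or MPEG frame
        return "mp3"
    return None


def check_zip_members(data: bytes) -> Optional[str]:
    """Return a rejection reason for unsafe archive entries, or None if clean.

    Wrapped .html or .js is allowed (that is the point of zipping), but an
    entry whose name would escape the extraction directory is not.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                parts = name.replace("\\", "/").split("/")
                if parts[0] == "" or ".." in parts or ":" in parts[0]:
                    return f"unsafe path in archive: {name}"
    except zipfile.BadZipFile:
        return "corrupt zip archive"
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is accepted; returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return False, f".{ext} cannot be uploaded directly; compress it into a .zip"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f".{ext or '(none)'} is not a supported format"
    detected = sniff(data)
    if detected is None:
        return False, "content is not recognised as a supported format"
    expected = "jpg" if ext == "jpeg" else ext
    if detected != expected:
        # e.g. an .exe renamed to .png: the name says image, the bytes say otherwise
        return False, f"extension .{ext} does not match content ({detected})"
    if detected == "zip":
        reason = check_zip_members(data)
        if reason is not None:
            return False, reason
    return True, f"accepted as {detected}"


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory .zip from {entry name: content} (used for samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads
    samples = {
        "notes.html": b"<html><body>hi</body></html>",
        "notes.zip": make_zip({"notes.html": b"<html><body>hi</body></html>"}),
        "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
        "renamed-tool.png": b"MZ\x90\x00" + bytes(16),  # PE executable renamed
        "escape.zip": make_zip({"../escape.html": b"x"}),
    }
    for name, blob in samples.items():
        print(f"{name:18} -> {validate_upload(name, blob)}")
```

The point of the content check is the renamed-executable case: an extension allow list alone accepts `renamed-tool.png`, whereas the leading bytes reveal it is not an image. The archive check shows the other half of the advice: `notes.html` is refused directly but accepted inside `notes.zip`, while an archive whose entry names climb out of the extraction directory is still refused.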
User Authentication and Authorization
By default, Users log in to Absorb LMS manually with a Username and Password. As long as both credentials are kept safe, this method of access is generally considered secure. In some cases additional oversight is required to make sure that every account accessing your Portal has been correctly authorized to view the information it contains.
One way to control which Users access your Portal is to require access via Single Sign On. Single Sign On (SSO) centralizes access to Absorb LMS by requiring a User to authenticate with another service, your identity provider. Access via SSO can be further strengthened by the transport-layer and other protections your SSO provider applies, as determined by that provider's services.
For more information about SSO review the following article:
Network Security
In the context of Absorb LMS, network security refers to the environment your Users access your Portal from. If your Portal is focused on external sales, with Users across the world connecting from their home computers, the content they access is intended to be purchased and reviewed, and where they connect from matters little. If your Portal is used for internal training or sensitive material, the network your Users connect from is a much greater concern.
Managing network security is largely about connections and where they originate. To prevent unwanted connections, IP restrictions (allow lists and block lists) can limit which Users are able to reach your Portal. Before configuring any sort of access control, fully scope out all Users and how they will connect to your Portal, or you will lock out legitimate Users along with the unwanted ones. A common approach is to route Users through a VPN and configure the allow list so that only the IP addresses associated with the private network (the addresses the VPN presents to the Portal) are permitted.
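As an added illustration of the allow list / block list logic described above (this is example code, not Absorb's implementation, and the address ranges, proxy ranges and connection records are constructed for the example), the following evaluates sample connections against a policy in which staff arrive through a VPN with a small egress range. It also shows the check a practitioner would want when the Portal sits behind a load balancer: the `X-Forwarded-For` header is only believed when the direct peer is one of your own proxies, because otherwise any visitor can claim an allow-listed address simply by sending the header.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_networks(cidrs: Iterable[str]):
    """Turn 'a.b.c.d/nn' or bare address strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


class PortalAccessPolicy:
    """Block list is consulted first, then the allow list (if one is set)."""

    def __init__(self, allow: Iterable[str] = (), block: Iterable[str] = ()):
        self.allow = parse_networks(allow)
        self.block = parse_networks(block)

    def decide(self, client_ip: str) -> Tuple[bool, str]:
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, f"unparseable address {client_ip!r}"
        for net in self.block:          # an address inside a blocked range loses
            if ip in net:               # even if it is also inside an allowed one
                return False, f"blocked by {net}"
        if not self.allow:
            return True, "no allow list configured (open)"
        for net in self.allow:
            if ip in net:
                return True, f"allowed by {net}"
        return False, "not on allow list"


def client_address(remote_addr: str, forwarded_for: Optional[str],
                   trusted_proxies: Iterable[str]) -> str:
    """Pick the address to evaluate.

    Honour X-Forwarded-For only when the direct peer is one of our own
    proxies; the rightmost entry is the one that proxy appended, entries to
    its left were supplied by the client and are not trustworthy.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in p for p in parse_networks(trusted_proxies)):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


# Constructed example: staff reach the Portal through a corporate VPN whose
# egress addresses are 203.0.113.0/29 (plus an IPv6 range); one address in
# that range is blocked outright; the load balancer lives in 10.0.0.0/24.
POLICY = PortalAccessPolicy(allow=["203.0.113.0/29", "2001:db8:10::/48"],
                            block=["203.0.113.5"])
TRUSTED_PROXIES = ["10.0.0.0/24"]

SAMPLE_CONNECTIONS = [  # (remote_addr, X-Forwarded-For) as the Portal would see them
    ("203.0.113.2", None),                        # VPN egress, direct
    ("203.0.113.5", None),                        # in the VPN range but explicitly blocked
    ("198.51.100.77", None),                      # home connection, not on the allow list
    ("10.0.0.4", "198.51.100.77, 203.0.113.3"),   # via trusted LB; real client 203.0.113.3
    ("198.51.100.77", "203.0.113.3"),             # spoofed header from an untrusted peer
    ("2001:db8:10::17", None),                    # IPv6 VPN egress
]


def evaluate(connections=SAMPLE_CONNECTIONS, policy=POLICY,
             proxies=TRUSTED_PROXIES) -> List[Tuple[str, bool, str]]:
    """Return (evaluated address, allowed?, reason) for each connection."""
    results = []
    for remote, xff in connections:
        ip = client_address(remote, xff, proxies)
        allowed, why = policy.decide(ip)
        results.append((ip, allowed, why))
    return results


if __name__ == "__main__":
    for ip, allowed, why in evaluate():
        print(f"{ip:18} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

Two behaviours are worth noticing when adapting this: the block list wins over the allow list, so a single misbehaving VPN user can be cut off without reshaping the allowed range, and the fifth sample connection is denied even though it claims an allowed address, because the claim arrived from a peer that is not one of your proxies.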
For more information about network security review the following articles:
Regular Security Audits
When and where possible, it is beneficial to outline the potential security concerns in your Portal and to review it regularly to confirm there have been no transgressions. This matters especially if your Portal facilitates sales that your business relies on: it is important to confirm there are no bad actors in your User population.
Standard items to review in a security audit include, but are not limited to:
- Users with random or gibberish credentials (for example, Username = "gp6s77wlll").
- Users with excessive or impossible login counts.
- Users making transactions that are flagged by your Payment Gateway.
- Enrollments created without explanation, or by Admins you do not recognize.
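As an added example of turning the first two audit items into something repeatable, the script below runs simple heuristics over a Users report export: usernames that look machine-generated (no vowels, a long consonant run, or letters and digits interleaved several times, as in "gp6s77wlll") and login figures that are impossible for a human (a last login earlier than account creation, or far more logins per day than a person could perform). The column names, thresholds and report rows are constructed for this example and are not Absorb's report format; treat the output as a shortlist for a human to review, not a verdict.

```python
import csv
import io
from datetime import date
from typing import List, Tuple

# Constructed sample of a Users report export; not real data and not Absorb's schema.
SAMPLE_USER_REPORT = """\
Username,Created,Logins,LastLogin
jsmith,2023-01-10,84,2024-03-01
gp6s77wlll,2024-02-27,1,2024-02-27
mrodriguez,2022-06-15,1910,2024-03-02
a1b2c3d4,2024-02-20,2,2024-02-21
loadbot,2024-02-28,12000,2024-03-01
schneider,2021-11-03,300,2021-10-30
"""

VOWELS = set("aeiouy")
MAX_LOGINS_PER_DAY = 50            # assumed ceiling; tune to your Portal's usage
MIN_LETTERS_FOR_VOWEL_CHECK = 5    # short names legitimately lack vowels (e.g. "jms")
MAX_CONSONANT_RUN = 5
MAX_ALNUM_TRANSITIONS = 3


def looks_random(username: str) -> bool:
    """Heuristic for machine-generated usernames; false positives are possible."""
    name = username.lower()
    letters = [c for c in name if c.isalpha()]
    if len(letters) >= MIN_LETTERS_FOR_VOWEL_CHECK and not any(c in VOWELS for c in letters):
        return True
    run = longest = 0
    for c in name:
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    if longest >= MAX_CONSONANT_RUN:
        return True
    # count letter<->digit switches, ignoring punctuation such as "_" or "."
    transitions = sum(
        1 for a, b in zip(name, name[1:])
        if a.isalnum() and b.isalnum() and a.isalpha() != b.isalpha()
    )
    return transitions >= MAX_ALNUM_TRANSITIONS


def audit_logins(created: date, last_login: date, logins: int) -> str:
    """Return a reason if the login figures are impossible, else an empty string."""
    if last_login < created:
        return "last login precedes account creation"
    active_days = (last_login - created).days + 1
    if logins / active_days > MAX_LOGINS_PER_DAY:
        return f"{logins} logins in {active_days} day(s)"
    return ""


def audit_users(report_csv: str) -> List[Tuple[str, str]]:
    """Run both checks over every row; returns (username, finding) pairs."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["Username"]
        if looks_random(user):
            findings.append((user, "username looks machine-generated"))
        reason = audit_logins(date.fromisoformat(row["Created"]),
                              date.fromisoformat(row["LastLogin"]),
                              int(row["Logins"]))
        if reason:
            findings.append((user, reason))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USER_REPORT):
        print(f"{user:12} {finding}")
```

In the constructed sample, "gp6s77wlll" and "a1b2c3d4" are flagged on the name, "loadbot" is flagged for 12,000 logins over three days, and "schneider" is flagged because the last login is dated before the account existed; "jsmith" and "mrodriguez" pass both checks. Run the same script against each fresh export so that an audit is a diff against last month's findings rather than a manual read of the whole User list.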
For more information that may benefit you in preparing a security audit, review the following articles:
Incident Response Plan
In the modern landscape of digital threats, it is always possible that a bad actor or a targeted attack will reach your Portal. Preparing a plan for this worst case, even if it is unlikely, gives you an outline to respond successfully when a crisis does occur.
An incident response plan may include a series of actions that can be implemented quickly to cut off access to your Portal, or to lock down essential components such as a Payment Gateway. In your incident response plan, make sure to determine the following:
- Where critical data is stored.
- Who is responsible for each component.
- Which systems should be locked down, or temporarily disabled.
Backup and Recovery Procedures
Data is both essential and easy to destroy permanently, whether by accident or not. For this reason anything deemed critical and stored digitally must abide by strict protection policies. Keep in mind the mantra:
- Two is one, one is none.
When backing up data you must first categorize it by priority: what is absolutely critical to maintain, what can be recreated or retrieved from alternate sources, and what is ultimately negligible or acceptable to lose. All critical data should be kept up to date in your Portal, but also stored in at least two other accessible digital locations in addition to a physical, external backup.
Digital storage solutions include cloud services such as OneDrive, or Google Drive.
Physical storage solutions vary in effectiveness, but are strong backups provided the physical storage solution is maintained in a safe location. An external SSD is preferred to an SD card, or USB drive for long term physical storage.
Make certain to define strict backup policies for data that is considered critical, whether that is Enrollment or E-Commerce information. Regularly create reports and incorporate the report files into your backup policy. Apply the same process to uploaded Course content, including Resources.
When creating a backup policy, make certain it isn't tied to a specific account and that the information can be accessed by your organization as a whole. If backups are associated with a specific User, or with an account that cannot easily be accessed outside of Absorb, it may affect your ability to perform a restore or to retrieve lost information.
Security Awareness Training
Often the best-designed system is undermined by a human who does not interact with it, or who applies its concepts incorrectly. Depending on how protective you must be of the information in your Portal, it may be valuable to develop and distribute security training specific to Absorb LMS and to how your organization interacts with your Portal.
Elements that may be relevant to outline in training include:
- How to back up content Instructors create.
- What information can be shared, what information cannot be shared.
- How to safely and securely access SSO systems.
- How to navigate a VPN.
- Safely managing credentials or private information.
- Approved browser addons/extensions.