Moodle security and privacy – the basics

27 October 2021 by Catalyst

As an established and widely adopted learning management system, used in both education and the corporate sector, Moodle has a mature security model that protects its users’ most valuable information. However, like any complex software platform, it must be configured correctly to make sure your staff and students are protected from the cyber threats that can compromise the integrity of your classes and the personally identifiable information (PII) of anyone using the system.


Understanding security for e-learning

There are many considerations and threats you must be aware of with online learning, especially when the platform collects and stores personal information about students, as well as class notes, lectures and grades for academic or even professional qualifications.

When you design your learning management system, security should be front of mind. There is a lot at stake, and you do not want to place your systems and their information at risk: exposure to cyber criminals or malicious insiders can lead to a data breach.

A data breach can directly disrupt the continuity of your business. It can also lead to reputational damage that affects student enrolments. There is also the matter of privacy law, should a breach include the personal information of your students or employees: this type of breach can bring hefty fines, as well as public scrutiny of your online service. Paying attention to the information security of your LMS, as early as you can, is vitally important.

Getting Started with Moodle Security

Moodle is a complex web application with many features for running the platform: creating and managing courses, managing your users from registration to retirement, plus a vast array of additional modules and plugins to service almost any business need.

Configuration

When you configure your site, make sure you follow the Moodle security recommendations. This should include a review of the site’s security settings (Site administration > Security), which covers site security settings (for example the password policy and forced login) and HTTP security (for example secure and HttpOnly session cookies and frame embedding). Do bear in mind that there is no silver bullet in information security. Moodle is a complex solution, and you can almost certainly expect to encounter some security issues over its lifetime.

Once your solution is deployed, you should aim to continuously monitor, maintain and update your installation of Moodle and its plugins to ensure any security bugs (vulnerabilities) are patched as soon as possible. 

Moodle application infrastructure

Given that many Moodle LMS instances are internet-facing, it’s critical that your Moodle is managed to the highest standard, just like any other enterprise web application.

Maintaining your Moodle application infrastructure involves making sure that all your web and API endpoints are hardened, that is, checking that your system configuration and settings reduce the attack surface and the likelihood of compromise. While there is a vast amount of good information online to help you set up and deploy Moodle, it does not match the knowledge, experience and commercial guarantees provided by a Moodle Certified Partner. Depending on the size, workload and time constraints your IT team is under, a fully managed service can often be the most effective, value-for-money option for your business.


Backup and recovery

Some of the most common security advice we give our clients is to treat Moodle like any other cloud-based service platform. To protect your data, you need a solution for backing up and recovering your most important information should it become corrupt or you suffer a hardware failure. A Moodle site backup covers three things: config.php, the moodledata directory and the database; see the Moodle site backup recommendations on Moodle Docs. A sound backup and recovery process also strengthens your overall security posture, because data encrypted by a ransomware attack can be recovered from it, provided the backups themselves are stored where the attacker cannot reach them and restores are tested regularly.

Moodle security overview report

Beyond the obvious, straightforward systems administration advice, you can use Moodle’s Security Overview Report (Site administration > Reports > Security checks in recent versions) to identify misconfigurations in your platform that pose security risks to your data. It checks items such as an insecure dataroot location, display of PHP errors, the password policy, open guest access, frame embedding and cron being runnable from the web. Anything reported by this tool should be investigated by your system administrators or the security team (or service provider), and action taken to remediate the risk.
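Both the settings review under Configuration and the overview report come down to the same thing: comparing the values stored in Moodle’s config table with known-safe ones. The script below is an added example written for this article, not Moodle’s own code and not the report itself. The setting names are real Moodle settings from the Security and Debugging pages; the input format (a JSON list of name/value rows, as you might export from SELECT name, value FROM mdl_config) and the sample dump are this example’s own assumptions, and the checks are a subset of what the report covers.

```python
"""Offline audit of a Moodle settings dump against a subset of the checks
made by Site administration > Security and the security overview report.

Added example, not Moodle's own code. Assumed input: a JSON list of
{"name": ..., "value": ...} rows (e.g. exported from
SELECT name, value FROM mdl_config) plus the dirroot/dataroot paths
from config.php.
"""
import json
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str       # setting name as stored in mdl_config
    expected: str   # value the site should have (mdl_config stores strings)
    reason: str     # what the weak value exposes


# Real Moodle setting names; the recommended values match the admin UI.
CHECKS = (
    Check("cookiesecure", "1", "session cookie can be sent over plain HTTP"),
    Check("cookiehttponly", "1", "session cookie readable by page scripts"),
    Check("passwordpolicy", "1", "password policy not enforced"),
    Check("forceloginforprofiles", "1", "user profiles readable without logging in"),
    Check("opentogoogle", "0", "courses exposed to anonymous search crawlers"),
    Check("allowobjectembed", "0", "EMBED/OBJECT tags kept in user content"),
    Check("allowframembedding", "0", "site can be framed by other sites (clickjacking)"),
    Check("emailchangeconfirmation", "1", "email address changes not confirmed"),
    Check("cronclionly", "1", "cron can be triggered over the web"),
    Check("debugdisplay", "0", "PHP errors shown to users"),
    Check("extendedusernamechars", "0", "unrestricted characters allowed in usernames"),
)
MIN_PASSWORD_LENGTH = 8  # Moodle's default minimum; assumed policy floor here


def load_dump(text):
    """Turn the JSON row list into a {name: value} dict of strings."""
    return {row["name"]: str(row["value"]) for row in json.loads(text)}


def audit(settings, dirroot=None, dataroot=None):
    """Return a list of (setting, actual, expected, reason) findings."""
    findings = []
    for check in CHECKS:
        actual = settings.get(check.name, "<unset>")
        if actual != check.expected:
            findings.append((check.name, actual, check.expected, check.reason))
    length = settings.get("minpasswordlength", "0")
    if not length.isdigit() or int(length) < MIN_PASSWORD_LENGTH:
        findings.append(("minpasswordlength", length, f">={MIN_PASSWORD_LENGTH}",
                         "short passwords accepted"))
    # The report's "insecure dataroot" check: moodledata must not live under
    # the web root, or uploaded files and session data become downloadable.
    if dirroot and dataroot:
        web, data = os.path.abspath(dirroot), os.path.abspath(dataroot)
        if os.path.commonpath([web, data]) == web:
            findings.append(("dataroot", dataroot, f"outside {dirroot}",
                             "moodledata inside the web root"))
    return findings


# Constructed sample dump (not from a real site): several weak values left in.
SAMPLE_DUMP = json.dumps([
    {"name": "cookiesecure", "value": "0"},
    {"name": "cookiehttponly", "value": "1"},
    {"name": "passwordpolicy", "value": "1"},
    {"name": "minpasswordlength", "value": "6"},
    {"name": "forceloginforprofiles", "value": "1"},
    {"name": "opentogoogle", "value": "1"},
    {"name": "allowobjectembed", "value": "0"},
    {"name": "allowframembedding", "value": "0"},
    {"name": "emailchangeconfirmation", "value": "1"},
    {"name": "cronclionly", "value": "1"},
    {"name": "debugdisplay", "value": "1"},
    {"name": "extendedusernamechars", "value": "0"},
])


def sample_findings():
    """Audit the constructed dump with moodledata (wrongly) under the web root."""
    return audit(load_dump(SAMPLE_DUMP),
                 dirroot="/var/www/moodle", dataroot="/var/www/moodle/moodledata")


if __name__ == "__main__":
    for name, actual, expected, reason in sample_findings():
        print(f"{name}: is {actual!r}, want {expected}: {reason}")
```

Run it against a fresh export after every upgrade or plugin change, not just once at deployment; a setting that a plugin or a well-meaning administrator has flipped back is exactly the kind of drift the overview report exists to catch.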

Identity and access management

Another important consideration for any Moodle installation is how well you lock down what users can do. You can see the standard roles and what access they have in Moodle’s standard roles documentation. Ideally, you should only grant the access needed to do a job or participate in a course. If students in a course do not need to upload files, for example, the relevant capability can be set to Prevent for the student role, either in the role definition or as an override in the course where it applies.

The more privileged roles, such as teacher accounts, should be reserved for your most trusted users. Teacher accounts have broader privileges than most, including the ability to add content and files to courses that every enrolled student then sees. Consequently, a compromised teacher account is a much more useful foothold from which to stage an attack.
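To make the override advice concrete, here is an added example (written for this article, not Moodle’s access-control code) that models how one role’s permission for a capability resolves across Moodle’s context hierarchy. The constant values and the two rules (the most specific context wins; Prohibit wins wherever it appears and cannot be reopened further down) follow Moodle’s documented permission semantics, and the capability names are real Moodle capabilities. The context ids, the sample student role and the single-role simplification are this example’s own assumptions.

```python
"""Model of how one role's permission for a capability resolves across
Moodle's context hierarchy (system > category > course > activity).

Added example, not Moodle's own code. Constants and rules follow Moodle's
documented semantics; context ids and the sample roles are assumptions,
and only a single role is modelled (no multi-role conflict resolution).
"""
CAP_INHERIT, CAP_ALLOW, CAP_PREVENT, CAP_PROHIBIT = 0, 1, -1, -1000

# Real Moodle capability names used in the sample.
FORUM_ATTACH = "mod/forum:createattachment"   # attach files to forum posts
ASSIGN_SUBMIT = "mod/assign:submit"           # hand in assignment work

# Constructed context ids: system 1 > category 5 > courses 42 and 43.
PATH_COURSE_42 = [1, 5, 42]
PATH_COURSE_43 = [1, 5, 43]

# Student role: definition at the system context, plus one override in
# course 42 that removes forum attachments (the "no uploads" case above).
STUDENT = {
    1: {FORUM_ATTACH: CAP_ALLOW, ASSIGN_SUBMIT: CAP_ALLOW},
    42: {FORUM_ATTACH: CAP_PREVENT},
}

# Same role, but with a Prohibit set at the category: the course-level
# Allow in 43 cannot reopen it, which is what Prohibit is for.
STUDENT_LOCKED = {
    1: {FORUM_ATTACH: CAP_ALLOW},
    5: {FORUM_ATTACH: CAP_PROHIBIT},
    43: {FORUM_ATTACH: CAP_ALLOW},
}


def resolve(role, context_path, capability):
    """Walk from the system context down to the context being checked.

    Each non-inherit permission replaces the one above it, so the most
    specific context wins, unless Prohibit is met anywhere on the path,
    in which case the answer is Prohibit regardless of lower overrides.
    """
    effective = CAP_INHERIT
    for ctx in context_path:
        perm = role.get(ctx, {}).get(capability, CAP_INHERIT)
        if perm == CAP_PROHIBIT:
            return CAP_PROHIBIT
        if perm != CAP_INHERIT:
            effective = perm
    return effective


def has_capability(role, context_path, capability):
    """A capability is granted only when it resolves to Allow."""
    return resolve(role, context_path, capability) == CAP_ALLOW


if __name__ == "__main__":
    print("course 42 attach:", has_capability(STUDENT, PATH_COURSE_42, FORUM_ATTACH))
    print("course 43 attach:", has_capability(STUDENT, PATH_COURSE_43, FORUM_ATTACH))
    print("course 42 submit:", has_capability(STUDENT, PATH_COURSE_42, ASSIGN_SUBMIT))
    print("locked course 43 attach:", has_capability(STUDENT_LOCKED, PATH_COURSE_43, FORUM_ATTACH))
```

The practical lesson is the difference between Prevent and Prohibit: Prevent is the right tool for a course-level exception, while Prohibit is for capabilities you never want a role to regain through a local override, such as anything a teacher could otherwise switch back on in their own course.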

Incidents happen – be prepared

In terms of cyber security, there is no perfect solution. You should always be prepared to deal with a cyber incident and have documented incident response plans. These should include the procedures your team goes through when identifying the threat, containing any outbreak, and recovering from the breach.

Every step in your plans should be well documented and rehearsed with the team. This is not something every IT team has the skills, knowledge or even the time to put into place, which is something Catalyst’s team can help you plan and deploy.

Items to include

In its most basic form, your preparations should include:

  •  Document your incident response plan
  •  Document your investigation and containment procedures
  •  Document your recovery procedures
  •  Have a backup and recovery strategy and ensure you have tested your recovery procedures
  •  Run some incident management tabletop exercises to identify issues in your processes
  •  Use technology, such as rootkit detectors and firewalls, to identify threats 

Privacy considerations

If you are providing an online learning service, you are almost certainly collecting and storing personal information about your students.

Be aware of the personally identifiable information that your Moodle holds

Information such as a person’s home and/or business address, date of birth, contact information and, of course, the grades for the courses they are attending is all considered private under most countries’ privacy laws. You really do need to make sure you are doing everything you can to protect it from cyber criminals.

The place to start is digital age of consent verification. If it is enabled, any user who registers with an age below the age of consent for their country needs a parent or guardian to contact your support team before the account can be activated.

We also recommend you assign the Privacy Officer role within your Moodle administration team, so that someone can service PII disclosure requests from users and meet the obligations required by privacy laws.

Management of PII

An important consideration for any privacy management solution is the ability to delete PII from your systems when the data is no longer needed.

Moodle can remove data automatically once it passes its retention period: you define retention periods in the data registry, and a scheduled task deletes the data of contexts whose period has expired. We recommend you implement this, so you have some assurance that you are not holding on to data unnecessarily, which only increases your risk exposure.

Stay vigilant with the help of Moodle

The final thing we’d recommend is keeping up to date with the latest Moodle security developments. You can do this by regularly monitoring Moodle’s Security Announcements page.

Support services for Moodle

Catalyst is a Premium Moodle Certified Partner, with ISO 27001 certification. We specialise in the design and deployment of highly secure Moodle platforms. Working closely with our clients, we ensure they meet all the requirements of their regulatory commitments.

Contact us to leverage our experience. We can help to develop the cyber resilience of your Moodle.