Security Best Practices
D2L takes a layered approach to protecting its network infrastructure and resources.
- Network Firewall provides protection at the network level, with capabilities such as stateful inspection and intrusion prevention. Amazon Virtual Private Cloud (VPC) security groups provide protection at the host level. A Web Application Firewall (WAF) provides protection at the application level.
- Amazon Virtual Private Cloud (VPC) keeps traffic segmented, and multiple VPC features, including private subnets, public subnets and Network Load Balancers, are configured to segregate traffic across network boundaries.
- Cloud security posture management technology is deployed throughout the D2L infrastructure. It collects events from endpoints and enables monitoring, alerting and remediation of compliance risks and misconfigurations in cloud environments.
- A threat and intrusion detection service continuously monitors the cloud environments for malicious activity.
- Deep packet inspection technology is available for forensics if required.
- Connection to the Brightspace environment is via TLS cryptographic protocols with RSA® encryption, ensuring that customers have a secure connection from their browsers to our service.
- Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.
- D2L uses internal network technology such as firewalls and WAFs to protect against denial of service (DoS) attacks.
- D2L also uses AWS Shield to protect against distributed denial of service (DDoS) attacks. This service provides detection and mitigation for volumetric, protocol-layer and application-layer DDoS attacks.
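The per-transaction session check described above (a unique token minted at login and re-verified on every request) is the kind of control a reviewer would want to see in code. The block below is an added illustration, not D2L's code: it assumes an in-memory session store and a one-hour lifetime, both chosen for the example. The server keeps only a SHA-256 digest of each token, so a copied session table does not yield usable tokens, and every request is checked against that record, including expiry.

```python
"""Session tokens minted at login and re-verified on each request.
Added example, not D2L code. Store and lifetime are assumptions."""
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 3600  # assumed lifetime; not a value from the page

# In-memory store keyed by the SHA-256 digest of the token. A deployment would
# use a shared store (database or cache); this dict is constructed for the example.
_sessions: Dict[str, dict] = {}


def _digest(token: str) -> str:
    """Hash the bearer token; only the digest is ever stored server-side."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def login(username: str, now: Optional[float] = None) -> str:
    """Create a fresh, unguessable token for this login and record it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[_digest(token)] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def verify(token: str, now: Optional[float] = None) -> Optional[str]:
    """Re-verify the token on every request; return the user or None.

    The lookup key is the digest of the caller-supplied token, so the dict's
    non-constant-time string comparison can only leak digest bytes, which
    preimage resistance keeps from being turned back into a token.
    """
    now = time.time() if now is None else now
    record = _sessions.get(_digest(token))
    if record is None:
        return None
    if now >= record["expires"]:
        del _sessions[_digest(token)]  # expired: drop it so it cannot be reused
        return None
    return record["user"]


def logout(token: str) -> None:
    """Invalidate the session so the token is rejected on the next request."""
    _sessions.pop(_digest(token), None)


if __name__ == "__main__":
    t = login("alice")
    print("valid:", verify(t))            # alice
    print("tampered:", verify(t + "x"))   # None
    logout(t)
    print("after logout:", verify(t))     # None
```

Each request carries the token (for instance in a cookie) and the handler calls `verify()` before doing any work; the `now` parameter exists only so expiry can be exercised deterministically.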
System hardening
- Before a server image is certified, unnecessary services are disabled and unused ports are closed. Templates (such as those from the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), as well as Microsoft's Baseline Security Analyzer (MBSA)) are used to validate that the image has been hardened to industry-standard best practices.
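One concrete check behind "unnecessary services are disabled and ports closed" is to compare the sockets actually listening on a candidate image with the baseline the image is allowed to expose. The block below is an added example, not D2L's certification tooling: it parses output in the format of `ss -tulnH`, the sample lines are constructed rather than captured from any D2L system, and the web-tier baseline (SSH and HTTPS only) is a hypothetical policy chosen for the illustration.

```python
"""Audit listening sockets against a hardening baseline.
Added example, not D2L tooling; sample input and baseline are constructed."""
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int, str]  # (protocol, port, bound address)

# Constructed sample in `ss -tulnH` layout: Netid State Recv-Q Send-Q Local Peer
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128             [::]:23           [::]:*
"""

# Hypothetical baseline for a web-tier image: only SSH and HTTPS may listen.
WEB_TIER_BASELINE: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443)}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output: str) -> List[Listener]:
    """Extract (proto, port, address) from each `ss -tuln`-style line."""
    listeners: List[Listener] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles both 0.0.0.0:22 and [::]:23
        listeners.append((proto, int(port), addr))
    return listeners


def audit(ss_output: str, baseline: Set[Tuple[str, int]],
          allow_loopback: bool = True) -> Dict[str, list]:
    """Compare observed listeners with the baseline.

    "unexpected": listeners outside the baseline (loopback-only sockets are
    tolerated by default since they are not reachable from the network;
    pass allow_loopback=False to flag them too).
    "missing": baseline entries with no listener at all, which usually means
    a required service failed to start.
    """
    observed = parse_listeners(ss_output)
    unexpected = sorted(
        l for l in observed
        if (l[0], l[1]) not in baseline and not (allow_loopback and l[2] in LOOPBACK)
    )
    seen = {(proto, port) for proto, port, _ in observed}
    missing = sorted(baseline - seen)
    return {"unexpected": unexpected, "missing": missing}


def image_is_hardened(ss_output: str, baseline: Set[Tuple[str, int]]) -> bool:
    """Certification gate: nothing outside the baseline may listen."""
    return not audit(ss_output, baseline)["unexpected"]


if __name__ == "__main__":
    report = audit(SAMPLE_SS_OUTPUT, WEB_TIER_BASELINE)
    for proto, port, addr in report["unexpected"]:
        print(f"UNEXPECTED {proto}/{port} bound to {addr}")
    for proto, port in report["missing"]:
        print(f"MISSING    {proto}/{port} expected by baseline")
    print("hardened" if image_is_hardened(SAMPLE_SS_OUTPUT, WEB_TIER_BASELINE) else "NOT hardened")
```

On the constructed sample the audit flags telnet on tcp/23 and rpcbind on udp/111, tolerates the loopback-only database port, and fails the image; the same function run on real `ss -tulnH` output gives a pass/fail signal that can sit in an image build pipeline next to the CIS or NIST template checks.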
Vulnerabilities and Patching
- D2L tests all code for security vulnerabilities before release, and regularly scans its network and systems for vulnerabilities.
- D2L experts regularly review security patches for the underlying software and operating systems to assess their criticality, risk and potential effect on D2L services.
Annual Third Party Assessments
- D2L uses a third party to conduct penetration tests against the Brightspace platform annually.
Anti-virus software is deployed on all personnel laptops and desktops and is centrally managed to ensure that signature (DAT) files are kept up to date. Centralized reporting ensures that malware infections are properly quarantined and escalated for further action where needed.
The application is developed using the OWASP Top Ten framework, and various security components are integrated into the application architecture. Security analysts regularly look for vulnerabilities through code reviews and application scans. Third parties validate the technical controls by conducting regularly scheduled network penetration and application vulnerability tests.
D2L has a defined Security and Privacy Incident Management process to handle security and privacy incidents. This process can be initiated by a D2L customer, an internal D2L employee or a member of the public. When a security incident is identified, the following high-level process is followed.
- Monitoring and Awareness: A security and/or privacy incident is identified and communicated to the Security Incident Response Team (SIRT).
- Detection and Analysis (triage): The incident is assessed to determine its severity, priority, scope and impact. This step can include evidence preservation and containment activities.
- Mitigation: Recommendations are created and executed to contain and/or eradicate the incident in question.
- Recovery: Containment is complete. Where applicable, the affected environments are scanned to confirm that recovery is complete.
- Communications: This can include communications with internal resource teams, stakeholders and D2L customers. Based on the findings of triage and analysis, the appropriate communications are drafted, approved and shared.
- Post Incident Activity: In this stage, a lessons-learned review is completed to gather feedback and evolve the incident response process and procedures. Where applicable, the root cause is identified and logged.
D2L vets all applicable vendors and subcontractors to ensure they too provide an appropriate level of security.
- D2L has a security awareness program that serves to ensure employees understand the importance of security and its intersection with their workday.
- New employees are required to take security training and training completion is audited throughout the year.
- The Information Security team draws on several threat intelligence sources to stay current with the latest and emerging security threats. This information is disseminated through regular security awareness campaigns so that D2L staff are aware of these threats and know what to do if they encounter them.