Your Security, Our Priority
Your private data needs to stay that way. Which is why we design our products and services to protect it. With robust safeguards, continuous monitoring and real-time security insights, nobody minds your business but us.
Eliminating Vulnerabilities
Prevention
A strong foundation relies on solid building blocks. We favour languages and frameworks with inherent memory safety, built-in XSS prevention, and SQL injection protection.
Detection
The first step to correcting a vulnerability is to identify it—that’s why we’ve integrated static application security testing (SAST) tools into our CI/CD pipeline.
Safeguarding
We store data using secure cloud infrastructure and reinforce its protection by implementing security best practices.
Security in Every Step
Your security is top of mind at every stage of our Software Development Lifecycle (SDLC).
Neutralizing Threats
Testing
We run periodic dynamic application security testing (DAST) scans, work closely with security researchers and perform annual 3rd party penetration tests to identify—and correct—any weaknesses in our product’s security.
Training
Security and learning go hand in hand. Our mandatory employee training program is extensive and dynamic—we are always looking for new ground to cover.
Risk Management
We operate an ISO 27001 certified risk management program that ensures vulnerabilities are identified, prioritized and addressed according to documented service level objectives (SLOs).
Monitoring
Disruption-free patches and updates keep our software and infrastructure secure as we closely monitor security threats and vulnerabilities.
Keeping You in the Loop
Network Infrastructure Protection
We take a layered approach to protecting our network infrastructure and resources.
- A network firewall guards the network layer with capabilities such as stateful inspection and intrusion prevention. Amazon Virtual Private Cloud (VPC) security groups provide protection at the host layer. A Web Application Firewall protects the application layer.
- Amazon VPC helps keep traffic segmented using private subnets, public subnets and Network Load Balancers. These VPC services separate traffic between network boundaries.
- We deploy cloud security posture management technology throughout our infrastructure. This technology collects events from endpoints and enables monitoring, alerting, and remediation of compliance risks and misconfigurations in cloud environments.
- Threat and intrusion detection services continuously monitor cloud environments for malicious activity.
- Deep packet inspection technology is available for forensics if required.
Secure Transmission
- Connections to the Brightspace environment are established through TLS cryptographic protocols with RSA® encryption, ensuring that customers have a secure connection from their browsers to our service.
- Individual user sessions are identified and re-verified with each transaction using a unique token created at login.
Denial of Service Monitoring
- Our internal network technology—such as firewalls and WAFs—protects against denial of service (DoS) attacks.
- We use AWS Shield to protect against distributed denial of service (DDoS) attacks. This service provides detection and mitigation for volumetric, protocol and application DDoS attacks.
Vulnerability Management and Patching
System Hardening
- Before a server image is certified, we disable unnecessary services and close all ports. We use the following organizations’ templates to validate that the image is aligned with industry-standard best practices:
Vulnerabilities and Patching
- We test all code for security vulnerabilities before release and regularly scan our network and systems for vulnerabilities.
- Our experts regularly review any security patches for underlying software and operating systems to assess their criticality, risk, and potential effect on D2L services.
Annual Third Party Assessments
- We employ a third party to conduct penetration tests against the Brightspace platform annually.
Endpoint Threat and Protection
Anti-virus software is deployed on all personnel laptops and desktops and is centrally managed to ensure all signature (DAT) files are up to date. Centralized reporting ensures malware infections are properly quarantined and escalated for further action where needed.
Application Security
Applications are developed using the OWASP Top Ten framework and various security components are integrated into application architecture. Security analysts regularly look for weaknesses through code reviews and application scans. Third parties validate the technical controls by conducting regularly scheduled network penetration and application vulnerability tests.
Incident Management
Our Security and Privacy Incident Management process handles security and privacy incidents. This process can be initiated by a D2L customer, internal D2L employee or the public. If a security incident is identified, the following high-level process is followed:
- Monitoring and Awareness: A security and/or privacy incident is identified and communicated to the Security Incident Response Team (SIRT).
- Detection and Analysis (triage): The incident is assessed to determine the severity, priority, scope and impact. This step can include evidence preservation and containment activities.
- Mitigation: Recommendations are created and implemented to contain and/or eradicate the incident in question.
- Recovery: Containment is complete. Where applicable, scanning of environments occurs to ensure recovery is complete.
- Communications: This can include communications with internal resource teams, stakeholders and D2L customers. Based on the findings of triage and analysis, the appropriate communications are drafted, approved and shared.
- Post Incident Activity: In this stage, a lessons-learned review is completed to gather feedback and evolve the incident response process and procedures. Where applicable, the root cause is identified and logged.
Vendors and Subcontractors
We vet all applicable vendors and subcontractors to ensure they too provide an appropriate level of security.
Security Awareness
- Our security awareness program ensures that employees understand the importance of security and its intersection with their workday.
- New employees are required to take security training, and training completion is audited throughout the year.
- The Information Security team leverages several security threat intelligence sources to keep up to speed on the latest security threats. This information is shared through regular security awareness campaigns to help ensure D2L staff are informed of these threats and know what to do if they encounter them.
Secure by Design
We are committed to the continuous refinement of our security operations and practices, including ensuring that security is treated as an integral aspect of the D2L product roadmap. Because when your private data stays that way, everyone wins.