D2L takes a layered approach to protecting its network infrastructure and resources.
- Perimeter stateful packet inspection firewalls and edge routers block unused protocols and help protect against malicious network traffic, viruses and malware.
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) detect and remediate potentially malicious network traffic. Signature sets are reviewed and updated on a regular cadence for typical releases, and as point-in-time updates for high-priority releases.
- Deep packet inspection technology is deployed to allow for forensics if required.
- VLAN segmentation helps keep traffic segmented and internal firewalls segregate traffic between network boundaries.
- Security Information and Event Management (SIEM) technology is deployed throughout D2L infrastructure. This technology collects and aggregates events from endpoints and stores them centrally for event correlation, security alerting and analysis.
- Connections to the Brightspace environment use TLS cryptographic protocols with RSA® encryption, ensuring that customers have a secure connection from their browsers to our service.
- Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.
Denial of Service Monitoring
- D2L uses internal network technology such as firewalls, WAFs and IDS/IPS to protect against denial of service (DoS) attacks.
- D2L uses a third-party service provider to protect against distributed denial of service (DDoS) attacks. This service provides detection and mitigation for volumetric DDoS attacks.
Vulnerability Management and Patching
- System hardening
- Vulnerabilities and Patching
- D2L tests all code for security vulnerabilities before release, and regularly scans its network and systems for vulnerabilities.
- Each month following “Patch Tuesday”, a group representing Brightspace Cloud, QA, Product Development, and Implementation meets to review all Microsoft® patches in order to assess their criticality, risk and potential effect on D2L services. Patches may go through a QA process prior to being scheduled for implementation during the next available maintenance period.
- Annual Third Party Assessments
- D2L uses a third party to conduct penetration tests and vulnerability scans against the Brightspace platform annually.
Endpoint Threat and Protection
- Anti-virus software is deployed on all personnel laptops and desktops and is centrally managed to ensure all signature (DAT) files are up to date. Centralized reporting ensures malware infections are properly quarantined and escalated for further action where needed.
- The application is developed using the OWASP Top Ten framework, and various security components are integrated into the application architecture. Security analysts regularly look for vulnerabilities through code reviews, application scans, and internally run penetration tests. Third parties validate the technical controls by conducting regularly scheduled network penetration and application vulnerability tests.
D2L has a defined Security and Privacy Incident Management process to handle security and privacy incidents. This process can be initiated by a D2L customer, an internal D2L employee or the public. When a security incident is identified, the following high-level process is followed.
- Monitoring and Awareness: A security and/or privacy incident is identified and communicated to the Security Incident Response Team (SIRT).
- Detection and Analysis (triage): The incident is assessed to determine the severity, priority, scope and impact. This step can include evidence preservation and containment activities.
- Mitigation: Recommendations are created and executed to contain, eradicate and/or recover from the incident in question.
- Recovery: Containment is complete. Where applicable, scanning of environments occurs to ensure mitigation is complete.
- Communications: This can include communications with internal resource teams, stakeholders and D2L customers. Based on the findings of triage and analysis, the appropriate communications are drafted, approved and shared.
- Post Incident Activity: In this stage, lessons learned are completed to gather feedback and evolve the incident response process and procedures. Where applicable, the root cause is identified and logged.
Vendors and Subcontractors
- D2L vets all applicable vendors and subcontractors to ensure they too provide an appropriate level of security.
- D2L has a security awareness program that serves to ensure employees understand the importance of security and its intersection with their workday.
- New employees are required to take security training and training completion is audited throughout the year.
- The Information Security team leverages several threat intelligence sources to stay current on the latest and emerging security threats. This information is disseminated through regular security awareness campaigns to help ensure that D2L staff are aware of these threats and know what to do if they encounter them.