Security is top of mind at Blackboard.
Blackboard is vigilant about building security into our products and providing prompt and carefully tested product updates.
Blackboard follows industry accepted security practices. Blackboard Learn is developed according to a set of security engineering guidelines. These guidelines are derived from many organizations such as the Open Web Application Security Project (OWASP), including specific countermeasures for OWASP Top Ten vulnerabilities. Blackboard incorporates these security practices in all phases of the software development lifecycle (SDLC).
The SaaS application code has been built with security in mind. The Security Team has been involved in the full SDLC to ensure we build security in from the very beginning, following our Security Assurance Program. We have adopted new technologies and taken advantage of their built-in security features and best practices.
Blackboard uses several methods to protect our applications including "top-down" security assessments through Threat Modeling and analysis. We also use "bottom-up" code-level threat detection through static analysis, dynamic analysis, and manual penetration testing.
Blackboard follows best practice guidance from many organizations to help strengthen the security of Blackboard Learn's product and program, including:
- National Institute of Standards and Technology (NIST)
- European Network and Information Security Agency (ENISA)
- SANS Institute Open Web Application Security Project (OWASP)
- Cloud Security Alliance (CSA)
Security threats and countermeasures surrounding Learning Management Systems are ever-changing. Thus, Blackboard regularly assesses its Product Security Roadmap.
Blackboard built security into Blackboard Learn from the beginning. The following items present the security measures and practices Blackboard put in place to secure the SaaS offering.
The Learn SaaS offering secures all communication over the Internet with Transport Layer Security (TLS) technology. TLS ensures that a communication is not read or changed by another entity. Blackboard Learn uses TLS to secure communications between the Web server and the client machine; e.g., a browser.
The SaaS offering requires TLS system-wide by default. TLS terminates at the Amazon Elastic Load Balancer (ELB). TLS certificates require 2048-bit encryption.
The Learn SaaS offering customer instances terminate TLS at the Amazon Elastic Load Balancer (ELB). Thus, the only assets with inbound access are the ELBs. The available ports are 80 (http) and 443 (https). Access to port 80 causes a redirect to port 443, meaning secure communication over TLS. All other ports are inaccessible externally, as Blackboard enforces a default-deny firewall policy for the Learn SaaS offering by leveraging the full power of AWS Security Groups. Moreover, the Learn SaaS offering places all non-ELB infrastructure in a private subnet, completely removed from the Internet.
Customers can access their Learn SaaS offering instances using only the web interface over TLS. For security reasons, customers cannot access their instances using command-line or back-end access.
Only authorized Blackboard staff may access the Learn SaaS offering instances via the web interface over TLS.
A limited set of staff would have command-line and back-end access through the use of SSH keys. Access is only possible via SSH keys, a more secure method of access versus username/passwords. Keys are managed by a small group and can be revoked at any time.
Blackboard access to the Amazon Web Services web console requires multi-factor authentication (MFA.)
The Learn SaaS offering uses the PostgreSQL as the database. Blackboard's PostgreSQL database service provides enhanced availability and durability such that in the event of a database failure, the service would cut-over to an alternate availability zone. Our PostgreSQL database service also takes nightly backups.
Backups are stored in a medium that provides extremely high durability. The Learn SaaS offering does not use database encryption at rest at this time.
The Learn SaaS offering uses access control to protect the database. Access to the database is not available externally and limited to authorized Blackboard staff.
The Learn SaaS offering uses Amazon Simple Storage Service (S3) for backups of critical file system data. This data is backed up every 5 minutes. S3 offers "11 nines of data durability.
Backups are not encrypted at this time though Blackboard is evaluating this as part of its Learn SaaS offering roadmap. Backups are not accessible externally and access is limited to authorized Blackboard staff.
Customers have access to the Blackboard Learn application-level logs through the System Admin panel's integrated Kibana interface. Customers will be able to review security logs as described here: Audit and Accountability.
Blackboard partnered with Amazon to ensure we built the Learn SaaS offering on a sound foundation of AWS best-practices from the start. Blackboard subsequently engaged a third party auditor to specifically focus on the Learn SaaS AWS deployment. These two approaches taken together ensure our highest confidence in the security of our SaaS offering.
Partnering with AWS for Learn SaaS offers many advantages of scale, efficiency, and security. One clear advantage area presents itself when leveraging the high availability infrastructure on which AWS is built. For example, The Learn SaaS offering benefits from the DDoS countermeasures provided natively by AWS.