Security is top of mind at Blackboard.
Blackboard is vigilant about building security into our products and providing prompt and carefully tested product updates.
Blackboard follows industry-accepted security practices. Blackboard Learn is developed according to a set of security engineering guidelines. These guidelines are derived from many organizations such as the Open Web Application Security Project (OWASP), including specific countermeasures for the OWASP Top Ten vulnerabilities. Blackboard incorporates these security practices in all phases of the software development lifecycle (SDLC).
The SaaS application code has been built with security in mind. The Security Team has been involved in the full SDLC to ensure we build security in from the very beginning, following our Security Assurance Program. We have adopted new technologies and taken advantage of their built-in security features and best practices.
Blackboard uses several methods to protect our applications including "top-down" security assessments through Threat Modeling and analysis. We also use "bottom-up" code-level threat detection through static analysis, dynamic analysis, and manual penetration testing.
Blackboard follows best practice guidance from many organizations to help strengthen the security of Blackboard Learn's product and program, including:
- National Institute of Standards and Technology (NIST)
- European Network and Information Security Agency (ENISA)
- SANS Institute
- Open Web Application Security Project (OWASP)
- Cloud Security Alliance (CSA)
Security threats and countermeasures surrounding Learning Management Systems are ever-changing. Thus, Blackboard regularly assesses its Product Security Roadmap.
Blackboard built security into Blackboard Learn from the beginning. The following items present the security measures and practices Blackboard put in place to secure the SaaS offering.
The Learn SaaS offering secures all communication over the Internet with Transport Layer Security (TLS) technology. TLS ensures that a communication is not read or changed by another entity. Blackboard Learn uses TLS to secure communications between the Web server and the client machine; e.g., a browser.
The SaaS offering requires TLS system-wide by default. TLS terminates at the Amazon Elastic Load Balancer (ELB). TLS certificates must use 2048-bit keys.
Minimum attack surface area
Customer instances of the Learn SaaS offering terminate TLS at the Amazon Elastic Load Balancer (ELB). Thus, the only assets with inbound access are the ELBs. The available ports are 80 (HTTP) and 443 (HTTPS). Access to port 80 causes a redirect to port 443, so all communication is secured over TLS. All other ports are inaccessible externally, as Blackboard enforces a default-deny firewall policy for the Learn SaaS offering using AWS Security Groups. Moreover, the Learn SaaS offering places all non-ELB infrastructure in a private subnet, completely removed from the Internet.
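The attack-surface policy described above (Internet-facing ingress only on the load balancer's group, only on TCP 80 and 443, default deny everywhere else) can be checked against a security-group listing. The following is an added example, not Blackboard's code: it audits rule dicts shaped like the EC2 DescribeSecurityGroups response against that policy, using a constructed sample rather than a live account, and assumes the caller knows which group ids belong to the Internet-facing ELB.

```python
from __future__ import annotations

INTERNET = {"0.0.0.0/0", "::/0"}
ELB_PORTS = {80, 443}  # 80 is reachable only to redirect to 443


def _port_label(perm: dict) -> str:
    """'tcp 443', 'tcp 80-443', or 'all' for an all-protocol (-1) rule."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{perm['IpProtocol']} {lo}" if lo == hi else f"{perm['IpProtocol']} {lo}-{hi}"


def _internet_facing(perm: dict) -> bool:
    """True when any source range of the rule is the whole Internet (v4 or v6)."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & INTERNET)


def _within_elb_policy(perm: dict) -> bool:
    """Only TCP, and every port in the rule's range must be 80 or 443."""
    if perm.get("IpProtocol") != "tcp" or "FromPort" not in perm:
        return False
    return set(range(perm["FromPort"], perm["ToPort"] + 1)) <= ELB_PORTS


def audit_ingress(groups: list[dict], elb_group_ids: set[str]) -> list[str]:
    """Return one finding per rule that breaks the policy; [] means the policy holds."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            if not _internet_facing(perm):
                continue  # sourced from another group or a private range: not Internet exposure
            if gid not in elb_group_ids:
                findings.append(f"{gid}: non-ELB group open to the Internet on {_port_label(perm)}")
            elif not _within_elb_policy(perm):
                findings.append(f"{gid}: ELB group exposes {_port_label(perm)}; only tcp 80 and 443 allowed")
    return findings


# Constructed sample (no real account) in the shape of a DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [  # private subnet: reachable only from the ELB group
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [  # violation: database port open to the world
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Running `audit_ingress(SAMPLE_GROUPS, {"sg-elb"})` flags only the database group; the application group passes because its source is the ELB group, not the Internet.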
Customer administrative access
Customers can access their Learn SaaS offering instances using only the web interface over TLS. For security reasons, customers cannot access their instances using command-line or back-end access.
Blackboard administrative access
Only authorized Blackboard staff may access the Learn SaaS offering instances via the web interface over TLS.
A limited set of staff has command-line and back-end access, authenticated only with SSH keys rather than usernames and passwords, a more secure method of access. Keys are managed by a small group and can be revoked at any time.
Blackboard access to the Amazon Web Services web console requires multi-factor authentication (MFA).
Database resiliency and backups
The Learn SaaS offering uses PostgreSQL as its database. Blackboard's PostgreSQL database service provides enhanced availability and durability such that, in the event of a database failure, the service cuts over to an alternate availability zone. The PostgreSQL database service also takes nightly backups.
Encryption at rest is available and enabled by default for all new Blackboard Learn SaaS environments. Environments created prior to release version 3200.10.0 do not have encryption at rest fully enabled by default. For these environments, enabling encryption at rest involves downtime to move data over to encrypted storage. Encryption at rest will be fully enabled for existing Blackboard Learn SaaS environments at the client's request, with the client's acceptance of the downtime. Blackboard Support can also conduct the migration when an opportunity presents itself to enable encryption at rest without additional downtime, such as during a mandatory migration unrelated to encryption at rest. Contact Blackboard Support to discuss the migration process and the timing of enabling encryption at rest for your Blackboard Learn SaaS environment.
The Learn SaaS offering uses access control to protect the database. The database is not reachable externally, and access is limited to authorized Blackboard staff.
File system resiliency and backups
The Learn SaaS offering uses Amazon Simple Storage Service (S3) for backups of critical file system data. This data is backed up every 5 minutes. S3 offers "11 nines" (99.999999999%) of data durability.
Customers have access to the Blackboard Learn application-level logs through the Administrator Panel. Customers can review security logs as described in Audit and Accountability.
The Learn SaaS offering uses AWS auditing tools, including S3, CloudWatch, CloudTrail, and Trusted Advisor.
Built with security in mind, verified by a third party
Blackboard partnered with Amazon to ensure the Learn SaaS offering was built on a sound foundation of AWS best practices from the start. Blackboard subsequently engaged a third-party auditor to focus specifically on the Learn SaaS AWS deployment. Taken together, these two approaches give us the highest confidence in the security of our SaaS offering.
Partnering with AWS for Learn SaaS offers many advantages of scale, efficiency, and security. One clear advantage comes from the high-availability infrastructure on which AWS is built. For example, the Learn SaaS offering benefits from the DDoS countermeasures provided natively by AWS.