Managing Security in A New Learning Management System (LMS) : July 2009
All content following this page was uploaded by Visar Shehu on 16 May 2014.
Abstract. Common security problems when creating a new system range from basic browser authentication to physical access to servers. The security perspective in e-learning systems is often ignored, and this is why this paper tends to emphasize common security issues when developing new Information Systems. We introduce a three-layered security measure: the physical control layer, the software control layer and social engineering training. These three layers tend in various methods to secure users' credentials and other data in the newly created Learning Content Management System (LMS).

often ignored, and this is why this paper tends to emphasize common security issues when developing new Information Systems. In order to manage the potential security flaws, three layers of security are presented in this paper:
• Physical Control Layer – manages the physical access to the University network.
• Software Control Layer – manages the user credentials by a domain controller and the custom Access Control List (ACL) delivering the Roles inside the application.
• Social Engineering Training – manages the human nature regarding the security.
Proceedings of the ITI 2009 31st Int. Conf. on Information Technology Interfaces, June 22-25, 2009, Cavtat, Croatia
1. MS Active Directory integration into the LMS
2. Secure Socket Layer (SSL)
3. Custom roles using the Access Control List (ACL) in the database
4. File System Security
depending on the user level and specific resource on the LMS.
ACL defines four types of user levels, and as such their permissions to the system:
1. System Administrator – level 1
2. Course Instructor – level 5
3. Teaching Assistant – level 10
4. Student – level 15
5. Everyone – level 20
A gap between user levels is intentionally left, because another group of users (for example Foreign Students or Seminar Users) might be introduced. Those users will probably need specific permissions, which will need to be identified with another group of users, such as Level 16.
The level number is given to a user by the administrator, the Active Directory role or by the Course Instructor. The lower the user level, the higher the permissions appointed to a specific course or resource.
This way of using the ACL allows Course Instructors to have more control over the resources they create. On one hand, a newly created folder or file can have its permissions set to "Teaching Assistants" only, which will prevent every user above level 10 from entering and seeing this content. On the other hand, the same Course Instructor can appoint any user to a Teaching Assistant level for his/her course.

3.4. File System Security
The ACL used in the solution not only limits the listing of the content on the Web application, but the download of the content as well.
Every time a user attempts to download some content from the course, the content of that file is streamed to the user. Before the streaming even occurs, a check against the ACL for permissions is done. If the user has access to the given content (file), then the streaming starts.
File and folder names on the file server (Figure 1) are stored as globally unique identifiers (GUID) [7]. The correct name, description and permission level for that file or folder are kept in the database, and only a reference to the newly created GUID is set.
By using this kind of file storage we are able to:
• Allow duplicate file names and folders for the same course
• Control the access to these files by streaming the content instead of using the whole query string in the browser's address bar to do so.
this case a check against the ACL will be performed. This attempt at "guessing" the file's GUID will be double-checked, which provides an extra security measure.
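The following is an added illustration, not code from the paper or its LMS, of the level-based ACL and the GUID-named file storage described above: a file is stored on disk under a GUID only, its real name and permission level live in a database row, and both the course listing and the download are filtered by the ACL before any byte is streamed, so a guessed GUID with no database row, or one the user's level does not clear, yields nothing. Class and method names (LmsFileStore, stream, list_course) and the sample files are constructed for this example.

```python
import uuid
from dataclasses import dataclass

# ACL user levels from the paper: the lower the number, the higher the permission.
SYSTEM_ADMIN, COURSE_INSTRUCTOR, TEACHING_ASSISTANT, STUDENT, EVERYONE = 1, 5, 10, 15, 20


@dataclass
class FileRecord:
    """Database row: course, real name and permission level; the disk name is the GUID."""
    course: str
    display_name: str
    level: int  # least-privileged user level still allowed to see and download the file


class LmsFileStore:
    """Hypothetical store: content lives on 'disk' under a GUID, metadata lives in 'db'."""

    def __init__(self):
        self.disk = {}  # GUID -> bytes        (file server)
        self.db = {}    # GUID -> FileRecord   (database)

    def store(self, course, display_name, level, content):
        guid = str(uuid.uuid4())            # the name on the file server is the GUID only
        self.disk[guid] = content
        self.db[guid] = FileRecord(course, display_name, level)
        return guid

    @staticmethod
    def can_access(user_level, file_level):
        return user_level <= file_level      # lower level number means more rights

    def list_course(self, user_level, course):
        """Listing is filtered by the ACL, as the Web application does."""
        return sorted(r.display_name for r in self.db.values()
                      if r.course == course and self.can_access(user_level, r.level))

    def stream(self, user_level, guid):
        """Return the bytes to stream, or None. The ACL check runs before any byte is read."""
        record = self.db.get(guid)
        if record is None:                  # unknown or guessed GUID: no DB row, deny
            return None
        if not self.can_access(user_level, record.level):
            return None                     # e.g. a student requesting a TA-only file
        return self.disk[guid]


if __name__ == "__main__":
    s = LmsFileStore()
    ta_notes = s.store("CS101", "notes.pdf", TEACHING_ASSISTANT, b"TA-only notes")
    s.store("CS101", "notes.pdf", STUDENT, b"student notes")  # duplicate name, same course
    print(s.list_course(STUDENT, "CS101"), s.stream(STUDENT, ta_notes))
```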
6. References
[2] Bindiganavale, V.; Ouyang, J., "Role Based Access Control in Enterprise Application – Security Administration and User Management," IEEE International Conference on Information Reuse and Integration, pp. 111-116, 16-18 Sept. 2006.
[3] Chiang, C.-C.; Bayrak, C., "Modeling role-based access control using a relational database tool," IEEE International Conference on Information Reuse and Integration (IRI 2008), pp. 7-10, 13-15 July 2008.
[4] CISCO, Inc. Secure Use of VLANs: An @stake Security Assessment [Report]. @stake, Inc., 2002.
[5] Fennelly, L. J. Effective Physical Security [Book]. Elsevier Inc., 2004.
[6] Jakobsson, M. Modeling and Preventing Phishing Attacks. Phishing Panel in Financial Cryptography '05 (FC'05), 2005.
[7] Leach, P.; Mealling, M.; Salz, R. A Universally Unique Identifier (UUID) URN Namespace, July 2005.