The issue of automation of information technology support for distance learning is the subject of many studies and heated discussions among scientific and pedagogical workers, as well as the object of special attention from society. Existing software platforms supporting the educational process provide solutions mainly to problems of management of the digital learning environment, while only partially responding to challenges and threats from cyberspace and the potential for dishonest actions by participants in the educational process. The paper analyzes the characteristics of common learning management systems and identifies the security functions implemented in them. Based on the concept of Zero Trust, the paper proposes an appropriate threat model for the digital learning environment and formulates proposals for building an improved information security policy and implementing relevant mechanisms and architecture for Distance Learning System (DLS) security.
Distance learning spreads easily due to the natural adaptability of young people to the surrounding world and the technologies that evolve in it [1]. The relevance and spread of this education support technology began to grow rapidly in the conditions of strict quarantine due to the COVID-19 pandemic [2]. Recently, advanced experience has been gained in the use of distance learning tools for the training of specialists in various fields of humanitarian and natural sciences. In the conditions of martial law, more and more Participants in the Educational Process (PEP) are forced to switch to distance learning, which determines the need to create Distance Learning Systems (DLS), that by the requirements of the law [3–5] can ensure the protection of personal data processed and stored in them, as well as to prevent unauthorized use of educational resources of systems, violation of their integrity and availability.
A distance learning system is understood as a set of hardware and software platforms, including a Learning Management System (LMS), educational information resources, methodical support, and reporting documents, as well as participants in the educational process who support the functioning of the system and use it as intended [6].
The issue of automation of information
technology support for distance learning is the
subject of many studies and heated discussions
among scientific and pedagogical workers, as well
as the object of special attention from society. As
the world becomes increasingly digital, the need
for secure distance learning systems will only
grow, as there is no alternative to investing in
modern technologies to ensure the security of
digital learning environments. Lack of proper
attention to this issue can have negative
consequences in the medium and long term [
The analysis of the latest scientific and
practical publications on the construction of
reliable and safe DLS, as well as the state of
regulatory and legal support of the relevant
processes, shows the importance of conducting
research and development in the field of
information security of digital educational
environments [
In particular, in [
Existing approaches to the construction of
information security policy and its components
are generally considered in international and
national standards [
The main provisions and architecture of the
concept of Zero Trust are given in [
It should be noted that the analysis of the
publication [
The review shows the efforts of scientists and practitioners to solve the problem of building and protecting the digital learning environment of higher education institutions using different approaches. However, the issue of improving their information security policy is still an urgent task.
Taking into account a detailed comparison of
the provisions of the concept of Zero Trust
[
The purpose of the work is to develop and research the principles and methods of building the Information Security Policy of the domestic distance learning system, including: • Analysis and comparison of the state of information security of common educational platforms. • Formation of a model of threats to the DLS based on the concept of Zero Trust. • Determination of practical aspects of improving the information security policy based on the concept of Zero Trust and mechanisms for ensuring the protection of information resources of the DLS. 2. Analysis of the Security Functions of Common Educational Platforms and Formation of a Threat Model Based on the Zero Trust Concept
Considering the publications [
Taking into account the analysis of the generalized data, it is possible to pay attention to the fact that the “User authentication” function is implemented in all identified systems, while multifactor authentication is provided in products 1–4.
The Access Control feature in the abovementioned LMSs is mostly controlled by the learning event organizer, and only in product 1 role-based access control is announced.
The availability of the “Event monitoring, logging” function in products 1, 3, and 5 allows to monitor of the occurrence of certain incidents in environments and facilitates investigation in cases of undesirable situations.
All products in one way or another provide encryption of data transmitted between the server and client browsers, in particular, using the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols, which increases the security of confidential information when it is forwarded through an unprotected environment. At the same time, only product 4 provides encryption of data during their storage on servers.
The implementation in products 4 and 5 of the Privacy Policy function allows you to store data only as long as it is necessary to provide the service or allow users to control their data. Таble 1 Security functions of educational process support systems 5
Khan Academy
+ HTTPS + + + + Educational process support systems (LMS)
2 3 4 Blackboard Canvas ClGasosorgoloem
+ + + SSL/TLS
HTTPS
SSL/TLS Security functions of systems
User authentication Access control/management Event monitoring, log keeping
Data encryption Personal information privacy
policy Backup copying
Security testing/auditing/updating
Strong password policy Moodle 1 + + + + + +
The “Backup copying” function, provided in products 1 and 2, forms the basis for ensuring the stable functioning of the LMS and the possibility of restoring its operation in the event of the implementation of threats that can lead to the destruction of critical information resources.
All analyzed LMSs have built-in “Security Testing/Audit/Update” functions in a certain way, which should be considered a positive factor in terms of responding to possible dangerous changes in the surrounding environment.
Based on the conducted analysis, it is possible
to claim that among the considered LMSs, product
1 has the best functionality from the point of view
of ensuring the confidentiality and availability of
information resources, as well as the observation
of processes. It is easy to see that this functionality
meets the minimum security requirements defined
in [
At the same time, none of the above-mentioned systems provides functions and mechanisms for checking the integrity and authenticity of resources as well as their authorship.
Note that the concept of Zero Trust applies to
all participants in information exchange,
therefore, based on the ontological model of the
educational process proposed in [
The role of “security manager” (denoted by M) involves granting them the authority to manage tools, measures, and parameters for the information security of the DLS. This role does not involve access to documents and materials of the learning environment for their modification.
The roles of the officials of the dean’s office of the educational institution (denoted by D) require to be given to them the authority in the system to approve plans, programs, class schedules, and information on the results of the final events as well as implement control over the progress and results of the educational process. The specified RSA/D-H + + roles provide access for modification of the relevant resources and fixation based on the results of measures to control the current state of information resources, including accounting logs.
The role of “teacher” (denoted by P) involves the direct implementation of the educational process, including the development of drafts of programs and plans of the educational discipline, the formation of educational and methodological support, conducting lectures, seminars, practical and laboratory classes, tests, keeping records of attendance at these classes and evaluating students based on their results, final control, etc. The role of P requires, in particular, to give them access to the instructional documents of the educational institution for “reading” and the approved Educational Methodical Support (EMS) for the educational discipline he or she teaches, to “form and edit” drafts of the EMS documents (before their approval).
“Student” roles (denoted as S1 … SK) require access to the resources of the EMS of the educational discipline and the authority to download reporting materials based on the results of training to record their status and integrity and to confirm authorship. Each reporting resource must be certified by the teacher as a fact: “the document as it is at the current time.” The change of reporting documents of the type “modular control work” must be approved by the role “dean’s office” (D).
Potentially, regarding the information resources of the educational environment I1, I2, …, IK, which are owned (or created) by certain participants of the educational process and require the protection of confidentiality, integrity, or availability, the following operations can be implemented: • Fr is a forgery—actions of some of the participants in the educational process aimed at misleading another participant by creating a fictitious information resource. • Md is modification—unauthorized actions of some of the participants in the educational process aimed at changing the real state of the information resource or its parameters (for example, the time and date of creation, identifier of the author of the resource, etc.). • Ms is masking—the actions of some of the participants in the educational process, aimed at misleading another participant and implemented by bypassing the access control system in the DLS or by using real personal identification and authentication parameters (for example, login and password) of a third participant. • Rj is a refusal to receive a certain resource or document placed or created by another participant in the educational process in the educational environment within the time and space frameworks determined by the regulation of the system by the established powers (for example, failure to confirm the fact of receiving the completed task within the specified time limit).
It remains to define the last side of the threat model—the violator of information security (let’s denote them as HC), who can act independently or in collusion with some participant in the educational process for unauthorized access to information resources I1, I2, …, IN—digital educational environment DLE and can potentially implement any kind of illegal operation(All).
Taking into account the assumptions made, a model of threats to the security of DLS was formed based on the concept of Zero Trust (Fig. 1).
In the given model, it seems appropriate to assume that only the following roles can potentially “act in a coalition” (collusion), namely: certain Si and HC, or Si and Sj, or Si and T, or Si and D.
To avoid disagreements or uncertainty in security policy, it is further assumed that the role of security management does not involve coalitions, nor is a coalition of three participants in the educational process possible. 3. Practical Aspects of Building the
Information Security Policy of the Distance Learning System based on the Concept of Zero Trust
The following were selected as the initial data
for the formation of the Information Security
Policy of the DLS:
• The provision of the law defines a safe
educational environment as a set of conditions
in an educational institution that make it
impossible to cause harm to the PEP, in
particular as a result of non-compliance with
the requirements of the legislation on cyber
security or personal data protection [3], as well
as academic integrity as a set of ethical
principles and rules that have to be guided by
the PEP during training, teaching and carrying
out scientific activities to ensure trust in the
results of learning achievements [4].
• Requirements of standards and regulatory
documents on information protection
[
Based on these data, using the constructed model of threats to the digital educational environment, the following basic principles of the Information Security Policy of DLS were formulated: • Awareness is the participants of the educational process should be informed in detail about the established procedure and conditions for the protection of information resources in the digital educational environment and about their obligation to comply with information security norms. • Responsibility is the participants are responsible for their actions that negatively affect information security (information dishonesty). • The response is the participants in the educational process act together to prevent, identify and respond to incidents in the information security system of the digital educational environment promptly.
A detailed definition of a partial response policy to incidents in the system is of special importance for the Information Security Policy of the DLS, which corresponds to the principles of the concept of Zero Trust. At the same time, a detailed incident response plan should be developed, which defines the areas of responsibility of the PEP and their tasks, recommendations regarding the sequence and content of the actions of officials in the event of a security incident and its investigation, proposals for measures to reduce the negative impact of incidents on the educational process and prevent their occurrence in the future (implementation of countermeasures).
Taking into account the recommendations of
security standards [
Development of incidents, which may include activities of surveying the
PFP, studying documents, copying information on media, viewing email, etc. 3. Formation of response procedures:
Determination of response tools, which may include localization
of the incident, temporary blocking of individual resources and/or users, adjustment of resource access policies, unplanned change of security parameters, etc. These tools are applied at certain steps of the response procedures.
Development of a basic set of response procedures to be followed by the IRT for each level of incident complexity.
Development of a list of measures/a plan to contain the incident and restore the initial state of the system. This plan identifies specific steps to prevent the incident from spreading and restore the system to a stable operation.
of the procedures for checking the effectiveness of the incident localization plan and restoring the initial state. 4. Conclusions, testing, and improvement:
Adjustment of the basic policy based on the findings of the incident investigation.
Conducting regular training to keep IRT skills up-to-date.
Regular testing of the incident response plan to ensure its relevance and effectiveness.
By its very nature, an information security incident response
plan should be a guiding document that is regularly updated to reflect new threats and changes in DLS security.
To a large extent, the effectiveness of the implementation of security measures, provided for in the information security policy of the DLS, depends on the reliability and sufficiency of the mechanisms used to protect the educational environment, so it seems appropriate to pay attention to the specifics of their implementation by the concept of Zero Trust. 4. The Architecture and Protection Mechanisms of DLS based on the
As it was noted, the mechanisms for ensuring the confidentiality and availability of information are implemented in common learning management systems. At the same time, the issues of ensuring integrity remain open. That is why it seems appropriate to pay attention to the requirements for minimizing the risks of illegal transactions in the initial environment Fr, Rj, Md, Ms.
A logical preventive measure to reduce the risk
of data forgery operations Fr, refusal to create or
receive Rj, or modification Md of an information
resource created by another participant in the
educational process, in conditions of Zero Trust
can be the implementation of a parallel structure
of a
digital
collective
signature
based
on
asymmetric cryptography [
The main disadvantage of this approach is the need for significant financial expenses of the educational institution to create and maintain the functioning of its own secure open-key certification center or to obtain relevant services from an accredited center. It should also be taken into account that the procedures for forming and verifying a digital signature are performed quite slowly compared to symmetric cryptographic transformations.
Under
the
conditions
of the
specified
assumptions, to ensure data integrity control in the
educational digital environment, it is proposed to
implement message authentication codes using a
reliable block encryption algorithm [
( ) is a bit string of length m which is the authentication code of the message (information resource, data) M supplemented with the time and date of its creation, as well as unique identifiers of its originator and other participants in the information exchange. = 1 ∥ 2 ∥ … ∥ is the submission of the message M in the form of a concatenation of blocks of equal length for their processing (the last block can be supplemented with a sequence of identical bits up to the specified length of the block to be encrypted). using the key .
is a secure block encryption algorithm ℎ
is the function of selecting the first m bits from the data block.
To prevent the coalitional falsification of
information
resources
in
the
educational
environment, it is proposed to create a joint secret
(private) key k [
{ , , } are for the case of resource control created by the student, accepted by the teacher, and confirmed by the dean’s office:
= ⊕ ⊕ , { , , } are for the case of resource control created by the teacher, confirmed by the dean’s office and security management:
= ⊕ ⊕ , where , , ,
are private keys of the student, teacher, dean’s office, and security management, respectively.
In the case of control of a resource created by the student and by the dean’s office and confirmed by the security management, which, according to our assumption, cannot be a member of coalitions, the private key is the result of adding the private keys of the dean’s office and the security management: PEP collusion is the introduction of multifactor authorization technology.
In particular, one of the factors in increasing
the reliability of the identification of PEP, as well
as reducing the risk of Ms masking, could be the
introduction of electronic scorebooks, which was
proposed in [
practical developments in this direction remains open.
Encouraging experimental results regarding
identification were obtained in [
It should be noted that this means that, on average, in about 10% of cases, the identification may not be satisfactory, and a legitimate PEP may not be identified, which reduces the effectiveness of using this method as the primary mechanism for identifying users of the DLS.
At the same time, the advantage of the method
of identifying a person by voice is the possibility
of software implementation of the corresponding
recognition algorithm [
DLS resources, registered in the system event log in the form of personal biometric information, can be used as indisputable evidence during incident investigations. The perspective of this approach is also enhanced by the possibility of creating certain random content during authentication, which can be used to modify the parameters of identification systems and control the integrity of resources.
Another user identification mechanism that has proven its effectiveness, in particular, in bank payment systems, is the confirmation of access to the system through an additional channel, through a smartphone application.
creates an additional way to pass identifying information that is difficult to track even at the Hc role level.
Taking into account the above considerations, the DLS user identification procedure will include (5) (6) = 〈 1, … ,
, ∈ {̅̅0̅,̅9̅̅}, Pr( = ) = 10−1, ∀ ∈ {̅̅0̅,̅9̅̅} , = 1,2, … , 〉, and invites them to read aloud. The length of the sequence w must be sufficient to identify the user by voice. On the other hand, to prevent brute force attacks, the length of the sequence must satisfy the inequality: 10 > ∙ , where
—the maximum speed of sorting through the variants of the sequence using the computing equipment at the disposal of the potential infringer,
—the time limit for the attack. In fact, (5) and (6) are the requirements for a strong password.
= ⊕ .
Ensuring the efficient operation of the the following steps: authentication subsystem is a central task in the process of creating any secure system. At the same time, in the case of the model of Zero Trust, the classic method of PEP authentication based on the “login-password” pair is ineffective due to the potential collusion of some PEPs.
1. Access to the system using a personal login and password. 3. Based on the received audio information, the system
attempts to identify the user using a database of standards—samples of PEP voice messages
4. In the case of a positive conclusion about the authentication of the PEP, the system informs them about it and gives them access to the digital learning environment (DLE) according to the access control matrix.
5. If the voice identification procedure is completed with a negative conclusion, a corresponding entry is made in the event log, and the person
who applied for identification is offered to confirm the identity by answering questions in the mobile application, but at the same time, some functions of the DLS for the user may be limited.
6. With the help of a secure hashing function H, the sequence of decimal numbers presented in the form of a bit string is expanded to the length of the private key of the corresponding PEP, thus creating a mask = ( ), which is used to modify the user’s password: the modified user password will be applied, and this improves the security of copying the key, which is stored on a medium such as flash memory, in compliance with the rules that must be defined by regulatory documents on the security system.
Taking into account the comments made and
the established rules of information protection in
information and communication systems [
Event Management System (EMS) is an event management system including registration.
(ICTS) is the integrity control system and protection system testing.
transport layer protection protocol.
To ensure the transparency of the proposed solution, mainly the elements corresponding to the constructed threat model are shown in Fig. 2 not including some other important components that are typical for any protection systems, for example, a system for creating backup copies of a digital learning environment. Zero Trust are used in Fig. 2:
The following abbreviations and designations
Identity and Authentication Management (IAM). • • • • • •
A Cryptographic Protection System (CPS) is a cryptographic protection system that provides key management, the generation of initial passwords for new users during their initialization, the formation of MAC codes, and file encryption.
Database of Audio References (DAR) is a database of voice standards of DLS users. 5. Conclusions and Further Research
Within the framework of the research, based on the concept of Zero Trust a model of threats to the DSL was developed, and practical aspects of improving the information security policy were determined, taking into account the requirements of the law and the concept of Zero Trust. Also, the mechanisms to ensure the protection of information resources of the DSL were proposed.
It seems appropriate to focus further research on the definition of safety protocols and interfaces of the components of the protection system and on modeling its behavior in conditions of random failures and failures of tools and equipment. 6. References