Delivering Online Training Securely

While the goal of any training program is primarily to make sure your trainees get the vital information they need to be successful, a secondary concern is to make sure that the same vital information does not make its way to anyone else. Organizations often are training employees and partners on material that is sensitive or confidential. Moving your training online can dramatically reduce your costs and make training more convenient and enjoyable for your trainees, but it can also introduce concerns about security. At Mindflash we take security extremely seriously and have gone to great lengths to protect all our customers’ content and ensure their training materials are only accessed by their trainees. We have taken a multi pronged approach to security.

Physical Security

Much like locking your house or car, we first have to make sure all data hosted with Mindflash is physically secured. While the engineering team at Mindflash are experts in coding, we are not experts in securing data centers. Fortunately the folks at Amazon Web Services (AWS) are. The Mindflash platform is 100% hosted with Amazon Web Services. So the same systems and standards that are securing everyone’s shopping and personal credit card information are also securing your training content. AWS is the most mature and trusted cloud infrastructure provider and many of your favorite online services are hosted with Amazon. AWS has earned numerous security and compliance certifications and has recently been certified by the Federal Risk and Authorization Management Program (FedRAMP) so even federal government agencies are running their services on the Amazon Cloud. You can read more about security at AWS here.

Access Control

Locking your doors doesn’t do you any good if you give everyone the key. At Mindflash we require every user, trainer or trainee, to login with a password. Requiring a password helps prevent people from gaining unauthorized access to your account as long as everyone can keep their passwords secure. Protecting against un-authorized access to your user account only works if we both do our part. Our part includes:

• Storing your passwords in an encrypted hash: We store all passwords as an encrypted hash in our database instead of storing the actual plain text password. When a user logs in we generate an encrypted hash of the password they entered and compare it to the hash we have stored in the database. This prevents your password from being retrieved in the extremely unlikely case that a third party ever gained access to our database. It should be noted that this is also why no Mindflash representative is able to retrieve your password or login on your behalf. Because of this, if you lose your password you will need to request a password reset and a link to set a new password will be emailed to you.
• Login users using a Secure Socket Layer (SSL): If you login to Mindflash using https Mindflash will use a 256bit encrypted SSL connection between your browser and our servers to ensure your password is not intercepted as your request travels across the internet.
• Levels of access: For accounts on the Pro plan we have recently introduced a level of access feature which allows you to grant administrators, trainers, and managers different levels of access to the system

We can only do so much to prevent un-authorized access. We also need your help and that is where we get to your part:

• Don’t share accounts. Make sure every user has their own account on Mindflash. When you share accounts you lose the ability to control access at the individual level and you lose the ability to manage access when someone is no longer part of your organization
• Don’t pick easily guessable passwords. Also, don’t write your password down. 
• Archive users who no longer need access to the system. All your user records will be retained but the user will no longer be able to login to Mindflash. You can always un-archive the user at any time.

Content Security

  by    alex_ford  

One of the biggest concerns people have with online training is content security. At Mindflash we understand that your training content is proprietary and we go to great lengths to keep it safe while still allowing fast streaming to your trainees wherever they are in the world. The first thing we do is we store all content on Amazon’s Simple Storage Service (S3). S3 allows us to make sure your content is not only stored redundantly to protect against data loss but also secured so it cannot be accessed by anyone other than your trainees.  Many web applications store and serve content directly from S3. We specifically do not because it doesn’t provide the security our customers demand.  When you serve content directly from S3, links to that content can be intercepted or shared and now your content can be accessed by anyone who has the link.

At Mindflash we store content on S3 but serve content from a Content Delivery Network (CDN). When a trainee requests a piece of content from Mindflash, that content is copied to a secure CDN edge location that is physically closest to the trainee. Once the content is copied, a secure link is generated specifically for that trainee and that piece of content. The link is also given an expiration time. When the trainee’s browser requests the content from the edge location, the link is verified to ensure it is still active and if it all checks out, the content is delivered to the trainee’s browser. Even if someone were to go to the great lengths required to sniff out the link, it would be useless to try and share because it will have expired before someone could use it.

While this might sound a bit complex, all of this is handled behind the scenes by our course player in your browser or on our iPad app. As long as your trainee is logged into Mindflash, they don’t need to worry about any of this because the player handles everything automatically, including generating new content links as they expire. All you need to know, is that your content will always be served from a secure location that is as close as possible to your trainees.

We take content security so seriously we don’t even allow ourselves to access your training materials. No Mindflash employee is allowed to access customer content unless specifically authorized by the customer. This is why in the unlikely event there is a problem converting your content you will see a pop-up message asking if we can be granted access to view the content so we can investigate the issue. Unless you grant us this access no one at Mindflash will view your content.

Hopefully this post answers many of the concerns you may have about online training security but, as always, if you have any questions, we are always happy to do our best to answer them. Hopefully this will allow you to focus on creating great training material, while we stay focused on delivering it smoothly and keeping it secure.

Share this on