Database and Security Overview – lmsportals

LMS Portals is a powerful cloud-based, multi-tenant Learning Management System (LMS) designed with centralized administration and robust security. This document provides LMS Portals administrators with guidance on database management, security practices, and system hardening to ensure data integrity and compliance.

Database Security

LMS Portals prioritizes the security and integrity of each client’s data. Below are the key security practices implemented:

2.1 Dedicated Database

Each portal has its own dedicated database, providing:

Easier debugging and issue resolution in real-time.
Enhanced performance and query execution speed.
Reduced risk of system-wide breaches.

2.2 Dedicated Database Credentials

Each database is created with unique credentials.
Passwords are stored in an encrypted format.
Access to credentials is strictly controlled and not shared publicly.

2.3 Indexing

Indexes are implemented on frequently queried columns to improve database performance.
Optimized indexing ensures faster query execution, especially for complex joins.

2.4 Cascading / Constraints

Foreign key constraints with cascading operations are used to maintain relational integrity.
Deleting parent records automatically removes dependent child records, preventing orphan data.
Cascading also prevents accidental deletion of child records directly.

2.5 Minimize Database Value

Only essential data is stored in the database.
Unnecessary records are periodically purged.
Sensitive data that must be retained for compliance can be moved to secure offline storage.

2.6 Strong Password Requirements

Minimum of 8 characters.
Must include uppercase, lowercase, numbers, and special characters.
Passwords are hashed using SHA-512 with a long encryption key.
All sensitive data is encrypted at rest.

2.7 Backups

Automated daily database backups are performed.
Backups protect against data loss from hardware failures, data corruption, hacking, or natural disasters.

2.8 SQL Injection Prevention

LMS Portals leverages the CodeIgniter framework to prevent SQL injection.
Query builders and input escaping protect against malicious query manipulation.

2.9 Database Physical Security

Direct database access is restricted to authorized personnel only.
Dedicated credentials prevent unauthorized access.
Sensitive configuration details are removed from public code or comments.

Server and Application Security

Strong Cryptography

Sensitive data is encrypted using SHA-512 hashing.
Proprietary encryption functions protect database and configuration credentials.
No passwords or encryption keys are stored in plain text.

Directory Exposure Prevention

Subdirectories and file listings are disabled.
.htaccess files prevent unauthorized directory access.

Restricted Database Administration

Direct access to phpMyAdmin is blocked for unauthorized users.
Database access is limited to approved IP addresses.
Unauthorized attempts redirect to a forbidden page.

Server Hardening

fail2ban is configured to block repeated failed login attempts (maximum 3 attempts).
SSH connections require a private key and passphrase for secure access.

Handling Sensitive Information

No sensitive credentials are stored in code comments.
API keys, client IDs, and passwords are encrypted in the database.
Dead links and unused database entries are regularly removed to reduce attack surfaces.

Summary of Administrator Best Practices

Regularly review portal activity and enforce password rotation policies.
Ensure only required data is stored and purge unnecessary records.
Monitor backup processes and confirm successful restores periodically.
Limit database and SSH access to trusted personnel and IP addresses.
Stay informed about LMS Portals security updates and best practices.