LMS365 uses end-to-end Encryption as a technical security measure to protect customer data being processed while data is in transit and at rest.
Data in Transit
Transmission of data between the application and Azure is secured using an encrypted TLS 1.2+ connection with AES encryption. SSL/TLS certificates are signed by a publicly known Certificate Authority using the SHA256 with a 2048 bit key.
Cookies containing session information and other sensitive data from the LMS365 platform are all configured with HttpOnly and Secure flags enabled. This protects the cookie contents from being accessed by scripting as well as from being transmitted over unencrypted connections.
Furthermore, the LMS365 application domain is included in the HTTP Strict Transport Security (HSTS) preload list of all major browsers, meaning that these browsers will never connect to the LMS365 application without an encrypted connection.
More information on the preload list can be found here: https://hstspreload.org/?domain=365.systems.
Data at Rest
Azure SQL Transparent Data Encryption (TDE)* helps protect the Azure SQL Server & Database(s) against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest. Each database page is decrypted when read into memory and then encrypted before being written to disk. Hence, data is never written to disk without first being encrypted.
* LMS365 uses TDE with a customer-managed key (BYOK) stored and managed securely within an Azure Key Vault within the Azure data region selected doing the installation.
For further information please visit: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql
Storage data (large file storage)
Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.
For further information please visit: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption.
Azure VPN encryption
Accessing customer data on the LMS365 platform requires a Point-to-site VPN connection using OpenVPN and a certificate with a 2048 bit RSA Encryption key to creating a secure tunnel with the Azure AD authorization to protect the privacy of the data being sent across the network. The Azure VPN client is distributed through Intune and is available for installation only by authorized users.