Thinking about LMS architecture and risk containment
43 views
Skip to first unread message
Charles Severance
May 14, 2026, 4:48:31 PM (3 days ago) May 14
to dev sakai
Colleagues,
The recent discussions around the Canvas security incident got me
thinking about an architectural tradeoff that we probably do not talk
about enough in higher education technology.
This is not meant as criticism of any particular vendor or platform. Any
sufficiently large system will eventually have operationl or security
incidents. That is just the reality of modern software systems at scale.
But architecture *does* affect "blast radius".
One thing I have always appreciated about the Sakai ecosystem is that
institutions tend to operate independently managed LMS environments
instead of participating in one very large multi-tenant instance. It is
not the easiest thing to do. Centralized single instance platforms keep
things simple easy, and convienent, but there are also advantages to
separation and bright walls between systems.
When systems are independent, a problem in one environment does not
automatically become a problem for everyone. Operational mistakes,
credential leaks, and even security breaches can often be contained more
effectively. Even a bit of version skew (which we usually don't like)
between servers can serve as a confounding factor for would-be
attackers. There are 150K Moodle servers around the world - how
difficult would it be for an attacker to compromose all of them at the
same time.
One of the use cases I always had in mind for SakaiPlus from the
beginning was that it could coexist with an institution’s primary LMS
instead of trying to replace it outright. A bit of technology geneitic
diversity as it were.
SakaiPlus can plug into Canvas, D2L, Blackboard, or other systems as a
single LTI tool. The learner activity, content, and interaction data
remain stored within locally managed Sakai infrastructure. The primary
LMS still handles enrollment flows, SIS integration, and final grade
reporting. Even if you have a vendor provide and support your Sakai
instance - it is still an independent instance with complete isolation
from all other Sakai instances from the same vendor or locally hosted.
I always liked the idea that a campus could continue using its
enterprise LMS while also giving faculty the option to teach in an
environment where the student activity data lived entirely on
university-owned and university-managed infrastructure.
There is no perfect architecture. Centralized systems bring consistency
and economies of scale. Distributed systems bring flexibility and
containment. But recent events are a useful reminder that resilience is
not just about preventing failures. It is also about limiting how far
failures can spread.
— Chuck
The recent discussions around the Canvas security incident got me
thinking about an architectural tradeoff that we probably do not talk
about enough in higher education technology.
This is not meant as criticism of any particular vendor or platform. Any
sufficiently large system will eventually have operationl or security
incidents. That is just the reality of modern software systems at scale.
But architecture *does* affect "blast radius".
One thing I have always appreciated about the Sakai ecosystem is that
institutions tend to operate independently managed LMS environments
instead of participating in one very large multi-tenant instance. It is
not the easiest thing to do. Centralized single instance platforms keep
things simple easy, and convienent, but there are also advantages to
separation and bright walls between systems.
When systems are independent, a problem in one environment does not
automatically become a problem for everyone. Operational mistakes,
credential leaks, and even security breaches can often be contained more
effectively. Even a bit of version skew (which we usually don't like)
between servers can serve as a confounding factor for would-be
attackers. There are 150K Moodle servers around the world - how
difficult would it be for an attacker to compromose all of them at the
same time.
One of the use cases I always had in mind for SakaiPlus from the
beginning was that it could coexist with an institution’s primary LMS
instead of trying to replace it outright. A bit of technology geneitic
diversity as it were.
SakaiPlus can plug into Canvas, D2L, Blackboard, or other systems as a
single LTI tool. The learner activity, content, and interaction data
remain stored within locally managed Sakai infrastructure. The primary
LMS still handles enrollment flows, SIS integration, and final grade
reporting. Even if you have a vendor provide and support your Sakai
instance - it is still an independent instance with complete isolation
from all other Sakai instances from the same vendor or locally hosted.
I always liked the idea that a campus could continue using its
enterprise LMS while also giving faculty the option to teach in an
environment where the student activity data lived entirely on
university-owned and university-managed infrastructure.
There is no perfect architecture. Centralized systems bring consistency
and economies of scale. Distributed systems bring flexibility and
containment. But recent events are a useful reminder that resilience is
not just about preventing failures. It is also about limiting how far
failures can spread.
— Chuck
Adrian Fish
May 15, 2026, 3:06:14 AM (2 days ago) May 15
to Charles Severance, dev sakai
Well said. I most definitely thought of you when I read about the Canvas outage!
El jue, 14 may 2026 a las 21:48, Charles Severance
(<drc...@learnxp.com>) escribió:
> --
> You received this message because you are subscribed to the Google Groups "Sakai Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to sakai-dev+...@apereo.org.
> To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/sakai-dev/afddc47e-078e-4121-a543-6d2d7ef7cb9c%40learnxp.com.
El jue, 14 may 2026 a las 21:48, Charles Severance
(<drc...@learnxp.com>) escribió:
> You received this message because you are subscribed to the Google Groups "Sakai Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to sakai-dev+...@apereo.org.
> To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/sakai-dev/afddc47e-078e-4121-a543-6d2d7ef7cb9c%40learnxp.com.
Charles Severance
May 15, 2026, 9:14:49 AM (2 days ago) May 15
to dev sakai, Adrian Fish
On 5/15/26 3:05 AM, Adrian Fish wrote:
> Well said. I most definitely thought of you when I read about the Canvas outage!
was sadly prescient:
https://www.linkedin.com/posts/charlesseverance_the-mass-outsourcing-and-export-of-student-ugcPost-7450202165039562752-jf7H?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAB-M7ABOYrPrtTjneauBtC-0FavJO3QQVo
I followed it up with a post after the event more about the event itself.
https://www.linkedin.com/posts/charlesseverance_change-is-good-a-parody-of-a-parody-share-7460315794179043328-bSM0?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAB-M7ABOYrPrtTjneauBtC-0FavJO3QQVo
If any of you want to study up on Learner Privacy issues so you can have
a good internal conversation about privacy, I made a little lecture
series that I called www.learnerprivacy.org about five years ago. It is
best viewed as a YouTube Playlist.
The first episode / lecture features me as a detective in a dimply lit
room drinking fake scotch and is filmed in black and white. The first
episode documents when, how, and why higher education lost control of
their student's data. It starts in the late 1990s and goes through 2020.
https://www.youtube.com/watch?v=13cC62jLAHo&list=PLlRFEj9H3Oj5_COWemO4hxAFpgPhqOY7e&index=1
It is a fun watch. Later episodes go into detail on topics like "The
FERPA Fig Leaf (002)" and "GDPR - The Flaws and Foibles of a
Well-Intentioned Privacy Policy (004)".
At a minimum they fella bit more relevant in the light of recent events.
I think former Sakai schools who understand privacy should have some
internal conversations about a possible SakaiPlus Pilot in the fall.
Sakai is definitely ready willing and able to help campuses to create
a responsible and gentle path forward improving student privacy on their
campuses.
No pressure, no panic, just some small quiet investment in contemplating
if there is a better way.
As the YouTube Influencers say, Like, Share, and Subscribe :)
/Chuck
P.S. My second race car - Black Mustang is sponsored by LearnerPrivacy.org
Reply all
Reply to author
Forward
0 new messages