ReviewLink and Security Concerns

blucero
blucero Community Member Posts: 17 ♪ Opening Act ♪
Hi All,



We've been using ReviewLink since it came out and use it extensively with our customers and really like the way it works. Those of you who use RL know that new users receive an email message indicating their new ReviewLink status and are prompted to change their randomly assigned password. When this is completed, an email message is sent to the user with their login and password in the same message. One of our IT security employees saw this and made us aware of the company security policy violation. One of the concerns is employees are using their internal network passwords as their ReviewLink password. Additionally, the email is sent in a non-secure format. So as of three weeks ago, we are not allowed to use ReviewLink at all. Aargh! Trivantis has been notified and understands the concern. There is no indication that a solution is coming anytime soon. Anybody have the same problem and if so, do you have a workaround?



We've already thought of informing our employees to use another password, but this isn't enough to satisfy our IT department. Thanks for your thoughts!

Comments

  • rwalters
    rwalters Community Member Posts: 276
    This is a huge security flaw. So far my workaround has been to warn people not to use a password they use for other websites as it sends the password unencrypted in an email. This has received some complaints but so far we have still been able to use it.
  • mshawn63
    mshawn63 Community Member Posts: 10
    That is something I had not thought of and we use ReviewLink frequently with all of our internal customers. I'm going to have to now go ask the question of our IT group about it. Thank you for making us aware of this.
  • grhnasen95
    grhnasen95 Community Member Posts: 5
    I love ReviewLink but am working with a new client that has security concerns about putting our courses on the cloud.so now I need to provide information that it is secure. Well I am already concerned because this topic above is still an issue where the username and password are both sent in an email... Did anyone else do research for their company and found that it is secure?.. or is not secure enough for them to use? I did find out that ReviewLInk is hosted in Amazon's cloud but need to put some documentation together for the client to make a decision. Any information would be helpful.. Thanks
  • karen-jensen
    karen-jensen Community Member Posts: 35 ♪ Opening Act ♪
    This is on the Trivantis site frequently asked questions. I have never had an issue with RL:

     

    <span class="fl-accordion-button-label">Is ReviewLink secure?</span> <i class="fl-accordion-button-icon fa fa-minus"></i>
    <div class="fl-accordion-content">

    All content published to ReviewLink and data transmitted between Reviewers and Publishers is private, secure, and password protected. ReviewLink is hosted on a secure server using a multi-tenant architecture, and all pieces of content are individually firewalled. For data integrity security, all data is stored in a SQL database that is accessible only from the ReviewLink application server. The files are never stored directly to a disk file that is accessible externally. All data is transmitted and received between Lectora and ReviewLink using 128-bit AES encryption. All content and comments are password protected such that it cannot be accessed without being logged into the system.

    </div>