"Optimum security, also in the public cloud"

Key domain experts speaking: Drik van Herk

I am Drik van Herk, 48 years old and active in developing online testing platforms for formative and summative testing for over 22 years. Within this domain, I started at Optimum Assessment as a developer and am now active as software architect of our Optimum Assessment Platform.

The transition to public cloud

Private hosting and cloud solutions have been the norm for a long time. Currently, we are seeing a transition from online testing platforms to the public cloud. With this type of solution, you use a shared, online infrastructure from a cloud provider. Reasons for this transition are availability, easy scaling of required capacity and a high degree of flexibility.

Besides the transition to a public cloud, we also see that many customers are looking for integrations with our platform, for example with APIs for exchanging data. Think of registrations for tests or results obtained. But easy access to the platform is also an important component. For this, Single Sign-On (SSO) is a frequently requested feature.

Security in the cloud

There is a lot of uncertainty about the security of an online platform, especially the data it processes and stores. How are my test questions protected? Are personal data safe? Who all can access the application?

To dispel these doubts, it is first of all good to emphasise that the public cloud does not have to be more insecure than private hosting. On the contrary, the public cloud is actually more secure in a number of ways. Large cloud providers, which Optimum Assessment uses, are generally ISO 27001 certified. Because of this high standard of information security, there is a greater chance of warding off outside attacks such as DDOS. In addition, at Optimum Assessment our software based on the principles of privacy and security by design and of OWASP (Open Web Application Security Project). All these measures contribute to optimal security.

Additional security measures

Very deliberately, we apply these (technical) measures, from design to implementation. Moreover, we provide security layers in our platform. Should one fail, we can always fall back on the underlying layer with protective measures. In addition, we have all our measures audited annually by a specialised external party, so we have a four-eye principle here.

Only required information available

In addition to these technical measures, we also ensure security in the application itself. For example, test content and personal data are only available where necessary and to those who have authorisation to do so. In doing so, we try to make it impossible to steal this information from our application. We do this by deploying physical supervisors at test taking or applying online proctoring. We also offer opportunities for good and clear feedback on the test result, while completely shielding non-necessary content when viewed. This way, we only make necessary information available.