I am Drik van Herk, 48 years old and active for over 22 years in developing online testing platforms for formative and summative testing. Within this domain, I started at Optimum Assessment as a developer and am now active as a software architect of our Optimum Assessment Platform.
Private hosting and cloud solutions have been the norm for a long time. However, we are currently seeing a transition of online assessment platforms to the public cloud. This type of solution involves using a shared online infrastructure from a cloud provider. The reasons for this transition are availability, easy scaling of required capacity, and a high degree of flexibility.
Besides the transition to a public cloud, we also see that many customers are looking for integrations with our platform, for example, with APIs for exchanging data. Think of registrations for tests or the results obtained. But easy access to the platform is also an important component. For this, Single Sign-On (SSO) is a frequently requested feature.
There is much uncertainty about the security of an online platform, especially about the data it processes and stores. For example, how are my test questions protected? Are personal data secure? Who can access the application?
To dispel these doubts, it is good to emphasize first that the public cloud does not have to be less secure than private hosting. On the contrary, the public cloud is more secure in several ways. Large cloud providers, which Optimum Assessment uses, are generally ISO 27001 certified. Because of this high standard of information security, there is a greater chance of warding off outside attacks such as DDoS. In addition, at Optimum Assessment, we develop our software based on the principles of privacy and security by design and of OWASP (Open Web Application Security Project). All of these measures contribute to optimal security.
We consciously apply these (technical) measures from design to implementation. Moreover, we provide layers of security in our platform, so that, should one fail, we can always fall back on the underlying layer of protective measures. In addition, we have all our actions audited annually by a specialized external party, so we have a four-eyes principle here.
In addition to these technical measures, we also ensure security in the application itself. For example, test content and personal data are only available where necessary and to those authorized to access them. In doing so, we try to make it impossible to steal this information from our application. We do this by deploying physical supervisors during the test administration or by applying online proctoring. We also offer possibilities to provide excellent and clear feedback on the test result but thoroughly screen out unnecessary content. Thus, we make only the necessary information available.
From design to implementation, we apply comprehensive privacy rules.