RMM Central - Security Policy

Security and data protection have been of paramount importance to RMM Central ever since its inception. RMM Central aims to create a secure operating environment for service providers and their customers, and that is why a comprehensive set of practices, technologies and policies has been developed to make sure all data stays secure. This document describes how we provide security to our customers. Our security strategy involves the following components:

I) Organizational Security

We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all interested parties. We employ strict policies and procedures encompassing the security, availability, processing integrity, and confidentiality of customer data.

Employee background checks

Each employee undergoes a process of background verification. We hire reputable external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records (if any), and educational background. Until this check is completed, the employee is not assigned tasks that may pose risks to users.

Security Awareness

Each employee, when inducted, signs a confidentiality agreement and an acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We also provide training on specific aspects of security that they may require based on their roles.

We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.

Dedicated security and privacy teams

We have dedicated security and privacy teams that implement and manage our security and privacy programs. They regulate and maintain defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.

Internal audit and compliance

We have a dedicated compliance team to review procedures and policies in ManageEngine to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.

For more details, check out our compliance portfolio.

Endpoint security

All workstations issued to ManageEngine employees run up-to-date OS versions and are configured with anti-virus software. They comply with our security standards, which require all workstations to be properly configured, patched, and tracked and monitored by ManageEngine's endpoint management solutions. These workstations are secure by default: they are configured to encrypt data at rest, enforce strong passwords, and lock when idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.

II) Application/Data Security

Secure by Design

We adhere to secure coding guidelines throughout the Software Development Life Cycle (SDLC), and all our developers are trained in these guidelines. As a next step, we screen code changes for potential security issues, first by manual review and then with our code analyzer. This entire process is carried out before the release of any new feature, and any issue that surfaces during this check is rectified immediately. Furthermore, a robust security framework based on the OWASP standards is implemented in the application layer. This framework provides means to mitigate threats such as SQL injection, cross-site scripting, application-layer DoS attacks, code injection, authentication bypass and file-upload-related vulnerabilities. In addition, we conduct regular sessions to keep developers informed about secure coding practices.

Identity and Access Control

  1. Single Sign-On (SSO):

    We support SAML-based Single Sign-On (SSO), which lets users integrate their company's Identity Provider, such as AD FS or Okta, with RMM Central acting as the Service Provider. SSO simplifies the login process, supports security compliance, and gives administrators effective access control over users. It also reduces the risk of password fatigue, and hence of weak passwords.

  2. Two-Factor Authentication:

    Two-Factor Authentication provides an extra layer of security by demanding additional verification from the user. This reduces the risk of unauthorized access if a user's password is compromised. Two-Factor Authentication can be done through email or an authenticator app such as Zoho OneAuth, Google Authenticator, Microsoft Authenticator, DUO Auth, etc.

  3. Role Based Access Control:

    Role Based Access Control allows only authorized users to access a specific function. Users can access only the functionality permitted to their designated role. We follow role-based permissions to minimize the risk of data exposure.

Management Agent Security

Trusted Communication:

The management agent always sends its identity, in encrypted form, to the server for mutual authentication. Only an agent with a trusted certificate can contact or interact with the server. This behaviour is configurable to suit your requirements; refer to this document to learn how.

Client Certificate Authentication:

The RMM Central server uses client certificate authentication to authenticate agent-installed computers that try to establish a connection with the server. Each agent has a unique certificate and a corresponding private key, with the certificate signed by the server's trusted root certificate authority. If validation of the certificate and key succeeds, the server accepts the agent's connection; otherwise the connection is dropped. Learn more about how to configure it here.
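The following Go program is an added illustration of the client certificate check described above; it is example code written for this page, not RMM Central's implementation. It issues a constructed root CA, a server certificate and two agent certificates, one signed by that CA and one with the same name signed by an unrelated CA, then runs each agent through a mutual-TLS handshake against a loopback listener. The certificate names, the loopback address, the session-ticket setting and the `Scenario` helper are assumptions of the example. The server accepts the first agent and drops the second during the handshake, before any request is read.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
var serial int64 // constructed serial counter; a real CA records every serial it issues
func must(err error) {
	if err != nil {
		panic(err)
	}
}
// newCert issues an ECDSA P-256 certificate: a self-signed root CA when parent is nil, otherwise a leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the server listens on loopback here
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root: the template signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// ServerConfig demands that every agent present a certificate chaining to root; anything else fails the handshake.
func ServerConfig(root, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	cas := x509.NewCertPool()
	cas.AddCert(root)
	return &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              cas,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no resumption: every connection re-proves possession of the agent key
	}
}
// AgentConfig presents the agent's certificate and verifies the server against the same root (the "mutual" half).
func AgentConfig(root, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	cas := x509.NewCertPool()
	cas.AddCert(root)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		RootCAs:      cas,
	}
}
// AgentHandshake runs one agent connection against a loopback TLS listener and returns the server's verdict (nil = accepted).
func AgentHandshake(server, agent *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), agent)
	v := <-verdict // wait for the server's decision before tearing the client down
	if err == nil {
		conn.Close()
	}
	return v
}
// Scenario issues the CA and certificates and reports whether the trusted and the rogue agent were accepted.
func Scenario() (trustedAccepted, rogueAccepted bool) {
	root, rootKey := newCert("constructed-rmm-root-ca", nil, nil)
	srvCert, srvKey := newCert("rmm-server", root, rootKey)
	agentCert, agentKey := newCert("agent-001", root, rootKey)
	rogueRoot, rogueRootKey := newCert("unrelated-ca", nil, nil)
	rogueCert, rogueKey := newCert("agent-001", rogueRoot, rogueRootKey) // same name, untrusted issuer
	server := ServerConfig(root, srvCert, srvKey)
	trustedAccepted = AgentHandshake(server, AgentConfig(root, agentCert, agentKey)) == nil
	rogueAccepted = AgentHandshake(server, AgentConfig(root, rogueCert, rogueKey)) == nil
	return trustedAccepted, rogueAccepted
}
```

The decision that matters is `ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs` restricted to the server's own root: the rogue agent's certificate carries the same common name but is rejected because it does not chain to that root, and the rejection happens inside the handshake rather than in application code.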

Miscellaneous:

i) An agent's access to any data from the server is restricted to its current domain only.

ii) All agent binaries are signed using ZOHOCORP signature.

iii) DLL file loading paths are restricted to agent installed directories.

iv) The agent service binary path is restricted to the agent folder.

Encryption

a) In transit:

  • All data transfer from the agent application to the server uses HTTPS, a strong encryption protocol. Users can set HTTPS as the default protocol for all communication directly from the web console.
  • Users can disable older versions of TLS in the web console. Support for older TLS versions is retained only to manage computers running older Windows versions; TLS 1.2 and strong cipher suites are supported for current systems.

b) At rest: Sensitive data stored in the database, such as passwords, auth tokens and the like, is encrypted using 256-bit Advanced Encryption Standard (AES). A unique installation key is derived for every customer and used for this encryption.
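The following Go program is an added example of the at-rest scheme described in this section, written for this page and not taken from RMM Central; the key derivation (HMAC-SHA256 over a per-installation secret), the AES-256-GCM field format, the column names and the sample token are all assumptions of the example. It shows the properties a reviewer would check: a field decrypts under the installation it was sealed for, a single flipped bit is detected, a ciphertext copied to another column is refused, and a second installation with its own derived key cannot read it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeriveInstallKey turns an installation's random secret (generated once at setup and
// kept outside the database) into a 256-bit AES key bound to one purpose label.
// HMAC-SHA256 serves as a simple fixed-output KDF here: two installations with
// different secrets never share a key even though they run identical software.
func DeriveInstallKey(installSecret []byte, purpose string) []byte {
	mac := hmac.New(sha256.New, installSecret)
	mac.Write([]byte(purpose))
	return mac.Sum(nil) // 32 bytes = AES-256 key
}

// Seal encrypts one sensitive field with AES-256-GCM. The column name is passed as
// associated data so a ciphertext moved to another column fails to decrypt.
// Stored layout: nonce (12 bytes) || ciphertext || 16-byte GCM tag.
func Seal(key, plaintext []byte, column string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// Open reverses Seal and fails on a wrong key, a wrong column or any modified byte.
func Open(key, stored []byte, column string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(column))
}

// Demo seals a constructed auth token under installation A and checks round trip,
// tamper detection, cross-column reuse and decryption under installation B's key.
func Demo() (roundTrip, tamperRejected, wrongColumnRejected, otherInstallRejected bool) {
	secretA := bytes.Repeat([]byte{0xA1}, 32) // constructed; real secrets come from crypto/rand at install time
	secretB := bytes.Repeat([]byte{0xB2}, 32)
	keyA := DeriveInstallKey(secretA, "rmm/credential-store/v1")
	keyB := DeriveInstallKey(secretB, "rmm/credential-store/v1")
	token := []byte("constructed-auth-token-0123456789")

	stored, err := Seal(keyA, token, "auth_token")
	if err != nil {
		return
	}
	got, err := Open(keyA, stored, "auth_token")
	roundTrip = err == nil && bytes.Equal(got, token)

	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = Open(keyA, tampered, "auth_token")
	tamperRejected = err != nil

	_, err = Open(keyA, stored, "password") // same bytes presented as a different column
	wrongColumnRejected = err != nil

	_, err = Open(keyB, stored, "auth_token")
	otherInstallRejected = err != nil
	return
}
```

The installation secret must live outside the database it protects (for instance in a file readable only by the service account), otherwise a copy of the database alone would be enough to decrypt every field.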

Database Protection

The database is accessible only with instance-specific credentials and is limited to localhost access. Stored passwords are one-way hashed using bcrypt and are filtered from all of our logs. Because bcrypt is used with a per-user salt, recovering the passwords from their hashes would be prohibitively expensive and time-consuming. The database also resides only in the customer's own setup.

Application Binary Protection

The agent binaries are protected against malicious DLL loading.

General

In RMM Central, we have signature verification for our PPM (patch) files. During a PPM upgrade, if any of the PPM files has been tampered with, the UpdateManager refuses to load that file for the server upgrade.
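The Go program below is an added example of the kind of check an updater performs before loading a patch bundle; it is illustrative code written for this page, not RMM Central's UpdateManager or its PPM format. The bundle layout (an in-memory map of file names to contents), the manifest format, the Ed25519 release key and the sample files are all assumptions of the example. It shows a clean bundle being accepted, a bundle with one modified file being refused, and a modified bundle shipped with a re-generated but unsigned manifest being refused as well.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Bundle is an in-memory stand-in for a patch package: file name -> contents.
type Bundle map[string][]byte

// Manifest lists "name sha256hex" for every file in sorted order, so the bytes that
// get signed are deterministic regardless of map iteration order.
func Manifest(b Bundle) []byte {
	names := make([]string, 0, len(b))
	for name := range b {
		names = append(names, name)
	}
	sort.Strings(names)
	var out bytes.Buffer
	for _, name := range names {
		sum := sha256.Sum256(b[name])
		fmt.Fprintf(&out, "%s %s\n", name, hex.EncodeToString(sum[:]))
	}
	return out.Bytes()
}

// SignBundle is the vendor-side step: sign the manifest with the release key.
func SignBundle(priv ed25519.PrivateKey, b Bundle) (manifest, sig []byte) {
	manifest = Manifest(b)
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyBundle is the updater-side step, run before any file is loaded: check the
// manifest signature first, then recompute the manifest from the files actually
// present and require a byte-for-byte match. That catches modified, added and
// removed files alike; a manifest re-generated without the release key fails the
// signature check.
func VerifyBundle(pub ed25519.PublicKey, b Bundle, manifest, sig []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("refusing bundle: manifest signature does not verify")
	}
	if !bytes.Equal(Manifest(b), manifest) {
		return errors.New("refusing bundle: files do not match the signed manifest")
	}
	return nil
}

// Demo signs a constructed two-file bundle and reports the three outcomes.
func Demo() (cleanAccepted, tamperedRejected, forgedManifestRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed release key pair
	if err != nil {
		return
	}
	clean := Bundle{
		"server.jar": []byte("constructed jar contents"),
		"upgrade.sh": []byte("echo applying constructed patch"),
	}
	manifest, sig := SignBundle(priv, clean)
	cleanAccepted = VerifyBundle(pub, clean, manifest, sig) == nil

	tampered := Bundle{}
	for k, v := range clean {
		tampered[k] = v
	}
	tampered["upgrade.sh"] = []byte("echo modified after signing")
	tamperedRejected = VerifyBundle(pub, tampered, manifest, sig) != nil

	forged := Manifest(tampered) // matches the tampered files but carries no valid signature
	forgedManifestRejected = VerifyBundle(pub, tampered, forged, sig) != nil
	return
}
```

The ordering inside `VerifyBundle` is deliberate: the signature is checked before any file hash is trusted, so the updater never acts on a manifest it has not authenticated, and the release private key never leaves the vendor's signing environment.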

III) Operational Security

Customer data security

For RMM Central, customer data resides only in the customer's own environment. Each customer's data managed under RMM Central is maintained and protected independently, and users can access only the details of the customers associated with them; access to other customers' data is restricted.

Note: If a customer requires help in resolving an issue, we may need the customer's logs. The customer uploads the logs through a secure portal owned by us, which can be accessed only by authorized personnel, and thereby grants us permission to access them. The logs are deleted automatically 25 days after the time of upload.

Vulnerability and patch management

We have a dedicated vulnerability process that actively scans for security threats or vulnerabilities using a combination of certified third-party scanning tools, and in-house tools. Subsequently, automated and manual testing is performed. Furthermore, the security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to identify security incidents that might affect the company. Once we identify a vulnerability that requires remediation, it is logged, prioritized according to severity, and is assigned an owner. We further identify the associated risks and mitigate them by either patching the vulnerable systems or applying relevant controls.

After assessing the severity of the vulnerability based on the impact analysis, we commit to resolving the issue within our defined SLA. Depending on the severity, we send security advisories to all our customers describing the vulnerability, the patch, and the steps to be taken by the customer.

Business continuity

  • We have backup power, temperature control systems, and fire-suppression and fire-protection systems to ensure business continuity. Dedicated business continuity plans are in place for technical support.
  • We have a well-planned business continuity and disaster recovery plan in place to assist us in the event of extended service outages caused by factors beyond our control (e.g., natural calamities, man-made disasters, etc.) that affect the services provided to customers, so that endpoint management operations can resume to the maximum possible extent within a minimal time frame. The plan encompasses all our internal operations that ensure continued service for our customers. We have three recovery teams in place for better coordination and support among the various teams: the Emergency Management Team (EMT), the Disaster Recovery Team (DRT), and the IT Technical Services (IT) team.

IV) Incident Management

Reporting

We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will provide you with necessary evidence regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.

We respond to the security or privacy incidents you report to us through incidents@zohocorp.com, with high priority. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the e-mail address with which you have subscribed for breach notification and not your primary email address that is registered with us). Please subscribe to our Data Breach Notification to receive notifications on any security incidents without delay.

Note: Users must subscribe to the Data Breach Notification to receive incident notifications, since this email is sent only to subscribed members.

V) Responsible Disclosure

A "Bug Bounty" vulnerability reporting program is in place to reach the community of researchers; it recognizes and rewards the work of security researchers. We are committed to working with the community to verify, reproduce, respond to, validate, and implement appropriate solutions for the reported vulnerabilities.

If you happen to find any, please submit the issue at https://bugbounty.zohocorp.com. If you want to report vulnerabilities directly to us, e-mail us at security@zohocorp.com.

VI) Customer Controls for Security

Security is taken very seriously at RMM Central, and we continuously strive to create a secure environment with minimal security risks. However, as a customer, you too shoulder responsibility, as security is a two-way street. An "all-hands-on-deck" approach is needed to keep reinforcing security. Kindly read the RMM Central security recommendations to learn what you can do on your part to achieve maximum security.

Conclusion

Your data's security is your right and a never-ending mission of Zoho. We will continue to work hard to keep your data secure, like we always have. For any further queries on this topic, take a look at our FAQs or write to us at security@manageengine.com.