Security and data protection have been of paramount importance to RMM Central since its inception. RMM Central aims to create a secure operating environment for service providers and their customers, and to that end a comprehensive set of practices, technologies and policies has been developed to make sure all data stays secure. This document describes how we provide security to our customers. Our security strategy involves the following components:
We have an Information Security Management System (ISMS) in place that takes into account our security objectives and the risks and mitigations concerning all interested parties. We employ strict policies and procedures encompassing the security, availability, processing integrity, and confidentiality of customer data.
Employee background checks
Each employee undergoes a process of background verification. We hire reputable external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is complete, the employee is not assigned tasks that may pose risks to users.
Security Awareness
Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We also provide training on specific aspects of security that they may require based on their roles.
We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.
Dedicated security and privacy teams
We have dedicated security and privacy teams that implement and manage our security and privacy programs. They regulate and maintain defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.
Internal audit and compliance
We have a dedicated compliance team to review procedures and policies in ManageEngine to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.
For more details, check out our compliance portfolio.
Endpoint security
All workstations issued to ManageEngine employees run up-to-date OS versions and are configured with anti-virus software. They comply with our security standards, which require all workstations to be properly configured, patched, and tracked and monitored by ManageEngine's endpoint management solutions. These workstations are secure by default: they are configured to encrypt data at rest, require strong passwords, and lock when idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
Secure by Design
Identity and Access Control
We support SAML authentication (Single Sign-On (SSO) capability), which allows users to integrate their company's Identity Provider, such as AD FS, Okta, etc., with RMM Central services acting as the Service Provider. SSO simplifies the login process, ensures security compliance, and gives users and administrators effective access control. It also reduces the risk of password fatigue, and hence of weak passwords.
Two-Factor Authentication provides an extra layer of security by demanding additional verification from the user. This reduces the risk of unauthorized access if a user's password is compromised. Two-Factor Authentication can be done through Email or an Authenticator App like Zoho OneAuth, Google Authenticator, Microsoft Authenticator, DUO Auth, etc.
Role Based Access Control allows only authorized users to access a specific function. Users are allowed to access only those functionalities that are permissible to their designated role. We follow role-based permissions to minimize the risk of data exposure.
Agent Security
The agent always sends its identity, in encrypted form, to the server for mutual authentication. Only an agent with a trusted certificate can contact or interact with the server. This is configurable to suit your requirements; refer to this document to learn how.
The RMM Central server uses client certificate authentication to authenticate agent-installed computers that try to establish a connection with the server. Each agent has a unique certificate and a corresponding private key, signed by the server's trusted root certificate authority. If validation of the certificate and the key succeeds, the server accepts the connection from the agent; otherwise the connection is dropped. Learn more on how to configure it here.
i) An agent's access to any data from the server is restricted to its current domain only.
ii) All agent binaries are signed using ZOHOCORP signature.
iii) DLL file loading paths are restricted to agent installed directories.
iv) The agent service binary path is restricted to the agent folder.
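The two checks described above (the agent certificate must chain to the server's trusted root, and the agent must hold the matching private key) are what a TLS handshake with client-certificate authentication performs. The following Go program is an added illustration, not RMM Central's code: it mints a throwaway root CA and agent certificates, shows the `tls.Config` a server would use to require and verify client certificates, and then performs the same two checks explicitly, using a signed challenge to stand in for the handshake's proof of key possession. The CA and agent names, the challenge protocol and the use of ECDSA P-256 are assumptions for the example; the page does not specify the product's key types or certificate profile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial-number counter for the certificates minted below

// issue mints a certificate for cn. With parent == nil the result is a
// self-signed CA; otherwise it is a leaf signed by parent/parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaves may act as the TLS server (RMM server) or a TLS client (agent).
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ServerTLSConfig is the setting that makes authentication mutual: the server
// presents its own certificate and refuses any agent whose certificate does
// not chain to root.
func ServerTLSConfig(serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey, root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// SignChallenge is the agent side: prove possession of the private key.
func SignChallenge(agentKey *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, agentKey, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// AuthenticateAgent is the server side: the certificate must chain to root
// with client-auth usage, and the signature must verify under its public key.
func AuthenticateAgent(root, agentCert *x509.Certificate, challenge, signature []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := agentCert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := agentCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type in agent certificate")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], signature) {
		return errors.New("challenge signature does not match certificate key")
	}
	return nil
}

// Scenario runs three cases: a trusted agent, an agent certified by a foreign
// CA, and a trusted certificate presented without its private key.
func Scenario() (trustedOK, rogueRejected, stolenCertRejected bool) {
	root, rootKey := issue("rmm-root-ca", nil, nil) // constructed names
	agent, agentKey := issue("agent-0001", root, rootKey)
	rogueRoot, rogueKey := issue("rogue-ca", nil, nil)
	impostor, impostorKey := issue("agent-0001", rogueRoot, rogueKey)
	_, otherKey := issue("agent-0002", root, rootKey)

	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	trustedOK = AuthenticateAgent(root, agent, challenge, SignChallenge(agentKey, challenge)) == nil
	rogueRejected = AuthenticateAgent(root, impostor, challenge, SignChallenge(impostorKey, challenge)) != nil
	stolenCertRejected = AuthenticateAgent(root, agent, challenge, SignChallenge(otherKey, challenge)) != nil
	return
}

func main() {
	trusted, rogue, stolen := Scenario()
	fmt.Println("trusted agent accepted:", trusted)
	fmt.Println("foreign-CA agent rejected:", rogue)
	fmt.Println("certificate without its key rejected:", stolen)
}
```

The foreign-CA case fails at chain validation even though the impostor's common name matches a real agent, and the third case fails at the key check even though the certificate itself is genuine; a real deployment gets both checks from `tls.RequireAndVerifyClientCert` without writing them by hand.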
Encryption
a) In transit:
b) At rest: Sensitive data, such as passwords, auth tokens and the like, that is stored in the database is encrypted using 256-bit Advanced Encryption Standard (AES). A unique installation key is derived and used for encryption for every customer.
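The at-rest scheme above has two parts: a key derived per installation, and AES-256 applied to individual sensitive values. The Go program below is an added example, not RMM Central's implementation. It derives a 32-byte key from an installation secret with HMAC-SHA256 under a fixed label (a stand-in, since the page does not say how the product derives its key), encrypts each value with AES-256-GCM so that tampering is detected, and binds the column name as associated data. The installation secrets, column name and token value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveInstallationKey turns an installation-specific secret into a 32-byte
// AES-256 key. HMAC-SHA256 with a fixed label is a hypothetical derivation
// chosen for this example.
func DeriveInstallationKey(installSecret []byte) []byte {
	mac := hmac.New(sha256.New, installSecret)
	mac.Write([]byte("rmm-central/db-secrets/v1")) // hypothetical label
	return mac.Sum(nil)
}

// Seal encrypts one sensitive column value with AES-256-GCM. The column name
// is authenticated as associated data, so a ciphertext copied into a different
// column no longer decrypts. Stored form: nonce || ciphertext || tag.
func Seal(key []byte, column string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// Open reverses Seal and fails on any modification of nonce, ciphertext, tag
// or column name, or when a different installation's key is supplied.
func Open(key []byte, column string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(column))
}

// Demo reports whether a value round-trips under its own installation key and
// whether tampering, a different installation key, and a column swap are rejected.
func Demo() (roundTrip, tamperRejected, otherInstallRejected, columnSwapRejected bool) {
	keyA := DeriveInstallationKey([]byte("installation-A-secret (constructed)"))
	keyB := DeriveInstallationKey([]byte("installation-B-secret (constructed)"))
	token := []byte("authtoken-constructed-value")

	stored, err := Seal(keyA, "auth_token", token)
	if err != nil {
		panic(err)
	}
	got, err := Open(keyA, "auth_token", stored)
	roundTrip = err == nil && string(got) == string(token)

	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = Open(keyA, "auth_token", tampered)
	tamperRejected = err != nil

	_, err = Open(keyB, "auth_token", stored)
	otherInstallRejected = err != nil

	_, err = Open(keyA, "password", stored)
	columnSwapRejected = err != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```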
Database Protection
The database is accessible only with instance-specific credentials and is limited to localhost access. Stored passwords are one-way hashed using bcrypt and are filtered from all of our logs. Because bcrypt is used with a per-user salt, recovering the original passwords would be prohibitively expensive and time-consuming. The database also resides only in the customer's own set-up.
Application Binary Protection
Malicious DLL loading by the agent binaries is prevented.
General
In RMM Central, we have signature verification for our PPM (patch) files. During a PPM upgrade, if any of the PPM files have been tampered with, the UpdateManager refuses to load the file for the server upgrade.
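The upgrade check described above amounts to: verify the vendor's signature over the bundle contents before loading anything, and refuse the whole bundle if any file differs from what was signed. The Go program below is an added example, not RMM Central's UpdateManager: the build side signs a manifest of SHA-256 digests with an Ed25519 key, and the installing side verifies the manifest signature and every file's digest, rejecting a modified file and any file the manifest does not cover. Ed25519, the manifest layout and the file names are assumptions for the example; the page does not say which signature scheme the product uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest lists every file in an update bundle with its SHA-256 digest and
// carries the vendor's signature over the canonical listing.
type Manifest struct {
	Digests   map[string]string // file name -> hex SHA-256
	Signature []byte
}

// canonical renders the digest table in a fixed order so that signer and
// verifier hash exactly the same bytes.
func canonical(digests map[string]string) []byte {
	names := make([]string, 0, len(digests))
	for n := range digests {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", digests[n], n)
	}
	return []byte(b.String())
}

// SignBundle is the build-pipeline side: digest every file and sign the table.
func SignBundle(priv ed25519.PrivateKey, files map[string][]byte) Manifest {
	m := Manifest{Digests: map[string]string{}}
	for name, content := range files {
		sum := sha256.Sum256(content)
		m.Digests[name] = hex.EncodeToString(sum[:])
	}
	m.Signature = ed25519.Sign(priv, canonical(m.Digests))
	return m
}

// VerifyBundle is the update-manager side: any failure means nothing is loaded.
func VerifyBundle(pub ed25519.PublicKey, m Manifest, files map[string][]byte) error {
	if !ed25519.Verify(pub, canonical(m.Digests), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	for name, want := range m.Digests {
		content, ok := files[name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from bundle", name)
		}
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: digest does not match signed manifest", name)
		}
	}
	for name := range files {
		if _, ok := m.Digests[name]; !ok {
			return fmt.Errorf("%s: present in bundle but not covered by manifest", name)
		}
	}
	return nil
}

// withFile returns a copy of files with one entry replaced or added.
func withFile(files map[string][]byte, name string, content []byte) map[string][]byte {
	out := make(map[string][]byte, len(files)+1)
	for k, v := range files {
		out[k] = v
	}
	out[name] = content
	return out
}

// Demo signs a constructed bundle and checks the clean, modified and extra-file cases.
func Demo() (cleanOK, modifiedRejected, extraRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{ // constructed bundle contents
		"update.ppm":       []byte("constructed patch payload"),
		"conf/upgrade.xml": []byte("<upgrade version=\"example\"/>"),
	}
	m := SignBundle(priv, files)
	cleanOK = VerifyBundle(pub, m, files) == nil
	modifiedRejected = VerifyBundle(pub, m, withFile(files, "update.ppm", []byte("modified payload"))) != nil
	extraRejected = VerifyBundle(pub, m, withFile(files, "unsigned-extra.bin", []byte("not in manifest"))) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The public key must be embedded in the installed server rather than shipped inside the bundle, otherwise an altered bundle could simply carry a matching key; the private key stays in the build pipeline.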
Customer data security
In RMM Central, customer data resides only in the customer's own environment.
Each customer's data managed under RMM Central is maintained and protected independently, so that users can access only the details of the customers associated with them and are restricted from other customers' data.
Note: If a customer requires help in resolving an issue, we may require the customer's logs. The customer uploads the logs through a secure portal owned by us, which can be accessed only by authorized personnel, and grants us permission to access them. The logs are deleted automatically 25 days after upload.
Vulnerability and patch management
We have a dedicated vulnerability process that actively scans for security threats or vulnerabilities using a combination of certified third-party scanning tools, and in-house tools. Subsequently, automated and manual testing is performed. Furthermore, the security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to identify security incidents that might affect the company. Once we identify a vulnerability that requires remediation, it is logged, prioritized according to severity, and is assigned an owner. We further identify the associated risks and mitigate them by either patching the vulnerable systems or applying relevant controls.
After assessing the severity of the vulnerability based on the impact analysis, we commit to resolving the issue within our defined SLA. Depending on the severity, we send security advisories to all our customers describing the vulnerability, the patch, and the steps to be taken by the customer.
Business continuity
Reporting
We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will provide you with necessary evidence regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond to the security or privacy incidents you report to us through incidents@zohocorp.com, with high priority. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the e-mail address with which you have subscribed for breach notification and not your primary email address that is registered with us). Please subscribe to our Data Breach Notification to receive notifications on any security incidents without delay.
Note: It is required of the user to subscribe to the Data Breach Notification to receive incident notifications since only subscribed members can be sent this email.
A vulnerability reporting program, "Bug Bounty", is in place to reach the community of researchers; it recognizes and rewards the work of security researchers. We are committed to working with the community to verify, reproduce, respond to, validate, and implement appropriate solutions for the reported vulnerabilities.
If you happen to find any, please submit the issue at https://bugbounty.zohocorp.com. If you want to report vulnerabilities directly to us, e-mail us at security@zohocorp.com.
Security is taken very seriously at RMM Central and we continuously strive to create a secure environment with minimal security risks. However, as a customer, you too shoulder the responsibility, as security is a two-way street. An "all-hands-on-deck" approach is needed to constantly keep reinforcing security. Kindly read the RMM Central security recommendations to know what you can do on your part to achieve maximum security.
Conclusion
Your data's security is your right and a never-ending mission of Zoho. We will continue to work hard to keep your data secure, as we always have. For any further queries on this topic, take a look at our FAQs or write to us at security@manageengine.com.