Introduction
In enterprise security, Zero Trust means organizations should not automatically trust any users, especially ones with privileged access such as administrators. This means establishing strict access control, segregated roles, domain perimeter, etc.
There are two types of access control: physical and logical. Physical access control limits access to physical IT assets and, in our case, it applies mostly to how you host the data captured by Teramind.
Logical access control limits connections to computer networks, system files, and data. In this article, we will mostly focus on these logical or software access controls.
There are various elements to implementing an access control policy. For example, user roles, authentication and authorization, local and network access, public exposure, etc.
Here are some access control features and capabilities of the Teramind platform:
Authentication and authorization through SSO, 2FA, AD, etc.
Built-in accounts and user types that support the RBAC (role-based access control) framework.
A simplified Access Control dashboard that allows you to control which privileged users/admins have access to what information and the settings they are allowed to change.
You can control what data can be exported by the admins.
You can implement policies & rules to detect unauthorized logins, abnormal network activity, etc.
Finally, at the hosting level, physical and logical access controls are in place to make sure your data stays secure whether it is hosted by us in our data center, by you on your own servers, or on servers in a private cloud such as AWS or Azure.
User Authentication
Authentication is the process of verifying who a user is. It is the first step of an access control policy; the remaining steps revolve around authorization (determining what the user has access to).
In Teramind, the authentication options are located under the Settings > Security tab:
2FA: Two-factor authentication means a user is granted login only after successfully providing two factors (pieces of evidence) that verify their identity. When enabled, a third-party authenticator (TPA) app such as Google Authenticator or Authy must be used to provide a constantly changing code along with the user's login credentials. 2FA protects your Teramind data in case the user's credentials are stolen.
Basic User/Password Login: This allows you to authenticate to the dashboard using the user-password credentials you created in Teramind.
LDAP: Teramind integrates with Active Directory to import your users, OUs, computers, groups, and security attributes in read-only mode, with LDAP as the identity provider, which simplifies implementing a unified access control policy.
IP Restriction: This lets you specify which IP addresses are allowed to log in to the dashboard.
SSO: Allows you to authenticate to the dashboard using a Single Sign-On (SSO) service such as Okta or OneLogin via the SAML 2.0 protocol. This is helpful if you already use such a service for your other applications and want to implement a unified authentication policy.
Account Level Access Control
Teramind has several types of accounts/role permissions you can assign to users to limit which Teramind features and options they can access. These are:
Administrator: Grants a user the most powerful access level. These types of users can monitor all employees, other admins, and change any settings with no restrictions.
Operational Administrator: This type of user has access to system settings, rules, computers, and other users, and can configure the access control of other users.
Infrastructure Admin: This type of admin can access system settings but cannot browse session recordings.
Employee: These are regular users. By default, they have access to their own tasks only but an admin can allow them to access their own productivity dashboard. An employee can also be elevated to a Department Manager (see below).
Department Manager: Any employee can be assigned as a department manager and can view/manage the employees in their assigned department.
Of the five types of accounts, the first four can be set from the EMPLOYEES > Employee Profile screen, under the Account Information tab:
The Department Manager is a special type of permission and is not available under user profiles. It can only be assigned from the CONFIGURE > Departments screen:
Privileged User Access Control
The Access Control Policy Editor
The CONFIGURE > Access Control screen allows you to control which users/managers have access to what information on the Teramind Dashboard and which settings they are allowed to change. In Teramind, access control is implemented through policies. A policy is composed of the following elements:
Privileged Users: The users/managers who monitor certain groups of people (the Target Users/Subjects).
Target Users / Subjects: The regular users monitored by the Privileged Users.
Permission: Defines what the privileged user can do with the information of the Target Users under their responsibility. The permissions are grouped into Play, View, Edit, and Access Widgets categories.
The main window of the Access Control screen shows a list of policies, privileges, and the subjects they manage. You can create a new policy or edit an existing policy from this screen:
Role-Based Access Control (RBAC)
The Access Control Policy Editor also allows you to create special "Role" access control permissions. A Role-Based Access Control (RBAC) policy allows you to assign special management permissions, in addition to the view/edit permissions, to a regular user (a user with the "Employee" account type): for example, the ability to edit other employees' profiles, create behavior policies and rules, etc. With Role policies, you can create unique user roles. For example, you can turn a department manager into a 'semi-admin' who can manage employees like an admin, but only the employees in their own department (unlike an admin, who has access to all employees).
When creating a new policy from the Configure > Access Control screen, select the ROLE ACCESS CONTROL POLICY to create a Role access control policy. Once you have created the policy, you can assign it to an employee through their profile:
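To make the policy elements above concrete (privileged users, subjects, permission categories, and the department-scoped Role policy from this section), here is an added example of a small policy evaluator. It is not Teramind's code or data model; the user names, departments, permission items and the "Management" category name are assumptions. It encodes two facts stated on this page: Administrators have no restrictions, and Infrastructure Admins cannot browse session recordings.

```python
"""Added example (not Teramind's code): an access-control policy model with
Privileged Users, Target Users/Subjects, permission categories and a Role
policy scoped to the privileged user's own department. Names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Permission categories named on the page; MANAGEMENT is the extra category a
# Role policy can grant (category name assumed).
PLAY, VIEW, EDIT, WIDGETS, MANAGEMENT = "Play", "View", "Edit", "Access Widgets", "Management"


@dataclass(frozen=True)
class User:
    name: str
    account_type: str   # Administrator, Operational Administrator, Infrastructure Admin, Employee
    department: str = ""


@dataclass(frozen=True)
class Policy:
    name: str
    privileged_users: frozenset[str]
    subjects: frozenset[str]                     # Target Users / Subjects
    permissions: frozenset[tuple[str, str]]      # (category, item)
    role: bool = False                           # Role policy: may carry MANAGEMENT items
    own_department_only: bool = False            # 'semi-admin' scope for department managers


def is_allowed(directory: dict[str, User], policies: list[Policy],
               actor_name: str, subject_name: str, category: str, item: str) -> bool:
    """True if `actor_name` may perform (category, item) on `subject_name`."""
    actor, subject = directory[actor_name], directory[subject_name]
    if actor.account_type == "Administrator":
        return True                               # page: no restrictions
    if actor.account_type == "Infrastructure Admin" and category == PLAY:
        return False                              # page: cannot browse session recordings
    for p in policies:
        if actor_name not in p.privileged_users or subject_name not in p.subjects:
            continue
        if (category, item) not in p.permissions:
            continue
        if category == MANAGEMENT and not p.role:
            continue                              # only Role policies grant management items
        if p.own_department_only and actor.department != subject.department:
            continue                              # semi-admin scope: own department only
        return True
    return False


def effective_permissions(directory, policies, actor_name, subject_name) -> set[tuple[str, str]]:
    """Least-privilege review helper: every (category, item) the actor holds on the subject."""
    catalogue = {perm for p in policies for perm in p.permissions}
    return {perm for perm in catalogue
            if is_allowed(directory, policies, actor_name, subject_name, *perm)}


def build_sample() -> tuple[dict[str, User], list[Policy]]:
    """Constructed directory and policies for illustration."""
    users = [
        User("alice", "Administrator"),
        User("ivan", "Infrastructure Admin"),
        User("maria", "Employee", "Sales"),    # department manager of Sales
        User("bob", "Employee", "Sales"),
        User("carol", "Employee", "Finance"),
    ]
    policies = [
        Policy("Sales monitoring", frozenset({"maria"}), frozenset({"bob", "carol"}),
               frozenset({(VIEW, "Web Activity"), (PLAY, "Session Recordings")})),
        Policy("Sales semi-admin", frozenset({"maria"}), frozenset({"bob", "carol"}),
               frozenset({(MANAGEMENT, "Edit Employee Profile"),
                          (MANAGEMENT, "Create Behavior Rules")}),
               role=True, own_department_only=True),
    ]
    return {u.name: u for u in users}, policies


if __name__ == "__main__":
    d, pols = build_sample()
    for actor, subject in [("maria", "bob"), ("maria", "carol"), ("ivan", "bob"), ("bob", "maria")]:
        print(actor, "->", subject, sorted(effective_permissions(d, pols, actor, subject)))
```

Running `effective_permissions` for every (privileged user, subject) pair is the kind of review that shows whether a Role policy has quietly widened a manager's reach beyond their department.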
Logging and Monitoring Privileged User Activities
The SYSTEM > System Log screen allows you to see all administrator/manager activities on the Teramind Dashboard:
This immutable session log is useful for monitoring privileged users' activities and identifying any abuse of the system.
Rule-Based Access Control
Teramind comes with a powerful Policy and Rule Engine that can be used to create rules to enforce endpoint-level access control for all monitored users and groups. For example, you can create rules to detect unauthorized logins; monitor privilege escalation attempts, such as an admin user attempting to execute the Group Policy Editor; or flag users accessing confidential files.
Once a rule detects such an access violation incident, it can take automated actions such as blocking the action, locking out the user, or sending a notification to an admin.
Behavior policies and rules allow you to implement granular access control down to the group level and even the individual user level. If you are using Teramind DLP in particular, you have access to all rule types (Scheduled, Activity, and Content Sharing). There are hundreds of pre-built templates and samples that you can easily customize to create your own access control rules.
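The three example rules in this section (unauthorized login, an admin launching the Group Policy Editor, access to confidential files) and the automated actions (block, lockout, notify) are illustrated below as an added example of rule-based detection run over constructed endpoint event lines. It is not Teramind's rule engine or its log format; the line format, network allowlist, business hours, account names and file share path are all assumptions.

```python
"""Added example (not Teramind's code): a small rule engine that evaluates
constructed endpoint events against access-control rules and records the
automated action each rule would take. Format and names are assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Assumed corporate ranges, hours, groups and sensitive tools.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
BUSINESS_HOURS = range(8, 19)                 # 08:00-18:59 UTC
ADMIN_ACCOUNTS = {"alice"}
FINANCE_GROUP = {"carol"}                     # the only group cleared for the confidential share
POLICY_TOOLS = {"gpedit.msc", "secpol.msc", "mmc.exe"}
CONFIDENTIAL_PREFIX = "\\\\fs01\\confidential\\"

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<kv>.*)$")


def parse(line: str) -> dict:
    """'<iso-timestamp> <kind> key=value ...' -> dict with a datetime 'ts'."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "kind": m["kind"]}
    ev.update(dict(pair.split("=", 1) for pair in m["kv"].split()))
    return ev


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str                 # Scheduled / Activity / Content Sharing (page's rule types)
    condition: Callable[[dict], bool]
    action: str                    # block / lockout / notify


def from_unknown_network(ev: dict) -> bool:
    return ev["kind"] == "login" and not any(ipaddress.ip_address(ev["ip"]) in n for n in ALLOWED_NETS)


def outside_business_hours(ev: dict) -> bool:
    return ev["kind"] == "login" and ev["ts"].hour not in BUSINESS_HOURS


def admin_opens_policy_editor(ev: dict) -> bool:
    return ev["kind"] == "process" and ev["user"] in ADMIN_ACCOUNTS and ev["exe"].lower() in POLICY_TOOLS


def unauthorized_confidential_access(ev: dict) -> bool:
    return (ev["kind"] == "file" and ev["path"].lower().startswith(CONFIDENTIAL_PREFIX)
            and ev["user"] not in FINANCE_GROUP)


RULES = [
    Rule("Login from unknown network", "Activity", from_unknown_network, "lockout"),
    Rule("Login outside business hours", "Scheduled", outside_business_hours, "notify"),
    Rule("Admin launched Group Policy Editor", "Activity", admin_opens_policy_editor, "notify"),
    Rule("Unauthorized confidential file access", "Content Sharing", unauthorized_confidential_access, "block"),
]


def evaluate(lines: list[str], rules: list[Rule] = RULES) -> list[dict]:
    """Return one incident per (event, matching rule); an event can trip several rules."""
    incidents = []
    for line in lines:
        ev = parse(line)
        for rule in rules:
            if rule.condition(ev):
                incidents.append({"rule": rule.name, "type": rule.rule_type, "action": rule.action,
                                  "user": ev["user"], "ts": ev["ts"].isoformat()})
    return incidents


# Constructed sample events (not real logs).
SAMPLE_EVENTS = r"""
2024-05-06T09:15:02Z login user=bob host=WS12 ip=10.1.4.22
2024-05-06T02:41:10Z login user=bob host=WS12 ip=203.0.113.8
2024-05-06T10:02:33Z process user=alice host=WS01 exe=gpedit.msc
2024-05-06T10:05:00Z file user=carol host=WS07 path=\\fs01\confidential\q2.xlsx
2024-05-06T10:06:12Z file user=bob host=WS12 path=\\fs01\confidential\q2.xlsx
2024-05-06T11:00:00Z process user=bob host=WS12 exe=notepad.exe
""".strip().splitlines()


if __name__ == "__main__":
    for inc in evaluate(SAMPLE_EVENTS):
        print(f"{inc['ts']} {inc['action']:8} {inc['user']:6} {inc['rule']} [{inc['type']}]")
```

Note that the second login line trips two rules at once (unknown network and out of hours), which is why the engine records one incident per matching rule rather than stopping at the first hit; the most severe action still applies.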
Other Security Settings Related to Access Control
Restricting Data Export
Teramind has several options that allow you to control the export of data from Teramind to outside parties. These settings can be found under the Settings > Security screen:
The ALLOW DATA & VIDEO EXPORT EMAILS TO THIS DOMAIN option under the Outgoing exported data section allows you to enable/disable the export of reports and video recordings to a specific email domain.
There are two more options under the Access to exported data section. The first option (ONLY AUTHORIZED USERS CAN DOWNLOAD EXPORTED FILES), when enabled, restricts access to scheduled reports to active Teramind users only. The second option (DISALLOW MANAGERS TO SEE AND EXECUTE EXPORTS) determines whether department managers are able to export the BI Reports / Monitoring Reports.
By default, only admins get the daily digest/snapshot report via email. The SEND DAILY SNAPSHOT EMAILS TO DEPARTMENT MANAGERS option lets you enable the emails for department managers too. The email looks exactly the same as the one received by the admins except that the data is shown only for the users the department manager is assigned to:
Remote Access Control
Teramind's Session Player allows you to fully control a user's desktop remotely. You can also disable the user's input controls such as the keyboard and mouse, or completely lock them out of the system:
Server-Level Access Control
Teramind Cloud Deployment
Teramind Cloud deployments are hosted in Tier-3 data centers designed to meet even the strictest access control requirements of mission-critical industries including finance, manufacturing, utilities, and government. From a security and compliance perspective, the data centers are accredited for PCI, PS951, ISO, and other industry standards. In addition to physically protected facilities and bespoke rack+cage security, the data centers have a wide range of access and movement controls and threat detection systems in place (e.g., video surveillance, sensor-equipped fencing, a 24/7 onsite NOC, etc.).
In addition to the data center access control policies, Teramind follows ISO 27001:2013 compliance for its internal information security management systems and the Cloud infrastructure that it manages on behalf of its customers.
Some of the key ISMS-recommended access control policies that Teramind has implemented for its Cloud and internal systems are:
| Policy area | How it is implemented |
| --- | --- |
| Administrative Entitlements and Access Provisioning for Operations Purposes | Strict access control for all administrators and privileged users is implemented under ISO 27001 reference A9.4.1 (Access Control). Additionally, screening and auditing (A7.1.1), access rights, and compliance monitoring are maintained under the appropriate ISMS guideline. |
| Policy for Privileged Users with Access to Client Data | Privileged user credential use and access are controlled primarily through an internal IT Security Policy using the ISO 27001 reference A9.3 (User Responsibilities) guideline. Additional compliance is enforced under A9.2 (User Access Management) and A9.4 (System and Application Access Control). |
| Third-Party Risk Management | Only authorized third parties (e.g., data center admins) have access to the databases and backups, and all client data is encrypted, so it is protected from misuse. The TPRM policy is implemented as per ISO reference A.15.1.1 (Information Security Policy for Supplier Relationships). |
| IT Asset Management as Applicable to Access Rights | Control of IT assets, returns, and access right removal on termination or transfer are handled as per ISO 27001 reference A8 (Asset Management) and A9.2.6 (Removal or Adjustment of Access Rights). |
| Applications Access Control | Controlled under ISO 27001 reference A9.4 (System and Application Access Control). Access to information and systems is granted only to authenticated users. PKI keys for authentication are issued and managed according to the Teramind Cryptographic Key Management policy. |
| Password Security Policy | Password strength, storage, escrow, reuse, expiry, etc. are controlled under ISO 27001 guideline reference A9 (Access Control), more specifically A9.3.1 (Use of Secret Authentication Information). |
| Protection of Logon Credentials | All customer account credentials in persistent storage are encrypted with strong AES 256-bit key encryption. |
| Employee Remote Access | Remote access to Teramind resources on the internal Teramind network is granted to Teramind employees over individually authenticated and encrypted VPN connections only. |
| Revoking Access Privileges | Customers can disable a user or request that Teramind remove them for compliance purposes. |
| Server Roles | As per ISO 27001 A9, A13 (Communications Security and Network Segregation) and PCI DSS clause 1.3.4. |
| Access Control Policy Test | Carried out both quarterly and annually. |
On-Premise / Private Cloud Deployment
On-Premise/Private Cloud deployments (e.g., AWS, Azure) can implement their own access control and security policies for their instances as needed. For example, VMware supports Role-Based Access Control policies for both stand-alone ESX/ESXi servers and vCenter Servers. Similarly, AWS has Identity and Access Management (IAM) profiles, while Azure uses Management/Subscription/Resource groups to manage access to Azure resources.
Please check your VM environment's documentation to learn how to set up access control policies on it.