Support
 
Phone Live Chat
 
Support
 
US: +1 888 720 9500
US: +1 800 443 6694
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9393

 
 
 
 
 
Shared responsibility model
Active Directory Management » Features » Shared responsibility model
 

ManageEngine ADManager Plus' shared responsibility model

A shared responsibility model dictates and defines certain responsibilities between ManageEngine ADManager Plus and its users to ensure accountability. Each party (ManageEngine ADManager Plus and the customer) is accountable for different aspects and must work together to ensure full coverage. In this model, ownership is clearly defined, with each party maintaining complete control over those assets, processes, and functions they own. Clearly defined shared responsibilities allow you to focus your efforts on your application delivery strategy without overburdening your teams with day-to-day operational concerns.

Note: The areas of ownership you control are yours alone, and ManageEngine does not dictate how you secure your systems. You do, however, have the ability and right to access our ISO certifications and SOC compliance reports to verify that our systems are secure.

The controls are segregated into three types:

  • ManageEngine-specific controls: The controls that are the complete responsibility of ManageEngine ADManager Plus.
  • Customer-specific controls: The areas of responsibility that are solely owned, maintained and controlled by you, the customer.
  • Shared controls: Here, ManageEngine ADManager Plus provides the necessary support for security requirements. The customer should implement the guardrails in a way that suits their organizational requirements, including security, compliance, privacy, IT requirements, and applicable laws and regulations.

ManageEngine's responsibilities

  • Software: ADManager Plus is an identity governance and administration (IGA) solution that simplifies identity management, ensures security, and improves compliance. With ADManager Plus, manage the user life cycle from provisioning to deprovisioning, run access certification campaigns, orchestrate identity management across enterprise applications, and protect data on your enterprise platforms with regular backups. Use over 200 reports to gain valuable insights into identities and their access rights. Improve the efficiency of your IGA operations with workflows, automations, and role-based access control policies. ADManager Plus' Android and iOS applications help with on-the-go AD and Azure AD management.
  • Application platform security: ManageEngine handles the security vulnerabilities of the source code of the application platform (ManageEngine ADManager Plus).
    • Client-side & server-side security: By design, we prioritize security in our products. Our robust security framework based on OWASP standards is implemented in the application layer, and provides functionalities to mitigate threats such as SQL injections, cross-site scripting, and application layer DOS attacks, thereby taking care of the client-side as well as server-side security. All the software changes are authorized before providing it to our customers. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as a screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
    • Integrity: Data integrity refers to the accuracy and consistency of data. To ensure this, we apply encryption at rest (in-product). This refers to data that is encrypted when it is stored (not moving) — here, data is encrypted at the database (DB) level.

Customer's responsibilities

  • Data management: Data is increasingly seen as an essential corporate asset that can be used to make informed business decisions. Managing data includes the process of acquiring, validating, storing, protecting, and processing the data collected by your organization.
  • Integration: By default, integrations are not imposed in ADManager Plus. If you want to integrate ADManager Plus with any of your other applications (like importing/exporting data to/from ManageEngine ADManager Plus to any other third party apps), it would be your full responsibility to do so, starting from establishing the integration, data interchange, and so on. Customers should carefully choose the services they interact with to make sure that the third-party services do not compromise your security. By default, PostgreSQL DB is bundled with the product. You can also use (customer-end) MS SQL DB or an external PostgreSQL DB as its alternative.
  • Anti-abuse monitoring: Instances of abuse can include generating a report and mailing it to potential targets to collect sensitive data or personal information. To avoid this, you must monitor your domain space and implement anti-abuse measures to protect your users and their data.
  • Infrastructure: The customer handles the infrastructure that runs all of the services offered by ManageEngine ADManager Plus and must ensure to protect the same. This infrastructure is composed of the hardware, software, operating system (including updates and security patches), networking, firewall, and app server.
  • Business continuity: This refers to the advanced planning and preparations by business organizations to ensure that they will have the capability to operate their critical business functions during emergency events.
    • Server monitoring: The customer must monitor their servers to ensure that there isn't any discrepancy between them, which may affect the overall availability of the services provided.
    • Scaling: The customer must have a proper system in place to scale up their resources and balance the load in case of multiple servers to run the infrastructure for a larger number of users.
  • Endpoint security
    • Anti-virus (AV): The server provisioned for ManageEngine ADManager Plus service should be hardened before use. The customer must use various systems (like anti-virus software, Intrusion Detection mechanisms, DDoS protection) to secure the system in which the product is installed.

Shared responsibilities

  • Design and security: While ManageEngine ADManager Plus takes care of the application platform's security, it also provides various defense mechanisms to protect your data from unauthorized access such as installing SSL certificate. However, it's your responsibility to define the security needs of your IT environment, analyze and implement the various modes of security mechanisms, and design and build your IT environment in a secure way. This includes defining strict permissions to users, adding users to the product only on a need-to-know basis, using appropriate data-validation techniques, and so on.
  • TFA and SSO: Two-factor authentication and SSO are known to drastically reduce the attack surface and help ensure cyber resilience. With ADManager Plus, you can enable two-factor authentication and SSO to facilitate secure authentication into the product.
  • Logging and Monitoring
    • Logs feature: ManageEngine ADManager Plus captures application logs for statistical, security, and debugging purposes. Logs are automatically produced and timestamped. Admins can refer to these logs to check the product's performance and keep track of actions executed in the event of action failure.
    • Business continuity — data backup: ManageEngine ADManager Plus supports backup and restore features in the product. The customer has to ensure that they schedule regular backups of the product's DB catering to their business use-cases.
    • Application updates and patch management: ManageEngine ADManager Plus is responsible for identifying and fixing the security vulnerabilities in the product. Patch updates comprise of a collection of updates, fixes, or enhancements for software, delivered in the form of a single installable package. You must always make sure to keep your build updated to the latest version. Alternatively, you can also enable the auto-update option in ADManager Plus. Once this is done, the product by itself, will watch out for the latest patch updates and install them without human intervention.

Featured links

Other features
  • Active Directory Management

    Manage AD, Office 365, Exchange, Skype for Business, and Google Workspace accounts of users, single or bulk, using CSV files or smart templates.

  • Active Directory Password Management

    Reset password and set password propertied from a single web-based console, without compromising on the security of your AD! Delegate your password-reset powers to the helpdesk technicians too!

  • Active Directory Computer Reports

    Granular reporting on your AD Computer objects to the minutest detail. Monitor...and modify computer attributes right within the report. Reports on Inactive Computers and operating systems.

  • Microsoft Exchange Management

    Create and manage Exchange mailboxes and configure mailbox rights using ADManager Plus's Exchange Management system. Now with support for Microsoft Exchange 2010!!

  • Active Directory Cleanup

    Get rid of the inactive, obsolete and unwanted objects in your Active Directory to make it more secure and efficient...assisted by ADManager Plus's AD Cleanup capabilities.

  • Active Directory Automation

    A complete automation of AD critical tasks such as user provisioning, inactive-user clean up etc. Also lets you sequence and execute follow-up tasks and blends with workflow to offer a brilliant controlled-automation.

Need Features? Tell Us
If you want to see additional features implemented in ADManager Plus, we would love to hear. Click here to continue

ADManager Plus Trusted By

The one-stop solution to Active Directory Management and Reporting
Highlights AD Management Active Directory Reports Exchange Management Popular products