Save and Exit

Our security strategy involves the following components

We have an Information Security Management System (ISMS) in place which takes in into account our security objectives and the risks and mitigation concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Employee Background Checks

Each employee undergoes a process of background verification before their commencement of employment with us. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

Security Awareness

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security, that they may require based on their roles.

We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.

Dedicated Security and Privacy Teams

We have dedicated security and privacy teams that implement and manage our security and privacy programs. They regulate and maintain defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.

Internal Audit and Compliance

We have a dedicated compliance team to review procedures and policies in Endpoint Central to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.

For more details, check out our compliance portfolio.

Endpoint Security

All workstations issued to Endpoint Central employees run up-to-date OS versions and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and be tracked and monitored by ManageEngine's endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.

Secure by Design

We adhere to the secure coding guidelines of the Software Development Life Cycle (SDLC) and all our developers are mindful of these guidelines. As a next step, we screen the code changes to look for potential security issues by manually reviewing it first and then using our code analyzer. Before the release of any new feature, this entire process is carried out. If any issue surfaces during this check, they are immediately rectified. Furthermore, a robust security framework that is based on the OWASP standards is implemented in the application layer. This framework provides means to mitigate threats such as SQL Injection, Cross-Site Scripting, Application Layer DoS attacks, code injection, authentication bypass and file upload related vulnerabilities. To top it all, we conduct regular sessions to keep the developers informed about secure coding practices.

Identity and Access Control

  1. Single Sign-On (SSO):

    We support SAML authentication (Single Sign-On (SSO) capability), that allows users to integrate their company's Identity Provider, such as AD FS, Okta, etc., with Endpoint Central services as the Service Provider. SSO simplifies the login process, ensures security compliance, provides effective access control to users/administrators. This also reduces the risk of password-fatigue, and hence weak passwords.

  2. Two-Factor Authentication:

    Two-Factor Authentication provides an extra layer of security by demanding additional verification from the user. This reduces the risk of unauthorized access if a user's password is compromised. Two-Factor Authentication can be done through Email or an Authenticator App like Zoho OneAuth, Google Authenticator, Microsoft Authenticator, DUO Auth, etc.

  3. Role Based Access Control:

    Role Based Access Control allows only authorized users to access a specific function. Users are allowed to access only those functionalities that are permissible to their designated role. We follow role-based permissions to minimize the risk of data exposure. 

Agent Security

Trusted Communication:

The agent always sends its identity, that is encrypted, to the server for mutual authentication. Only an agent with a trusted certificate can contact or interact with the server. It is configurable to suit one's requirement. Refer this document to learn how.

Client Certificate Authentication:

Endpoint Central server uses client certificate authentication to authenticate agent installed computers that try to establish a connection with the server. Each agent will have a unique certificate and a corresponding private key signed by the server's trusted root certificate authority. If the validation of the certificate and the key is successful, the server connects to the agent or else the connection is dropped. Learn more on how to configure it here.

Miscellaneous:

i) An agent's access to any data from the server is restricted to its current domain only.

ii) All agent binaries are signed using ZOHOCORP signature.

iii) DLL file loading paths are restricted to agent installed directories.

iv) The agent service binary path is restricted to the agent folder.

Encryption

a) In transit:

  1. Any data transfer from the agent application to the server happens using strong encryption protocol, HTTPS. Users can choose HTTPS as the default protocol for all communication from the web console directly.
  2. Users can disable older version of TLS in the web console. The support for older version of TLS is present to manage computers running on older Windows versions. Additionally, TLS 1.2 and strong ciphers are supported for latest systems.

b) At rest:

Sensitive data, such as passwords, auth-tokens and the like, that is stored in database are encrypted using 256-bit Advanced Encryption Standard (AES). A unique installation key is derived and used for encryption for every customer.

Database Protection

The database is only accessible by providing instance-specific credentials and is limited to local host access. The passwords stored are one-way hashed and are filtered from all of our logs. Also, the database resides in the customer set-up only.

Application Binary Protection

Prevents malware DLL Loading from the agent binaries.

General

In Endpoint Central, we have signature verification for our PPM (Patch) files. During PPM upgradation, if any of the PPM files are tampered, the UpdateManager will refuse to load the file for server upgradation.

Customer Data Security

The customer data resides only in their own environment, for the on-premise version. Detailed audit logging covering all operations performed by the user are available to the customers in the cloud service.

Note: In case any customer requires help in resolving any issue, we may require the customer's logs. The customer uploads the logs through a secure portal owned by us, that can be accessed only by authorized personnel, and grants us the permission to access them. The logs will be deleted automatically after 25 days from the time of upload.

Vulnerability and Patch Management

We have a dedicated vulnerability process that actively scans for security threats or vulnerabilities using a combination of certified third-party scanning tools, and in-house tools. Subsequently, automated and manual testing is performed. Furthermore, the security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to identify security incidents that might affect the company. Once we identify a vulnerability that requires remediation, it is logged, prioritized according to severity, and is assigned an owner. We further identify the associated risks and mitigate them by either patching the vulnerable systems or applying relevant controls.

After assessing the severity of the vulnerability based on the impact analysis, we commit to resolve the issue within our defined SLA. Depending upon the severity, we send security advisories to all our customers describing the vulnerability, the patch and the steps to be taken by the customer.

Business Continuity

  • We have backup power, temperature control systems, and fire-suppression and fire-protection systems to ensure business continuity. Dedicated business continuity plans are present for technical support.

  • We have a well planned business continuity and disaster recovery plan in place to assist us in the event of extended service outages, thereby affecting the services provided to the customers by factors beyond our control-e.g., natural calamities, man-made disasters, etc., to resume endpoint management operations to the maximum possible extent within a minimal time frame. The plan encompasses all our internal operations that ensures continued services for our customers. We have three recovery teams namely, the Emergency Management Team (EMT), the Disaster Recovery Team (DRT), and the IT Technical Services (IT) team, in place for better coordination and support among various teams.

We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will provide you with necessary evidence regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.

We respond to the security or privacy incidents you report to us through incidents@zohocorp.com, with high priority. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the e-mail address with which you have subscribed for security advisories/data breach notification and not your primary email address that is registered with us).

1. To receive timely security advisories regarding critical vulnerabilities or security incidents, please login to Endpoint Central and navigate to Admin->Security Settings->Personalized Security Settings and subscribe.

2. To receive immediate notifications in case of any data breach, please subscribe to Data Breach Notification.

Note: It is required of the user to subscribe to the security advisories/data breach notification to receive respective notifications as these emails can be sent only to subscribed members.

A vulnerability reporting program in "Bug Bounty", to reach the community of researchers is in place which recognizes and rewards the work of security researchers. We are committed to working with the community to verify, reproduce, respond, legitimate, and implement appropriate solutions for the reported vulnerabilities.

If you happen to find any, please submit the issue at https://bugbounty.zohocorp.com. If you want to report vulnerabilities directly to us, e-mail us at security@zohocorp.com.

Security is taken very seriously at Endpoint Central and we continuously strive to create a secured environment with minimal security risks. However, as a customer, you too shoulder the responsibility as security is a two-way street. 'All-hands-on-deck" approach is needed to constantly keep reinforcing security. Kindly read Endpoint Central security recommendations to know what you can do on your part for achieving maximum security.

Conclusion

Your data's security is your right and a never-ending mission of Zoho. We will continue to work hard to keep your data secure, like we always have. For any further queries on this topic, take a look at our FAQs or write to us at security@manageengine.com.