ManageEngine Exchange Reporter Plus's shared responsibility model

A shared responsibility model dictates and defines certain responsibilities between ManageEngine Exchange Reporter Plus and its users to ensure accountability. Each party (ManageEngine Exchange Reporter Plus and the customer) is accountable for different aspects and must work together to ensure full coverage. In this model, ownership is clearly defined, with each party maintaining complete control over those assets, processes, and functions they own. Clearly defined shared responsibilities allow you to focus your efforts on your application delivery strategy without overburdening your teams with day-to-day operational concerns.

The controls are segregated into three types:

• ManageEngine-specific controls: The controls that are the complete responsibility of ManageEngine Exchange Reporter Plus.
• Customer-specific controls: The areas of responsibility that are solely owned, maintained and controlled by you, the customer.
• Shared controls: Here, ManageEngine Exchange Reporter Plus provides the necessary support for security requirements. The customer should implement the guardrails in a way that suits their organizational requirements, including security, compliance, privacy, IT requirements, and applicable laws and regulations.

ManageEngine's responsibilities

• Software: ManageEngine Exchange Reporter Plus is an enterprise solution that helps audit your Exchange organization, monitor its health and performance, and ensure compliance. It comes with powerful capabilities such as comprehensive audits and granular monitoring. Exchange Reporter Plus's intuitive interface and powerful capabilities make it the ideal solution for your Exchange needs.
• Application platform security: ManageEngine handles the security vulnerabilities of the source code of the application platform (ManageEngine Exchange Reporter Plus).
  • Client-side & Server-side security: By design, we prioritize security in our products. Our robust security framework based on OWASP standards is implemented in the application layer, and provides functionalities to mitigate threats such as SQL injections, cross-site scripting, and application layer DOS attacks, thereby taking care of the client-side as well as server-side security. All the software changes are authorized before providing it to our customers. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as a screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
  • Integrity: Data integrity refers to the accuracy and consistency of data. To ensure this, we apply encryption at rest (in-product). This refers to data that is encrypted when it is stored Integrity: Data integrity refers to the accuracy and consistency of data. To ensure this, we apply encryption at rest (in-product). This refers to data that is encrypted when it is stored (not moving) — here, data is encrypted at the database (DB) level.

Customer's responsibilities

• Data management: Data is increasingly seen as an essential corporate asset that can be used to make informed business decisions. Managing data includes the process of acquiring, validating, storing, protecting, and processing the data collected by your organization.
• Integration: By default, integrations are not imposed in Exchange Reporter Plus. If you want to integrate Exchange Reporter Plus with any of your other applications (like importing/exporting data to/from ManageEngine Exchange Reporter Plus to any other third party apps), it would be your full responsibility to do so, starting from establishing the integration, data interchange, and so on. Customers should carefully choose the services they interact with to make sure that the third-party services do not compromise your security. By default, PostgreSQL DB is bundled with the product. You can also use (customer-end) MS SQL DB or an external PostgreSQL DB as its alternative.
• Anti-abuse monitoring: Instances of abuse can include generating a report and mailing it to potential targets to collect sensitive data or personal information. To avoid this, you must monitor your domain space and implement anti-abuse measures to protect your users and their data.
• Infrastructure: The customer handles the infrastructure that runs all of the services offered by ManageEngine Exchange Reporter Plus and must ensure to protect the same. This infrastructure is composed of the hardware, software, operating system (including updates and security patches), networking, firewall, and app server.
• Business continuity: This refers to the advanced planning and preparations by business organizations to ensure that they will have the capability to operate their critical business functions during emergency events.
  • Server monitoring: The customer must monitor their servers to ensure that there isn't any discrepancy between them, which may affect the overall availability of the services provided.
  • Scaling: The customer must have a proper system in place to scale up their resources and balance the load in case of multiple servers to run the infrastructure for a larger number of users.
• Endpoint security
  • Anti-virus(AV): The server provisioned for ManageEngine Exchange Reporter Plus service should be hardened before use. The customer must use various metrics (like anti-virus software, Intrusion Detection mechanisms, DDoS protection) to secure the system in which the product is installed.

Shared responsibilities

• Design and security: While ManageEngine Exchange Reporter Plus takes care of the application platform's security, it also provides various defense mechanisms to protect your data from unauthorized access such as installing SSL certificate. However, it's your responsibility to define the security needs of your IT environment, analyze and implement the various modes of security mechanisms, and design and build your IT environment in a secure way. This includes defining strict permissions to users, adding users to the product only on a need-to-know basis, using appropriate data-validation techniques, and so on.
• IAM tools and user management: Identity and Access Management (IAM) is an important aspect of an enterprise security management system. It allows IT administrators to automate numerous user accounts related tasks such as standardizing and managing identities, authentication, and authorization, and boosting the efficiency and effectiveness of access management across an organization while reducing business security risks.

Logging and Monitoring

• Logs feature: ManageEngine Exchange Reporter Plus captures application logs for statistical, security, and debugging purposes. Logs are automatically produced and timestamped. Admins can refer to these logs to check the product's performance and keep track of actions executed in the event of action failure.
• Business continuity — data backup: ManageEngine Exchange Reporter Plus supports backup and restore features in the product. The customer has to ensure that they schedule regular backups of the product's DB catering to their business use-cases.
• Application updates and patch management: ManageEngine Exchange Reporter Plus is responsible for identifying and fixing the security vulnerabilities in the product. Patch updates comprise of a collection of updates, fixes, or enhancements for software, delivered in the form of a single installable package. You must make sure to keep your build updated to the latest version. Alternatively, you can also enable the auto-update option in Exchange Reporter Plus. Once this is done, the product by itself, will watch out for the latest patch updates and install them without human intervention.