ManageEngine ADSelfService Plus' shared responsibility model

A shared responsibility model dictates and defines certain responsibilities between ManageEngine ADSelfService Plus and its users to ensure accountability. Each party (ManageEngine ADSelfService Plus and the customer) is accountable for different aspects and must work together to ensure full coverage. In this model, ownership is clearly defined with each party maintaining complete control over those assets, processes, and functions they own. Clearly defined shared responsibilities allow you to focus your efforts on your application delivery strategy, without overburdening your teams with day-to-day operational concerns.

The controls are segregated into three types:

• ManageEngine-specific controls: The controls that are the complete responsibility of ManageEngine ADSelfService Plus.
• Customer-specific controls: The areas of responsibility that are solely owned, maintained and controlled by you, the customer.
• Shared controls: Here, ManageEngine ADSelfService Plus provides the necessary support for security requirements. The customer should implement the guardrails in a way that suits their organizational requirements, including security, compliance, privacy, IT requirements, and applicable laws and regulations.

ManageEngine ADSelfService Plus's responsibilities

• Software: ManageEngine ADSelfService Plus is an identity security solution to ensure secure and seamless access to enterprise resources and establish a Zero Trust environment. With capabilities such as adaptive multi-factor authentication, single sign-on, self-service password management, a password policy enhancer, remote work enablement and workforce self-service, ADSelfService Plus provides your employees with secure, simple access to the resources they need. ADSelfService Plus helps keep identity-based threats out, fast-tracks application onboarding, improves password security, reduces help desk tickets and empowers remote workforces.
• Application platform security: ManageEngine handles the security vulnerabilities of the source code of the application platform (ManageEngine ADSelfService Plus).
  • Client-side & Server-side security: By design, we prioritize security in our products. Our robust security framework is built referring to OWASP standards and implemented in the application layer. It provides functionalities to mitigate threats such as SQL injections, cross-site scripting, and application layer DOS attacks, thereby taking care of the client-side as well as server-side security. All the software changes are authorized before providing it to our customers. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as a screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
  • Integrity: Data integrity refers to the accuracy and consistency of data. To ensure this, we apply encryption at rest (in-product). This refers to data that is encrypted when it is stored (not moving) — here, data is encrypted at the database (DB) level.

Customer's responsibilities

• Data management: Data is increasingly seen as an essential corporate asset that can be used to make informed business decisions. Managing data includes the process of acquiring, validating, storing, protecting, and processing the data collected by your organization.
• Integration: By default, integrations are not imposed in ADSelfService Plus. If you want to integrate ADSelfService Plus with any of your other applications (like importing/exporting data to/from ManageEngine ADSelfService Plus to any other third party apps), it would be your full responsibility to do so, starting from establishing the integration, data interchange, and so on. Customers should carefully choose the services they interact with to make sure that the third-party services do not compromise your security. By default, PostgreSQL DB is bundled with the product. You can also use (customer-end) MS SQL DB or an external PostgreSQL DB as its alternative.
• Anti-abuse monitoring: Instances of abuse can include generating a report and mailing it to potential targets to collect sensitive data or personal information. To avoid this, you must monitor your domain space and implement anti-abuse measures to protect your users and their data.
• Infrastructure: The customer handles the infrastructure that runs all of the services offered by ManageEngine ADSelfService Plus and must ensure to protect the same. This infrastructure is composed of the hardware, software, operating system (including updates and security patches), networking, firewall, and app server.
• Business continuity: This refers to the advanced planning and preparations by business organizations to ensure that they will have the capability to operate their critical business functions during emergency events.
  • Server monitoring: The customer must monitor their servers to ensure that there isn't any discrepancy between them, which may affect the overall availability of the services provided.
  • Scaling: The customer must have a proper system in place to scale up their resources and balance the load in case of multiple servers to run the infrastructure for a larger number of users.
• Endpoint security
  • Anti-virus(AV): The server provisioned for ManageEngine ADSelfService Plus service should be hardened before use. The customer must use various metrics (like anti-virus software, Intrusion Detection mechanisms, DDoS protection) to secure the system in which the product is installed.

Shared responsibilities

• Design and security: While ManageEngine ADSelfService Plus takes care of the application platform's security, it also provides various defense mechanisms to protect your data from unauthorized access such as installing SSL certificate. However, it's your responsibility to define the security needs of your IT environment, analyze and implement the various modes of security mechanisms, and design and build your IT environment in a secure way. This includes defining strict permissions to users, adding users to the product only on a need-to-know basis, using appropriate data-validation techniques, and so on.
• Identity security and password management: Identity security is an important aspect of an enterprise security management system. It allows IT administrators to secure user accounts and access to related tasks such as standardizing and managing identities, authentication, and authorization, and boosting the efficiency and effectiveness of access management across an organization while reducing business security risks. In your ManageEngine ADSelfService Plus setup, you will be able to configure AD domains for the product and set up advanced MFA flows and enable self-service actions and SSO for user accounts belonging to those domains. While configuring policies for product access, you must make sure to implement authorized mechanisms for logging in to the product.

Logging and Monitoring

• Logs feature: ManageEngine ADSelfService Plus captures application logs for statistical, security, and debugging purposes. Logs are automatically produced and timestamped. Admins can refer to these logs to check the product's performance and keep track of actions executed in the event of action failure.
• Business continuity — data backup: ManageEngine ADSelfService Plus supports backup and restore features in the product. The customer has to ensure that they schedule regular backups of the product's DB catering to their business use-cases.
• Application updates and patch management: ManageEngine ADSelfService Plus is responsible for identifying and fixing the security vulnerabilities in the product. Patch updates comprise of a collection of updates, fixes, or enhancements for software, delivered in the form of a single installable package. You must make sure to keep your build updated to the latest version. Alternatively, the Security Patch Updater feature in ADSelfService Plus automatically installs critical security patches without human intervention. Also, subscribe to the ADSelfService Plus release mailers and security advisories to remain updated about the latest patch releases. The in-product footer banner also regularly displays this information.