BlueConic provides a secure environment for its customers. Security is of paramount importance to BlueConic customers. To help you have the safest environment possible, we created a checklist you can use to enhance and protect your BlueConic environment. We suggest assigning someone, probably a BlueConic application manager, to go through this checklist every month.
Understand the context
- Review the Security section for additional information about BlueConic and Security.
- Understand and follow the principle of least privilege. Err on the side of caution and try to remove users, roles, channels, and other permissions as much as possible. You can always add them back as needed.
- Be aware that security is often a balance between secure and user-friendly. As an application manager you have to make that trade-off.
Check user management, and be aware of the following:
- Verify who currently has user management rights, and minimize the number of users who can create or update rights for other users.
- Verify which user has which role and remove any non-needed roles for a user.
- Verify which users can access a domain and remove access to domains that are not necessary.
- Verify if a user is still active in the organization, and if not remove the user.
- Also, sort on 'last login' in user overview, and consider removing users who have not been active for quite a while. You can always add them back.
Verify the roles in BlueConic and make sure to understand the permissions, and what role has what permissions. Be especially aware of the following permissions:
- User management: Gives users the power to add or remove roles and users, so, the fewer people who have this power, the better.
- Applications: Enables users to register applications to access the BlueConic APIs.
- Connections: Used to transfer bulk profile data to and from BlueConic, so they are a bit more sensitive to data leaks.
- Profiles: Users with this permission can view individual profiles, which might be privacy sensitive.
- Plugins: Users can add or remove plugins. Plugins can change functionality in BlueConic, so be careful when assigning this to a user.
- Data scientist: Users with this permission can use AI Workbench, which might be privacy sensitive.
Check the Privacy tab for settings that might be relevant, especially:
- Check the default permission setting. When default permission is level 0, website visitors have to opt-in first before you start collecting data, which can be a better model if you are privacy conscious.
Other security tips
- As a general policy, User Management is always fully owned by the customer. This means that BlueConic Support cannot add, remove, or update users without your explicit consent through email, and even then we prefer you do it yourself to prevent confusion about who can access your data.
- Logging in uses two-factor authentication through email which is mandatory for all users.
- There is a forgotten password mechanism using mobile phone numbers and security codes through texts. If BlueConic does not know the mobile phone number of someone who tries to reset their password, an email is sent to all users who can access user management. Consider sending the new password through a different channel than email to prevent social engineering attacks, and always enable the ‘change password on next login’ option for that user on the Users settings page.
- Be really careful with username/password, certificates, and other data to access other systems. Don’t send them to BlueConic support, and don’t use them on Slack or other group chats, as these kind of systems send data to multiple users.
And most important of all: Be aware of security risks with everything you do and be smart about it!