BlueConic Security Best Practices

BlueConic provides a secure environment for its customers. Security is of paramount importance to BlueConic customers. To help you have the safest environment possible, we created a checklist that you can leverage to enhance and protect your BlueConic environment. We suggest assigning someone, probably a BlueConic application manager, to go through this checklist every month.

Understand the context:

  • Check out the Security section for additional information about BlueConic and Security
  • Understand and follow the principle of least privilege. Err on the side of caution and try to remove users, roles, channels and other permissions as much as possible, you can always add them back.
  • Be aware that security is often a balance between secure and user-friendly, as an application manager you have to make that trade-off.

Users management

Check user management, especially be aware of the following:

  • Verify who currently has user management rights, and minimize the number of users that can create or update rights for other users. 
  • Verify which user has which role and remove any non needed roles for a user.
  • Verify which users can access a domain and remove access to domains not necessary.
  • Verify if a user is still active in the organization, and if not remove the user.
  • Also, sort on 'last login' in user overview, and consider removing users that have not been active for quite a while. You can always add them back.

Roles management

Verify the roles in BlueConic and make sure to understand the permissions, and what role has what permissions. Especially be aware of the following permissions:

  • User management (this gives users the power to add or remove roles & users, so, the less people have this power, the better)
  • Connections (connections are used to transfer bulk profile data to and from BlueConic, so they are a bit more sensitive of data leaks)
  • Profiles (users with this permission can view individual profiles, which might be privacy sensitive) 
  • Plugins (users can add or remove plugins. Plugins can change functionality in BlueConic, so be careful to assign this to a user)

Privacy settings

Check the Privacy tab for settings that might be relevant, especially:

  • Check the default permission setting. When default permission is level 0, website visitors have to opt-in first before you start collecting data, which can be a better model if you are privacy conscious
  • Check the 'External analytics' settings, as exposing information will expose data in the BlueConic JavaScript datalayer, which is accessible for people with technical skills with some effort. Determine if activating these checkboxes is really needed, and disable if not.

Other security tips

  • As a general policy, User Management is always fully owned by the customer. This means that BlueConic Support cannot add, remove or update users without your explicit consent through email, and even then we prefer you do it yourself to prevent confusion about who can access your data.
  • Logging in uses two factor authentication through email which is mandatory for all users.
  • There is a forgotten password mechanism using mobile phone numbers and security codes through texts. If BlueConic does not know the mobile phone number of someone who tries to reset their password, an email is sent to all users that can access user management. Consider sending the new password through another channel then email to prevent social engineering attacks, and always check ‘change password on next login’ for that user.
  • Be really careful with username/password, certificates and other data to access other systems. Don’t send them to BlueConic support, don’t use them on Slack or other group chats, as these kind of systems send data to multiple users.

And most important of all: be aware of security risks with everything you do and be smart about it!