Identity Management
For the customer instance of the SaaS Platform, ThousandEyes creates a user account with administrative permissions for the employee listed as the technical contact on the contract. It is the customer's responsibility to:
- Configure single sign-on (using SAML) or appropriate password policies (complexity is always enforced; add a maximum password age);
- Create other users and accounts with appropriate roles (the SCIM API is supported for automating provisioning and deprovisioning);
- Periodically review access to the service to confirm that only authorized workers have access, and with the proper access levels;
- Configure groups and users with role-based access controls (RBAC) so that only authorized users can access or view sensitive data (including personal information);
- Avoid shared logins (these are prohibited in most organizations); there is no charge associated with user accounts on the ThousandEyes platform, so every person can have their own;
- For customers that use ThousandEyes Appliances (Virtual and Physical), customer administrators are required to change the password of the Virtual Appliance as part of the initial setup process.
Infrastructure Protection Services
Customers must ensure the security of their endpoints (end-user computers) and connectivity. If Enterprise Agents are in use, it is the customer's responsibility to protect the underlying physical infrastructure, virtualization and containerization (if present). If the Enterprise Agent is delivered as a Linux application, the customer must also secure the underlying Linux server.
Endpoint Agent Management
If an end-user asset leaves the customer's operational ownership, it is recommended to uninstall the Endpoint Agent from the system. For all systems on which the Endpoint Agent has been uninstalled, or that have been retired, ThousandEyes recommends removing the Endpoint Agent entry from the ThousandEyes Endpoint Agent inventory, as these entries are not removed automatically.
Logging and Monitoring
Configure download of the audit log ("Activity log") into your log management solution via the ThousandEyes API (or CSV export), so that administrative actions are retained and reviewed outside the platform.
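As an added illustration of what "download via the ThousandEyes API into your log management solution" looks like in practice, the script below is an example written for this page, not ThousandEyes' own code. It assumes (none of this is stated on the page) a v7 audit endpoint of the form `GET https://api.thousandeyes.com/v7/audit/user-events?window=24h` that takes the API token in an `Authorization: Bearer` header and returns `{"auditEvents": [...]}` with the fields shown in `SAMPLE_RESPONSE`; the sample events and the `SENSITIVE_KEYWORDS` list are constructed, so check both against the current ThousandEyes API documentation and the event names your tenant actually emits. It polls a trailing window, drops events already forwarded on the previous run, writes one JSON line per event for the SIEM, and flags identity- and access-changing events.

```python
"""Pull the ThousandEyes activity (audit) log and forward it as JSON lines.

Added example for this page, not ThousandEyes code. Assumed (not from the page):
  * endpoint GET {API_BASE}/audit/user-events?window=<window>[&aid=<aid>]
    returning {"auditEvents": [ {...}, ... ]} with the fields in SAMPLE_RESPONSE;
  * the API token goes in an "Authorization: Bearer <token>" header.
Check both against the current ThousandEyes API documentation before relying on them.
"""
import json
import os
import sys
import urllib.request

API_BASE = "https://api.thousandeyes.com/v7"   # assumed base URL

# Constructed sample response (not real data) so the script can run offline.
SAMPLE_RESPONSE = {
    "auditEvents": [
        {"aid": 1234, "accountGroupName": "Prod", "date": "2024-05-01T10:15:00Z",
         "event": "Logged in", "ipAddress": "203.0.113.10",
         "uid": 42, "user": "Alice (alice@example.com)"},
        {"aid": 1234, "accountGroupName": "Prod", "date": "2024-05-01T10:20:00Z",
         "event": "Created User", "ipAddress": "203.0.113.10",
         "uid": 42, "user": "Alice (alice@example.com)",
         "resources": [{"name": "Bob (bob@example.com)", "type": "user"}]},
    ]
}

# Event-name substrings treated as identity/permission changes worth alerting on.
# Constructed for this example; align with the event names your tenant really emits.
SENSITIVE_KEYWORDS = ("Created User", "Deleted User", "Role", "Token", "SSO", "Password")


def _http_get_json(req):
    """Perform the request and decode the JSON body (the only network-touching code)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_audit_events(token, window="24h", aid=None, http_get=_http_get_json):
    """Return the audit events for the trailing window (e.g. "24h", "7d").

    `http_get` is injectable so the parsing can be exercised without network access.
    """
    url = f"{API_BASE}/audit/user-events?window={window}"
    if aid is not None:
        url += f"&aid={aid}"          # restrict to one account group
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    return http_get(req).get("auditEvents", [])


def newer_than(events, last_seen):
    """Drop events already forwarded on a previous poll (windows overlap on purpose).

    Timestamps are compared as strings; this is only valid because the assumed
    format is fixed-width ISO 8601 in UTC ("YYYY-MM-DDTHH:MM:SSZ").
    """
    return [ev for ev in events if ev.get("date", "") > last_seen]


def to_log_lines(events):
    """Normalize each event into one JSON line with stable keys for the SIEM."""
    lines = []
    for ev in events:
        rec = {
            "timestamp": ev.get("date"),
            "vendor": "thousandeyes",
            "account_group": ev.get("accountGroupName"),
            "aid": ev.get("aid"),
            "user": ev.get("user"),
            "src_ip": ev.get("ipAddress"),
            "action": ev.get("event"),
            "resources": [r.get("name") for r in ev.get("resources", [])],
        }
        lines.append(json.dumps(rec, sort_keys=True))
    return lines


def flag_sensitive(events):
    """Return events whose name matches an identity- or access-related keyword."""
    return [ev for ev in events
            if any(k.lower() in ev.get("event", "").lower() for k in SENSITIVE_KEYWORDS)]


def main():
    state_file = os.environ.get("TE_AUDIT_STATE", "te_audit_state.txt")
    last_seen = ""
    if os.path.exists(state_file):
        with open(state_file) as fh:
            last_seen = fh.read().strip()
    token = os.environ.get("TE_TOKEN")
    if token:
        events = fetch_audit_events(token, window=os.environ.get("TE_WINDOW", "24h"))
    else:                                   # no token: demo run on the constructed sample
        events = SAMPLE_RESPONSE["auditEvents"]
    events = newer_than(events, last_seen)
    for line in to_log_lines(events):
        print(line)                         # stdout -> your log shipper / SIEM
    for ev in flag_sensitive(events):
        print(f"ALERT {ev['date']} {ev['user']}: {ev['event']}", file=sys.stderr)
    if events:
        with open(state_file, "w") as fh:   # remember the newest timestamp forwarded
            fh.write(max(ev["date"] for ev in events))


if __name__ == "__main__":
    main()
```

Run it from cron with `TE_TOKEN` set and stdout piped to your log shipper; the window should be longer than the polling interval so that a missed run loses nothing, and the state file makes the overlap harmless. The API token used here should be a dedicated, least-privilege account's token and is itself subject to the rotation policy mentioned later on this page.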
Session management
Assign the permission "Keep session alive on auto-update" only to roles whose users actually need it (such as a NOC user). The ThousandEyes application has a 30-minute session timeout, which does not apply while the user has any of the following views open in their browser:
- Dashboards view
- Alerts > Alert list view
- Cloud & Enterprise Agents > Agent Settings view
NOTE: The automatic session prolongation described above requires the "Keep session alive on auto-update" permission enabled for the user. See the Role-Based Access Control article for more details about user roles and permissions.
Policies and Standards
In relation to the ThousandEyes SaaS application, the most important steps for customers to take within the "Policies and Standards" domain are to:
- Classify data stored and processed by ThousandEyes.
- Establish a worker awareness and training program.
- Comply with Data Subject Access Request requirements (ThousandEyes will redirect data subjects to your administrators).
Other security improvements to consider
- Customers may ask ThousandEyes Support to remove ThousandEyes personnel's access permissions into their organization; this access is enabled by default to facilitate support and other activities related to service operations;
- Carefully consider who in your organization should be able to perform "Snapshot sharing": this functionality lets your internal users share network events with third parties (such as service providers) in a way that allows the data to be accessed anonymously;
- If Enterprise Agents are deployed in your network, consider changing the Enterprise Agent NTP settings to point to your authorized NTP servers (otherwise the defaults of the underlying operating system are used);
- Make sure your users rotate their API tokens according to your policy.