Secure Agent design
Our agent ensures your devices, account, and data is secure. Thought is given to each interaction and transition involving your account and data. Below are some of the key features and design principles.
Light touch: Our agent only retrieves the in-focus application's process name, the current window title, and, when possible if the activity is browser related the current URL. In addition, the agent retrieves information about whether the machine is connected to wifi, the number of monitors connected, keystroke and mouse click activity (not the detail but just the existence of it), the machine name, the logged in user name, the machine IP address, and the machine make/model, CPU, RAM and available disk size.
Our agent will never automatically use cameras, take screen shots, log keystrokes, capture web form content, or anything else than what is described above. It only gathers what is described above. Furthermore, through our privacy controls (here) you control what is measured and what is kept.
Data safety: Your activity data is held in memory when possible, and regularly transitioned to our data center for processing when online.
Code signing: Our agent is digitally signed using Digicert Extended Validation Code Signing technology in order to prove that it has not been altered or compromised by a third party. This also prevents unnecessary warning messages and protect our software from malware, tampering, and theft. The use of the extended validation certificate also reduces warning messages with Microsoft’s SmartScreen Application Reputation filter. Further, because of DigiCert’s partnership with Microsoft, we have immediate reputation in Windows 8, 8.1, and 10.
Data transmission and authentication
We leverage a number of controls in order to:
- ensure that the agent is authenticated to transmit data to our servers; and
- secure the transmission of data from the agent to our servers.
Insightcentr uses a two factor, subscription specific approach to authenticate the agents that you deploy. This authentication relies on a unique 8 character Subscription Id and a 32 character API Key. Access to your API Key can be controlled to be accessed and reset by specific users that only you grant access to.
Data transmission security
The Insightcentr agent uses Shared Access Signatures (SAS) as the primary security mechanism to secure data transmission from the agent to our servers.
SAS authentication uses the following elements:
- A 256-bit primary cryptographic key in Base64 representation; and
- A Shared Access Signature token which is generated using the HMAC-SHA256 with an Insightcentr specific string with the cryptographic key.
Data transmission protocol
Insightcentr uses the Advanced Message Queueing Protocol (AMQP) over HTTPS to asynchronously, securely, and reliably transfer messages between the agents and our servers.
Our server requires the use a AMQP WebSockets binding creating a tunnel over TCP port 443 that is then equivalent to AMQP 5671 connections.
Cloud Service Hosting
Insightcentr data processing, reporting, and account management is handled through our website locations, which are all hosted with a tier 1 global cloud data center provider. This gives us audited robust infrastructure security, both physical and network level. On that foundation, we provide additional feature-targeted firewalling, privilege separation and controls, two-factor access methods, and logged, auditable operations interfaces.
All operational interaction with our platform is accomplished through either HTTPS or SSH (secure tunnels). Our testing and development deployments are maintained in a matching configuration, with access only through HTTPS and SSH tunnels. We do not maintain any office based data storage or services. All of our engineering resources are secured in our cloud data center under the same practices and policies applied to the production configuration.
Trust and compliance
Our cloud data center provider meets the following (not exhaustive list) compliance standards:
Alignment with the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018;
Australian Government Certified Cloud Services List (CCSL);
Level 2 CSA STAR Attestation and Level 2 CSA STAR Certification
The following compliance, certifications and standards are met. More information in relation to each of these can be provided upon request.
Accounts can be deleted at any time. Deleting your account will delete all your activity data. While your account is active, you can use various tools to export views of your all your data.
Your account and data are isolated by strict controls in the database and application logic, no other account can access your information.
Your relevant account activities are logged in an auditable historical record, including Insightcentr operations and support interactions with your account. Furthermore, all operations activities of any kind by Insightcentr employees are mediated through a secure tunnel and toolset that ensure detailed auditable records (such as system restart or software updates).
Authentication and User Controls
Insightcentr currently provides two factor authentication along with the requirement to understand the tenant content (i.e. typically the company name). For your company you can also configure your own password complexity policy with the following parameters:
- minimum password length
- maximum password length
- require numbers in password
- required upper case letters in password
- use lower case letters in password
- use punctuation in password
Insightcentr provides a solution to lock accounts based on failed login attempts. You can configure the maximum number of failed logic attempt count before locking the account and the account locking duration in seconds.