This resource provides an overview of recommended security best practices for Zendesk Suite subscribers to implement in their own instance. We recommend that you consider implementing these practices at the onset of adoption and routinely check your settings and company best practices to ensure that they are appropriate and correctly adhered to by employees.
Zendesk offers a wide range of controls to help you keep your information (and that of your customers) safe and secure. We strongly recommend training agents and administrators to apply these security best practices and minimize your risk exposure, in keeping with our Shared Responsibility Model. This framework outlines the responsibilities of each Zendesk Subscriber when it comes to ensuring the security of their instance. For more information, see The Zendesk Shared Responsibility Model.
This article contains the following sections on Best Practices for Zendesk Suite:
- General
- Access Control
- Systems Access, Networks and Domains
- Data Management
- API
- Monitoring
- Disaster Recovery
Security Best Practices for Zendesk Suite
General
- Use a sandbox for testing and development to keep your production instance clean.
- Restrict Mobile App usage for Agent workflows and/or use cases.
- Enable content moderation in your Guide Help Center and forum threads to prevent spam and/or unwanted content in your Gather community.
- Review any and all automated functions that send notifications to ensure that they are notifying the correct people.
Access Control
General
- When using Zendesk Native Authentication:
- Customize the password security level to match your company’s internal policies.
- Set the lowest session expiration necessary for your agents and admins.
- Disable unnecessary social logins for end-users.
- When using Single Sign-On (SSO):
- Utilize either native in-product SSO, or your existing enterprise Single Sign-On to centrally manage your configurations.
- Couple any MFA you operate with your SSO to cover Zendesk logins.
- If you wish to still allow for password authentication via Zendesk Native Authentication, because you are concerned about availability during an SSO outage, then do not disable password authentication. If, however, you wish to eliminate the ability for passwords to be used once SSO has been configured, then disable password use. Note that disabling password access will terminate all open sessions where passwords were used to authenticate.
- Keep Account Assumption disabled unless you require a Zendesk employee to enter your account (either when interacting with Zendesk’s Support, advocates, Professional Services, etc.).
Users
- Review connected devices associated with your Agent profile and remove those that are no longer in use or look suspicious. Note that only Agents, Admins and Owners have access to this functionality.
- If creating a “closed” Zendesk instance, require end-users to register and verify their emails before they can submit tickets to cut down on potential spam.
- Apply custom roles for your agents to limit user access to only what is necessary for each job function.
- Consider user segment and/or brand-based privileged access when using Guide.
- Leverage the allowlist to define specific users, or groups of users, who have access to your account and/or the ability to submit requests/chats.
- Suspend, reject, and/or prevent users from interacting with Zendesk Services via the blocklist, when necessary.
- Review the users on your account and suspend/demote users who no longer need access to your system.
Passwords
- Two-Factor Authentication (2FA) is the recommended standard for agent and Admin login to Zendesk.
- Where different populations have different security needs, consider setting one custom password security level for End Users and another for Agents and Admins when using Zendesk’s native authentication.
- Create a unique password for your Zendesk account (i.e., one not currently used to log in to external systems or applications).
- Enable email alerts for logins from new devices so Agents can monitor their accounts for logins from new (and unauthorized) devices. See Checking devices and applications that accessed your account in the Zendesk Agent Guide.
System, Network Access and Domains
- Use Contextual Workspaces to optimize your workflows and show only applicable tools (e.g., macros, apps, forms, etc.) and ensure that Agents only have access to the system functions and workflows that are needed to complete a task.
- Restrict access based on IP addresses for the agents and/or end users.
- Where requiring non-Zendesk URLs, generate your own SSL certificates or Zendesk-provisioned SSL certificates with host mapping and provide secure access to your help center. Where supplying your own SSL certificate, be sure to keep it up to date.
Data Management
- Data Usage
- Capture only data that is needed to complete a given use case, minimizing the exposure of sensitive customer and/or internal data.
- Deletion/Redaction
- Refer to the "Complying with privacy and data protection law" guides for deletion and redaction recommendations, in accordance with privacy regulations.
- Consider not recording calls, and/or automatic deletion of recordings when using Talk functionality, where such recordings could be challenging for your compliance with industry or legal regulations.
- Enable automatic redaction to protect sensitive customer data in tickets and chats. Note: This feature leverages a Luhn check which will redact most, but not all, credit card numbers.
- Manually redact credit card information from the Zendesk Agent Workspace, where permissions allow. Note that even after deletion data may still persist in logs for up to 30 days.
- Compliance
- Should your use case involve Protected Health Information (“PHI”), enter into a Business Associate Agreement (BAA) with Zendesk and implement the required security configurations for Health Insurance Portability and Accountability Act (HIPAA)-related Personal Health Information (PHI) and electronic personal health information (ePHI) data management, as necessary for you as a healthcare provider or healthcare data manager.
- Should you use credit card numbers for identification purposes, add a credit card field to your ticket form to meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements (note this field does not store or surface the full credit card number and cannot be used for payments or transactions).
- For those who need to be in scope for PHI, ePHI, HIPAA and/or PCI DSS compliance:
- Privacy
- Consult the "Complying with privacy and data protection law" section of the Help Center for product-specific privacy considerations.
- Access the Trust Center to learn how our Global Privacy Program helps you stay compliant, no matter where you’re located or who you do business with.
- Apply email archiving when there’s a business need to maintain archives of customer communications outside of Zendesk Services for policy, regulatory, or legal purposes.
- Disable Chat email piping unless required when using Chat.
- Use rich content in incoming emails only when necessary for your workflow.
- Enable email authentication with SPF, DKIM, and DMARC to reduce spoofed email and spam your account receives.
- Digitally sign outbound emails from Zendesk to verify that they originated within your organization.
- Leverage personalized email replies and agent aliases to provide transparency to end-users who are communicating with agents via ticketing.
- Decommission unused or unnecessary Support addresses to minimize spoofing risk.
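The automatic redaction item above notes that a Luhn check redacts most, but not all, card numbers. The following Python is an added illustration, not Zendesk's implementation: it masks card-length digit runs only when they pass Luhn, and separately lists the runs that fail and would therefore survive an automatic pass and need manual redaction. The regex, function names and the sample comment text are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# Card-number-like runs: 13 to 19 digits, optionally separated by spaces or dashes.
# Assumed detector pattern for illustration only; not Zendesk's own.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the ASCII digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _strip(run: str) -> str:
    return re.sub(r"[ -]", "", run)


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card-like runs, keeping the last four digits; leave the rest untouched."""
    def mask(m: re.Match) -> str:
        digits = _strip(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                # fails Luhn: survives, the gap the note describes
        return "X" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text)


def unredacted_candidates(text: str) -> list[str]:
    """Card-length runs that fail Luhn and so would survive automatic redaction.

    Route these to the manual-redaction step rather than assuming the automatic
    pass caught everything."""
    return [m.group(0) for m in CANDIDATE.finditer(text)
            if not luhn_valid(_strip(m.group(0)))]


# Constructed sample ticket comment (not real data).
SAMPLE = ("Customer paid with 4111 1111 1111 1111 earlier; "
          "a mistyped number 4111 1111 1111 1112 is also in the thread.")

if __name__ == "__main__":
    print(redact_pans(SAMPLE))
    print(unredacted_candidates(SAMPLE))
```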
API
- Make use of tokens instead of passwords to prevent unauthorized password access to the API.
- Deploy OAuth to authenticate and limit the amount of access granted to tokens in the API. Disable where unneeded.
- Safeguard API tokens in a secure location outside of the application. Where possible, OAuth tokens are recommended over API tokens.
Monitoring
- Regularly review and monitor account audit logs that show changes to your account. Helpful tip: Your API can also be leveraged to export audit logs as needed.
Disaster Recovery
Zendesk maintains a Global Business Resilience Program to ensure we have the ability to rapidly adapt and respond to business disruptions, safeguard people and assets, while maintaining continuous business operations. Outside of this, there are several steps that you can take to additionally secure the continuity of your business.
- Opt in to Enhanced Disaster Recovery for security redundancy that includes real-time data replication, traffic prioritization, zone availability redundancy and priority recovery planning.
- If using Voice functionality, enable a Talk failover number for business continuity purposes.
- If you desire to have password access in the event of external SSO system outages, consider not disabling Zendesk native authentication (SSO can be set up as strict, or allowing password bypass).
- Apply an incremental export API and/or bulk downloads of your Service Data if you require non-editable data stores to be preserved within your own environment.
- Enable automated email forwarding from your personal third-party email address to Zendesk Support to retain a copy of the email outside of Zendesk.
- Use the incremental export API to retrieve Zendesk Support items that have been changed since the last API call request. See the API Reference for more information.
If you suspect that a security incident within your Zendesk instance was directly caused by our Service itself, you should submit a ticket to security@zendesk.com. For clarification on when to contact Zendesk about security-related responsibilities, consult the Shared Responsibility Model.
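The two export items above (preserving your own copy of Service Data, and fetching only what changed since the last call) are shown below as an added Python example, not code from Zendesk. Only the time-based endpoint path and the response fields `tickets`, `next_page`, `end_time` and `end_of_stream` come from the documented API; the `fetch` callback, the function names and the sample responses are assumptions constructed for the example, and the authenticated HTTP call itself is left to the caller.

```python
from __future__ import annotations
from typing import Callable

# Time-based incremental export endpoint (documented path; host and auth omitted).
TICKETS_EXPORT = "/api/v2/incremental/tickets.json?start_time={start}"


def export_changed_tickets(fetch: Callable[[str], dict], start_time: int) -> tuple[list[dict], int]:
    """Walk the incremental export from start_time until end_of_stream.

    fetch(path) is caller-supplied: it performs the authenticated GET (API token
    or OAuth, per the API section) and returns the decoded JSON body.
    Returns (tickets, cursor). Persist cursor as the next run's start_time so each
    run only retrieves items changed since the last one.
    """
    by_id: dict[int, dict] = {}   # a ticket updated twice in the window appears twice; keep the latest
    cursor = start_time
    path = TICKETS_EXPORT.format(start=start_time)
    while True:
        page = fetch(path)
        for ticket in page.get("tickets", []):
            by_id[ticket["id"]] = ticket
        cursor = page.get("end_time", cursor)
        if page.get("end_of_stream") or not page.get("next_page"):
            return list(by_id.values()), cursor
        path = page["next_page"]


# Constructed sample responses keyed by request path (not real Zendesk data;
# a live next_page is an absolute URL on your own subdomain).
SAMPLE_PAGES = {
    TICKETS_EXPORT.format(start=1700000000): {
        "tickets": [{"id": 1, "subject": "old"}, {"id": 2, "subject": "x"}],
        "next_page": TICKETS_EXPORT.format(start=1700003600),
        "end_time": 1700003600,
        "end_of_stream": False,
    },
    TICKETS_EXPORT.format(start=1700003600): {
        "tickets": [{"id": 1, "subject": "new"}, {"id": 3, "subject": "y"}],
        "next_page": None,
        "end_time": 1700007200,
        "end_of_stream": True,
    },
}


def sample_fetch(path: str) -> dict:
    """Stand-in for the authenticated GET; serves the constructed pages above."""
    return SAMPLE_PAGES[path]


if __name__ == "__main__":
    tickets, cursor = export_changed_tickets(sample_fetch, 1700000000)
    print(len(tickets), "tickets; next start_time =", cursor)
```

Store the returned tickets in your own write-once location and the cursor alongside them; the next run passes that cursor as `start_time`.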