© 2019 Keeper Security, Inc. 1
Keeper MSP Technical Whitepaper
Table of Contents
Introduction 3
System Architecture 3
Zero-Knowledge Architecture 3
Master Password 4
Encrypted Vault 4
Ubiquitous access to password vaults from any device 6
Fully-Managed SaaS Platform 6
Isolation of Managed Companies 7
Industry Certifications 8
Certified SOC 2 Compliant 9
ISO 27001 Certified (Information Security Management System) 9
GDPR Compliance 9
Key Functionality 10
Roles & Enforcements 10
Administrative Permissions 10
Two Factor Authentication (2FA) 11
Two Factor code generator in user's vault 12
MSP Remote Administration & Permissions 12
Teams & Shared Folders 13
License Pool 14
Logging license transactions for Billing purposes 14
Reporting 15
SIEM Integration 16
Versatile provisioning 16
Import / Email 16
AD Bridge 16
SSO 16
Account Transfer 16
Deploying KeeperMSP 17
Full Service model 17
Reseller model 17
Hybrid model 17
Summary 17
Introduction
KeeperMSP is a natural extension of Keeper's Enterprise Password Management solution which allows an MSP to manage multiple independent tenants (a.k.a. "Managed Companies" or "MCs") from a central console.
Keeper began as a mobile-first, consumer-focused product. As a result, our application is easy and enjoyable to use. This is evidenced by our 15M+ downloads, very high renewal rates, and positive reviews. Keeper's solutions are also used heavily by Small and Medium Businesses (SMBs), given that these firms are often highly vulnerable to cybersecurity crimes. It is estimated that 39% of SMBs use an MSP in some capacity, as they are typically not staffed with all the IT specialists they need to function in today's digital world. [1]
Keeper has also expanded into the Enterprise space and honed the product by meeting the needs of demanding administrators in mission-critical environments with complex deployments and use cases. The enterprise version of the product has been architected to scale and has the core features and functionality that MSPs require, including: organizational roles; robust enforcement policies; multiple provisioning mechanisms; full support for 2FA methods; and robust auditing and reporting capabilities.
To better service the MSP market, Keeper now offers this highly scalable, purpose-built solution so that our password management solution can be more easily offered and managed by MSPs.
System Architecture
Zero-Knowledge Architecture
Keeper is a Zero Knowledge security provider. Zero Knowledge is a system architecture that guarantees the highest levels of security and privacy by adhering to the following principles:
1. Data is encrypted and decrypted at the device level (not on the server)
2. The application never stores plain text (human readable) data
3. The server never receives data in plain text
4. No Keeper employee or 3rd party can view the unencrypted data
5. The keys to decrypt and encrypt data are derived from the user's master password
6. Multi-Layer encryption provides access control at the user, group and admin level
7. Sharing of data uses Public Key Cryptography for secure key distribution
Data is encrypted locally on the user's device before it is transmitted and stored in Keeper's Cloud Security Vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.
Keeper is the most secure, certified, tested and audited password security platform in the world. We are the only SOC 2 and ISO 27001 certified password management solution in the industry and Privacy Shield Compliant with the U.S. Department of Commerce's EU-U.S. Privacy Shield program, meeting the European Commission's Directive on Data Protection. Not only do we implement the most secure levels of encryption, we also adhere to very strict internal practices that are continually audited by third parties to help ensure that we continue to develop secure software and provide the world's most secure cybersecurity platform.
Sources: [1] SherWeb Blog, 2018
To learn more about the Keeper zero-knowledge architecture please see our encryption model documentation.
Master Password
Each Keeper user must choose a "Master Password" which is only used for Keeper and not used for any other service. Keeper's Zero Knowledge architecture ensures that no one – not even the administrator, MSP or Keeper employees – has access to a user's master password.
The Master Password must adhere to the guidelines enforced by the Keeper Administrator, which can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process by answering a security question, email verification and two-factor verification.
Encrypted Vault
Numerous government and regulatory guidelines, including the National Institute of Standards and Technology and the European Union's General Data Protection Regulation, recommend encryption as the most effective form of data protection. Keeper's implementation of symmetric encryption in the vault represents the most advanced and secure solution available in the market.
All passwords in Keeper are stored in encrypted records which reside in a digital vault. The encryption key to decrypt the vault is first derived from the user's Master Password, which then unpacks other private keys such as the "Data Key" and "RSA Private Key" which are unique to the user. The Data Key unpacks additional keys called "Record Keys" and "Folder Keys" which are used to decrypt the user's stored records.
All top tier password managers encrypt data at some level, but not all encryption is implemented the same. Keeper supports 256-bit AES encryption and PBKDF2 for key derivation, which are widely accepted as the strongest forms of protection available. We also provide multiple layers of encryption at the record, folder and team level. By implementing record-level encryption, records can be shared among privileged users without risking unauthorized or elevated access.
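The key hierarchy described above (Master Password, PBKDF2, Data Key, Record Key, record) as an added illustration in Go; this is not Keeper's code and makes no claim about Keeper's actual formats. Key wrapping with AES-256-GCM, the PBKDF2 iteration count, the 16-byte salt, the nonce||ciphertext||tag layout and the sample record are all assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"hash"
)

// pbkdf2Key is PBKDF2-HMAC-SHA256 (RFC 8018); one 32-byte block is enough.
func pbkdf2Key(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	u := prfSum(prf, append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(salt||INT(1))
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		u = prfSum(prf, u)           // Ui = PRF(Ui-1)
		subtle.XORBytes(out, out, u) // T1 = U1 xor U2 xor ... xor Uc
	}
	return out
}
func prfSum(h hash.Hash, d []byte) []byte { h.Reset(); h.Write(d); return h.Sum(nil) }
func random(n int) []byte             { b := make([]byte, n); rand.Read(b); return b }

// gcm is AES-256-GCM for a 32-byte key; wrap seals plaintext as nonce||ct||tag (assumed layout).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func wrap(kek, plaintext []byte) []byte {
	nonce := random(12)
	return gcm(kek).Seal(nonce, nonce, plaintext, nil)
}

// Vault is all the server ever stores: a salt and three ciphertexts, no keys.
type Vault struct{ Salt, WrappedDataKey, WrappedRecordKey, Record []byte }

// NewVault builds the chain client-side: the PBKDF2 key wraps the Data Key,
// the Data Key wraps the Record Key, and the Record Key encrypts the record.
func NewVault(password, record string, iterations int) *Vault {
	salt, dataKey, recordKey := random(16), random(32), random(32)
	masterKey := pbkdf2Key([]byte(password), salt, iterations)
	return &Vault{salt, wrap(masterKey, dataKey), wrap(dataKey, recordKey), wrap(recordKey, []byte(record))}
}

// OpenVault walks back down the chain. GCM's tag check fails on a wrong key or
// an altered blob, so a wrong password stops at the Data Key and nothing below it opens.
func OpenVault(v *Vault, password string, iterations int) (rec string, err error) {
	key := pbkdf2Key([]byte(password), v.Salt, iterations)
	for _, blob := range [][]byte{v.WrappedDataKey, v.WrappedRecordKey, v.Record} {
		if key, err = gcm(key).Open(nil, blob[:12], blob[12:], nil); err != nil {
			return "", err
		}
	}
	return string(key), nil
}
```

Sharing a record with another user would mean wrapping that record's Record Key under the recipient's public key instead of under the owner's Data Key, which is what lets records be shared without handing over the vault.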
Protection of "data in motion" has been an issue in the past with products that may briefly decrypt data during transmission, or while stored on cloud servers for their own convenience. For Keeper, any data in transit is protected by 256-bit TLS/SSL encryption and the application itself is protected with Key Pinning and layers of encryption that cannot be defeated with MITM (man-in-the-middle) attacks.
The encrypted vault resides in the cloud to ensure synchronization, but can also be used in an offline mode. Users can log in offline and decrypt stored data on mobile and desktop devices. Offline access can be restricted on a role enforcement basis by the Keeper Administrator.
[Figure: Keeper Encryption Model]
Ubiquitous access to password vaults from any device
We live in a multi-device world, but that shouldn't inconvenience people who need access to valuable information no matter where they are. Keeper supports the major types of mobile devices (iOS and Android), as well as the most popular browsers, both on the desktop and the phone or tablet. Data is automatically synchronized across these devices so a user can gain access wherever they need to, from any device they have access to, without fear of losing their credentials if any one device is lost, stolen, or left behind.
As of October 2019, Keeper's native client applications include: Windows 7/8/10, MacOS, Linux/Unix, iOS 8+, Android 4.4+, Windows Phone 8+. In addition Keeper offers internet browser add-ons (called KeeperFill) for Edge, Internet Explorer, Chrome, Safari, Firefox and Opera. Download here.
For additional information on deploying Keeper to end-users, go here.
Fully-Managed SaaS Platform
Keeper is a fully managed hybrid SaaS solution. All the encryption/decryption of vault records occurs on the user's device. This encrypted vault data is then stored in the cloud for browser access, synchronization across devices, and backup.
All of Keeper's user-facing applications contain on-device local encrypted storage. The applications can be locked down to only run within the customer's network environment through role-based enforcement policies. The MSP can also enforce the use of 2FA and other security policies through the Keeper Admin Console.
The Keeper Cloud Security Vault is hosted with Amazon AWS in North America and Europe, for localized data privacy and geographic segregation to host and operate the Keeper solution and architecture. Utilizing Amazon AWS allows Keeper to seamlessly scale resources on-demand and provide customers with the fastest and safest cloud storage environment. Keeper Security operates both multi-zone and multi-region environments to maximize uptime and provide the fastest response time to customers.
New MSP and MC accounts are created either in the US or EU regions. Once the region has been established, the data center region cannot be changed without re-creating the environment.
Isolation of Managed Companies
Keeper MSP provides full data isolation between each MC, at both the logical and encryption layer. For preservation of the zero knowledge security architecture, each MC's data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.
MSP Technicians exist in the root level of the MSP's system and have the ability to cross over to each MC instance for administrative purposes. Any "local" admins set up in the MCs do not have that root level access to the MSP's console or any of the MSP's data.
Industry Certifications
MSPs serve many industries which maintain strict regulatory compliance. Password Management is a key component of compliance requirements within the MC environments. As a Zero-Knowledge platform, Keeper solves critical compliance needs in regards to stored data, password policies and access controls.
[Figure: License pool with list of Managed Companies]
Certified SOC 2 Compliant
Customer vault records are protected using stringent and tightly monitored internal control practices. Keeper is certified as SOC 2 Type 2 compliant in accordance with the AICPA Service Organization Control framework. SOC 2 certification helps ensure that your vault is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.
ISO 27001 Certified (Information Security Management System)
Keeper is ISO 27001 certified, covering the Keeper Security Information Management System which supports the Keeper Enterprise Platform. Keeper's ISO 27001 certification is scoped to include the management and operation of the digital vault and cloud services, software and application development, and protection of digital assets for the digital vault and cloud services.
GDPR Compliance
Keeper is GDPR compliant and we are committed to ensuring our business processes and products continue to maintain compliance for our customers in the European Union. Click here to learn more about Keeper's GDPR compliance and download data processing agreements.
The Keeper website and cloud storage run on secure Amazon Web Services (AWS) cloud computing infrastructure. The AWS cloud infrastructure which hosts Keeper's system architecture has been certified to meet the following third-party attestations, reports and certifications:
Key Functionality
Roles & Enforcements
Roles enable login enforcements to be set for users who are assigned to that role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.
Roles are set up in a hierarchical "tree" structure with visibility and inheritance of permissions limited to nodes below the current node, but not sideways to sibling nodes.
Administrative Permissions
Two Factor Authentication (2FA)
Role policies that are enforced across all devices and computers can require the use of several popular two-factor authentication methods such as Duo, RSA SecurID, Text Message (SMS), Google Authenticator and Microsoft Authenticator.
Users of mobile devices may require an extra layer of protection via 2FA both to access their Keeper vault, as well as when accessing important sites or applications. Keeper supports all the native biometric features of the user's preferred device, including fingerprint and facial identification. In addition, Keeper has the ability to generate and store Two-Factor Codes in vault records for a more convenient and secure access method when logging into websites and/or applications.
Keeper enables synchronization of a fully encrypted local copy of the user's password vault for offline access. Any changes to the vault are instantly replicated across all devices for consistency and security.
For using 2FA during login to sites or applications, Keeper has built in an authenticator capability which will generate a TOTP code when logging in, and which will fill that code into the appropriate field on the site being accessed. This dramatically improves security and convenience, so even if a user's username and password are compromised, access is still off-limits until the 2FA code is provided as well.
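The TOTP codes the authenticator capability generates are the standard RFC 6238 kind. The following Go example is added here and is not Keeper's code: it implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and a 30-second step, decodes the Base32 seed a site shows at enrolment, and shows the relying party's check with a one-step clock-skew window (the window and the constant-time comparison are assumptions about how a site would verify; the seed used is the RFC 6238 test seed).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const step = 30 // RFC 6238 default time step in seconds

// decodeSecret turns the Base32 seed from a typical otpauth/QR enrolment into
// raw key bytes; spaces, lower case and trailing '=' padding are tolerated.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.TrimRight(strings.ReplaceAll(b32, " ", ""), "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation on the low nibble of the last byte, then the last `digits` digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP with counter = floor(unixTime / step).
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verify is the relying party's side (assumed policy): accept the code for the
// current step or one step either side, comparing in constant time.
func verify(secret []byte, code string, unixTime int64, digits int) bool {
	for _, delta := range []int64{0, -step, step} {
		if hmac.Equal([]byte(totp(secret, unixTime+delta, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret, _ := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") // RFC 6238 test seed
	fmt.Println(totp(secret, time.Now().Unix(), 6))
}
```

Because the code is derived only from the shared seed and the current time, a stolen username and password alone cannot produce it, which is the property the paragraph above relies on.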
Two Factor code generator in user’s vault
MSP Remote Administration & Permissions
• An MSP technician who has the "Manage Companies" permission enabled is able to launch into a MC's Admin Console with a single click. A separate tab for that MC will open and now the technician has full administrative rights to set up roles, teams, users, etc. for that MC.
• A separate permission exists to allow an MSP administrator to add/reduce licenses via the MSP's central license pool to an MC. This permission provides the ability to limit who has the "checkbook" for providing licenses to a MC, without restricting their right to act as their administrator.
Teams & Shared Folders
Teams can be defined that allow groups of users to share login credentials which are stored as a collection of records in a folder. This functionality can be leveraged by MSPs to set up passwords for use by their MC client. For instance, a series of records with the URL, username, and an initial password could be set up by the MSP technician as the initial "owner", and then that folder could be shared with a user, or users, at the client. Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and completely private.
License Pool
The KeeperMSP product licensing is structured as a wholesale model which enables an MSP to purchase licenses (for a variety of plans) in bulk from the Keeper checkout page. These licenses enter the MSP's central pool for allocation to the MCs when ready. This centralized purchasing and inventory will help minimize "round trip" purchases by the MSP for every MC they manage. Once licenses are in the MSP's pool, they can be allocated, or re-allocated, as needed to MCs, and the pool total can be adjusted upwards or downwards for billing on a monthly basis. Licenses in the MSP's pool are counted monthly as a basis for generous volume discounts, which are recalculated upwards (or downwards) based on the actual count in the MSP's pool.
Adjustments, up or down, can be made at any time during the month. Note that licenses are pre-paid for the month and no pro-rated adjustment is given if they are not used. However, credit will be held for any licenses that were paid for during that month and then "reduced", in the event a new license of that same kind is re-purchased during that period.
A number of service plan bundles are offered which combine the most popular configurations for both Business and Enterprise-class MCs. This helps minimize the permutations of various add-on capabilities to simplify billing, while making a wide range of options available for the MSP customer base.
Logging license transactions for Billing purposes
Every time a license is allocated to, or de-allocated from, an MC by an authorized administrator, a log entry is created which can then be reported and exported, via a .CSV file, to a 3rd party billing system. Keeper does not provide any invoicing system for charging MCs, and the price charged to MCs is set by the MSP, not by Keeper. An optional open text field is provided when changing the licensing levels in order to manually record any pricing notes or levels if the MSP chooses to.
Summary reports which aggregate the net changes during a specified period are also provided.
Reporting
Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts on over 90 different types of events driven by user and administrative activity. These event types have been expanded to include MSP-specific operations:
SIEM Integration
This module also supports integration with 3rd party Security Information and Event Management (SIEM) tools to support external logging of all events, with a simple setup flow for Splunk, Sumo, Amazon S3, IBM QRadar and any other syslog-compatible product.
Versatile provisioning
Import / Email
Users can be invited to the system manually, each time they are created. In addition, they can be created in bulk when imported from an email list.
AD Bridge
Keeper Bridge allows businesses running Microsoft Active Directory or OpenLDAP to integrate Keeper password management software within their current systems, automatically adding any number of Nodes (a.k.a. Organizational Units), Users, Roles and Teams. Once connected, Keeper enables role-based access control at any Node.
These controls include master password strength, masking, rotation, 2FA, IP whitelisting, biometrics, platforms, sharing and account transfers. Those controls can be cascaded to all lower Nodes if desired. Teams may be provisioned for sharing credentials. As people move throughout the organization, Keeper keeps their roles updated through AD. This includes locking an account when an employee leaves and the ability to transfer those credentials to a trusted admin.
SSO
Keeper's Single Sign-On solution provides a secure password manager that stores not only login credentials and passwords, but also proprietary customer data, access credentials to restricted systems and sensitive documents.
Keeper SSO Connect is a SAML 2.0 application which leverages Keeper's zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision users to the platform.
SSO Connect works with popular SSO IdP platforms such as Okta, Centrify, AWS, OneLogin, Ping Identity, F5 BIG-IP APM, G Suite, Microsoft ADFS/Azure AD and JumpCloud to provide businesses the utmost in authentication flexibility.
Account Transfer
Organizations can enable the Account Transfer feature, which provides a break-glass recovery of all records stored in a user's vault if a user were to leave an MC they support and they find themselves in the position of not knowing that user's master password for accessing critical data in their vault (or security answer for account recovery).
Deploying KeeperMSP
KeeperMSP can support a wide spectrum of deployment models, from full service ("white glove") MSPs who manage everything for their users all the way to pure resellers who do little or no administration for their clients.
Full Service model
MSP Technicians have access to a MC's admin console and thus have full rights to provision end users, set up MC-specific roles, login enforcements, and teams for sharing credentials. These technicians may also choose to set up login credentials for users, which can be done by sharing records from their personal vaults to those of an MC. This allows an MSP to offer a fully integrated set of services that includes a set of pre-configured logins that they can keep updated if needed.
Reseller model
Resellers may simply want to act as distributors for Keeper and sell the solution to customers who can manage themselves. In this case the MC can designate a user at the MC to handle all management of the system for self-administration. The reseller's role would be limited to license management for the MC, which can be handled in the KeeperMSP console.
Hybrid model
Both the MSP Technician and the MC Administrator can share responsibilities to manage the system. For instance, for frequently changing or highly specific settings (e.g. which employees are in a team folder) the "local" MC administrator may be able to handle that most efficiently. For large scale initial provisioning and configuration the MSP may be better equipped to facilitate this with Keeper's Active Directory bridge.
Summary
KeeperMSP combines proven password management functionality with flexible new capabilities to enable MSPs to manage a large portfolio of MCs securely and efficiently.
keepersecurity.com [email protected]
Business Sales
Americas & APAC +13128292680
United Kingdom +442034058853
Germany & DACH +4989143772993
Support
Consumer +13129715702
Business (Americas & APAC) +13122264782
Business (EMEA) +353212296019
Ireland +353212296020
EMEA +353212296011
Netherlands +31202620932
Iberia & Italy +34919016513
Sweden & Nordics +46840304928