
Establishing a privacy policy

Overview

Some concepts described in this document refer to Finder (classic)

Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.

Nexthink privacy is built around the following pillars:

Security of information
The information is collected via encrypted channels, and access to all databases is restricted.

User privileges
The privileges of a user define the subset of the devices or locations that the user can access (view domains), the rights of the user to change the configuration (administration privileges), the creation of content (custom dashboards), and the access to external web domains and web requests.

Anonymization
Users, devices, destinations and web domains are anonymized by default. Users need special privileges to access the identity information of these objects.

Storage policy
By default, the full set of information is collected and stored. However, it is possible to remove devices from the dataset, to stop collecting information about specific devices and other objects, and to apply a dedicated Web & Cloud storage policy that prevents the collection of web domains.

Audit trails
Every change in the configuration settings is audited, including the editing of users and access.

Data Encryption - Bring Your Own Key (BYOK)

Encryption at rest safeguards your stored data by encrypting it on disk: even if unauthorized individuals get hold of the storage device, they cannot read the data without the proper keys. Each customer's data is encrypted with a unique key. Nexthink manages these keys by default; the bring your own key (BYOK) model lets you manage your own encryption key instead. With BYOK, key availability and key rotation become your responsibility: data encrypted under a key you revoke or lose is no longer readable.

Security of information

Overview of communication channels

The communication architecture diagram (not reproduced here) gives a high-level view. The table below lists the communication channels used to access or transport sensitive information:

Core components

Component                                                  | Direction | Component              | Protocol or encryption
Collector                                                  | <-->      | Nexthink web interface | TCP encrypted
Finder (classic)                                           | <-->      | Nexthink web interface | TLS

Optional

Component                                                  | Direction | Component              | Protocol or encryption
API                                                        | <-->      | Nexthink web interface | REST HTTPS
SSO integration                                            | <-->      | Nexthink web interface | SAML (HTTPS)
Investigation Library for Finder (classic)                 | <-->      | Nexthink web interface | HTTP
Nexthink customer improvement program for Finder (classic) | <-->      | Nexthink web interface | HTTPS

All the channels that transport sensitive information are encrypted. All optional channels have to be activated or configured explicitly. The Investigation Library is the only channel listed as plain HTTP; review whether an unencrypted optional channel is acceptable in your environment before enabling it.

Collected data

Nexthink does not collect any information about the content of files, emails, websites or any other content. Nexthink collects the following data:

Objects
Represent real life items recognized by Nexthink.

  • User

  • Device

  • Package

  • Application

  • Executable

  • Binary

  • Port

  • Destination

  • Domains

Activities
Represent actions performed by objects.

  • Installation

  • Execution

  • Connection

  • System boot

  • User logon

  • Web request

Events
Warnings or errors.

  • Device warning

  • Device error

  • Execution warning

  • Execution error

User privileges

Accounts are based on profiles and permissions. Refer to the Users and Profiles pages for more information about configuring user profiles.

Profiles determine the access rights of a user:

  • Access to Nexthink web interface, possibly limited to a view domain, the right to create and publish dashboard content, and administration rights (management of accounts, additional content and system configuration).

  • Access to Finder (classic) and the rights to edit applications, object tags, categories, services and global alerts.

  • Access related to web domains (Web & Cloud visibility) in Finder. By default, users can only see the web domains that are configured in web-based services.

Roles define the default content that is available to a user in Finder and in the Nexthink web interface. The roles are assigned to users either indirectly through their profiles or directly through the user account. For non-administrator users, roles limit the content that can be accessed in the Nexthink web interface.

Limiting the view to a domain with Finder (classic)

The devices can be grouped along a hierarchical tree. For example, a tree with three levels:

  1. Department

  2. Region

  3. Entities

View Domains

A view domain represents the set of data that a user has the right to see. It is defined by a node of the hierarchy and optionally by a limit in the depth. Based on the previous example, a view domain could limit the view to a specific department and allow the user to drill down to the underlying region but prevent the details by entities from being viewed.

Creating and publishing custom dashboards in the Nexthink web interface (classic)

Administrators can create, publish and manage Nexthink web interface modules, which group custom dashboards.

An administrator can see and manage the modules published by any other user, where managing means updating or deleting a published module.

Users can only see a module created by an administrator if the module is included in their roles. The creation and publication of modules are also restricted for users. Users can create and publish the Nexthink web interface modules only if they have the following options checked in their profile:

  • Allow the creation of personal custom dashboards.

  • Allow publication of custom dashboards.

Users can see the modules published by other users. A user with permission to publish custom dashboards can manage the modules created by other users but not by administrators.

Users with the right to create custom dashboards can manage their own personal modules. That is the modules that they have created or that they have copied to their personal content.

Privileges for users of Finder (classic)

For users of Finder, select their privileges when creating the user profiles.

The privileges cover the editing and application of object tags, the modification of the system configuration (categories, metrics, campaigns, remote actions, etc.) and other system management features.

Anonymization

Access rights to data

There are four levels of data privacy, defined in the profile of the account, which specify the access rights of each account to particular pieces of information.

Access rights                                            | Description
Anonymous users, devices, destinations, and web domains | The names of users, devices, destinations and web domains are not visible to the account.
Anonymous users and devices                             | The names of users and devices are not visible to the account.
Anonymous users                                         | Only the names of users are not visible to the account.
None (full access)                                      | No restrictions: all names are visible.

The following table enumerates the visible attributes of users, devices, destinations and domains for each data privacy level.

Data Privacy Level                                 | Users                                                 | Devices                                              | Destinations                               | Domains
None (full access)                                 | Username, Distinguished Name, Full Name, Nexthink UID | Computer name, Windows SID, IP address, Nexthink UID | Destination name, IP address, Nexthink UID | Domain name, Nexthink UID
Anonymous users                                    | Anonymized                                            | Computer name, Windows SID, IP address, Nexthink UID | Destination name, IP address, Nexthink UID | Domain name, Nexthink UID
Anonymous users and devices                        | Anonymized                                            | Anonymized                                           | Destination name, IP address, Nexthink UID | Domain name, Nexthink UID
Anonymous users, devices, destinations and domains | Anonymized                                            | Anonymized                                           | Anonymized                                 | Anonymized

Display of anonymized UIDs in Finder (classic)

When the data privacy level enforces anonymous users, devices, destinations or domains, the results of an investigation hide both the name and the UID of those objects: each object is displayed as "anonymized object", where object is the type of the anonymized object (for example, anonymized user).

Investigations that filter on the name of an anonymized object are not possible. However, an investigation can still refer to an object through its UID, so an authorized Finder user (one whose privacy level shows the UID) can hand the UID of an object to another user, who may then use it in an investigation. Treat UIDs as sensitive for this reason: whoever holds a UID can single out the object even though its name remains hidden. Hand UIDs over only through a controlled channel, such as the privacy officer profile described below.

Categories with Finder (classic)

Categories also support data privacy. A level can be set for a category so only accounts with the same or a higher data privacy level can see and use a given category. For example, if a category is created with a data privacy level set to none (full access), only Finder user accounts having a none (full access) level will be able to see and use this category. The privacy setting on categories applies only to Finder.
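The view domain mechanism (Limiting the view to a domain) and the four data privacy levels of this section are easiest to reason about as two successive filters on an investigation result. The following Python is an added illustration written for this page, not Nexthink's implementation or any Nexthink API: the hierarchy, device records, UIDs and field names are constructed here and only mirror the tables above. It shows the device filtering by node and depth, the name-versus-UID lookup behaviour, and the "same or higher level" rule for categories.

```python
"""Added illustration, not Nexthink's code: how a view domain and a data
privacy level combine to restrict what an account sees in an investigation.
The hierarchy, records, UIDs and field names below are constructed for the
example and only mirror the page's tables."""
from typing import Optional

# The page's four data privacy levels, ordered from least to most access.
PRIVACY_LEVELS = [
    "anonymous users, devices, destinations and domains",
    "anonymous users and devices",
    "anonymous users",
    "none (full access)",
]
# Object kinds whose names are hidden at each level (from the visibility table).
ANONYMIZED = {
    PRIVACY_LEVELS[0]: {"user", "device", "destination", "domain"},
    PRIVACY_LEVELS[1]: {"user", "device"},
    PRIVACY_LEVELS[2]: {"user"},
    PRIVACY_LEVELS[3]: set(),
}


def rank(level: str) -> int:
    return PRIVACY_LEVELS.index(level)


def can_use_category(account_level: str, category_level: str) -> bool:
    """A category is usable only by accounts at the same or a higher level."""
    return rank(account_level) >= rank(category_level)


def redact(obj: dict, level: str) -> dict:
    """The object as the account sees it: an anonymized kind is shown only as
    'anonymized <kind>', with neither its names nor its UID exposed."""
    if obj["kind"] in ANONYMIZED[level]:
        return {"kind": obj["kind"], "display": f"anonymized {obj['kind']}"}
    return dict(obj)


def lookup(objects: list, level: str, *, name: Optional[str] = None,
           uid: Optional[str] = None) -> Optional[dict]:
    """Investigation by name is refused for an anonymized kind; investigation
    by UID is honoured at any level, which is why a UID handed over by an
    authorized account lets another account single out the object."""
    for obj in objects:
        if uid is not None and obj["uid"] == uid:
            return redact(obj, level)
        if name is not None and obj.get("name") == name:
            if obj["kind"] in ANONYMIZED[level]:
                return None
            return redact(obj, level)
    return None


class ViewDomain:
    """Hierarchy levels as in the page's example: 1 Department, 2 Region, 3 Entity."""

    def __init__(self, node: tuple, max_depth: Optional[int] = None):
        self.node = node            # node the account is confined to; () is the whole tree
        self.max_depth = max_depth  # deepest level the account may drill down to

    def visible_path(self, device_path: tuple) -> Optional[tuple]:
        """The device's location as the account may see it, or None if the
        device lies outside the view domain."""
        if device_path[:len(self.node)] != self.node:
            return None
        return device_path if self.max_depth is None else device_path[:self.max_depth]


def investigate(devices: list, domain: ViewDomain, level: str) -> list:
    """Filter by view domain, then redact by privacy level."""
    rows = []
    for dev in devices:
        path = domain.visible_path(dev["path"])
        if path is None:
            continue
        row = redact(dev, level)
        row["location"] = "/".join(path)
        rows.append(row)
    return rows


# Constructed sample data (hypothetical names and UIDs).
DEVICES = [
    {"kind": "device", "uid": "d-0001", "name": "PC-PARIS-01", "path": ("Sales", "EMEA", "Paris")},
    {"kind": "device", "uid": "d-0002", "name": "PC-NYC-07", "path": ("Sales", "Americas", "New York")},
    {"kind": "device", "uid": "d-0003", "name": "PC-ZRH-02", "path": ("Engineering", "EMEA", "Zurich")},
]
USERS = [{"kind": "user", "uid": "u-0042", "name": "jdoe", "full_name": "Jane Doe"}]

if __name__ == "__main__":
    # A department-level reader who may drill down to regions but not entities.
    sales = ViewDomain(("Sales",), max_depth=2)
    for row in investigate(DEVICES, sales, PRIVACY_LEVELS[1]):
        print(row)
    print(lookup(USERS, PRIVACY_LEVELS[2], name="jdoe"))   # None: name search refused
    print(lookup(USERS, PRIVACY_LEVELS[2], uid="u-0042"))  # found, but shown as anonymized user
```

The point the lookup function makes is the one to keep in mind when designing such a scheme: anonymization protects the name, not the object. A UID is a stable selector, so the process by which UIDs are handed out matters as much as the privacy level itself.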

Examples of user profiles

These are some examples of user profiles that can be configured with the current privacy features of Nexthink.

Nexthink administrator

The administrator of the Nexthink web interface within the enterprise, and therefore granted full access rights.

CIO

Needs high-level information only and therefore primarily uses the Nexthink web interface as a reader.

Privacy officer

Has full access regarding data anonymization and can provide a user UID to other co-workers when needed.

Security engineer

Needs full access to all data so that any issue can be investigated.

Network and system engineer

Needs access to connections and destinations, but not to user information.

Support engineer

Needs access to user information when required, and obtains a user UID from the privacy officer for that purpose.

IT project manager (transformation)

Needs access to information related to a specific project; anonymous information is sufficient.

The privileges of each profile, for the Nexthink web interface and for Finder (classic):

Profile                             | Web interface administrator | Web interface reader | Dashboard creation | Finder (classic)                | Anonymization (web interface and Finder)
Nexthink administrator              | yes                         | all domains          | public             | access allowed, editing allowed | none (full access)
CIO                                 | no                          | all domains          | public             | no access, no editing           | anonymous users
Privacy officer                     | no                          | all domains          | public             | access allowed, no editing      | none (full access)
Security engineer                   | no                          | all domains          | public             | access allowed, editing allowed | none (full access)
Network and system engineer         | no                          | all domains          | personal           | no access, no editing           | anonymous users
Support engineer                    | no                          | all domains          | no                 | access allowed, no editing      | anonymous users
IT project manager (transformation) | yes                         | limited domains      | personal           | access allowed, editing allowed | anonymous users, devices, destinations and domains

Storage policy

Database

Nexthink uses the following databases and database backups:

Component              | Database             | Database backup
Engine                 | Database (in memory) | Internal (automatic); External (not configured by default)
Nexthink web interface | Database             | Internal (automatic); External (not configured by default)

A backup contains the same personal data as the live database, so apply the same access restrictions and retention rules to backups, in particular to any external backup you configure.

Ignoring fields

In addition to the anonymization of data, the system can be configured to ignore certain data delivered by Collector. In this case the data is not recorded at all:

ignore_username

If set to true, user names are no longer stored and Finder shows Unknown for all usernames.

user_interaction

If set to false, user interaction information is no longer recorded: it is not displayed in the device view and the interaction time aggregate is always 0%.

ignore_windows_license

If set to true, the Windows license key is no longer stored.

ignore_external_ip

If set to true, destination IP addresses outside the configured internal networks are recorded as 0.0.0.0 in connections.

ignore_external_domains

If set to true, domains that are not part of the internal domains are not recorded, except for domains explicitly included in the definition of a web-based service.

Unlike anonymization, which only hides data from accounts that lack the privilege to see it, these settings stop the data from being stored in the first place, so the information cannot be recovered later for data that was discarded.

Retention time

By default, a device is removed automatically from the Engine database after 3 months of inactivity. The retention time can be configured.

Ignoring specific devices

For each device, it is possible to restrict the information that the Engine stores. The possible settings are:

  • Web requests, connections, and executions (the default: everything is stored)

  • Connections and executions

  • Executions only

  • None

  • Remove

With Remove, the device is removed from the Engine database when there is no activity for more than one day, for example after Collector has been uninstalled.

In Finder, right-click a particular device in the list view results of an investigation or in the top-left icon of its own device view and select Edit...

Ignoring specific applications, executables, binaries and domains

The same is possible for applications, executables and binaries. The only difference is that they cannot be removed: storing their related information can only be stopped.

Web & Cloud

Because Web & Cloud data has a significant impact on the data retention of Engine, there are three settings for the storage policy of domains and web requests that control how they are stored:

  | Web & Cloud storage policy | Use cases                                                                                                                      | Result
1 | none                       | I don't want to store any information related to web domains.                                                                  | Domains and web requests are discarded.
2 | services only              | I want to monitor internal or external web services like salesforce.com or office365.com.                                      | Storage is discarded unless related to a configured web-based service. (*)
3 | all                        | I want to discover all web applications used in my company. I want to see if there are any security breaches in my company.    | Every domain and web request is stored, but visibility can be restricted and depends on user privileges. (*) (**)

(*) When a web-based service is created, its underlying web requests and domains are stored with their visibility unrestricted.

(**) If a web request does not belong to a defined service, its access is restricted.

Contact Nexthink Support for more information or to change these settings.

Visibility for metrics

Just as Finder users need special privileges to view web domains and web requests that are not part of a web-based service, metrics have a similar setting that limits the web domains and web requests visible in the dashboards of the Nexthink web interface.

Pick the visibility for metrics from the list:

  • full
    To enable metrics for the use of web data from any stored web request or domain (in accordance with the storage policy).

  • restricted
    To prevent metrics from using any web data unrelated to a web-based service.

Contact Nexthink Support for more information or to change these settings.

Internal domains

A domain is identified as internal by the following rules:

  • Its TLD (top-level domain) is not an official one.

  • Its name corresponds to an IP address belonging to the Engine internal network.

  • Its name matches a custom rule (for example, *.nexthink.com).

Contact Nexthink Support for more information or to change these settings.

Excluded domains

For privacy reasons, you may want to avoid storing web requests to particular domains. For instance, a web application that collects opinions and complaints of employees about their peers and superiors requires the anonymity of the participants. However, with the right level of permissions, a user of Finder can easily discover who connected to the application and when just by investigating the web requests that are addressed to the domain of the web application. To make the system ignore web requests to specific domains, add the domains to the excluded domains list.

Contact Nexthink Support for more information or to change these settings.
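The storage-time controls described in this section (the ignore_* fields under Ignoring fields, the three Web & Cloud storage policies, the internal-domain rules and the excluded-domains list) interact, and the order in which they apply decides what ends up in the Engine database. The following Python is an added illustration written for this page, not Nexthink's code and not its configuration format: the settings dictionary, the record layout, the sample records and the small TLD allowlist are constructed here (a real system would load the complete IANA TLD list). It applies each control to constructed connection and web-request records and returns what would be stored, so the effect of switching the policy from services only to all, or of enabling ignore_external_domains, can be checked directly.

```python
"""Added illustration, not Nexthink's code: the storage-policy decisions the
page describes (ignore_* fields, Web & Cloud storage policy, internal-domain
rules, excluded domains) applied to constructed collected records."""
import ipaddress
from fnmatch import fnmatch

# Assumption: a stand-in for the official TLD list; a real system loads IANA's.
OFFICIAL_TLDS = {"com", "net", "org", "io", "ch", "de", "fr", "uk"}

# Hypothetical settings layout, named after the page's options.
SETTINGS = {
    "ignore_username": False,
    "ignore_external_ip": True,
    "ignore_external_domains": False,
    "internal_networks": [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("192.168.0.0/16")],
    "internal_domain_rules": ["*.example.corp"],     # custom rules, e.g. *.nexthink.com
    "web_cloud_policy": "services only",             # one of: none, services only, all
    "web_services": ["*.salesforce.com", "*.office365.com"],
    "excluded_domains": ["feedback.example.corp"],   # e.g. an anonymous survey app
}


def is_internal_domain(domain: str, settings: dict) -> bool:
    """The page's three rules for recognising an internal domain."""
    try:  # rule 2: the name is an IP literal inside an internal network
        ip = ipaddress.ip_address(domain)
        return any(ip in net for net in settings["internal_networks"])
    except ValueError:
        pass
    if domain.rsplit(".", 1)[-1].lower() not in OFFICIAL_TLDS:  # rule 1: non-official TLD
        return True
    return any(fnmatch(domain, rule) for rule in settings["internal_domain_rules"])  # rule 3


def matches_service(domain: str, settings: dict) -> bool:
    # fnmatch's '*' also matches dots, so '*.salesforce.com' covers every subdomain.
    return any(fnmatch(domain, pat) for pat in settings["web_services"])


def store_connection(conn: dict, settings: dict) -> dict:
    """Apply ignore_username and ignore_external_ip to a connection record."""
    out = dict(conn)
    if settings["ignore_username"]:
        out["user"] = "Unknown"
    dest = ipaddress.ip_address(out["dest_ip"])
    if settings["ignore_external_ip"] and not any(dest in n for n in settings["internal_networks"]):
        out["dest_ip"] = "0.0.0.0"   # external destination, recorded as 0.0.0.0
    return out


def store_web_request(req: dict, settings: dict):
    """Return the web request as stored, or None when the policy discards it."""
    domain = req["domain"].lower()
    if any(fnmatch(domain, pat) for pat in settings["excluded_domains"]):
        return None                                   # excluded domains are never stored
    policy = settings["web_cloud_policy"]
    service = matches_service(domain, settings)
    if policy == "none":
        return None
    if policy == "services only" and not service:
        return None
    if settings["ignore_external_domains"] and not service and not is_internal_domain(domain, settings):
        return None                                   # external and not part of a service
    out = dict(req)
    if settings["ignore_username"]:
        out["user"] = "Unknown"
    out["restricted"] = not service                   # visible only to privileged accounts
    return out


# Constructed sample input (hypothetical users, devices and domains).
WEB_REQUESTS = [
    {"user": "jdoe", "device": "PC-PARIS-01", "domain": "login.salesforce.com"},
    {"user": "jdoe", "device": "PC-PARIS-01", "domain": "news.example.com"},
    {"user": "jdoe", "device": "PC-PARIS-01", "domain": "wiki.example.corp"},
    {"user": "jdoe", "device": "PC-PARIS-01", "domain": "feedback.example.corp"},
]
CONNECTIONS = [
    {"user": "jdoe", "device": "PC-PARIS-01", "dest_ip": "10.1.2.3", "port": 445},
    {"user": "jdoe", "device": "PC-PARIS-01", "dest_ip": "203.0.113.7", "port": 443},
]


def apply_policy(settings: dict = SETTINGS):
    """Stored web requests and connections under the given settings."""
    web = [r for r in (store_web_request(x, settings) for x in WEB_REQUESTS) if r]
    conns = [store_connection(c, settings) for c in CONNECTIONS]
    return web, conns


if __name__ == "__main__":
    for policy in ("none", "services only", "all"):
        web, _ = apply_policy(dict(SETTINGS, web_cloud_policy=policy))
        print(policy, [(r["domain"], r["restricted"]) for r in web])
```

Two details of the ordering are worth noting. The excluded-domains check runs before the storage policy, so a domain on that list is dropped even under the all policy, which is the guarantee the survey-application scenario above relies on. And a web-based service overrides ignore_external_domains, as the page states, so adding a service definition silently re-enables collection for that domain even when external domains are otherwise ignored.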

Audit trails

Nexthink auditing uses the syslog framework. It captures actions performed with administrator rights that may impact the system. It is an audit trail, not a general logging facility: only the action and the account that performed it are audited; the values that are set are not logged. Forward the syslog output to a central log collector so that the trail is retained independently of the audited system.

For more information, visit the Audit trail codes documentation.

Data sent to Nexthink

Nexthink collects non-personal data on behalf of Nexthink SA in order to provide value-added services to Nexthink customers. To select which data you send to Nexthink, learn how to enable or disable these services in the article Operational Analytics Information sent to Nexthink.

