Table of Contents
1 Introduction
2 Directory
2.1 Product Overview
2.2 How it Works
2.3 Modes of Operation
2.4 Architecture and Components
2.4.1 Directory cloud service
2.4.2 The Directory Agent
2.4.3 The Directory Profile Update Page
3 Data & Information
3.1 Directory cloud service
3.2 The Directory Agent
3.3 Communications and internet Requirements
3.4 Encryption
3.5 Third Party Data Sharing
4 Policies and Procedures
4.1 Development and Release Cycle
4.2 Data Center Security
4.3 Disaster Recovery
5 Legal
5.1 EULA
5.2 Privacy Policy
6 Conclusion
1 Introduction
The benefits of Software as a Service and cloud applications have been well demonstrated, and more
companies are utilizing cloud services each day. Every organization should be committed to protecting its
data assets and maintaining the security of its systems. Therefore, when adopting a new software
solution, particularly a cloud service, it is important to fully understand how data is secured.
This paper, intended to be a resource for Information Technology (IT) Professionals, discusses security
and compliance measures pertaining to LiveTiles Directory as a cloud service, and on-premises software solution.
2 Directory
2.1 Product Overview
Directory enables organizations to automatically identify and populate missing information in directories,
quickly and easily. Utilizing next generation technologies, LiveTiles Directory automates the process of keeping Active Directory and Office Profile Information fresh and relevant. Using Directory, organizations can be more effective by saving time, reducing IT Support overhead, and improving the speed of business
communications as well as enhancing already existing Microsoft investments such as Office 365,
Exchange, SharePoint, and Delve.
2.2 How it Works
Directory uses new technologies such as machine learning, advanced analytics, and bot technology to
dramatically improve directory content in two phases:
- Analyze continually monitors directories for inconsistent, invalid, aged and missing information
- Collect contacts users to request and validate information via personalized email workflow requests based on the information required and user preferences
In online deployments, LiveTiles Directory connects directly to Azure Active Directory to scan for the quality of user profile information.
For any implementation scenario utilizing an on-premises Active Directory system (on-premises or
hybrid), Directory scans for the absence of user profile information using a locally installed agent
(hereinafter referred to as the LiveTiles Directory Agent).
After directory analysis is performed, a full report can be viewed from the Directory web application,
where administrative tasks and product configuration can be accessed as well.
2.3 Modes of Operation
LiveTiles Directory can be used in three different modes:
Analyze – Directory analysis is performed and a report is generated. LiveTiles Directory does not contact users or write any changes to Active Directory in this mode.
Pilot – A group of participants can be selected to participate in a small-scale implementation of LiveTiles Directory. The participants receive profile update messages and have the option to update profile information through direct response, or by using the LiveTiles Directory profile update page.
Run – All users in the domain receive profile update messages and have the option to update profile
information through direct response, or by using the LiveTiles Directory profile update page.
In both pilot and run modes, specified profile attributes can be selected to pass specified administrator
approval before changes are committed.
2.4 Architecture and Components
Fully implemented, LiveTiles Directory is comprised of two components: Directory -- the cloud service, and the LiveTiles Directory Agent. Together, these components can analyze and update Active Directory contents regardless of how an organization’s Active Directory topology is configured.
2.4.1 LiveTiles Directory cloud service
As a hosted service, LiveTiles Directory analyzes directories in online (Microsoft Azure Active Directory), on-premises (Microsoft Active Directory), as well as hybrid environments. LiveTiles Directory is built on the Microsoft Azure platform.
Online - LiveTiles Directory connects directly to Azure Active Directory and performs an analysis. A report is generated and users are contacted to update profile information. Collected user information is written
back to Azure Active Directory.
On-premises - LiveTiles Directory generates a report based on results gathered by the on-premises Directory Agent. Once user profile information is gathered, changes are relayed to the Directory Agent and written to the local Active Directory instance.
Hybrid - LiveTiles Directory connects to the on-premises Directory Agent and performs an analysis of Active Directory. A report is generated and users are contacted to update their profile attributes. Collected user information is relayed to the on-premises Directory Agent and written to the local Active Directory instance. The update cycle is complete when Azure Active Directory is synchronized with the on-premises Active Directory instance through Azure AD Connect or Office 365 Directory Synchronization (DirSync).
2.4.2 The LiveTiles Directory Agent
LiveTiles Directory scans on-premises Active Directory information through the Directory Agent, a locally installed service.
For best results, the LiveTiles Directory Agent should be installed to a domain-joined server that meets or exceeds the minimum system requirements:
- Supported Operating Systems: Windows Server 2012 R2 or above
- Microsoft .NET Framework 4.5.2 (packaged with installation executable)
- Processor: 2 GHz
- Memory: 4 GB
Although the agent can run from any domain-joined machine, it is recommended to install it to a secure
and consistently available host within your organization’s networked domain.
To securely pair the host machine identity with the LiveTiles Directory cloud service, a ten-character code is generated by the cloud service and provided through the LiveTiles Directory web application interface during the setup process. This code is required during agent installation. When the code is entered during installation, the agent makes an API call to the Directory service and the machine is registered in the LiveTiles Directory database. An authentication token (JSON Web Token) is generated for the agent host and placed in a secure store for future interactions with the LiveTiles Directory service. If the connection between the Agent and the Service is severed, subsequent analyses will cease, but no data will be lost.
The LiveTiles Directory service is operated by a service account with read and write permissions to user accounts in Active Directory. Service account permissions should be provisioned according to the principle of least privilege. Granting permissions on the target AD container with the Delegation of Control Wizard is the easiest way to provision rights for the LiveTiles Directory service account.
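The Delegation of Control Wizard grants rights per attribute through a point-and-click interface; the following PowerShell script is an added illustration (not a LiveTiles script) of the same least-privilege delegation done in a reviewable, repeatable form. It grants the service account read access to user objects under one OU and write access only to the specific attributes the deployment updates. The account name, OU distinguished name and attribute list are placeholders to be replaced with your own values.

```powershell
# Added example, not LiveTiles' own script: delegate least-privilege rights for the
# Directory service account on a single OU, as an alternative to the Delegation of
# Control Wizard. The account, OU and attribute list below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-directory'                        # placeholder
$TargetOU       = 'OU=Staff,DC=contoso,DC=com'                   # placeholder
$Attributes     = @('telephoneNumber', 'mobile', 'title', 'department',
                    'physicalDeliveryOfficeName')                # placeholder: attributes Directory will update

$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'    # well-known schemaIDGUID of the "user" class
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetOU"

# Read is scoped to user objects below the OU (analysis needs to see all attributes),
# while write is limited to the listed attributes on user objects only.
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($readRule)

foreach ($attr in $Attributes) {
    # Resolve the attribute's schemaIDGUID so the ACE applies to that property alone.
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if (-not $schemaObj) { throw "Attribute '$attr' not found in the schema" }
    $attrGuid = [guid]$schemaObj.schemaIDGUID
    $writeRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($writeRule)
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs that apply to the service account on this OU, so the
# result can be compared against the attribute list above during review.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run the script as an account that can modify the OU's security descriptor. The final listing is the check worth keeping: each WriteProperty entry should name one attribute GUID and the user class as the inherited object type, with no entry granting write to the whole object.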
2.4.3 The LiveTiles Directory Profile Update Page
After LiveTiles Directory identifies user accounts that are missing profile attribute information, a conversation is started with the end-users to collect the missing information. Although the users may choose to respond directly through the channel of communication, e.g. email, a link to a self-service profile update page is also provided.
The user can update multiple attributes at a time and submit changes in bulk using the Profile Update
Page.
The profile update page link (formatted as “https://app.hyperfish.com/self?grant=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx”) is made unique to the user with a magic key, generated at the time of communication from Hyperbot. The key expires 30 days from the time of delivery.
3 Data & Information
3.1 LiveTiles Directory cloud service
The results of the analysis component (completion statistics and calculated percentages for AD
properties) are stored by LiveTiles Directory for 30 days, plus the latest data from the most recent analysis. These results include:
- Which AD user property was analyzed
- Date and time when the property was analyzed
If the Profile Validation feature is used, LiveTiles Directory will store all user attribute entries in the cloud service until the Profile Validation feature is disabled. This data can be removed from LiveTiles Directory systems by request.
If a user chooses to update profile information using the LiveTiles Directory profile update page, LiveTiles Directory stores the following information for administrator approval until the change is approved or rejected:
- The name of the user making the update
- The property that was updated
- The new and old value of the updated property
For each user scanned, the LiveTiles Directory cloud service indefinitely stores the following properties:
- User Name
- User identifier (Office 365 only)
- Object GUID (On-premises only)
- User distinguished name (On-premises only)
- User email address
- User principal name (Office 365 only)
These properties are stored to contact individual users (using the user name and email address) and
produce user Profile Update Pages (using the user identifier or object GUID).
Only AD objects with a valid mail property are scanned. This omits most service accounts and allows for
more accurate analysis results. In environments with an on-premises AD instance, individual
Organizational Units (OUs) can be targeted from Directory settings to scope analysis to preferred OUs.
3.2 The LiveTiles Directory Agent
Since the LiveTiles Directory Agent passes analysis results to the LiveTiles Directory cloud service, everything that the cloud service stores (other than Office 365 properties) is processed through the LiveTiles Directory Agent:
- User Name
- Object GUID
- User email address
Additionally, updated user properties that are sent down from the LiveTiles Directory cloud service to commit to AD are passed through the LiveTiles Directory Agent.
3.3 Communications and Internet Requirements
Installation and operation of the LiveTiles Directory agent requires a constant internet connection.
The LiveTiles Directory on-premises agent utilizes the following outbound ports:
- 443 (HTTPS) -- for API calls to authenticate the installation, check licenses, and download configuration from the LiveTiles Directory cloud service
- 5671 (AMQP/S over TLS) -- for the LiveTiles Directory queue service
Domains*:
Region | Domain
AUS    | *.hyperfish.com.au
UK-WEU | *.hyperfish.co.uk
US     | *.hyperfish.com
*Use these domains if you have a requirement to restrict egress traffic from the Directory agent using outbound network or FQDN rules.
To verify communication with the service, a heartbeat ping is sent every five minutes from the LiveTiles Directory Agent to the LiveTiles Directory Cloud Service over HTTPS.
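Before enabling the agent on a host with restricted egress, it is worth confirming that both outbound ports reach the service and that the TLS handshake completes without interference. The script below is an added example (not a LiveTiles tool) that performs a TCP connect and a TLS handshake against each endpoint and reports the negotiated protocol and the server certificate. The hostnames are placeholders for the regional endpoints in the domain list above; the AMQPS host in particular must be taken from your tenant's configuration.

```powershell
# Added example, not LiveTiles' own tooling: confirm outbound reachability of the
# 443 (HTTPS) and 5671 (AMQPS) endpoints and inspect the TLS handshake from the agent host.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; Port = $Port; TcpOk = $false; TlsOk = $false
        Protocol = $null; Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $client.EndConnect($async)
        $result.TcpOk = $true

        # Default certificate validation is deliberately left on: a failure here means
        # the chain is untrusted or the name does not match, which is what an egress
        # proxy performing TLS interception would produce.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk    = $true
        $result.Protocol = $ssl.SslProtocol.ToString()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

# Placeholder endpoints: substitute the hosts your tenant uses within the regional domain.
$endpoints = @(
    @{ HostName = 'app.hyperfish.com'; Port = 443  }   # placeholder: API / web application
    @{ HostName = 'mq.hyperfish.com';  Port = 5671 }   # placeholder: AMQPS queue host
)
$report = foreach ($e in $endpoints) { Test-TlsEndpoint @e }
$report | Format-Table -AutoSize
if ($report.TlsOk -contains $false) {
    Write-Warning 'One or more endpoints failed; check outbound firewall or proxy rules for ports 443 and 5671.'
}
```

A TcpOk of True with TlsOk of False, together with a certificate error, usually indicates an inspecting proxy in the path; an Issuer that is your organisation's own CA rather than a public one confirms it. Since the agent verifies message signatures independently of TLS, interception would not silently alter changes, but it will break the HTTPS API calls unless the proxy is excluded for these domains.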
When configuration changes and profile updates are made through the LiveTiles Directory cloud service, the change data, signed using a private certificate, is passed to a hosted message broker queue. The message, secured by Transport Layer Security (TLS), is passed to the LiveTiles Directory Agent, where the signature is verified. Finally, the agent updates its settings or commits the changes to Active Directory.
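The signature matters because the queue is operated by a third party (see section 3.5): TLS protects the hop to and from the broker, while the signature gives the agent end-to-end assurance that the change originated from the cloud service and was not altered in between. The following PowerShell is an added example, not LiveTiles code, that models the check with an RSA-SHA256 signature over a JSON change message. The key pair, message fields and the "private certificate" reduced to a bare RSA key are constructed for illustration; the agent's actual message format is not described on this page.

```powershell
# Added example, not LiveTiles' own code: sign a change message on the service side and
# verify it on the agent side, including what happens when the payload is altered in transit.
# Key material and message fields are constructed for this illustration.

# Service side holds the private key; the agent holds only the public half.
$serviceKey     = [System.Security.Cryptography.RSA]::Create(2048)
$agentPublicKey = [System.Security.Cryptography.RSA]::Create()
$agentPublicKey.ImportParameters($serviceKey.ExportParameters($false))   # $false = public parameters only

function New-SignedChangeMessage {
    param([System.Security.Cryptography.RSA]$SigningKey, [hashtable]$Change)
    $payload = $Change | ConvertTo-Json -Compress
    $bytes   = [System.Text.Encoding]::UTF8.GetBytes($payload)
    $sig = $SigningKey.SignData($bytes,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    [pscustomobject]@{ payload = $payload; signature = [Convert]::ToBase64String($sig) }
}

function Test-SignedChangeMessage {
    param([System.Security.Cryptography.RSA]$VerifyKey, $Message)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Message.payload)
    $sig   = [Convert]::FromBase64String($Message.signature)
    $VerifyKey.VerifyData($bytes, $sig,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# Constructed change: an approved attribute update for the agent to commit to AD.
$change = @{
    objectGuid = '11111111-2222-3333-4444-555555555555'   # placeholder GUID
    attribute  = 'telephoneNumber'
    newValue   = '+1 555 0100'
    issuedAt   = '2024-01-01T00:00:00Z'
}
$msg = New-SignedChangeMessage -SigningKey $serviceKey -Change $change
"Genuine message verifies:  $(Test-SignedChangeMessage -VerifyKey $agentPublicKey -Message $msg)"   # True

# Simulate alteration between service and agent: the value changes, the signature does not.
$tampered = [pscustomobject]@{
    payload   = $msg.payload.Replace('+1 555 0100', '+1 555 0199')
    signature = $msg.signature
}
"Tampered message verifies: $(Test-SignedChangeMessage -VerifyKey $agentPublicKey -Message $tampered)"   # False

# Agent-side rule: commit to AD only when the signature verifies; otherwise discard and log.
foreach ($m in @($msg, $tampered)) {
    if (Test-SignedChangeMessage -VerifyKey $agentPublicKey -Message $m) {
        "accepted: would commit $(( $m.payload | ConvertFrom-Json).attribute) to AD"
    } else {
        'rejected: signature mismatch, change discarded'
    }
}
```

The agent in this model never needs the private key, so a compromise of the agent host or of the broker does not yield the ability to forge changes; only the service-side key needs protecting. A production check would also bind the signature to a timestamp or sequence number, as the `issuedAt` field hints, so that a captured valid message cannot be replayed later.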
3.4 Encryption
In Transit Encryption
HTTPS (HTTP over TLS) – LiveTiles Directory secures all API communications over HTTPS, a TCP/IP protocol used by Web servers to transfer web content securely. The data transferred is encrypted so that
it cannot be read by anyone other than the recipient.
The LiveTiles Directory API earns an ‘A+’ rating from Qualys SSL Labs’ SSL Server Test, which assesses and
provides a score for an endpoint’s protocol support, key exchange, and cipher strength.
AMQPS (AMQP TLS) – LiveTiles Directory uses message queuing with AMQPS – or AMQP with TLS, a
protocol that provides privacy and data integrity between two communicating applications. TLS is
a widely-deployed security protocol, used for any application that requires data to be securely
interchanged over a network.
Encryption At-rest
Database service instances use full-volume encryption using the Linux Unified Key Setup (LUKS)
specification.
Database backup files are encrypted using AES-256 in CTR mode with HMAC-SHA256.
3.5 Third Party Data Sharing
Well-implemented managed services add the benefit of dedicated efforts on product reliability such as
availability, and more importantly, security. LiveTiles Directory uses hosted services when practical. These services include:
- Message queuing - hosted by CloudAMQP in Microsoft Azure
- Database - hosted by Aiven in Microsoft Azure
LiveTiles Directory also utilizes Raygun (Mindscape) for real-time error reporting on on-premises and browser errors.
- When on-premises errors occur, the agent passes the time of the error, environment information (machine host name and amount of RAM), user ID (Directory internal), context ID, and stack traces to LiveTiles Directory over HTTPS.
- For browser errors, Raygun captures the time of the error, context ID, user ID, browser (e.g. Chrome, Firefox, Edge), and browser version.
4 Policies and Procedures
4.1 Development and Release Cycle
LiveTiles Directory is hosted software, developed by LiveTiles using Agile methodology. As such, the product is updated on a weekly basis. LiveTiles Directory executes automated tests as well as manual testing for these weekly software updates.
The feature roadmap is managed solely by LiveTiles Directory, but is populated with new features and capabilities primarily from customer and partner requests based on their business needs.
Product functionality tests are conducted by LiveTiles development and product management teams for
any product enhancements being implemented, as well as for each weekly update. Testing verifies
functional requirements, use cases, and that performance goals have been met.
All software development pertaining to LiveTiles Directory is performed securely on-premises at LiveTiles product team locations in the United States and Australia. Only the LiveTiles development team has access to the production environment.
4.2 Data Center Security
Dedicated security efforts are one of the many reasons to leverage a cloud platform. The LiveTiles Directory cloud service is built on the Microsoft Azure platform and shares the security benefits of hosting in Azure. For more information about Azure security, please refer to the Microsoft Azure Security documentation:
https://www.microsoft.com/en-us/trustcenter/Security/AzureSecurity
4.3 Disaster Recovery
All LiveTiles Directory systems and data are made fully redundant. Daily backups are performed, and point-in-time recovery is available.
5 Legal
5.1 EULA
By accessing or using LiveTiles Directory, you agree to be bound by the LiveTiles EULA.
5.2 Privacy Policy
There are a number of US federal laws that protect personal privacy in electronic communications. The LiveTiles Privacy Policy informs you of LiveTiles Directory policies regarding the collection, use, and disclosure of Personal Information when you use the Service. LiveTiles Directory will not use or share your information with anyone except as described in our Privacy Policy and Data Processing Agreement.
6 Conclusion
LiveTiles Directory for Active Directory adds value to an organization’s investment in Microsoft products by helping to keep Microsoft Active Directory (AD) and Azure Active Directory (AAD) content fresh and up-to-date.
The LiveTiles Directory Analyzer provides a secure directory analysis method using the HTTPS protocol for connecting the LiveTiles Directory Agent to the Analyzer’s corresponding LiveTiles Directory service. By using HTTPS, an industry standard, LiveTiles Directory keeps with best practice in ensuring that communication is secured and that no Personally Identifiable Information is exposed.
Additionally, LiveTiles Directory manages the storage of directory statistics efficiently, only holding the data necessary for basic product functionality. On-premises analysis data is transactionally stored in memory and removed once data is no longer required.
If you have questions about LiveTiles Directory security, please email support@livetiles.nyc