Security and compliance is a shared responsibility between Kaseya and the customer:
Kaseya Responsibility
Kaseya provides the underlying infrastructure for customers to manage and monitor their endpoints. Specifically, Kaseya provides the following security functionality, which is configured, controlled, managed and monitored by the Kaseya Team:
- All customer data/traffic from users and agents is encrypted in transit and passes through Kaseya’s Web-Application Firewall (WAF) and Content Distribution Network (CDN), so no data/traffic reaches the VSA SaaS infrastructure directly without first undergoing security analysis in the WAF/CDN.
- Additionally, Kaseya utilizes a stateful firewall to inspect all data/traffic prior to connecting to the VSA SaaS Servers.
- Kaseya maintains patching and vulnerability management of the Kaseya VSA SaaS Product and the underlying systems/server infrastructure. Kaseya ensures that risks posed by security vulnerabilities are assessed, prioritized, and remediated in accordance with our risk appetite.
- SOC monitoring is performed to alert Kaseya of potential security events associated with Kaseya’s VSA SaaS production environment.
Customer Responsibilities and Best Practices
- MFA is required and enabled by default. Customers should review their system configuration to confirm that administrative user accounts use MFA.
- Customers should ensure that access to their VSA SaaS instance adheres to their corporate user access policy.
- Customers are responsible for ensuring that administrative access to their VSA SaaS instance is restricted to authorized users based on the principle of least privilege.
- Customers are responsible for configuring administrative user access using the product’s Roles (what functions a user has the right to access) and Scopes (what devices/agents/organizations a user has access to).
- Customers are responsible for ensuring that processes and procedures are in place for user access requests, user account modifications and user account terminations.
- Customers are responsible for ensuring that access for terminated employees is removed on a timely basis.
- Customers are responsible for ensuring that periodic reviews of user access are performed.
- Customers are responsible for performing periodic reviews of the VSA SaaS product audit logs, which include System Logs (e.g. user access) and Remote Control/Live Connect logs (e.g. what agents were accessed by admin users).