This article presents Deployment considerations for Organizations and Privileged Users.
This article enumerates deployment considerations so you can prepare your Individual Account or Organization with the right set of capabilities and foundation for engagement.
Though there is a considerable amount of information to consider, it is as a result of the capability you can leverage, not due to complications associated with those capabilities. This will become apparent as you look through each feature and decide if it applies to your plans.
Individual Accounts and Temporary Evaluation
If you wish to deploy for evaluation, you can do so with an Individual Account and at a later time migrate to an Organization, as described in the article, Migrating to an Organization Account. You can also use a, "throwaway" Account with an email address other than the one you intend to use long-term, then later act to Provision your Organization using one of the two available options described later in this article.
Privileged Users and Organizations
If you plan to administer an Organization, you will want to empower one or more Delegates. These are Privileged Users who can provision and configure other Users, and who can make almost all the same changes the one Administrator can make.
That difference is specific to Enhanced 2FA (two-factor authentication), which integrates login 2FA with Duo Security through KODiAC Cloud Services (advantageous because Duo Security authentication requests are completely isolated, outside the reach of host-specific malice). Delegates cannot administer Enhanced 2FA, but can perform all other administrative duties.
Recommended: Provision Admin and Delegate, Use Delegate
You should provision your own Delegate Account and use it for daily proceedings, leaving the Administrator Account (probably completely) idle. It's worth noting that idle Accounts maintain zero configuration data on the host - content is secured and isolated by KODiAC Cloud Services, though not available to it, after Session Logout.
If you are responsible for a large deployment, you may want to create a unique Organization for each team within your business. This isolates automatic (zero-config) data sharing to members of a single SSProtect Organization until Third Party Trust relationships are created to enable information flow between Organization Accounts. These relationships are created and enabled/ disabled on the fly by the Administrator or a Delegate, and all proceedings are backed with :Assess secure auditing and reporting. This allows you to see when data is shared, what data is shared - and when data is "released" from SSProtect (which can be used to track leaks that result in sensitive data found on YouTube, a public pastebin, or other public websites).
One Administrator, Multiple Organizations
If you choose to create multiple Organizations, you (or some other single individual) may wish to serve as the one Administrator for each Organization. You can achieve this by creating email aliases for each Account that will administer each Organization. We suggest an email name that reflects the Organization name, which is typically a combination of the team name and company. For example:
Delegate Organization Participation
Most choose to select Delegates using their, "default" email address, i.e. firstname.lastname@example.org, rather than email@example.com. We do not recommend that any one person in a company participate in more than one company Organization at a time (except in the case of the Administrator that is otherwise largely uninvolved).
Participating in more than one Organization, in the same Windows environment, using multiple email aliases (and thus SSProtect Profiles), can and likely will lead to confusion that can result in unintended data disclosure. Though sharing permissions aren't inherited or transitive, it's not hard to confuse data files and end up cross-coupling them in unintended ways. For this reason, we strong recommend that any such need be deployed using a single Windows environment (host or VM) for each company (and its' associated participating SSProtect Organizations).
Individual Participation in Multiple Organizations
It is quite common for a single user to participate in multiple Organizations as Non-Privileged Users, with or without email aliases. We recommend Non-Privileged participation, at least at first and as minimally as possible, since it's highly effective in limiting the impact of short-term context misinterpretations. We've found this approach to be suitable until context interpretation is very clear and automatic, at which point Delegate authority can be increasingly granted.
This arrangement can be extended to track sensitive data use between corporate resources and work-at-home proceedings with different equipment. The ability to recognize when information flows in and out of IT-managed resources can be critical when tracking issues associated with a breach or leak of sensitive materials, and the nature of a work-specific user and home-specific user can help illuminate issues that would otherwise require more detailed scrutiny.
Contact our Support department if you wish to discuss different use cases and common approaches, and we can apply our experience and insight to help you understand how each option impacts your priorities.
Registering with DefiniSec
Once you decide how you want to organize teams into one or more Organizations, notify your DefiniSec Representative or Support who can then provision each Organization. Though not necessary, you will benefit from providing the set of features you wish to use with each Organization at the same time, else you will have to follow-up with feature requests using the License and Components interface - which requires Support participation and review anyway. This can be done at anytime to adjust your settings, so early decisions aren't restricting.
Once each Administrator Account is provisioned, you will receive a Registration Email that can be used with the article, Using the Registration Email, as previously noted.
Independently Provisioning an Individual Account or Organization
You can alternatively use the procedure outlined in the article, Creating an Account to provision an Organization or Individual Account, which does not require you to immediately involve DefiniSec staff. However, as previously noted, you will likely need to request additional features with License and Components, which will require Support participation and review.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v8.5.1 of the :Foundation Client