MSP Toolshed understands that security is of utmost importance when providing a SaaS product. We protect your information in several ways.
MSP Toolshed stores very little Personally Identifiable Information (PII). We are able to do this because of the tools we use for authentication and billing, as well as storing Automate RMM user credentials.
MSP Toolshed utilizes Auth0 for identity management. MFA inforced, or your Microsoft AAD tenant’s security settings.
MSP Toolshed utilizes ChargeBee for billing, using it’s HostedSessions, which are very secure.
Q: If configuring MSP Toolshed to integrate with ConnectWise Automate, it is required to supply credentials. How are these credentials secured?
A: If setup based on our docs, the user for the Automate connection should only have the permissions it needs, so the credentials we store do not have Admin access.
Our OneTouch deployment files contain the Bearer token that is used to authorize OneTouches during a deployment. There is a single, unchanging Bearer token per OneTouch/WebStart, and if lost to a bad actor, could be used to capture deployment configuration and RMM credentials, start deployments or spam the logging/status endpoints. That’s why we only generate encrypted .ppkgs.
Our OneTouch packages are a Microsoft .ppkg file. These are essentially zip archives and can be encrypted. MSP Toolshed does not allow unencrypted .ppkgs (OneTouches) unless the client asks for it and can prove to support that they can manage .ppkgs securely. Support has the ability to turn on unencrypted .ppkgs. This can be useful for clients that use .ppkg provisinging within an automated environment, since the password functionality of a .ppkg only works through UI interaction from a user. Using .ppkgs in custom automation requires unencrypted .ppkgs.
As such, customers should treat OneTouches as sensitive files and create security processes around this.
If a OneTouch is compromised or lost, one simply needs to delete the OneTouch in the Portal and it will invalidate the lost OneTouch bearer token.
- All the connections are HTTPS and we use Bearer tokens for agent communications.
- After the MSP Toolshed setup has completed, we do not leave any code or Windows services on the machine that was setup, so there is no persistent agent to be compromised.
- Both deployment methods (WebStart and OneTouch) are encrypted and secured with a PIN or Password, preventing unauthorized execution of deployments.
- You can configure notifications in Teams to be made aware any time someone executes a deployment so that you can be notified of activity in the product.
We have multiple third-party security audits and code reviews per year.
Data is encrypted at rest and in transit.
In case of catastrophic damage to the MSP Toolshed databases, it is possible within Azure to recover the state of the DB and rollback the system code.