The article has been provided by MAKE Interactive, Bitrix24 Gold Partner. Please contact them directly regarding installation or additional details.
For its large European clients, MAKE Interactive has deployed a package of data-security measures using both the powerful out-of-the-box Bitrix24 security features and some custom-built tools. This package is available only in the on-premise (self-hosted) edition of Bitrix24.
Starting point
It is recommended to give true administrator access to as few employees as possible. Because User Groups in Bitrix24 are flexible, 'power users' and other users who need wide permissions in the Control Panel (back end) can be assigned to narrowly configured user groups that grant those permissions while still denying full access. Additionally, back-end access can be limited by IP so that only users physically located at your office or designated locations can make administrator-type changes.
Furthermore, Google Analytics can be installed to track page visits, the Bitrix24 web analytics module logs events, and the proactive protection module includes a code integrity checker.
Gaps
But the fact remains that an administrator can authorize (log in) as a different user. Thus, a person with access to an administrator account could potentially cause a great deal of harm while effectively remaining anonymous. Furthermore, users can edit their own posts and chat messages at practically any time in the future, which creates another way for historical records to become misleading.
Solution
To untangle the confusion that could be created in this 'impersonation' scenario, MAKE Interactive developed a set of tools that store user actions using the user session as the fundamental identifier. These tools track the original user, the impersonated user, the user's IP address, and the session ID. Using the session ID, nearly all actions in the Bitrix24 analytics module and logs can be tracked, thus identifying the original user.
Additionally, a notification is sent via chat message to User #1 or any other chosen user stating that User X has logged in as User Y, so immediate action can be taken if needed. It is also simply good for people to know that all actions are recorded, because that reduces the temptation to abuse access.
Another added feature is edit logging: changes to all posts on the Bitrix24 stream and to all chat messages are logged. Weekly logs are saved as files and can, for example, be emailed to a system administrator. These data security measures and others are available from MAKE Interactive so that you can rest easy knowing that you conform to GDPR requirements.
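The session-based attribution and the login notification described above can be sketched as follows; this is an added example, not MAKE Interactive's or Bitrix24's code, and the record schema, field names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Switch:
    """One 'admin logged in as another user' record (hypothetical schema)."""
    ts: int                 # epoch seconds of the switch
    session_id: str
    original_user: str
    impersonated_user: str
    ip: str

# Constructed sample data; user names, session IDs and IPs are illustrative only.
SWITCHES = [
    Switch(100, "sess-a1", "admin_x", "user_y", "203.0.113.10"),
    Switch(200, "sess-a1", "admin_x", "user_z", "203.0.113.10"),
]
EVENTS = [
    {"ts": 90,  "session_id": "sess-a1", "user": "admin_x", "action": "open_panel"},
    {"ts": 120, "session_id": "sess-a1", "user": "user_y",  "action": "edit_post"},
    {"ts": 130, "session_id": "sess-b2", "user": "user_y",  "action": "send_chat"},
    {"ts": 210, "session_id": "sess-a1", "user": "user_z",  "action": "delete_task"},
]

def notify_text(sw):
    """Chat notification body for the designated recipient (e.g. User #1)."""
    return (f"{sw.original_user} has logged in as {sw.impersonated_user} "
            f"from {sw.ip} (session {sw.session_id})")

def attribute(events, switches):
    """Annotate each logged event with the real actor, joined on session ID."""
    by_session = {}
    for sw in sorted(switches, key=lambda s: s.ts):
        by_session.setdefault(sw.session_id, []).append(sw)
    result = []
    for ev in events:
        # Latest switch in this session that happened at or before the event.
        active = None
        for sw in by_session.get(ev["session_id"], []):
            if sw.ts <= ev["ts"]:
                active = sw
        # Events logged before the switch, or in another session, stay as logged.
        impersonated = active is not None and active.impersonated_user == ev["user"]
        actor = active.original_user if impersonated else ev["user"]
        result.append({**ev, "actor": actor, "impersonated": impersonated})
    return result

if __name__ == "__main__":
    for sw in SWITCHES:
        print(notify_text(sw))
    for row in attribute(EVENTS, SWITCHES):
        print(row)
```

The genuine `user_y` activity in session `sess-b2` is left attributed to `user_y`, while the edits made in `sess-a1` resolve to `admin_x`.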
Do you take the security of your confidential Bitrix24 information seriously?
Contact MAKE Interactive for this security upgrade or visit their website for more information. Implementation of this security pack includes a free security review and consultation of your portal to make sure the great security tools that come standard with Bitrix24 are configured optimally.