For self-hosted customers, to build, migrate, and support your TrackOne Studio environment, TrackOne Studio requires low-latency remote access to the servers that run the TrackOne Studio web and database services, and access to the application itself.
TrackOne Studio staff are provided with extensive training on accessing customer instances, which is backed by strict policies regarding the purpose, methodology, and scope of the remote access. These have been audited as part of our ISO 27001 compliance process. The TrackOne Studio customer database is encrypted at rest and in transit, and contains internal logging to record which staff members retrieve and use credentials to access customer sites.
If there are any changes to the access methodology or credentials, the TrackOne Studio team should be advised immediately.
Remote access is to be provided using the Microsoft Remote Desktop protocol in a manner that is compatible with the official Microsoft Remote Desktop clients for Windows and macOS. Third-party clients or other services that embed components of the Remote Desktop protocol are not acceptable. Authentication is via username and password with an account for exclusive use by TrackOne Studio. For additional security, consider the following strategies:
- Whitelisting connections to the IP addresses used by TrackOne Studio (highly recommended):
- Using a Microsoft Remote Desktop Gateway.
- Using a non-standard port (other than 3389).
- Regularly changing the password.
- Regularly installing the latest Windows security updates.
- Configuring account lockout policies to mitigate brute-force attacks.
For best performance, it is recommended to allow both TCP and UDP connections.
Full administrator access to the servers that run TrackOne Studio is required. This includes complete read/write access to the file system where TrackOne Studio is installed, and the account will require membership of the “sysadmin” Server Role on the Microsoft SQL Server instance.
The following requirements apply if a VPN is required for connection to a customer’s server or TrackOne Studio application:
- The VPN must be compatible with the latest supported versions of Windows and macOS.
- Straightforward connection instructions must be provided.
If a VPN client is required (eg it does not use the built-in VPN platform in the OS):
- A download link and installation guidance must be provided.
- It must be up to date.
The following configurations are not supported:
- VPNs using the PPTP protocol.
- VPNs that require root certificates to be installed.
Multi-Factor Authentication (MFA)
The only supported method for multi-factor authentication (sometimes known as two-factor authentication or 2FA) is TOTP codes (the same technology used by generic multi-factor authentication apps such as Google Authenticator). To enable this, contact the TrackOne Studio helpdesk, and arrange to provide the secret key (sometimes provided in the form of a QR code). Some identity providers (eg Microsoft Azure) can be configured to allow multi-factor authentication to be setup upon next user sign in, which is a secure way to provide the secret key.
Multi-factor authentication methods that require the use of a specific app, SMS messages, phone calls, or hardware tokens, are not supported.
The most efficient way to provide TrackOne Studio with access to self-hosted systems is to use a shared account that any authorised TrackOne Studio staff member can use.
TrackOne Studio understands the need to balance service delivery with security, so if it is preferred to use named accounts, the following requirements apply:
- TrackOne Studio is not able to advise customers as staff come and go. As such, the customer is required to provision access to staff members that require it upon request. These requests can come in response to support tickets logged by the customer. Customers may wish to enforce expiry dates on these accounts to prevent extended usage.
- Customers can interact with TrackOne Studio representatives via helpdesk, email or phone call.
Mobile phone numbers will not be provided by the TrackOne Studio team, so SMS exchange of details or multi-factor authentication credentials is not possible.
Response time goals are defined on the basis that remote access to systems is readily available upon receipt of the support request or authorisation to proceed with a project or service. If remote access needs to be further arranged (for example, to provision or enable accounts), this will increase the time to respond to and resolve support requests or undertake the requested project or service. TrackOne Studio is not responsible for any delays caused by the inability to access customer systems.
Supply of Credentials
When credentials are supplied to TrackOne Studio representatives (eg usernames and passwords), they should be sent through separate communication methods. For example, the username might be supplied in an email, and the password may be read over the phone.