Because of Pandemic and remote work, User Activity Monitoring and Time-Tracking solutions start being used more intensively by the corporate customers to manage a remote workforce. As a result, the most popular Time-Tracking SaaS solutions may be targeted by Malware, Cybercriminals, or Insider threats. As a response, we would like to announce the end-to-end encryption feature soon will become available for all StaffCounter customers. With “end to end” Encryption enabled, the data will be encrypted by StaffCounter Agents before upload to the staffcounter.net cloud and then decrypted in your web browser right in a moment when you are looking at the reports or employee productivity data. This provides the highest privacy level since data delivered to the cloud storage in encrypted form. By using this principle employed in our cloud storage, technically we will not be able to read and understand productivity data received from computers by any means, on any level. This will enable safe usage of Employee Monitoring (User Behavior Analysis) solutions in any environment, even with the most strict compliance and security policies and requirements. After this feature will be enabled by the customer, StaffCounter.net or StaffCounter On-premise server will store only encrypted data blocks for each computer or employee.
Further details will be added to this announcement soon.
For this feature, we have employed Public Key Encryption protocols that allow to securely transfer the master key across all the connected computers without exposing it to the StaffCounter server.
How end-to-end encryption will work in StaffCounter
After the E2E Encryption feature will enable for a user account, the updated Agent application will use Public Key Encryption protocols (Fig 1) to receive a unique Master encryption key for the user account right from the Web browser of the respective account owner. Start from that moment Agent application encrypt Device name (Employee name) and other sensitive data inside productivity log by using AES-256 algorithm (and unique encryption key) and then transfer it to Staffcounter server. Sensitive data includes company name, Application names, window titles, Website names and addresses, file names, system events data, Windows account name (username), screenshots, audio data.
Next picture represents how encrypted data will be stored in Staffcounter.net server (with JavaScript decryption code disabled in web browser app)
The following picture shows a “Web Sites” report with encrypted URL data encoded with base64 standard:
As shown, the Staffcounter server will be able to continue to deliver reports, notification alerts, and other employee’s analytic data by using the same principle: processing and sorting strings, allowing you to define productivity rules by using text data in encrypted form.
The benefits of “end to end” encryption in Employee Monitoring and Time-Tracking solutions
Currently, there are a dozen of Time-tracking solutions available on the market, that work by the Software As a Service model. SaaS model means that you have entrusted your confidential data to 3-rd party vendor. We know that by design, cloud-based “User Time-Tracking”, “Employee Monitoring”, as well as “Asset Management” solutions uses clear text data to be able to deliver value-added services such as reporting, Productivity measurement, Categorization, Filtering, Alerts, Notifications, and other smart features with the help of machine learning. In most cases, your data is being protected by the well-defined production process outlined in security standards like ISO-27001. Many vendors use only low-level encryption tools that physically store data in encrypted form (data encryption at rest). But these security measures are still vulnerable to Insider threats, Supply Chain attacks, and APT/Malware and Ransomware. StaffCounter.net will be the first solution with an “end-to-end” encryption feature, that protects your data by Design on-the-fly on running instances.
Your benefits with “end to end” encryption :
- The higher data confidentiality and protection level for SaaS/On-premise customers by Design, GDPR compatible.
- Insider threat prevention. SQL Database dump or running instance contains encrypted data. Encryption keys are not stored in the SaaS production/test/backup back-end.
- Secure backup: since the database contains encrypted data in a running instance, the backup now contains the most sensitive data encrypted by default.
- Supply chain attacks mitigation. Customer attribution is encrypted and cannot be used to identify corporate identity for targeting during the containment phase of a successful attack.
- APT/Malware protection. Productivity data stored on a local computer in encrypted form, thus protected from malware/APT (advanced persistent threats) tools that target popular User Monitoring application (especially screenshots and keystroke log).
- Secure disposal conformance. By default, Staffcounter will store productivity data and screenshots on the local computer in encrypted form. Computers returned for disposal will not contain confidential data about user productivity in plain form.
