This resource provides an overview of recommended security best practices for Zendesk Suite Subscribers to implement in their own instance. We recommend that you consider implementing these practices at the onset of adoption and routinely check your settings and company best practices to ensure that they are appropriate and correctly adhered to by employees.
Zendesk offers a wide range of controls to help you keep your information (and that of your customers) safe and secure. We strongly recommend training agents and administrators to apply these security best practices and minimize your risk exposure, in keeping with our Shared Responsibility Model. This framework outlines the responsibilities of each Zendesk Subscriber when it comes to ensuring the security of their instance. For more information about specific product controls and recommendations, see The Zendesk Suite Product Controls and Recommendations Guide.
This article contains the following sections on Best Practices for Zendesk Suite:
- General
- Access Control
- Systems Access, Networks and Domains
- Data Management
- API
- Monitoring
- Disaster Recovery
Security Best Practices for Zendesk Suite
General
- Use a sandbox for testing and development to keep your production instance clean.
- Restrict Mobile App usage for Agent workflows and/or use cases.
- Enable content moderation in your Guide Help Center and forum threads to prevent spam and/or unwanted content in your Gather community.
- Review any and all automated functions that send notifications to ensure that they are notifying the correct people.
Access Control
General
- When using Zendesk Native Authentication:
  - Customize the password security level to match your company’s internal policies.
  - Set the lowest session expiration necessary for your agents and admins.
  - Disable unnecessary social logins for end-users.
- When using Single Sign-On (SSO):
  - Utilize either native in-product SSO or your existing enterprise Single Sign-On to centrally manage your configurations.
  - Couple any MFA you operate with your SSO so that it covers Zendesk logins.
  - If you still want to allow password authentication via Zendesk Native Authentication, for example because you are concerned about availability during an SSO outage, do not disable password authentication. If, however, you want to eliminate the use of passwords once SSO has been configured, disable password use. Note that disabling password access will terminate all open sessions that were authenticated with passwords.
  - Keep Account Assumption disabled unless you require a Zendesk employee to enter your account (for example, when interacting with Zendesk Support, advocates, or Professional Services).
Users
- Review connected devices associated with your Agent profile and remove those that are no longer in use or look suspicious. Note that only Agents, Admins and Owners have access to this functionality.
- If creating a “closed” Zendesk instance, require end-users to register and verify their emails before they can submit tickets to cut down on potential spam.
- Apply custom roles for your agents to limit user access to only what is necessary for each job function.
- Consider user segment and/or brand-based privileged access when using Guide.
- Leverage the allowlist to define specific users, or groups of users, who have access to your account and/or the ability to submit requests / chats.
- Suspend, reject, and/or prevent users from interacting with Zendesk Services via the blocklist, when necessary.
- Review the users on your account and suspend/demote users who no longer need access to your system.
Passwords
- Zendesk provides the following levels of password security: Recommended, High, Medium, and Low. Zendesk suggests the Recommended password security level for both team members and end users. See Setting the password security level for implementation steps.
- Two-Factor Authentication (2FA) is the recommended standard for agent and Admin login to Zendesk.
- Where different populations have different security needs, consider setting one custom password security level for End Users and another for Agents and Admins when using Zendesk’s native authentication.
- Create a unique password for your Zendesk account (i.e., one not currently used to log in to external systems or applications).
- Enable email alerts for logins from new devices so Agents can monitor their accounts for logins from new (and unauthorized) devices. See Checking devices and applications that accessed your account in the Zendesk Agent Guide.
System, Network Access and Domains
- Use Contextual Workspaces to optimize your workflows and show only applicable tools (e.g., macros, apps, forms, etc.), ensuring that Agents only have access to the system functions and workflows that are needed to complete a task.
- Restrict access based on IP addresses for the agents and/or end users.
- Suspend, reject, and/or prevent users from interacting with Zendesk Services via the blocklist, when necessary.
- Where you require non-Zendesk URLs, generate your own SSL certificates or use Zendesk-provisioned SSL certificates with host mapping to provide secure access to your help center. Where you supply your own SSL certificate, be sure to keep it up to date.
Data Management
Data Usage
- Capture only data that is needed to complete a given use case, minimizing the exposure of sensitive customer and/or internal data.
Deletion/Redaction
- Refer to the "Complying with privacy and data protection law" guides for deletion and redaction recommendations, in accordance with privacy regulations.
- Consider not recording calls, and/or automatic deletion of recordings when using Talk functionality, where such recordings could be challenging for your compliance with industry or legal regulations.
- Enable automatic redaction to protect sensitive customer data in tickets and chats. Note: This feature leverages a Luhn check which will redact most, but not all, credit card numbers.
- Manually redact credit card information from the Zendesk Agent Workspace, where permissions allow. Note that even after deletion data may still persist in logs for up to 30 days.
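As an added illustration (not code from the Zendesk article or product), a minimal Luhn-based redactor in Python showing why such a check catches most, but not all, card numbers: a candidate that fails the checksum, for instance through one mistyped digit, is left in place. The candidate regex and the ticket text are constructed for this example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
# Constructed for this example; the product's own matcher is not shown on the page.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid candidate, keeping the last four digits; return (text, count)."""
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # fails the checksum, so a Luhn-based redactor leaves it untouched
        count += 1
        return "X" * (len(digits) - 4) + digits[-4:]

    return CARD_CANDIDATE.sub(_mask, text), count


# Constructed ticket text using well-known test numbers, not real cards. The third
# number has a mistyped digit and fails Luhn, so it survives redaction.
SAMPLE_TICKET = (
    "Please refund card 4111 1111 1111 1111; the old one was 5500-0000-0000-0004. "
    "I may have typed 4111 1111 1111 1121 on the form by mistake."
)

if __name__ == "__main__":
    redacted, n = redact_card_numbers(SAMPLE_TICKET)
    print(f"{n} candidate(s) redacted")
    print(redacted)
```

The surviving number is why a manual review step, as in the item above, still matters after automatic redaction runs.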
Compliance
- Should your use case involve Protected Health Information (PHI), enter into a Business Associate Agreement (BAA) with Zendesk and implement the required security configurations for Health Insurance Portability and Accountability Act (HIPAA) related PHI and electronic PHI (ePHI) data management, as necessary for you as a healthcare provider or healthcare data manager.
- Should you use credit card numbers for identification purposes, add a credit card field to your ticket form to meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements (note this field does not store or surface the full credit card number and cannot be used for payments or transactions).
- For those who need to be in scope for PHI, ePHI, HIPAA and/or PCI DSS compliance:
Privacy
- Consult the "Complying with privacy and data protection law" section of the Help Center for product-specific privacy considerations.
- Access the Trust Center to learn how our Global Privacy Program helps you stay compliant, no matter where you’re located or who you do business with.
- Apply email archiving when there’s a business need to maintain archives of customer communications outside of Zendesk Services for policy, regulatory, or legal purposes.
- Disable Chat email piping unless required when using Chat.
- Use rich content in incoming emails only when necessary for your workflow.
- Enable email authentication with SPF, DKIM, and DMARC to reduce spoofed email and spam your account receives.
- Digitally sign outbound emails from Zendesk to verify that they originated within your organization.
- Leverage personalized email replies and agent aliases to provide transparency to end-users who are communicating with agents via ticketing.
- Decommission unused or unnecessary Support addresses to minimize spoofing risk.
API
- Make use of tokens instead of passwords to prevent unauthorized password access to the API.
- Deploy OAuth to authenticate and limit the amount of access granted to tokens in the API. Disable where unneeded.
- Safeguard API tokens in a secure location outside of the application. Where possible, OAuth tokens are recommended over API tokens.
Monitoring
- Regularly review and monitor account audit logs that show changes to your account. Helpful tip: Your API can also be leveraged to export audit logs as needed.
Disaster Recovery
Zendesk maintains a Global Business Resilience Program to ensure we have the ability to rapidly adapt and respond to business disruptions and safeguard people and assets while maintaining continuous business operations. Outside of this, there are several steps that you can take to further secure the continuity of your business.
- Opt in to Enhanced Disaster Recovery for security redundancy that includes real-time data replication, traffic prioritization, zone availability redundancy and priority recovery planning.
- If using Voice functionality, enable a Talk failover number for business continuity purposes.
- If you want to retain password access in the event of an external SSO system outage, consider not disabling Zendesk native authentication (SSO can be configured as strict, or to allow password bypass).
- Apply an incremental export API and/or bulk downloads of your Service Data if you require non-editable data stores to be preserved within your own environment.
- Enable automated email forwarding from your personal third-party email address to Zendesk Support to retain a copy of the email outside of Zendesk.
- Use the incremental export API to retrieve Zendesk Support items that have been changed since the last API call request. See the API Reference for more information.
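As an added example (not from the Zendesk article or any Zendesk library), a Python loop over the time-based incremental export that shows how to keep a copy of Service Data in your own environment: `fake_fetch` is a constructed stand-in for the authenticated call to the export endpoint, the response keys mirror the time-based export shape, and the loop persists `end_time` as the cursor for the next run, keys records by id so an overlap at the cursor time is stored once, and stops at `end_of_stream`.

```python
from typing import Callable

# Constructed pages standing in for GET /api/v2/incremental/tickets.json?start_time=N.
# Field names (tickets, end_time, end_of_stream) mirror the time-based export response;
# the ticket data is made up. Ticket 2 appears in both pages because a record updated
# exactly at the cursor time can be returned again by the next call.
FAKE_PAGES = {
    0: {"tickets": [{"id": 1, "updated_at": 100}, {"id": 2, "updated_at": 200}],
        "end_time": 200, "end_of_stream": False},
    200: {"tickets": [{"id": 2, "updated_at": 200}, {"id": 3, "updated_at": 350}],
          "end_time": 350, "end_of_stream": True},
}


def fake_fetch(start_time: int) -> dict:
    """Stand-in for the authenticated HTTP call; looks up a constructed page."""
    return FAKE_PAGES[start_time]


def export_since(start_time: int, fetch: Callable[[int], dict]) -> tuple[dict, int]:
    """Follow the time-based export until end_of_stream.

    Returns (tickets keyed by id, cursor to persist for the next run). Only the
    cursor needs to survive between runs; pass it back in as start_time.
    """
    tickets = {}
    while True:
        page = fetch(start_time)
        for t in page["tickets"]:
            tickets[t["id"]] = t  # keyed by id so the overlapping record is kept once
        if page["end_of_stream"]:
            return tickets, page["end_time"]
        if page["end_time"] <= start_time:
            # more than one page of records share this timestamp; do not loop forever
            raise RuntimeError(f"export made no progress at start_time={start_time}")
        start_time = page["end_time"]


if __name__ == "__main__":
    exported, cursor = export_since(0, fake_fetch)
    print(f"{len(exported)} tickets exported; persist cursor {cursor} for the next run")
```

In a real run, replace `fake_fetch` with a function that calls the endpoint using an API or OAuth token read from a secret store, in line with the API section above.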
If you suspect that a security incident within your Zendesk instance was directly caused by our Service itself, you should submit a ticket to security@zendesk.com. For clarification on when to contact Zendesk about security-related responsibilities, consult the Shared Responsibility Model.