This is the third, and final, installment of our Security Best Practices series. It provides a baseline product-level reference for how to successfully and securely manage your Zendesk Suite instance. As always, we strongly recommend that you consider implementing these product controls and recommendations at the onset of adoption and regularly review your settings and company best practices to ensure that they are both appropriate for your specific use case and correctly adhered to by your employees. Training agents and administrators on how to apply these product controls will help minimize risk exposure—in keeping with our Shared Responsibility Model.
For a high-level overview of our recommended security practices, see the General Security Best Practices document. If you need a more in-depth (but non-product specific) security resource, please take a look at our Zendesk Suite Actionable Security Guide.
This article covers Zendesk Suite Product Controls for the following products: Support, Guide, Chat, Talk, Explore, and Messaging (Native).
Security Best Practices: Zendesk Suite Product Controls
Support
- Account assumption. Enable (or disable) temporary or permanent ‘assume’ privileges allowing Zendesk staff to enter an account for a specific amount of time, without impact to your license or the permitted number of agents. Please note that feature enablement may be overridden by specialized Zendesk staff in case of emergency or when account or application usage is in violation of the Main Services Agreement.
- Custom password configurations. Customize your own password security level to align with internal policies. Zendesk provides the following levels of password security: Recommended, High, Medium, and Low. See Setting the password security level for implementation steps. Note: When Zendesk authentication is enabled, you can set session expiration/inactivity timeout restrictions and/or password expiration at the agent/Admin level.
- Two-factor authentication (‘2FA’). Add a second authentication layer. 2FA is available natively in the product via SMS message or an authenticator app installed on the user’s mobile device; alternatively, use your own 2FA solution if you couple it with Single Sign On in your environment.
- Single Sign On (‘SSO’) (for business and social end-user accounts). Reduce the attack surface by having users log in once, with a single set of credentials.
- Restrict IP addresses. Limit the agent interface to users connecting from a specific range of approved IP addresses.
- Secure Attachment Access. Require users to log in to their account before accessing attachments by activating private attachments.
- Malware Scanning. Admins should follow company guidelines on how to manage attachments that have been flagged by our Malware Scanning.
- Redaction. Redact personal or sensitive data on demand in the agent workspace (with Admin/Agent access).
Email
- Archive customer communications for auditing/legal purposes.
- Disable rich content in emails (i.e., non-plain text/HTML).
- Decommission unused support email addresses.
- Disable wildcard email address when not needed.
- Enable email authentication with SPF, DKIM and DMARC to reduce email spoofing and Business Email Compromise.
- Use DKIM for outbound email to verify the origin of emails (e.g., from within your organization).
- Personalize emails to improve transparency and help build trust between customers and agents.
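As an added illustration of the SPF and DMARC items above (not part of the original article), the following Python checker parses the two TXT records and reports the weak settings a reviewer would flag, such as a permissive `+all` or a `p=none` policy. The sample records are constructed; look up your own domain's TXT records to check the real ones.

```python
# Constructed sample TXT records (not from the article), in the shape a DNS
# lookup of example.com and _dmarc.example.com would return.
SPF_WEAK = "v=spf1 include:_spf.provider.example +all"
SPF_STRONG = "v=spf1 include:_spf.provider.example -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRONG = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"


def spf_findings(record):
    """Return a list of weaknesses in an SPF TXT record (empty = looks fine)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechs, findings = parts[1:], []
    # The final 'all' mechanism decides the fate of every sender not listed.
    alls = [m for m in mechs if m.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders are neutral, not rejected")
    elif alls[-1][0] not in "-~":
        # '+all', '?all' or a bare 'all' permits any host to send as your domain.
        findings.append(f"'{alls[-1]}' lets anyone send as you; use -all (or ~all)")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...' into a tag dict, or None if it is not DMARC."""
    tags = {}
    for item in filter(None, (s.strip() for s in record.split(";"))):
        if "=" not in item:
            return None
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC TXT record (empty = looks fine)."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # p=none only asks receivers to report; spoofed mail is still delivered.
        findings.append(f"p={policy or 'missing'}: spoofed mail is only monitored")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports that reveal abuse are not collected")
    return findings
```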
- SPAM. Ensure that tickets aren’t incorrectly marked as ‘SPAM’ via Suspended Ticket notifications.
- Device Tracking. Manage user devices and remove those no longer in use (with Agent/Admin access).
- Sandbox. We recommend using a sandbox environment for testing and launching code before it goes into your production environment. Please note that this is only available with Enterprise plans.
- Support Mobile app. Decide if you want to allow access for Agents via the Support Mobile app, and if not, remove the Mobile App access in Admin Center under “More Security Settings”. Please note that Password Access to the API needs to be allowed for Mobile Apps to work.
- Credit Card (PCI) data. Automatically redact credit card data (limitations may apply) or add a PCI compliant credit card field.
Log Management
- Audit logs. Manage your audit logs to keep track of changes in your account. Export reports via the API or as CSV. Only available with Enterprise plans.
- Ticket interaction/event logs. See all actions and notifications that have occurred in your account.
- Integration logs. Track data syncing between your Support instance and your integration via this tool in the Admin Center.
- End user verification. Require end users to register and verify their email address.
- Least privilege. Restrict user access to ensure that users only have access to task dependent products. Learn more about Support user roles.
- Custom Roles. Delegate access by role/job description. Please note that this feature is only available for Enterprise plans.
- Allowlisting. Define who has access to your instance to reduce the exposure of sensitive data and unauthorized system access.
- Blocklisting. Suspend, reject or prevent users from accessing your instance if/when you perceive a threat to your security.
- Remove accounts/users. Regularly review the users on your account and suspend/demote users who no longer need access to your system.
- CC and Follower Blocklisting. Prevent others from being tagged on tickets and notified of customer conversations to limit access to sensitive customer information and vulnerability to a data breach.
- Limit Team Member and End-User Inactive Session Length. Limits how long an idle session remains usable before the user must sign in again, shrinking the window for unauthorized access to systems and data.
- Disable Ability for Admins to Set Passwords for Users. Enforce least privilege and remove the ability to set a password without having a user apply 2FA and verify their email address through the normal password reset process. See this document for more information about setting password security levels.
- Webhooks. Use TLS/HTTPS to securely connect to third party endpoints such as applications or websites.
- Zendesk Marketplace. Only install third-party applications that you trust. To learn more, see here.
API Access
- Disable password access to your API to limit the exposure of protected information.
- API Tokens. Have your Admin set up least privilege access to reduce the number of people who have access to your API and sensitive customer data (e.g., PII, PHI etc.). Please see the Security Configuration Requirements for HIPAA or HDS Enabled Accounts for related information about API token management.
- OAuth clients. Secure access to your API (and related data). Choose the right flow type for your use case and prefer Authorization Code Grant or Implicit Grant over Password Grant if possible. Visit OWASP for a detailed list of industry best practices.
- Self-Built Apps and Integrations. For app and integration best practices, visit the Documentation portal.
Guide
- Moderate Content. Review Guide content to ensure that SPAM isn’t being posted to your Help Center.
- API. Disable password access to your API to minimize the exposure of sensitive data.
- API Tokens. Have your Admin set up least privilege access to reduce the number of people who have access to your API and opportunities for data compromise.
- Restrict Help Center Access. Apply IP address restrictions to limit user access based on authentication and segmentation.
- Article Interaction/event Logs. See all actions taken by agents on an article to ensure adherence to company best practices.
- Agent/Alias Display Name. Allow agents to personalize their signatures, increasing trust between agents and customers as well as the online safety of your agents.
- Unsafe Content. Prevent unsafe content from being displayed in your Help Center.
Chat
- Chat API. Have your Admin set up least privilege access to reduce the number of people who have access to sensitive data. Be sure to acknowledge the following restrictions.
- Native File Attachment Allow Listing. Restrict file sharing to only those extensions needed for specific job tasks.
- Gating via Support. Apply cascading security configurations across products (only applicable for Suite plans).
- Credit Card (PCI) data. Automatically redact credit card data information in chats and chat history (limitations may apply) to reduce data compromise.
- Agent/Alias Display Name. Allow agents to personalize their signatures, increasing trust between agents and customers as well as the online safety of your agents. (Chat standalone)
- Visitor Authentication. Enable visitor authentication via token or shared secret to ensure that only authorized users have access.
- Authentication controls. Send private chat attachments with authentication controls (only available with the Agent Workspace).
- Blocklisting. Suspend, reject or prevent users from accessing your account if/when they pose a risk to your security or violate company policy.
- Restrict Chat Widget by location (e.g., country or domain) to reduce your exposure to bad actors and/or malicious nation-state actors.
- Custom Roles. Delegate access to Chat by role/job description. Please note that this feature is only available with Enterprise plans.
Talk
- Call Recording. Opt in to or out of call recording based on the number, caller or end user.
- Delete Recordings. Enable automatic deletion of Talk recordings.
- Talk API Delete Recording Feature. Use this endpoint to programmatically delete recordings from tickets, where applicable. Manual deletion can also be used to meet erasure obligations (such as the right to be forgotten) and industry privacy and compliance requirements. Note: Automatic Redaction is a separate feature that can’t currently be used to redact credit card information from Voicemail transcripts.
Explore
- Manage Explore Permissions. Enable Explore access based on least privilege access (with Admin access).
- Set up Dataset Permissions. Set dataset permissions using least privilege access (with Admin access).
Messaging (Native)
- End User Authentication. Enable end user authentication for Web Widget and Mobile SDK.
- Allowlisting. Only allow the Web Widget to be loaded on specific domains.
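The visitor authentication control under Chat and the end-user authentication control under Messaging both rely on a token signed with a shared secret. The following Python example, added here and not part of the original article or of Zendesk's own code, shows how such an HS256 JWT is minted on the server and what the verifying side must check before trusting the identity it carries; the claim names and the 300-second freshness window are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time, uuid

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret, external_id, name, email, now=None, jti=None):
    """Server side: mint an HS256 JWT asserting who the visitor is. The claim
    names are an assumption for illustration; use the set your Zendesk product
    documents. The shared secret must never be shipped to the browser."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"external_id": external_id, "name": name, "email": email,
              "iat": now, "jti": jti or uuid.uuid4().hex}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(secret, token, now=None, max_age=300):
    """Verifier side: accept only a correctly signed, fresh token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # refuse alg=none / confusion
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")         # constant-time comparison
    claims = json.loads(b64url_decode(c64))
    for name in ("external_id", "iat", "jti"):
        if name not in claims:
            raise ValueError(f"missing claim: {name}")
    if not (now - max_age <= claims["iat"] <= now + 60):
        raise ValueError("stale or future-dated token")  # bounds the replay window
    return claims

def token_status(secret, token, now=None):
    """'ok' or the rejection reason, suitable for verifier-side logging."""
    try:
        verify_token(secret, token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```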