
Zero Trust Security: How to implement access control policies in Teramind


Introduction

In modern enterprise security, the traditional perimeter-based defense model is obsolete. Organizations must now adopt a Zero Trust framework, which operates on the principle of "never trust, always verify". This means no user, device, or application is inherently trusted, regardless of whether they are inside or outside the network. This approach necessitates establishing strict identity verification, strong access controls, and continuous monitoring for every access request.

This article details how the Teramind platform enables organizations to implement a comprehensive Zero Trust security posture by focusing on both logical (software) and physical (data hosting) access controls. We will explore the critical features and capabilities within Teramind, which include:

  • Strong Identity and Authentication: Using methods like Multi-Factor Authentication (MFA), Single Sign-On (SSO), domain integration, and strong password policies to establish initial user confidence.

  • Least Privilege Access: Enforcing the principle of least privilege through Role-Based Access Control (RBAC) and granular access policies.

  • Continuous Monitoring and Enforcement: Utilizing the Policy and Rule Engine to dynamically monitor user behavior, detect threats in real-time, and automate incident response.

  • Auditing Admin and Privileged User Activities: Maintaining an immutable log of all privileged actions to ensure accountability and compliance.

  • Limiting Access to User Data: Controlling the export and internal distribution of sensitive recorded data to prevent unauthorized disclosure.

  • Infrastructure & Physical Access Control Alignment: Ensuring underlying platform security, including controls over the physical IT assets where data is hosted, are rigorously aligned with compliance standards.

By leveraging these controls, Teramind provides the necessary foundation to move beyond perimeter security and effectively manage risk, especially the risks posed by privileged users and insider threats.

Strong Identity and Authentication (Who is accessing?)

Zero Trust begins by establishing confidence in the user's identity and the health of the device they are using. Strong authentication is the first step in the access decision-making process.

In Teramind, the authentication options are located under Configurations > Settings > Authentication. Each Zero Trust principle below is paired with the Teramind feature that implements it.

Strong Password Policy

Teramind provides granular password complexity controls under the Enable Password option. This allows administrators to mandate robust password policies, which directly strengthens the Identity pillar of Zero Trust. Administrators can enforce stringent requirements, such as a minimum password length, the inclusion of mixed-case letters, numbers, and symbols, and password expiry. This high-entropy barrier significantly increases the effort and time required for brute-force or dictionary attacks, effectively limiting the attack surface.

Multi-Factor Authentication (MFA)

These features enforce strong authentication methods to eliminate reliance on a password alone.

If you enable the Enable password + 2FA option, a user is granted login only after successfully providing two factors (pieces of evidence) to verify their authenticity. When enabled, a third-party authenticator (TPA) app such as Google Authenticator or Authy must be used to provide a one-time code that changes periodically, in addition to the user's login credentials. 2FA protects your Teramind data in case a user's credentials are stolen.

The Enable SSO option allows you to authenticate to the dashboard using a Single Sign-On (SSO) service such as Okta, OneLogin, etc. via the SAML 2.0 protocol. This is especially helpful if you are already using such a service for your other applications and want to bring Teramind into your centralized identity management system.

Access Restriction

The Allowed IPs option lets you reduce the risk of unauthorized logins by defining which IP addresses are permitted to log in to the Teramind dashboard. This ensures that administrative access is limited to trusted, known network locations.

Identity Synchronization

Teramind lets you integrate with Active Directory to synchronize employee identities, organizational units, and security attributes. Once integrated, you can use the Enable LDAP option to provide a secure login option for domain users. This simplifies the implementation of a unified access control policy across the enterprise.

Least Privilege Access (What can they do?)

After verification, access must be limited to the absolute minimum necessary. Teramind enforces this through a layered approach of role-based and policy-based controls.

Role-Based Access Control (RBAC)

Teramind utilizes built-in account roles to create foundational segregation, directly enforcing the Zero Trust Principle of Least Privilege by limiting which platform features and data users can access. This approach ensures that all users, especially those with elevated privileges, only have the minimum necessary rights.

You can set RBAC at two distinct levels:

1. User Level Access

Teramind comes with several built-in account types with progressive access privileges. These roles define fundamental permissions based on the user's primary function:

Administrator (Highest Privilege, Closely Monitored)

Grants the most powerful access level. These users can monitor all employees, other admins, and change any system settings without restrictions. Zero Trust requires their activities to be rigorously audited.

Operational Administrator (Segregated System Control)

Users have access to system settings, rules, computers, and other users, and can configure the access control of other users, but often with reduced scope compared to a full Administrator.

Infrastructure Admin (System Management Only)

Can access system settings but is explicitly prevented from browsing session recordings, maintaining a clear separation between technical management and employee monitoring.

Employee (Minimal Privilege)

Regular users. By default, they have access only to their own tasks. An administrator can optionally allow them to access their own productivity dashboards.

Account access level for individuals can be set from an employee's profile (under the Account tab).

Note: You can extend an employee's access level by promoting them to a Department Manager or via the Access Control (see below).

2. Department Level Access

This layer is specifically designed for supervisory roles, providing data visibility without granting unnecessary system control:

Department Manager (Data View Only, Limited Scope)

Can view the data (e.g., reports, activities) of the employees under their direct supervision but cannot affect any system-level settings, limiting the scope of potential misuse.

You can create departments and assign the Manager role to employees from the Configurations > Departments screen.

Notes:

  • Access levels for department managers can be further extended and customized by utilizing the Access Control feature, allowing for the precise, granular implementation required by a Zero Trust architecture (see below).

  • You can also import Active Directory Organization Units (OUs) as departments into Teramind.


Granular Authorization via Access Control

The Teramind Access Control feature directly enforces the Zero Trust principle of Least Privilege by allowing administrators to define highly specific authorization policies for non-admin users and department managers. This mechanism ensures that users only receive the absolute minimum permissions necessary to perform their roles, preventing the security risk associated with granting blanket administrative rights.

Access Control allows you to tightly govern three core Zero Trust aspects:

  1. What specific features of the Teramind platform they can access.

  2. Whose data they are permitted to view.

  3. What configurations/settings they are allowed to change.

In Teramind, an access control rule is composed of five tightly integrated elements designed for granular policy implementation:

Granted Privileges (WHO is granted the permission?)

The specified users or department managers who will 'own' the privileges granted by the policies and permissions of an access control rule.

Policies (WHAT is the rule container?)

A logical container used to group related permissions, resources, and conditions, defining a complete set of access rules.

Permissions (WHAT actions can be taken?)

The specific actions that can be performed by the privileged users. These are categorized into three types: View, Play, and Configure.

Resources (WHAT features are targeted?)

The specific features, data, and other resources the permissions apply to (e.g., viewing Built-in Dashboards, playing Screen Recordings, configuring Shared Lists).

Conditions (WHOSE data is accessible?)

The target users, departments, or computers whose corresponding data and resources the privileged users will be able to access, ensuring strict data segmentation.

This segmented approach guarantees that even privileged users operate under strict controls, fundamentally aligning with the Zero Trust mandate of verified, minimal access.

You can create access control rules from the Configurations > Access Control screen.
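The five-element model above can be exercised as a default-deny evaluator. This is an added illustration written for this article, not Teramind's own code; the data structures, the grantee identifiers, the "dept:"/"user:"/"computer:" scope labels and the sample rule are all assumptions constructed here.

```python
from dataclasses import dataclass

# The three permission types named on the page.
PERMISSIONS = frozenset({"View", "Play", "Configure"})

@dataclass(frozen=True)
class Policy:
    """Policy: a container grouping permissions, resources and conditions."""
    name: str
    permissions: frozenset  # subset of PERMISSIONS (WHAT actions)
    resources: frozenset    # e.g. "Built-in Dashboards" (WHAT features)
    conditions: frozenset   # scope labels such as "dept:sales" (WHOSE data)

@dataclass(frozen=True)
class AccessRule:
    """Granted Privileges (WHO) bound to one or more Policies."""
    grantees: frozenset     # user or department-manager identifiers
    policies: tuple

def target_labels(target):
    """Scope labels for a monitored person (assumed dict: user, dept, computer)."""
    return {f"user:{target['user']}", f"dept:{target['dept']}",
            f"computer:{target['computer']}"}

def is_allowed(rules, grantee, permission, resource, target):
    """Default deny: True only if a rule names the grantee and a policy matches."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    labels = target_labels(target)
    for rule in rules:
        if grantee not in rule.grantees:
            continue
        for p in rule.policies:
            if (permission in p.permissions and resource in p.resources
                    and p.conditions & labels):
                return True
    return False

# Constructed sample: the Sales department manager may View dashboards and Play
# recordings for Sales employees only, and is never granted Configure.
SALES_VIEW = Policy("sales-view-play", frozenset({"View", "Play"}),
                    frozenset({"Built-in Dashboards", "Screen Recordings"}),
                    frozenset({"dept:sales"}))
RULES = (AccessRule(frozenset({"mgr-sales"}), (SALES_VIEW,)),)
ALICE = {"user": "alice", "dept": "sales", "computer": "WS-SALES-01"}
CAROL = {"user": "carol", "dept": "engineering", "computer": "WS-ENG-07"}

def demo():
    return {
        "view_own_dept": is_allowed(RULES, "mgr-sales", "View", "Built-in Dashboards", ALICE),
        "play_other_dept": is_allowed(RULES, "mgr-sales", "Play", "Screen Recordings", CAROL),
        "configure_denied": is_allowed(RULES, "mgr-sales", "Configure", "Shared Lists", ALICE),
        "ungranted_user": is_allowed(RULES, "mgr-eng", "View", "Built-in Dashboards", ALICE),
    }
```

Only the request that matches the grantee, permission, resource and condition at once is allowed; every other combination falls through to the default deny.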


Continuous Monitoring and Enforcement (What are they doing now?)

Zero Trust mandates continuous monitoring and real-time response, operating under the assumption that a threat could emerge at any moment. Teramind's rule engine and audit capabilities enforce security policies in motion.

Real-Time Policy Enforcement via Behavior Rules

The Policy and Rule Engine extends Zero Trust enforcement to the endpoint, enabling immediate access control decisions based on user behavior:

Dynamic Access Control

Rules can be configured to detect specific high-risk activities, such as an attempt to execute a restricted command, access a confidential folder, log in with elevated privileges, or change existing access control policies such as the Windows GPO settings on the computer.

Versatile Targeting

Behavior policies and rules allow you to apply granular access control to individuals, departments, AD groups, and computers, making them highly flexible and dynamic.

Automated Response

When a rule violation occurs, the system can instantly block the action or automatically lock out the user from the system, preventing system misuse before it can cause harm.

You can create Behavior Policies and Rules from the Configurations > Behavior Policies screen.

There are hundreds of pre-built templates and samples that you can easily customize to create your own access control rules.
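The detect-target-respond pattern described above (Dynamic Access Control, Versatile Targeting, Automated Response), shown as an added example over constructed endpoint events. This is not Teramind's rule engine; the event and rule formats, the label scheme, the regex patterns and every user, computer and path value are assumptions made up for this illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    user: str
    dept: str
    ad_groups: frozenset
    computer: str
    kind: str    # "command", "file_access", "login" or "gpo_change"
    detail: str  # command line, path, account name or setting changed

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str           # event kind this rule inspects
    pattern: str        # regex matched against Event.detail
    targets: frozenset  # "user:", "dept:", "group:", "computer:" labels, or "*"
    action: str         # "notify", "block" or "lockout"

SEVERITY = {"notify": 0, "block": 1, "lockout": 2}

def applies_to(rule, ev):
    """Versatile targeting: the rule applies if any of its labels fits the event."""
    labels = {f"user:{ev.user}", f"dept:{ev.dept}", f"computer:{ev.computer}"}
    labels |= {f"group:{g}" for g in ev.ad_groups}
    return "*" in rule.targets or bool(rule.targets & labels)

def evaluate(rules, ev):
    """(rule_name, action) of the most severe matching rule, or None if benign."""
    hits = [r for r in rules
            if r.kind == ev.kind and applies_to(r, ev) and re.search(r.pattern, ev.detail)]
    best = max(hits, key=lambda r: SEVERITY[r.action], default=None)
    return (best.name, best.action) if best else None

# Constructed rules mirroring the high-risk activities listed above.
RULES = (
    Rule("restricted-command", "command", r"^(net user|net localgroup)\b", frozenset({"*"}), "block"),
    Rule("confidential-folder", "file_access", r"^\\\\fs01\\Finance\\",
         frozenset({"dept:engineering", "group:Contractors"}), "block"),
    Rule("elevated-login", "login", r"^admin", frozenset({"computer:WS-HR-01"}), "notify"),
    Rule("gpo-change", "gpo_change", r".", frozenset({"*"}), "lockout"),
)

# Constructed events; every value here is made up for the example.
EVENTS = (
    Event("dave", "engineering", frozenset({"Contractors"}), "WS-ENG-07", "file_access",
          r"\\fs01\Finance\budget.xlsx"),
    Event("erin", "hr", frozenset(), "WS-HR-01", "login", "admin-erin"),
    Event("frank", "it", frozenset({"Domain Admins"}), "WS-IT-02", "gpo_change", "PasswordComplexity=Disabled"),
)

def run(rules=RULES, events=EVENTS):  # one (user, rule_name, action) per tripped event
    return [(ev.user, *v) for ev in events if (v := evaluate(rules, ev))]
```

An event that matches no rule, or whose user, department, group and computer fall outside every rule's targets, produces no verdict at all, which is the behaviour to check for when validating a new rule's scope.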


Auditing Admin and Privileged User Activities (Watch the Watcher)

The Audit dashboard records a chronological log of all activities performed by administrators and privileged users within the Teramind Dashboard itself.

This special dashboard allows you to:

  • Track Configuration Changes: Logs when system settings, monitoring policies, and access control rules are modified.

  • Monitor System Access: Records administrator logins, logouts, and actions (e.g., viewing sensitive reports).

  • Ensure Accountability: Establishes an immutable audit trail ("Who did What, When") for all platform management activities.

  • Support Compliance: Provides necessary documentation for security and regulatory requirements (e.g., HIPAA, GDPR).

In short, it monitors the activity of the people using the monitoring system to maintain integrity and compliance.


Immediate Incident Response with Remote Control

The Session Player provides authorized administrators with remote access control to fully manage a developing security incident:

  • Remote Intervention: Admins can take full remote control of a user’s desktop to investigate an issue.

  • Containment: They can immediately lock the user out of the system or disable their keyboard and mouse input to stop malicious or accidental activity in progress.


Limiting Access to User Data

Teramind has several options that allow you to control the export and internal viewing of sensitive recorded data to prevent unauthorized disclosure.

Under Configurations > Settings > Security:

  • The Specify a domain to allow Teramind data export option allows you to restrict all data exports to a certain domain only.

  • The Only authorized users can download files option allows you to limit access to scheduled reports to validated Teramind users only. For example, if a Teramind user accidentally or intentionally forwards a Teramind-generated report link to a non-Teramind user, the recipient will be unable to access or download the data because their identity cannot be verified against the system's list of authorized accounts. This critical control protects the privacy and security of monitored data outside the core application.

  • The Allow department managers to see and execute report option allows you to show/hide the export option on the Dashboard Actions Menu. Disabling it effectively prevents department managers from exporting any reports.

Under Configurations > Settings > Alerts:

  • By default, only admins get the daily digest/snapshot report via email. The Send daily snapshot emails to department managers option lets you enable the emails for department managers too. The email looks exactly the same as the one received by the admins except that the data is shown only for the users the department manager is assigned to. You can also configure what specific sections of the email will be visible to the department managers.


Infrastructure & Physical Access Control Alignment

The Zero Trust approach mandates that the principle of "never trust, always verify" must extend to the underlying infrastructure, treating the hosting environment itself as a critical Protect Surface. By securing the physical and virtual assets hosting the data, Teramind ensures that logical access controls are not undermined by a security failure at the base layer. Teramind's operational and infrastructure security policies are rigorously aligned with global standards to maintain this continuous verification across all deployment models.

Cloud Deployments

Teramind's Cloud deployment is hosted on Tier-3 data centers designed to meet the strictest access control requirements of mission-critical industries. The adherence to Zero Trust principles begins with the environment hosting the data:

  • Physical Access Control: Beyond logical security, Teramind relies on the data centers' physical protection measures, including video surveillance, biometric access controls, sensor-equipped fences, and 24/7 onsite Network Operations Center (NOC) staff. These controls ensure that unauthorized physical access is prevented, serving as a non-trusting perimeter for the server assets themselves.

  • Compliance Verification: Teramind's own security posture is validated through an ISO 27001:2022-certified Information Security Management System (ISMS) and a SOC 2 Type 2 attestation. These compliance mandates rigorously audit both the physical security and the server-level access controls.

Teramind implements rigorous server-level and operational access controls that align with key ISMS and compliance mandates. Each policy area below is listed with its compliance standard and reference, followed by a description:

Administrative Entitlements & Provisioning (ISO 27001:2022 A.8.3 & A.8.2; SOC 2 CC6)

Strict access control for all administrators and privileged users is maintained. Access rights and compliance monitoring are consistently screened and audited, confirming adherence to security protocols.

Privileged User Access to Client Data (ISO 27001:2022 A.8.2 & A.8.3; SOC 2 CC6)

Privileged user credential use is controlled through internal IT Security Policies. Access is enforced via mandatory two-factor authentication (2FA) and is governed by strict, least-privilege principles.

Third-Party Risk Management (TPRM) (ISO 27001:2022 A.5.21; SOC 2 CC9)

The data center host is bound by confidentiality and privacy agreements under a CSP model. All client data is protected by strong encryption both in transit and at rest.

IT Asset Management & Access Removal (ISO 27001:2022 A.5.9 & A.8.2.3; SOC 2 CC6)

Ensures proper control over IT assets and includes an immediate, formalized process for the removal or adjustment of access rights upon employee termination or transfer.

Applications Access Control (ISO 27001:2022 A.8.3; SOC 2 CC6)

Access to information and systems is granted only to authenticated users. PKI keys for authentication are issued and managed according to the Teramind Cryptographic Key Management policy.

Password Security & Credentials (ISO 27001:2022 A.8.5; SOC 2 CC6)

Password strength, storage, escrow, reuse, and expiry are strictly controlled. All customer account credentials in persistent storage are protected by strong AES 256-bit encryption.

Employee Remote Access (ISO 27001:2022 A.8.2 & A.8.3; SOC 2 CC6)

Remote access to Teramind internal network resources is granted only over an individually authenticated and encrypted VPN connection.

Server Roles & Segregation (ISO 27001:2022 A.8.3 & A.5.14; SOC 2 CC6)

Server roles are strictly defined, and networks are securely segmented as required by ISO 27001 and PCI DSS.

Access Control Policy Testing (SOC 2 Type 2 Audits; SOC 2 CC4)

Access control policies are formally tested and audited quarterly and annually as part of ongoing compliance maintenance.

On-Premises / Private Cloud Deployments

For On-Premises or Private Cloud deployments (e.g., AWS, Azure, GCP), customers are responsible for implementing their own network and server-level access control and security policies.

These platforms offer robust native tools that you can leverage to implement Zero Trust practices:

  • VMware supports Role-Based Access Control (RBAC) for ESX/ESXi and vCenter Servers.

  • AWS uses Identity and Access Management (IAM) profiles.

  • Azure uses Management, Subscription, and Resource groups to manage access.

You should consult your specific virtualization or cloud environment's documentation to set up appropriate access control policies.
