Compliance Reports

Compliance Reports provide on-demand visibility of the access permissions associated with your enterprise records.

Compliance Reports

As Identity and Access Management (IAM) cybersecurity regulations increase, it is important for companies and public institutions to employ a broad set of policies and tools to ensure compliance. Access control to credentials and sensitive information is foundational to achieving this compliance. Some regulations that companies may be required to adhere to include: SOX, GDPR, PCI, HIPAA, HiTRUST, GLBA, FERPA, and New York SHIELD ACT. Each industry has a specific set of data security rules to follow, and compliance with these regulations can be complex and time-consuming.

In addition to the access controls and ARAM reports that Keeper Security already provides for compliance, Keeper offers an add-on reporting feature called Compliance Reports.

Compliance Reports

Compliance Reports provide on-demand visibility to access permissions on records and credentials in your enterprise. These reports simplify the compliance auditing process for Sarbanes Oxley (SOX) and other regulations requiring periodic access control auditing. These Keeper Administrator-defined Compliance Reports run on-demand and can be forwarded to automated compliance systems or sent directly to external auditors. Since the reports contain some non-credential encrypted record data, an administrator must have permission to run and view these reports. The encrypted record data is included in the report and can also be used as report filters.

The encrypted record data ONLY includes:

  • Record Title

  • Record Type

  • URL

Zero-knowledge remains preserved because the encrypted data is decrypted on the Keeper Administrator Console using the Enterprise Private Key, restricted to administrators that have Compliance Reporting permission.

Compliance Reports Use Cases

  • Privileged user reports for SOX auditing: Select privileged users and run a report showing all owned and shared records for these privileged users.

  • Corporate credit cards report for PCI compliance: Select all users ( if 5000 or less) then select one or more record types (i.e. payment card, database, login) and generate a report showing all user access and permissions for the selected record types.

  • Decommissioning user report: Before decommissioning users and transferring their Keeper accounts, run a report showing all the users’ owned records.

  • Report of access permissions on records containing specific URLs (i.e. financial services): Select all users (if 5000 or less) and select 1 or more URLs then run a report showing all records and access permissions for records containing the selected URLs.

Activating Compliance Reports

Visit the Subscriptions screen and click on Free Trial to activate your trial of the Compliance Reports Add On.

Once the Keeper Compliance Reports feature is activated through a trial or purchase, there will be a new administrator role permission in your Admin Permissions popup menu called “Run Compliance Reports”. Select this permission for administrator roles that will be authorized to create, view, and edit compliance reports.

If “Cascade Node Permissions” is selected, the administrator will also be able to run, view or edit reports for the sub-nodes.

No other administrator permission is required to run, view or manage Compliance Reports. The auditor does not need “Manage Users” or “Manage Nodes” permissions to run Compliance Reports.

When an administrator with permission to “Run Compliance Reports” logs in to the console, they will have access to the “Compliance Reports” left-side menu item.

When “Compliance Reports” is selected, the list of saved compliance reports will be shown. The administrator will only see those reports associated with nodes where the administrator has “run compliance reports” permission.

Creating New Compliance Reports

After selecting “New Compliance Report” from the Compliance Reports screen, you will be prompted to enter the report criteria.

User Criteria

Initially, “User Criteria” is selected. User criteria include:

  • Node

  • User names/email addresses

  • Job Titles

  • Records

The “Node” selected will determine the report association and also the users available for the report. “Job Titles” are available if manually entered in user data or imported via a CSV file. In a future release, “Job Titles” will be available via import from an IdP using SCIM provisioning. “Records” may include all owned records or only those records which are owned and also shared.

Selecting a “Node” will determine the users to be included in the report data filtering. If the root node is selected and the Administrator has “Cascading Node” permission in addition to “Compliance Reports” permission, all users in the enterprise will be selected as an initial user filter.

The user count will be displayed on the right side of the screen. As other user criteria filters are selected, the matching user count will reflect the added filters.

Data Filters

After selecting all user criteria or some subset of users through the filters, select “Get User Data” and the screen will show how many total records are available for those selected users.

Keeper limits the number of users to 5000 for performance reasons. A Compliance Report is limited to 1000 records. Report records can be selected by filtering the data by a single filter or a combination of filters. To get more than 1000 records, run multiple reports with similar filters, as an example: One report per node, instead of one report for all nodes.

Available Filter Types:

  • Record Titles

  • Record UIDs

  • Job Titles

  • Record Types

  • Website URLs

Each set of filters added will potentially add additional records to the report. If a record matches the search criteria for multiple rows of filters, the total record count and report will reflect unique records and not duplicate records.

Once the filters have been defined, the user can select “View Data” to preview the report which reflects the current users and permissions for each of the selected records.

Viewing Report Data

The report data is displayed in layers, first showing the list of record owners and the number of records for each owner.

For each record owner, there is a “User Report” page that shows user details which includes the user’s owned records and the number of users sharing each of these records.

The record access permissions for each user can be viewed by selecting the ">" at the end of a record row.

If a user has access to the record from multiple sources, there will be a popup to view the “Effective Permissions” and all the permission sources for access to that record.

Individual User Reports can be exported in PDF, JSON, or CSV format. The administrator may want to review one or more User Reports before generating the final snapshot report containing all of the users selected.

Generate Report

After reviewing the report data and filters, the administrator can save the settings as a report template by selecting “Create Report”.

The system will generate and save a snapshot report containing the following:

  • Header with the report name

  • Date and time

  • Report criteria used to generate the report.

This header information is followed by the user records pages which contain the records and associated user access information. Creating a report will result in the system fetching the latest record data, which will reflect any permission changes that may have occurred while the report data was being viewed.

Saved reports can be viewed and rerun from the “Compliance Reports” tab. When re-running a report, the report criteria can be edited, and the new report criteria will be saved with the new report snapshot.

Creating and Saving Report Criteria Separately

An administrator with Compliance Reporting permission may want to create and save report criteria without running a report. This is useful for reports that are going to be run at a later date or run periodically (i.e. quarterly SOX report).

Select “Criteria Filters” to see the report criteria that have been saved. To create new report criteria, select “New Compliance Report”, name the criteria and then save it by selecting “Save Filters”.

Any administrator with “Run Compliance Reports” permission can create, edit, delete or run any compliance report or report criteria associated with a node where they have “Run Compliance Reports” permission.

Commander Interface

Keeper Commander CLI/SDK provides a few extra capabilities that are not available in the user interface of the Admin Console, for advanced searching and parsing of compliance reporting data.

For more information about the Keeper Commander tool visit this page:

https://docs.keeper.io/secrets-manager/commander-cli/overview

Installation

Ensure that you're using the latest version of Commander, either through binary installation or using pip3.

sudo pip3 install --upgrade keepercommander

Example Commands

For a full description of the compliance-report command capabilities, type:

compliance-report -h

Searching on a specific user:

compliance-report --username user@company.com

Searching for a partial URL match, e.g. amazon.com

compliance-report --shared --url amazon

Full command details are available at the documentation page.

Security

Keeper Compliance Reports adheres to Keeper's Zero-Knowledge encryption model. From an encryption standpoint, here's how it works. When the Enterprise end-user logs into their vault, the Type, Title and URL fields are encrypted with the Elliptic Curve Enterprise Public Key. This data, we call the "Audit Data", is encrypted locally on the user's device and stored in the Keeper cloud. The Audit Data is continuously updated by the end-user devices over time.

The Keeper Administrator logs into the Admin Console using either a Master Password or Single Sign On. After a successful login, the Admin decrypts what we call the AES 256 Enterprise Tree Key and then decrypts the Elliptic Curve Enterprise Private Key. If the Administrator has permissions to run Compliance Reports, they can run a report over any user within the node that they have been granted permissions.

The encrypted audit data is delivered to the Admin Console and the Admin is able to decrypt audit data locally on their device using the Elliptic Curve Enterprise Private Key. The report contents are then displayed locally on the user interface and available for export into CSV, JSON or PDF format. Only the designated Keeper administrator can retrieve and decrypt the compliance report data for the nodes that they have been granted admin rights over.

Last updated