MSP Best Practices

Keeper MSP Best Practices and General Recommendations

Overview

This document provides best practice information regarding the setup and configuration of your Keeper MSP tenant.

Administrative access

MSP

It is very important to maintain at least two users within the root node with full administrative access to the Keeper Administration Console. If an admin gets locked out of the admin interface due to a forgotten password, an SSO service failure, enforcement policy settings, etc., the second account will be needed to assist in recovery. Because of the zero-knowledge encryption model, Keeper's support staff have no way of correcting a situation in which all MSP root administrators are unable to log in.

Client (Managed Company)

Certain configurations require an administrative account within the MC tenant. For example, SSO Connect Cloud and Keeper Bridge services require an account with administrative permission within a Managed Company. The account is needed to bind the provisioning method to the MC instance.

Roles

Naming

It's a good practice to only create as many roles as necessary and to name them for their functionality. For example, you have a team of traveling sales people who require offline access. It’s far better to name the role “Enable offline access” than “Traveling sales people”. This way, when you have an access issue six months down the road, you can easily tell what each role does as opposed to who it’s for.

Stacking Roles

Stacking multiple roles against the same user and/or team is a common practice. Keep in mind that when roles stack, the outcome is always the least permissive / most restrictive combination of all the rules involved.
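An added illustration (not Keeper's own code) of the "most restrictive wins" rule for stacked roles. The setting names and the per-setting merge semantics (maximum for minimum-length values, minimum for timeouts, OR for requirements, AND for capabilities) are assumptions chosen for the example, not Keeper's actual enforcement schema.

```python
# Hypothetical enforcement settings grouped by how "stricter" is defined.
NUMERIC_MIN = {"master_password_min_length"}     # stricter = higher, keep max
NUMERIC_MAX = {"logout_timer_minutes"}           # stricter = lower, keep min
REQUIREMENTS = {"require_2fa"}                   # stricter = required, OR
CAPABILITIES = {"can_export", "offline_access"}  # stricter = denied, AND


def merge_roles(roles):
    """Combine the enforcement dicts of every role applied to a user so that
    the strictest value of each setting wins. A role that does not mention a
    setting neither grants nor restricts it (assumption)."""
    merged = {}
    for role in roles:
        for key, value in role.items():
            if key not in merged:
                merged[key] = value
            elif key in NUMERIC_MIN:
                merged[key] = max(merged[key], value)
            elif key in NUMERIC_MAX:
                merged[key] = min(merged[key], value)
            elif key in REQUIREMENTS:
                merged[key] = merged[key] or value
            elif key in CAPABILITIES:
                merged[key] = merged[key] and value
            else:
                raise KeyError(f"unknown enforcement setting: {key}")
    return merged


# Constructed sample roles named for their function, as the page recommends.
DEFAULT_ROLE = {"master_password_min_length": 12, "require_2fa": True,
                "can_export": False, "logout_timer_minutes": 60}
ENABLE_OFFLINE_ACCESS = {"offline_access": True, "logout_timer_minutes": 30}
HELPDESK = {"can_export": True, "master_password_min_length": 8}


def effective_policy():
    """Effective policy for a user holding all three sample roles."""
    return merge_roles([DEFAULT_ROLE, ENABLE_OFFLINE_ACCESS, HELPDESK])
```

Even though HELPDESK allows export and a shorter master password, the stacked result keeps export disabled and the 12-character minimum because the default role is stricter.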

Default Role

It's a good practice to create a default role to host newly provisioned users. This is especially helpful when using a Just-In-Time advanced provisioning method, because you know exactly which enforcement settings will be applied when new users are provisioned. Common default settings include master password complexity and 2FA requirements. This way you are ensured that all user vaults are secured at first login.

Role Templating

As your managed company (MC) and user count increases, so does the overhead of managing access control. For this reason it's a good practice to develop a set of standardized roles to use across the entire client base. This way, no matter which MC you are administering, you are ensured access control is consistent across the enterprise.

Account Transfer

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason is that Account Transfer relies on sharing encryption keys between users that have rights to perform the transfer. To preserve Keeper's zero-knowledge model, that key exchange happens when the user logs into their vault, not on the server. Therefore, Account Transfer must be configured before the user's account needs to be transferred.

A successful transfer requires that the user has logged in at least once prior to the transfer action. When a user leaves the organization, an administrator with the proper Administrative Permissions can transfer that user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within the user's vault while retaining a secure role-based hierarchy in the organization.

Learn More about the Account Transfer policy.

Team Sharing & Share Folders

Prior to Vault version 16.8, MSP users could only share records and folders to individuals within the Managed Companies. Vault version 16.8 and newer provides MSPs with the ability to share folders directly from the MSP vault to entire Teams within the managed company.

From the MSP vault, it is recommended to create a Private Folder at the root level, for example "Clients". Within the private folder, add a Shared Folder for every managed company that you wish to share with. Within each Shared Folder, create subfolders that break down and categorize the information.

An example of this structure in the MSP Vault can be seen below:

(Figure: Recommended MSP Vault Structure)

From the Shared Folder "Edit" screen, click on the "Users" tab to share the folder with MSP users or directly with the Managed Company (if desired). In the "Email or team name" field, you can select a team from your MSP tenant, or from the managed company tenant.

(Figure: Sharing to Managed Company Teams)

Enforcement Policies

Below is a list of recommended Enforcement Policies. The following is applicable to your MSP technicians and managed company end-users.

Location: Two-Factor Authentication
Policy Name: Require the use of Two-Factor Authentication
Recommended Setting: Enable (Toggle On)
Notes: -

Location: Vault Features (bottom of page)
Policy Name: Under "Retention of Deleted Records": "Day(s) before records can be cleared permanently" and "Day(s) before deleted records automatically purge"
Recommended Setting: Enable both settings
Notes: Set retention to 365 days (recommended)

Location: Import and Export
Policy Name: Can export from vault
Recommended Setting: Disable (Unchecked)
Notes: Prevents users from taking passwords when they leave

Location: Transfer Account
Policy Name: Enable Account Transfer
Recommended Setting: Enable (Toggle On)
Notes: Very important; recommended for every user regardless of role

For more details regarding role-based enforcement policies, see this page.

Advanced Reporting and Alerts (ARAM)

Below is a list of recommended Reports and Alerts to build within the MSP Admin Console.

Name: Managed Company Changes (Report)
Event Types to Select: Under "Event Types" → "MSP": select all events

Name: Admin Activity (Report)
Event Types to Select:
Under "Event Types" → "Security": Disabled Two-Factor Auth; Created User; Invited User; Transferred Vault; Added User to Role
Under "Event Types" → "Policy Change": Created Node; Deleted Node; Created Team; Deleted Team; Created Report; Deleted Report; Created Alert; Deleted Alert
Under "Event Types" → "General Usage": Emptied Trash Bin; Imported Records; Exported Records
Under "Event Types" → "MSP": Increased Number of Seats; Decreased Number of Seats; Changed MC Plan; Paused Managed Company; Removed Managed Company; Deleted Managed Company
Under "Users": select all admins

Name: BreachWatch (Alert)
Event Types to Select:
Under "Event Types" → "BreachWatch": BreachWatch detected high-risk record password; User ignored detected high-risk record password
Under "Attributes" → Email Addresses: Select all
Alert Frequency: Every occurrence (recommended)

Name: Brute Force Attack Watch (Alert)
Event Types to Select:
Under "Event Types" → "Security": Failed Console Login
Under "Event Types" → "Login": Failed Login
Under "Attributes" → Email Addresses: Select all
Alert Frequency: Every 5 occurrences

Name: Paused Companies (Alert)
Event Types to Select:
Under "Event Types" → "MSP": Paused Managed Company
Under "Attributes" → Email Addresses: Select all
Alert Frequency: Every occurrence (recommended)

For more information about Keeper event reporting and alerts, see this page.
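To show what the three recommended alerts above actually do when events arrive, here is an added example (not Keeper's ARAM code) that replays constructed sample events through the same rules: the event type names and frequencies come from the table, while the event tuple shape, the email addresses and the assumption that occurrences are counted per rule across all selected users are constructed for the example.

```python
from collections import Counter

# Constructed sample events in the shape (email, event_type); not real Keeper data.
SAMPLE_EVENTS = [
    ("tech1@msp.example", "Failed Console Login"),
    ("user@client.example", "Failed Login"),
    ("user@client.example", "BreachWatch detected high-risk record password"),
    ("tech1@msp.example", "Failed Console Login"),
    ("tech1@msp.example", "Failed Console Login"),
    ("tech1@msp.example", "Failed Console Login"),   # 5th failure -> brute-force alert
    ("admin@msp.example", "Paused Managed Company"),
    ("user@client.example", "User ignored detected high-risk record password"),
    ("tech1@msp.example", "Failed Console Login"),   # 6th failure, no alert until the 10th
]

# The recommended alert rules from the table above, as data.
ALERT_RULES = [
    {"name": "BreachWatch",
     "event_types": {"BreachWatch detected high-risk record password",
                     "User ignored detected high-risk record password"},
     "every_n": 1},
    {"name": "Brute Force Attack Watch",
     "event_types": {"Failed Console Login", "Failed Login"},
     "every_n": 5},
    {"name": "Paused Companies",
     "event_types": {"Paused Managed Company"},
     "every_n": 1},
]


def evaluate_alerts(events, rules=ALERT_RULES):
    """Return one (alert_name, email, event_type) tuple per alert firing.
    Occurrences are counted per rule across all selected users (assumption
    about how the Alert Frequency setting is scoped)."""
    counts = Counter()
    fired = []
    for email, event_type in events:
        for rule in rules:
            if event_type in rule["event_types"]:
                counts[rule["name"]] += 1
                if counts[rule["name"]] % rule["every_n"] == 0:
                    fired.append((rule["name"], email, event_type))
    return fired


if __name__ == "__main__":
    for alert in evaluate_alerts(SAMPLE_EVENTS):
        print(alert)
```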

These same reports and alerts can be set at the Managed Company level, if desired, as long as the MC is part of a plan that includes ARAM (Business Plus and Enterprise Plus licenses only).
