Security Q&A
This document addresses questions pertaining to common security concerns.
Partner data encompasses a wide variety of information. Each device enrolled in the platform is audited, and the data gathered is kept within the platform until it is deleted by an account administrator or the account is closed. Furthermore, Datto RMM stores user information such as names and, if supplied, addresses for the purposes of billing.
Datto RMM stores its data in the cloud using Amazon AWS EC2 data centers, with credentials encrypted using the AES/CBC/PKCS5Padding Cipher. As partner data is not kept on site, there is reduced risk of credential leakage via data exfiltration. Refer to Infrastructure and security for more information about database security.
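The transformation named above, AES/CBC/PKCS5Padding, is the Java Cipher string for AES in CBC mode with PKCS#5-style padding (for a 16-byte block this is the same padding as PKCS#7). As an added illustration of what that scheme involves when it protects a stored credential (example code written for this page, not Datto's code; the page does not say how Datto generates IVs or protects integrity, so the per-record random IV and the HMAC tag below are this example's own choices), the following Python assumes only the `cryptography` package:

```python
"""
Added example (not Datto's code): encrypting a credential with AES in CBC
mode and PKCS#5/PKCS#7 padding, the scheme the Java transformation
"AES/CBC/PKCS5Padding" names, plus an HMAC tag so that a modified
ciphertext is rejected. Assumes the `cryptography` package is installed.
"""
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK_BITS = 128   # AES block size; PKCS5Padding pads plaintext up to this
KEY_BYTES = 32     # AES-256


def encrypt_credential(enc_key: bytes, mac_key: bytes, secret: bytes) -> bytes:
    """Return iv || ciphertext || tag.

    A fresh random IV is drawn for every call, so encrypting the same secret
    twice yields different ciphertext (no equal-record leakage in storage).
    The tag is HMAC-SHA256 over iv||ciphertext (encrypt-then-MAC), because
    CBC on its own provides confidentiality but no integrity.
    """
    if len(enc_key) != KEY_BYTES:
        raise ValueError("enc_key must be 32 bytes for AES-256")
    iv = os.urandom(BLOCK_BITS // 8)
    padder = padding.PKCS7(BLOCK_BITS).padder()   # identical bytes to PKCS5 for AES
    padded = padder.update(secret) + padder.finalize()
    encryptor = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def decrypt_credential(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt and strip the padding.

    Checking the MAC before running the cipher means a corrupted or forged
    blob is refused with one uniform error, and padding validity is never
    exposed as a separate signal.
    """
    if len(blob) < 16 + 16 + 32:
        raise ValueError("credential blob too short")
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential blob failed integrity check")
    decryptor = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(BLOCK_BITS).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def tamper_is_detected(enc_key: bytes, mac_key: bytes, blob: bytes) -> bool:
    """Flip one bit of the first ciphertext block and confirm decryption refuses it."""
    corrupted = bytearray(blob)
    corrupted[16] ^= 0x01
    try:
        decrypt_credential(enc_key, mac_key, bytes(corrupted))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed demo keys; a real deployment keeps these in a KMS/HSM.
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    blob = encrypt_credential(k_enc, k_mac, b"svc-account:hunter2")
    print(len(blob), decrypt_credential(k_enc, k_mac, blob))
    print("tamper detected:", tamper_is_detected(k_enc, k_mac, blob))
```

A 19-byte secret pads to 32 bytes, so the stored blob is 16 (IV) + 32 (ciphertext) + 32 (tag) = 80 bytes; the MAC-before-decrypt ordering is the part worth copying, since an unauthenticated CBC blob can be altered without the cipher noticing.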
No. Datto RMM currently operates the following platforms separated by geographical region:
- EU-WEST-1 (“Pinotage”, “Merlot”) – Ireland
- US-WEST-2 (“Zinfandel”) – Oregon, USA
- US-EAST-1 (“Concord”, "Vidal") – Virginia, USA
- AP-SOUTHEAST-1, 2 (“Syrah”) – Sydney, Australia
The setup process of a Datto RMM account includes specifying which platform to use (it is preferable to use the platform geographically closest to your location), with each platform operating independently with its own data and update release schedule. Data stored on one platform is not accessible from another; as such, there is no risk of data migration between geographical regions.
In addition, for partners located in the UK, EU, and EEA, the European data centers are in Ireland and as such are not affected by Brexit. Datto currently has no plans to migrate data centers for partners located within the UK or EU, and so the product continues to function as normal.
All data transferred between Datto RMM, the users (those logging into the product), and the endpoints (the devices the product administers) is encrypted. The data centers are firewalled. The product is regularly penetration-tested by professionals outside the company, and, in the event of a finding, a fix is prepared and generally released outside of the scheduled release windows. Refer to Infrastructure and security for more on transmission security.
Datto RMM ComStore components are carefully managed and tested by the Datto RMM team, with only a select and audited group of staff given access to manage ComStore components.
Components are not automatically updated in our partners' estates; we allow partners to view and approve updates to ComStore components individually, and the contents can be inspected by copying the component. With regard to our partners' own components, the best defense against tampering is to enforce strict access controls.
Component scripts are downloaded to C:\ProgramData\CentraStage\Packages on Windows, /usr/local/share/CentraStage/Packages on macOS, and /usr/share/CentraStage/Packages on Linux. After use, these scripts remain in this directory. We recommend using Input variables to obscure sensitive data. You may also consider using a component to clear these directories out periodically.
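As an added example of the periodic clean-out suggested above (written for this page, not a Datto ComStore component), the following Python removes files older than a retention window from the Packages directory for the platform it runs on, using the three paths quoted above. It assumes Python is available on the endpoint, that the component runs with the Agent's privileges, and that a one-day retention window (`MAX_AGE_DAYS`) fits your scheduling; it skips symlinks and anything that resolves outside the Packages directory so that the deletion cannot be steered elsewhere, and tolerates files that are still in use by a running component.

```python
"""
Added example (not a Datto ComStore component): clear leftover component
scripts from the Packages directory on a schedule. Assumes Python on the
endpoint and a retention window of MAX_AGE_DAYS (both assumptions).
"""
import os
import sys
import tempfile
import time
from pathlib import Path

# Directories quoted on the page for each platform.
PACKAGES_DIRS = {
    "win32": Path(r"C:\ProgramData\CentraStage\Packages"),
    "darwin": Path("/usr/local/share/CentraStage/Packages"),
    "linux": Path("/usr/share/CentraStage/Packages"),
}

MAX_AGE_DAYS = 1   # assumed retention; tune to how often the component runs


def packages_dir_for(platform: str = sys.platform) -> Path:
    """Pick the Packages path for this OS; refuse to guess on anything else."""
    for prefix, path in PACKAGES_DIRS.items():
        if platform.startswith(prefix):
            return path
    raise RuntimeError(f"no known Packages directory for platform {platform!r}")


def stale_files(root: Path, max_age_days: float, now: float = None) -> list:
    """Regular files under root whose mtime is older than max_age_days.

    Symlinks are skipped and every candidate must resolve inside root, so a
    planted link cannot redirect the deletion outside the Packages tree.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    root = root.resolve()
    found = []
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        if root not in p.resolve().parents:
            continue
        if p.stat().st_mtime < cutoff:
            found.append(p)
    return found


def purge(root: Path, max_age_days: float = MAX_AGE_DAYS, dry_run: bool = False) -> int:
    """Delete stale files and prune emptied subdirectories; return the count removed."""
    removed = 0
    for p in stale_files(root, max_age_days):
        if not dry_run:
            try:
                p.unlink()
            except OSError as exc:   # e.g. script still open by a running job
                print(f"skip {p}: {exc}")
                continue
        removed += 1
    if not dry_run:
        # Deepest directories sort last, so reverse order removes children first.
        for d in sorted((d for d in root.rglob("*") if d.is_dir()), reverse=True):
            try:
                d.rmdir()            # only succeeds when the directory is empty
            except OSError:
                pass
    return removed


def demo() -> tuple:
    """Constructed fixture: one stale and one fresh script in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "job-1").mkdir()
        stale = root / "job-1" / "old.ps1"
        fresh = root / "fresh.ps1"
        stale.write_text("# old component script")
        fresh.write_text("# just downloaded")
        old_time = time.time() - 3 * 86400
        os.utime(stale, (old_time, old_time))     # backdate to three days ago
        removed = purge(root, max_age_days=MAX_AGE_DAYS)
        remaining = sum(1 for p in root.rglob("*") if p.is_file())
        return removed, remaining


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print("demo (removed, remaining):", demo())
    else:
        target = packages_dir_for()
        print(f"removed {purge(target, dry_run='--dry-run' in sys.argv)} file(s) from {target}")
```

Run it with `--dry-run` first to see what would go; the age threshold rather than an unconditional wipe is what keeps it from deleting a script the Agent has just downloaded for a job that has not started yet.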
- Periodically rotate credentials.
- Store API credentials in a secure location.
- Review all your API integrations and remove any that aren’t providing business value.
- Ensure all accounts for all integrations have 2FA enabled.
It is also worth noting that the Datto RMM API has been designed not to permit access to actions like device deletion or component management.
Datto RMM Users: Not all Datto RMM users require full administrative rights; it is recommended to provision staff with as limited a permission set as possible in order to prevent abuse. Refer to Users for more information.
Datto RMM Agent: The Datto RMM Agent runs as NT AUTHORITY\SYSTEM (or root on *nix); this is a requirement and cannot be changed.
Different levels of security are granted to different departments of the company.
| | Database Access | Device Access | User Creation, Login Changes |
|---|---|---|---|
| Operational Staff | | | |
| Metrics Service | (Read-only, anonymized) | | |
| Datto RMM Support Staff | (via Support Access) | | |
| Provisioning Staff | | | |
| Other Datto Staff | | | |
Datto-managed computing assets issued to employees leverage many layers of security, including but not limited to host firewalls, disk encryption, always-on VPN, antivirus, endpoint detection and response, and managed patching.
To ensure reliable and secure working of the Datto RMM platform, automatic Agent updates cannot be disabled. During a period where this was possible, we found that it caused more issues than it solved. Security updates are regularly pushed to the Agent to keep it strong against cyber-attacks. Keeping the Agent at its latest version is the only safe way to run the software.
Currently, the Datto RMM Agent cannot communicate with the platform across networks that perform deep packet inspection (DPI). There are no plans at present to change this.
All attacks that have been verified as occurring on protected devices have been successfully identified by Ransomware Detection. The number of false positives has been low; however, it remains an elevated priority to bring this number down further.
As part of Datto’s crisis management plans, a third-party agency will be used to handle announcements. Communications will come through normal channels such as email, websites, Datto Partner Portal announcements, and, if necessary, a 24/7 call center.
Datto RMM top-level administrators have access to “kill switches” that can immediately shut down either an individual Datto RMM platform (for example, Syrah/APAC or Concord/US East) or the entire Datto RMM service as necessary. These would bring down the management servers, leaving Agents with no service with which to communicate.
On a smaller scale, Datto is able to work with partners on measures such as logging out all users and killing all running jobs.
The Datto RMM Agent does not run on Datto SIRIS devices, and access to SIRIS devices is only ever accomplished through Datto Partner Portal. Different Datto departments are run by different engineering groups, often in different locations. Datto Continuity information pulled into Datto RMM is done on a read-only basis.
Competing RMM products often follow an on-premises methodology, where the software is installed on devices local to the deployment and is managed directly by staff. This places a significant workload on staff, not only to configure systems but also to maintain them, ensuring that systems are performing and running the latest versions of integration plug-ins, security certificates, and so on. There have been many alerts concerning competing solutions’ on-premises RMM products involving out-of-date plug-ins causing security breaches and expiring security certificates causing software malfunctions. It is therefore a very sensible question to ask whether Datto RMM is prone to the same issues.
Datto RMM is a pure-cloud solution; the only on-premises hardware are the devices being managed. The software is sold and distributed under the Software-as-a-Service (SaaS) platform, with all configuration and data held securely in Amazon AWS data centers. Security certificates are managed by Datto; similarly, there are no plug-ins or add-ons to worry about as everything is handled by the cloud servers running the Datto RMM product. In case of a security issue, the product can be patched instantaneously without requiring local staff to update their local instance. Agent updates are delivered to endpoints as soon as possible following QA approval to ensure that devices are always running the latest iterations of the software.
The security of an endpoint can be divided up into four central principles, all of which Datto RMM helps to maintain:
- Malware Protection: Datto RMM works with many antivirus solutions out of the box to provide at-a-glance views of malware protection status. In addition to communicating natively with a selection of antivirus suites (refer to Antivirus products), Datto RMM on a Windows device will, where native communication is not possible, attempt to gather the data from the operating system instead. The data points gathered are "is the product running" and "is the product up to date", which together give an accurate picture of device antivirus health.
- Windows Update Status: Datto RMM works with Windows to report issues with the Windows Update service immediately. Furthermore, Datto RMM's robust Patch Management core is fully compatible with Windows 10 and will report back any issues installing updates using the same interface. Data gathered via Datto RMM is easily parsed and understood. Datto RMM's component engine can also be used to push Windows 10 Quality Updates. Refer to Patch Management.
- Software Updates: Datto RMM's Software Management feature can be used to push a selection of programs to Windows and macOS endpoints as soon as updates are made available by the manufacturer. With Datto RMM, endpoints can be assured to always be running the latest software version. Refer to Software Management.
- Security Audit: Datto RMM offers a Security Audit component in the ComStore for Windows systems that can be run to provide an easily digested checklist showing security issues. Refer to Best practices for Security Audit.