Using the symmedia Hub Platform Documentation
Following this link, you will find the symmedia Hub Knowledge Base:
symmedia Hub Service Desk Knowledge Base
Use the search function to find what you are looking for:
Use the tree navigation to find help for each symmedia Hub function:
The documentation navigation mirrors the navigation within the symmedia Hub interface.
Read the symmedia Hub release blog for new functions, features and bug fixes.
Customer / End User Service Desk Portal Usage
Log In / Sign In of Customers
After the email address has been verified, the personal information is filled in. This step includes:
The registered customer will then appear in the Jira symmedia Hub Service Desk Project - Customers.
Service Desk Landing Page - FAQ
The landing page is connected to the Service Desk Knowledge Base. It displays the categories created for Knowledge Base articles. Clicking a category shows its explanation and the collection of articles related to the category topic. These categories can function as FAQs for customers.
Knowledge Base-Backed Search Mechanism
The search bar is displayed at the top of the symmedia Hub Service Desk. It allows registered customers to search for an article before requesting help by filing a service ticket. Knowledge Base articles can also be labeled, and the labels are matched against the search words. Clicking on an article displays it in the platform.
The customer will be asked to provide feedback at the end of the displayed article.
Service Request - Service Ticket
In case an article did not help solve an issue, the customer can file for a Service Request. The customer can find four request types on the landing page of the symmedia Hub Service Desk (shown in the picture below).
To request any type of service, report a bug, licensing questions or other questions, the customer selects the related wizard by clicking on it and is asked to fill in information for the service team in order to solve the request.
The customer receives an automated email confirmation that the service team has received his/her request.
Once a customer has filed for a service ticket, he or she can view their tickets under “Requests” in the top right hand corner. The customer can view the ticket status, comments by the customer or the service team. Once the ticket status changes, the customer will be notified via email. A ticket can also have the status “Waiting for customer” in case the customer, e.g., needs to approve a step in the service process. Ticket Status include:
(see also: https://symmedia.atlassian.net/wiki/spaces/OPS/pages/9425130990 )
The customer can also select several filter settings to gain a better overview or use the search option for a specific ticket. The workflow remains the same for each Service Request type. SLAs cannot be viewed in the symmedia Hub Service Desk.
When a ticket has been filed in the past, the Service Request type will appear at the bottom of the symmedia Hub Service Desk landing page under “Recently used forms”.
symmedia Hub Security
Reporting security vulnerabilities found in the symmedia Hub
Starting from , customers and security researchers alike will be able to submit security vulnerabilities, discovered in the symmedia Hub, by using symmedia's existing Service Desk Portal at: https://symmedia.atlassian.net/servicedesk/customer/portal/1
symmedia follows a responsible disclosure policy, in which we aim to fix verified vulnerabilities as quickly as possible. We ask you not to share your findings publicly before symmedia releases a patch for the vulnerability. We aim to get back to you to verify the vulnerability as early as possible after submitting the report, usually within a week.
How does it work?
- Visit: https://symmedia.atlassian.net/servicedesk/customer/portal/1
- Instead of "Support" or "Technical Support" requests, select "Reporting a vulnerability"
- Please provide as much information as possible about what needs to be done in order to replicate the vulnerability and where and how you encountered it initially (e.g., include screenshots, code snippets etc. that will help us to reproduce the behavior).
- Your submission will be forwarded to our security team. In case of questions or feedback it would be very helpful for our security team to be able to contact you, so please provide a means of communication (e.g., email address).
Security Considerations
Security Context
The Security Context describes assumptions made by symmedia about the operating environment
symmedia Hub Cloud Platform
We assume that the customers' identity provider is configured securely, receives regular updates and observes current best practices.
We assume that customers train and educate their staff to observe security principles such as ‘least privilege’ when configuring remote access.
The symmedia Hub cloud platform runs in a managed cloud environment, which offers a variety of security controls.
When using the mobile app with an existing tenant, we assume that the phone is not rooted and has not been compromised.
The users of the symmedia Hub cloud platform can be located anywhere and use different ways (browser, mobile, tablet etc.) to access the application.
We assume that IT/OT equipment running symmedia applications (e.g., the Tunnel Client) is protected through endpoint security and professional administrative staff.
This applies to all equipment irrespective of form factor (i.e., desktop computer, laptop, mobile phone, tablet and everything in between).
symmedia Hub cannot safeguard data if the customer uses already compromised devices to access the application.
Edge Device
The Edge Device is connected to the operator’s shopfloor network.
The shopfloor network is itself isolated from other networks (i.e., local enterprise networks, WANs such as the internet or other network based communication channels)
The Edge Device is physically protected against harm (physical damage and access)
Physical access to the Edge Device is restricted to people working on the operators' shopfloor.
Some Edge Devices offer an optional Wifi-Network Access Point.
The Edge Device is running the latest version of the operating system image.
It is the operator’s duty to keep the Edge Device’s operating system image up to date.
The Edge Device runs third party applications inside containers.
symmedia Hub Cloud Platform
General
The symmedia Hub Cloud Platform enables users to access the symmedia Hub application in their browser. Thus, the usual security considerations regarding secure operating systems and browsers should be observed, such as:
Secure IT equipment
Please bear in mind that there is little on the Cloud side that can protect against a compromised computer on the client side.
Please observe the usual IT hygiene tasks, such as:
Keep operating systems up to date
Limit privileges of user account (“Least Privilege Principle”)
Deploy EDR solutions
Educate users about information security
Keep the browser up to date to benefit from the latest security patches
Be careful about browser extensions and their security implications
Be mindful of the information you share on the platform
Only upload files from trusted sources
Check the URL in the browser address bar
symmedia Hub will only use TLS encrypted connections
If your browser shows the connection to be unencrypted → Stop! This might be a phishing attempt.
Managing Users
The symmedia Hub uses a Role-Based Access Control (RBAC) approach. Roles define what permissions a user has, while Scope defines the set of assets a user can exercise their permissions on. For a more detailed overview, please consult: https://symmedia.atlassian.net/wiki/spaces/SSH/pages/17320312870
When setting up users for your tenant, consider these security guidelines:
Apply the principle of least privilege
Only add roles and scopes for users which are required for them to do their work on the symmedia Hub
Observing this will limit the capabilities of an attacker in case a user account is compromised
Enforce Multi-Factor Authentication on your identity provider
symmedia Hub uses the customer’s identity provider to authenticate users, thus the security of your accounts depends in part on its security settings
Delete users from the symmedia Hub if they are no longer needed
Only users who need to use the symmedia Hub should have an account
Disabling users who no longer require access helps reduce the attack surface
e.g., in case company accounts become compromised
Do not share accounts with multiple users
Every person working with the symmedia Hub should use their own account
Sharing accounts / passwords makes it hard to attribute actions and undermines account security
Only invite AD managed accounts to the platform
Avoid using Microsoft accounts that are not managed by an AD and professional IT staff
Do not use temporary accounts using non-AD-managed accounts
Managing Remote Connections
“With great power comes great responsibility”
Remote Connections are a powerful tool to enable remote service on machines while they are on the shopfloor. At the same time, they potentially allow attackers to bypass other established security controls.
Please consider these best practices when managing remote connections:
Do not use “always on” remote connections
Remote Connections are meant to be used to help a service technician do support work only while the technician requires access to the machine
Configure the Edge Device’s firewall
Make sure that the edge device has sensible firewall rules in place to limit access to the machine and/or the shopfloor network
Observe general security considerations on the shopfloor such as:
Segment and segregate local networks, i.e., make sure that access from the machine or shopfloor network to other internal networks is forbidden or severely limited in accordance with your security guidelines
Physical access to the shopfloor should be limited to the required personnel to limit physical access to the machines and edge devices
Edge Device
General
Edge Devices are the endpoints for symmedia Hub remote connections on the customer’s shopfloor. They also allow you to install apps from third parties to enhance their capabilities. These apps are executed locally on the edge device and thus have access to everything the edge device has access to.
OS Security
Keep the Edge Device’s operating system up to date
Check for updates regularly and consult update documentation
Firewall Security
Configure the local firewall
If Wifi-Access is not required, make sure to deny all traffic from the Wifi network (BLUE interface)
Only open required ports into the shopfloor or machine network
Review allowed ports regularly and remove if no longer required
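One way to check an exported rule set against the three firewall guidelines above. This is an added example, not symmedia's code: the rule layout, every zone name except BLUE, the finding codes and the 180-day review interval are assumptions for illustration.

```python
from datetime import date

# Constructed rule export: the dict layout and every zone name except BLUE
# (the Wi-Fi interface named above) are assumptions, not the device's format.
SAMPLE_RULES = [
    {"id": 1, "src": "BLUE", "dst": "MACHINE", "action": "ACCEPT", "port": 443, "reviewed": date(2024, 1, 10)},
    {"id": 2, "src": "REMOTE", "dst": "MACHINE", "action": "ACCEPT", "port": 5900, "reviewed": date(2024, 5, 2)},
    {"id": 3, "src": "REMOTE", "dst": "MACHINE", "action": "ACCEPT", "port": None, "reviewed": date(2024, 4, 1)},
    {"id": 4, "src": "REMOTE", "dst": "SHOPFLOOR", "action": "ACCEPT", "port": 4840, "reviewed": date(2023, 2, 1)},
    {"id": 5, "src": "BLUE", "dst": "ANY", "action": "DROP", "port": None, "reviewed": date(2024, 5, 2)},
]
# Hypothetical zone names for the networks the guidelines protect.
PROTECTED_ZONES = {"MACHINE", "SHOPFLOOR", "ANY"}


def audit_rules(rules, required_ports, wifi_required, today, max_age_days=180):
    """Return (rule_id, finding_code) pairs for rules that break a guideline."""
    findings = []
    blue_deny_all = False
    for rule in rules:
        if rule["action"] != "ACCEPT":
            # A DROP/REJECT from BLUE to ANY without a port is the Wi-Fi deny-all.
            if rule["src"] == "BLUE" and rule["dst"] == "ANY" and rule["port"] is None:
                blue_deny_all = True
            continue
        # Guideline 1: no traffic from the Wi-Fi network unless Wi-Fi is needed.
        if rule["src"] == "BLUE" and not wifi_required:
            findings.append((rule["id"], "BLUE_ALLOWED"))
        # Guideline 2: only required ports into the shopfloor/machine network.
        if rule["dst"] in PROTECTED_ZONES:
            if rule["port"] is None:  # None means "all ports" in this layout
                findings.append((rule["id"], "ALL_PORTS_OPEN"))
            elif rule["port"] not in required_ports:
                findings.append((rule["id"], "PORT_NOT_REQUIRED"))
        # Guideline 3: allowed ports are reviewed regularly.
        if (today - rule["reviewed"]).days > max_age_days:
            findings.append((rule["id"], "REVIEW_OVERDUE"))
    if not wifi_required and not blue_deny_all:
        findings.append((None, "BLUE_NO_DENY_ALL"))
    return findings


if __name__ == "__main__":
    for rule_id, code in audit_rules(SAMPLE_RULES, {5900}, False, date(2024, 6, 1)):
        print(rule_id, code)
```
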
App Security
Only install required apps to the edge devices.
Be mindful of information collected by/entered into third party applications
If the apps require backend infrastructure, information might be sent to the third party’s backend for processing
The same is true for all information the app might gather as part of its execution
Remove unused applications
Keep installed applications up-to-date
Check the “Applications” view in the symmedia Hub Cloud Platform regularly