N-central Security Guide
Introduction
N-central, developed by N-able, is a robust Remote Monitoring and Management (RMM) platform designed to help managed service providers (MSPs) efficiently manage and secure their clients' IT environments. The platform supports both on-premises and hosted deployment options, providing flexibility to meet the unique needs of different organizations. Its architecture is built to handle diverse network infrastructures, ensuring seamless integration and scalability.
The platform supports a wide range of devices, including workstations, servers, mobile devices, and network equipment from various manufacturers like Cisco, Fortinet, and HP. This extensive device support ensures comprehensive network management and monitoring.
N-central includes detailed views of network paths and device statuses, enabling proactive monitoring and quick identification of potential issues. The platform's asset discovery feature helps MSPs keep track of all devices within a network, ensuring comprehensive coverage and management. Additionally, N-central integrates with various third-party tools and systems, enhancing its functionality and allowing for a more customized IT management experience.
The platform is designed with scalability in mind, allowing MSPs to manage multiple clients and large networks efficiently. N-central's modular design enables MSPs to add or remove features as needed, ensuring that the platform can grow and adapt to changing business requirements. This flexibility makes N-central an ideal choice for MSPs looking to streamline their operations and deliver consistent, high-quality service to their clients.
Purpose
The purpose of this document is to provide a comprehensive overview of the security architecture of N-able N-central. This document aims to inform Managed Service Providers (MSPs) about the security features, protocols, and best practices embedded within the N-able N-central solution. By understanding the security architecture, stakeholders can better appreciate how the solution safeguards client systems, ensures compliance with industry standards, and mitigates potential security risks.
Target Audience
This document is intended for MSPs who are responsible for the deployment, management, and support of remote monitoring and management solutions within their client organizations. The target audience includes:
- IT Managers and Directors: Individuals overseeing IT operations and strategy within MSPs, who need to understand the security capabilities and benefits of N-able N-central.
- System Administrators: Professionals within MSPs responsible for the day-to-day management and maintenance of client IT systems, who require detailed knowledge of the solution's security architecture to ensure system integrity and protection.
- Security and Compliance Analysts: Experts within MSPs focused on identifying and mitigating security threats, as well as ensuring that organizational practices meet regulatory requirements. They need to understand how N-able N-central addresses potential vulnerabilities, ensures robust system security, and supports compliance with data protection standards.
- Technical Support Engineers: Personnel within MSPs providing frontline support to customers, who need to be familiar with the solution's security features and troubleshooting procedures.
By addressing the needs and concerns of these key stakeholders, this document aims to facilitate informed decision-making and effective implementation of N-able N-central's security measures within diverse client IT environments.
Significance of Security in today’s digital era
Security is incredibly significant in today's digital era due to the increasing reliance on technology. A robust security framework safeguards personal information, protects against cyber threats, and protects critical infrastructure, thereby ensuring business continuity, preventing financial loss, and maintaining reputation.
N-able offers a comprehensive array of security features across all its products for MSPs. N-central, one of the compelling products of N-able, provides an extensive suite of security mechanisms for MSPs through its robust features and standards.
N-able Key Security Features
Securing Communication & Encryption
N-able ensures that customer data and communications remain private and secure.
- End-to-End Encryption
  - TLS 1.2/1.3 encryption secures all communication between N-central agents and servers.
  - Sensitive data stored in the N-central database is encrypted at rest using industry-standard algorithms.
- Secure Remote Access Controls
  - Remote sessions use AES-256 or AES-128 encryption to prevent eavesdropping and MITM (Man-in-the-Middle) attacks.
  - Role-Based Access Control (RBAC) ensures only authorized technicians can perform remote actions.
- Data Residency & Compliance
  - N-able allows organizations to choose regional data centers for compliance with GDPR and ISO 27001.
Security Profiles
Sometimes you have to work with older operating systems that use older security protocols. Security Profiles in N-able N-central enable you to select between modern security protocols, or legacy ones. The Modern security profile is enabled by default to block TLS 1.0 and 1.1. You can switch the network security profile to the Legacy Security Profile to use older TLS versions. To change Security Profiles, at the System level, click Administration > Mail and Network Settings > Network Security.
Because the Modern security profile is enabled by default, you need to ensure that Agents and Probes are at version 12.1 SP1 or higher. Version 12.1 SP1 and higher leverage TLS 1.2 properly and communicate with N-able N-central 12.2 and higher. This also applies to ReportManager; you need to upgrade it to version 5.0 SP5.
The differences between the profiles are:
Compatibility Security Profile
- The Compatibility security profile sits between the Legacy and Modern security profiles. It allows you to support older operating systems, such as Windows Server 2012 R2, but without allowing TLS 1.1 or 1.0.
- Does not support TLS 1.0 and 1.1.
- Disables weak SSH Ciphers, MACs and KEX Algorithms.
- Supports Modern Operating Systems (Windows 7/Server 2008 R2 and newer).
- Meets PCI requirements for TLS and ciphers.
- Supports only 2048-bit keys.
N-able strongly recommends that you choose between either the Compatibility or Modern security profile as we plan to deprecate the Legacy security profile in a future release of N-central.
Modern Security Profile
- Configures N-central's UI so that it does not support TLS 1.0, 1.1, SHA1 and all weak ciphers and non-PFS ciphers.
- Supports TLS 1.3 on all UI, API, and Agent ports. The Web UI ports have further been enhanced with TLS ciphers that offer improved performance on mobile devices.
- Disables weak SSH Ciphers, MACs and KEX Algorithms.
- Will work with Modern Operating Systems (Windows 10/Server 2016 and newer).
- Meets PCI requirements for TLS and ciphers.
- Supports only 2048-bit keys.
Legacy Security Profile
- Configures N-central's UI to support TLS 1.0 and 1.1.
- Not PCI/HIPAA/NIST compliant.
- Supports legacy operating systems (i.e. Windows Vista/Server 2008).
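After switching profiles, an administrator can confirm from a client machine that the server's listener actually behaves as the selected profile describes. The following is an added example, not N-able code: the function names, the default port 443 and the host name in the usage note are assumptions, and the expectations table is taken only from the profile descriptions above.

```python
import socket
import ssl
import warnings

VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
            "TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}
# Expectations from the profile descriptions on this page:
# True = must be accepted, False = must be refused.
EXPECTED = {
    "modern": {"TLS 1.0": False, "TLS 1.1": False, "TLS 1.3": True},
    "compatibility": {"TLS 1.0": False, "TLS 1.1": False},
    "legacy": {"TLS 1.0": True, "TLS 1.1": True},
}

def probe_tls(host, port=443, timeout=5.0):
    """Return {version: True (accepted) | False (refused) | None (untestable)}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.check_hostname = False       # only protocol negotiation is
                ctx.verify_mode = ssl.CERT_NONE  # tested, not the certificate
                if version < ssl.TLSVersion.TLSv1_2:
                    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer old TLS
                ctx.minimum_version = version
                ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None  # local OpenSSL build cannot offer this version
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, ConnectionResetError):
            results[name] = False  # handshake refused for this version
    return results

def profile_violations(results, profile):
    """List mismatches between probe results and the selected security profile."""
    problems = []
    for name, must_accept in EXPECTED[profile].items():
        got = results.get(name)
        if got is None:
            problems.append(f"{name}: could not be tested from this client")
        elif got != must_accept:
            problems.append(f"{name}: {'accepted' if got else 'refused'}, "
                            f"unexpected for the {profile} profile")
    return problems
```

Run it as `profile_violations(probe_tls("ncentral.example.com"), "modern")` against your own server; an empty list means the listener matches the profile, and a `None` result means the local OpenSSL build could not offer that version, so test it from another client.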
Access Control & Identity Security
Strong Identity and Access Management (IAM) Practices are essential to ensure that only authorized users can access N-central. These practices include enforcing Multi-Factor Authentication (MFA) for all technicians, significantly reducing the risk of compromised accounts. Administrators can mandate the use of MFA, which adds an extra layer of security by requiring a second form of verification in addition to passwords. N-central supports MFA through various authentication apps, such as Google Authenticator and Microsoft Authenticator, providing flexibility and enhanced security for user access.
Role-Based Access Control (RBAC) is a security framework that limits user permissions based on their job roles and responsibilities. By assigning permissions to roles rather than individual users, RBAC simplifies access management and ensures that users only have access to the data and tools necessary for their work. This approach follows the principle of least privilege (PoLP), which minimizes the risk of unauthorized actions by restricting access to the minimum level required for job functions. Implementing RBAC helps prevent accidental data breaches and insider threats, enhancing overall security.
Single Sign-On (SSO) & Secure Password Policies are integral to N-central's security framework. The system integrates seamlessly with Active Directory (AD) and SAML-based SSO providers, offering a unified login experience that reduces password fatigue and strengthens security. Administrators can enforce strong password policies, ensuring that passwords meet complexity requirements and are changed regularly. Additionally, automatic session timeouts help protect against unauthorized access by logging users out after a period of inactivity. N-able Login and Entra ID provide federated SSO capabilities, allowing users to authenticate once and gain access to multiple applications without needing to re-enter credentials. This setup enhances security while simplifying the user experience.
Network & Infrastructure Security
Firewall & Intrusion Detection Systems (IDS/IPS) are vital for securing N-central servers. Firewalls act as the first line of defence, blocking unauthorized access by filtering incoming and outgoing network traffic based on predefined security rules. They ensure that only legitimate traffic is allowed through, protecting the network from external threats. Intrusion Detection and Prevention Systems (IDS/IPS) complement firewalls by monitoring network traffic for anomalies and potential security breaches. IDS passively observes and alerts administrators to suspicious activities, while IPS actively blocks identified threats, preventing them from compromising the network. Together, these systems provide a robust security framework that safeguards N-central servers from a wide range of cyber threats.
Audit Logging & Incident Response are crucial for maintaining security and compliance. N-central keeps detailed audit logs of all user activities, login attempts, and configuration changes, providing a comprehensive record of system interactions. These logs help track actions, identify anomalies, and ensure accountability. Additionally, N-central allows administrators to set up notifications for monitored devices that are protected by our integrated antivirus and EDR products. This offers an additional layer of protection for those devices by leveraging the N-central notification and PSA features which can promptly alert the needed resources to respond to incidents.
Regular Security Updates & Advisory Notices are essential for maintaining system security and protecting against new threats. N-able releases regular security patches that address vulnerabilities and enhance the overall security of the system. These updates are crucial for preventing exploits and ensuring that the software remains resilient against emerging threats. Additionally, N-able publishes security advisories to inform users of potential risks and best practices. These advisories provide valuable information on how to mitigate risks and maintain a secure environment, helping users stay informed and proactive in their security efforts.
Disaster Recovery & Business Continuity (hosted only)
N-able ensures N-central remains resilient against cyberattacks, hardware failures, or natural disasters.
Automated Backups & Redundancy are essential for ensuring data integrity and availability in N-central. Data is backed up in multiple locations to prevent data loss, providing a robust safety net against potential failures. For cloud-based deployments, N-central utilizes geographically redundant servers, which means that data is replicated across different geographic regions. This setup ensures that in the event of a regional outage or disaster, the system can failover to another location, maintaining continuous uptime and access to critical data. These automated backups and redundancy measures are designed to protect against data corruption, deletion, and hardware failures, ensuring that your IT management operations remain resilient and reliable.
On-Prem MSPs can set up their own disaster recovery following the same principles by using N-central to create automated backups and sending them to an offsite FTP.
Secure Software Development Lifecycle (SDLC)
N-able follows a Secure Development Lifecycle (SDLC) to ensure security is built into N-central from the ground up.
- Code Reviews & Secure Coding Practices: Developers follow OWASP Secure Coding Guidelines to prevent SQL injection, cross-site scripting (XSS), and remote code execution (RCE) attacks. Peer code reviews and static code analysis are performed to detect vulnerabilities early.
- Penetration Testing & Security Audits: Independent security firms conduct penetration tests to simulate attacks and find weaknesses. Regular internal security audits ensure compliance with industry standards.
- Vulnerability Management & Patching: N-able uses continuous vulnerability scanning and bug bounty programs to identify risks. Frequent security patches and automated updates help fix known vulnerabilities quickly.
Compliance and Data Sovereignty
N-able implements policies, controls, and best practices to protect sensitive data and meet regulatory requirements. N-able complies with various security frameworks to prevent data breaches, mitigate risks, and sustain MSPs' trust. N-able uses secure cloud storage of backups in a private, worldwide network of data centers located in 17 countries across five continents to keep the backups local. Physical security and power continuity are maintained through partnerships with leading data center providers, featuring rigorous security measures and redundant systems. Data center certifications demonstrate adherence to the following:
- HIPAA: Strict privacy and security standards for Data Protection
- ISO27001: Best practices and comprehensive security controls
- ISO9001: Framework for Quality Management System (QMS)
- NIST 800-53: Comprehensive catalogue of security and privacy controls for information systems and organizations
- PCI-DSS: Robust security measures reducing the risk of data breaches and cyber attacks
- SOC 1 Type II and SOC 2 Type II: Stringent information security controls across its services
- Mandatory 2FA: Powerful security measure with an additional verification step
Summary
In conclusion, security is an ongoing process, a multi-layered approach combining technologies, policies, and user awareness. N-able’s N-central Security framework outlines best standards for securing applications, infrastructure, and data against evolving cyber threats covering authentication and authorization mechanisms, encryption process, incident response planning, network security controls, cyber resilience, and compliance requirements. By implementing the Cove strong security measure, MSPs can protect sensitive data, prevent breaches, and maintain compliance with industry standards.