At Verkada, we are focused on building the best software and devices for managing physical security. This requires a world-class support team who is on-call to help resolve any technical issues our customers might encounter. As you know, the primary tool that our support and engineering teams previously used was the subject to a security incident. In response to this attack, we revoked all access to this tool and on March 12th, I outlined our approach stating:
“We will review our policies and procedures and identify new ways to strengthen our existing controls and add new levels of security, while identifying new ways to better practice the principle of least privilege, manage access privileges and to secure our system.”
Why I am writing
Our work in reviewing our policies and procedures in this area continues; however, I wanted to provide an update regarding how customer support will be delivered in the immediate term.
Following the suspension of this tool, we decided that Verkada will no longer use internal administrator accounts. After the attack, I also directed additional engineering resources to finalize a tool that has been in development since December 2020.
As of today, that tool – Support Permission System (SPS) – is available, giving customers direct control and increased security around how Verkada provides technical support. SPS is the first step in the development of new tools and permissions that ensure we can continue to balance the delivery of excellent customer support while maintaining customer data privacy as our company continues to grow.
What has changed
As we have previously stated, Verkada’s training program and employee policies were clear that support staff members were required to obtain a customer’s explicit permission before accessing that customer’s video feed via the “internal administrator account” function. Any improper access by a Verkada employee would have been a violation of our policies and the employee subject to termination – we have no evidence this ever occurred.
However, Verkada has always sought to strengthen our security policies and practices, and this attack is a reminder of the need to engage in routine review and evaluation to maintain customer safety. Now, customers will have even more control over who is allowed to access their camera feeds. The new SPS will require customers to proactively request assistance from the Verkada support team and explicitly approve their access using a secure code – providing an additional layer of authorization. Read below for more on how it works:
What is SPS?
Built directly into Command, the Customer Support Permission System (SPS) requires Organization or Site administrators to explicitly grant Verkada’s support team with access to their Command account.
Screenshot of Verkada’s customer facing admin settings panel.
SPS provides a number of controls for the Organization or Site administrators:
- Enable Support Access
Organization administrators and Site administrators can allow Verkada’s support team to access their account by toggling the control. When enabled, additional controls will appear.
- Set a time window for access
When SPS is enabled, by default access will be limited to 1 hour and will auto-expire. Administrators will have the option to extend the access to up to 24 hours.
- Provide an access token
The administrator can then provide the unique token to Verkada’s support team to enable access. This token is unique to this account and troubleshooting request and is required for the Verkada Support agent to take any next steps.
- Control video, audio and image access
By default, customer support will not have access to footage, thumbnails, archives, or audio. This means that Verkada Support will not be able to view images, video or audio unless the customer explicitly grants this permission.
- Revoke Support Access
After granting Verkada Support access to access their system, customers still have the ability to revoke Verkada Support’s access at any time by simply toggling off the permission switch.
Support Access in Audit Logs
From the organization audit log, users will be able to see when SPS is enabled or modified by an admin, with the timestamp of when it will expire. Each time Verkada Support accesses an account is also logged, and the actions taken on behalf of the account by Support are logged in each camera’s audit log.
To find SPS, log into your Verkada Command account and click on Admin. From the admin page, you will now see the option “Support.”
Delivering the best possible customer technical support means balancing our access and your complete privacy, and that is why we value your input and suggestions. If you have any questions, please contact [email protected]