Declaring the security administrator

Only in built-in key management mode, after you have declared the SDS for C&M global administrator, you must declare the security administrator. The roles of this user are the following:

  • Helpdesk: He can assign a new password to a user who has forgotten the password associated with his SDS for C&M account,
  • Recovery: He can grant access to all the protected files of one user to another user, for example if the former user has left the company.
  • Delegation of these roles: He can assign the Helpdesk and/or Recovery roles to other users. For more information, please refer to the section Assigning Helpdesk and Recovery roles.

When an account is created, the associated private key and public key are generated on the local workstation. Double encryption is then applied to confidential keys. Stormshield therefore cannot decrypt information that your coworkers have protected, or change their passwords. Only security administrators and the accounts they are allowed to manage can perform such operations. For more information, refer to the sections Main principles for internal users and Helpdesk and recovery in Architecture and security.

The security administrator is essential in order for SDS for C&M to run. If you lose the login credentials to this user's account, the account cannot be recovered or unblocked. We therefore advise that you comply with these recommendations:

  • This user must be the first to use the SDS for C&M client on a mobile device or workstation, and therefore the first to be registered on the SDMC server and to enable his account. He must then log in at least once to SDS for C&M. As long as he has not been fully configured, no other user will be able to activate his account.
  • Protect this user's account with a strong password and ensure that you never lose this password.
  • This user’s account must not contain personal or confidential information because the certificate of this account is public. Refrain from disclosing the identity of the person who manages the account by using a generic name and e-mail address when you create the account. E.g., Stormshield Recovery recovery@stormshield.eu.
  • If you are installing this account on a workstation, host it on an administration workstation because it is sensitive.
  • If you are using the portal for helpdesk and recovery operations, ensure that your internet browser does not remember the password of the account, and use a dedicated workstation.
  • Do not use this account to protect or share files. This is not a standard user account and must be reserved exclusively for security management.
  • Assign helpdesk and recovery roles to several trusted users so that there will always be at least one user to perform these operations.
  1. Go to SDS for C&M Encryption Portal and click on Create your account.
  2. Enter your first and last names and work e-mail address. This address must be dedicated to this user, so choose for example security@mydomain.com.
  3. Accept the conditions of use, then click on Next.
  4. In the Password window, enter and confirm a strong password that meets the criteria and adequately secures this account, then click on Next.
  5. You will receive an email at the email address that you have specified. Check your mailbox to confirm your e-mail address and activate your SDS for C&M account. If you did not receive the e-mail, please check your spam mailbox.

    The security administrator is now registered on the SDMC server, and the Helpdesk role and Recovery role roles have been assigned to him. He can also delegate these roles to other users.

  6. Log in with this account via the SDS for C&M client or SDS for C&M Encryption Portal to generate recovery data. This account must be enabled and must log on at least once so that other users can enable their own accounts.

    You can also create this account via the SDS for C&M application installed on an Android or iOS mobile device.

     

    The Manage users menu appears in the SDS for C&M or SDS for C&M Encryption Portal client when the security administrator account is connected. This account can be used to change passwords, grant access to other users or assign the Helpdesk and Recovery roles to other users. For more information, refer to the sections Retrieving users' passwords, Recovering user accounts and Assigning Helpdesk and Recovery roles.