Admin area data protection authentication steps
I think this is a fundamental concern for all companies; data protection is a very serious matter.
I believe we should be doing everything within our power to ensure that client data is protected both from external access and also internal access. This request deals with one key area that I believe is currently lacking adequate security steps to provide data protection.
The admin side client area. Understandably, there are times when certain things need doing on a client's account. This is just standard business; these instances are going to happen.
However, I don't believe that all system admins, whether we believe they should be trusted or not, should have access to client data at any time they so choose.
In light of this, I am requesting that WHMCS implement a security measure that many if not all of the large financial institutes use. I know my mobile network provider uses it, both for automated systems and customer service agents.
Client password authentication on the admin side. This means that, to access a client's account, our support staff must first have had contact with the support staff who will ask for two characters from the password that the system asks for.
In this way, they cannot just log into a client's account and make changes, access control panels, or even "log in as client".
Whilst these areas are absolutely critical to what we do so that we can perform our duties promptly, they are most definitely one of the largest data protection concerns on our system and nothing is there to address it.
I know that there are issues with what I request: what if it's a one-person company? Well, in this instance they would be using their primary admin account, which would not have these steps in force. Maybe have a second security pass phrase to disable the checks until log out.
As for what gets protected, this should be decided by the website it's on. However, I think certain aspects should not be optional. Any pages that contain client personal data or server login data should be locked at a minimum.
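
The two-character challenge requested above, as an added Python example (not WHMCS code and not part of the original request). The class and method names, the three-attempt limit and the use of a separate support passphrase instead of the login password are all assumptions.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed limit per challenge, not taken from the request


class PartialSecretGate:
    """Unlocks one admin's view of one client after a character challenge."""

    def __init__(self, support_phrases):
        # client_id -> support passphrase (hypothetical store). A character
        # challenge needs the secret in recoverable form, so this is a
        # separate phrase held encrypted at rest, never the hashed login password.
        self._phrases = support_phrases
        self._pending = {}      # (admin, client) -> [positions, attempts_left]
        self._unlocked = set()  # (admin, client) pairs unlocked until logout

    def issue_challenge(self, admin, client):
        """Pick two distinct 1-based positions for the agent to ask about."""
        length = len(self._phrases[client])
        positions = sorted(secrets.SystemRandom().sample(range(1, length + 1), 2))
        self._pending[(admin, client)] = [positions, MAX_ATTEMPTS]
        return positions

    def answer(self, admin, client, chars):
        """Check the two characters supplied; unlock the record on success."""
        entry = self._pending.get((admin, client))
        if entry is None:
            return False  # no open challenge: nothing to answer
        positions, attempts_left = entry
        phrase = self._phrases[client]
        expected = "".join(phrase[p - 1] for p in positions)
        ok = hmac.compare_digest(expected.encode(), "".join(chars).encode())
        if ok:
            del self._pending[(admin, client)]
            self._unlocked.add((admin, client))
        elif attempts_left <= 1:
            del self._pending[(admin, client)]  # challenge burned after last try
        else:
            entry[1] = attempts_left - 1
        return ok

    def can_view(self, admin, client):
        """Gate for pages holding personal data or server login data."""
        return (admin, client) in self._unlocked

    def logout(self, admin):
        """Drop every unlock held by this admin session."""
        self._unlocked = {k for k in self._unlocked if k[0] != admin}
```

Two characters carry little entropy, so a deployment would also rate-limit how often challenges can be issued per client and write every challenge and unlock to an audit log.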