The Anonymizer (also known as Monitored Data Anonymization) feature supports compliance with data protection and privacy laws, standards and regulations, such as the European Union’s General Data Protection Regulation (GDPR), in relation to protecting personally identifiable information (PII). PII means any information that can directly identify an individual person (and is hereinafter referred to as "personal data").
Ekran System protects the personal data of endpoint users, which is recorded while their activities are monitored, by anonymizing this data.
In Anonymized mode, no Management Tool user, including administrators and other users that have permission to open and view the sessions of endpoint users (e.g. Investigators), can view the personal data of any endpoint user unless a Supervisor first approves their request to temporarily de-anonymize the data of a specific endpoint user (on a specific Client computer). At the same time, Supervisors do not have permission to open and view the sessions of endpoint users.
NOTE: This feature is not available by default, and can only be activated by contacting your Ekran System vendor or the Ekran System Support Team, and is also only available with an activated serial key for the Enterprise Edition of Ekran System.
1. How is User Data Anonymized?
As soon as the Anonymizer feature is enabled:
1. Ekran System actually "pseudonymizes" (rather than anonymizes) all the existing personal data of endpoint users. The data remains stored in the database (i.e. it is not deleted), but access to it is restricted in Anonymized mode, so that it cannot be viewed and endpoint users cannot therefore be identified (unless a request by a Management Tool user to de-anonymize the data of a specific endpoint user is first approved).
2. Subsequently, all new data is also anonymized by the system immediately (whenever it is generated or recorded).
Anonymization is achieved by either randomizing, hiding, or obfuscating the personal data (depending on the data type) as follows:
• Randomized data means that a randomly-generated unique value is displayed in the Management Tool instead of the original personal data (e.g. instead of the User Name “doe”, the alias “USR-123” is displayed).
• Obfuscated data means that the data is blurred so as not to be readable, and concerns the screen captures recorded of the activity of endpoint users (where the obfuscated screen captures are displayed in the Session Player).
NOTE: The metadata that accompanies screen captures is not obfuscated, and remains displayed as normal in the Session Viewer.
• Hidden data means that the data is not displayed at all.
NOTE: Hidden data is not even displayed after an expose request to de-anonymize a user’s data is approved, and can only be displayed by disabling the Anonymizer feature.
2. Viewing User Data in Anonymized Mode
The primary page used by the Anonymizer feature is the Client Sessions tab (on the Monitoring Results page), which is affected as follows:
1. The additional Expose Request column is displayed (on the left).
2. The values in the following columns in the grid are randomized:
• User Name (while any secondary users are hidden)
• Client Name
• Remote Host Name
NOTE: Randomized values are always unique and never repeat throughout the system. For example, "UserX" is replaced by "USR-123"; if the data is de-anonymized and then anonymized again, it is replaced by "USR-765", and then by "USR-1341". "UserY" is never replaced by "USR-123", "USR-765", or "USR-1341", since these names have already been taken by "UserX". Furthermore, randomized values never follow a sequence (e.g. "UserX" is replaced by "USR-123", and "UserY" is replaced by "USR-579", but never by "USR-124").
3. The corresponding values in the following filters are also randomized accordingly:
• Who (i.e. the user name)
• Where (i.e. the Client name)
4. The following columns are hidden, and cannot be displayed by using the Columns Display button (and the corresponding filters are also disabled):
• IP (IPv4/IPv6)
• Remote IPv4
• Remote IPv6
• Remote Public IPv4
• Remote Public IPv6
• User’s Comments
• Client Groups
5. The Search by field can only be used to search the randomized data (and not the original personal data).
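The properties listed above for randomized values (unique system-wide, never reused after re-anonymization, never sequential, and searchable only by alias) can be modelled as follows. This is an added example, not Ekran System code; the `AliasAllocator` class, its methods and the size of the alias space are hypothetical.

```python
import secrets


class AliasAllocator:
    """Issues display aliases such as USR-4821 (hypothetical model)."""

    def __init__(self, prefix="USR", space=1_000_000):
        self.prefix = prefix
        self.space = space      # how many distinct aliases can exist
        self._current = {}      # real value -> alias displayed right now
        self._issued = set()    # every alias ever handed out

    def _fresh(self):
        if len(self._issued) >= self.space:
            raise RuntimeError("alias space exhausted")
        while True:
            # CSPRNG draw: the next alias cannot be guessed from the last.
            alias = f"{self.prefix}-{secrets.randbelow(self.space)}"
            if alias not in self._issued:   # never reuse, even across users
                self._issued.add(alias)
                return alias

    def alias_for(self, real_value):
        """Stable alias while the value stays anonymized."""
        if real_value not in self._current:
            self._current[real_value] = self._fresh()
        return self._current[real_value]

    def reanonymize(self, real_value):
        """Called when an exposed value is anonymized again: new alias."""
        self._current.pop(real_value, None)
        return self.alias_for(real_value)

    def search(self, term):
        """Search by matches aliases only, never the original values."""
        return sorted(a for a in self._current.values() if term in a)


if __name__ == "__main__":
    names = AliasAllocator()
    first = names.alias_for("UserX")          # constructed sample values
    print(first, names.alias_for("UserY"), names.reanonymize("UserX"))
```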
In addition to the Client Sessions tab (on the Monitoring Results page), the anonymized data is also displayed in a similar way (i.e. randomized or hidden) throughout the system, including on the following pages:
• Alerts tab (on the Monitoring Results page).
• Session Risk Score page (which opens after clicking on the corresponding icon, e.g. in the Risk Score column on the Client Sessions tab (on the Monitoring Results page)).
• Interactive Monitoring page.
• Home page (Dashboards).
• Alert Management page.
NOTE: On the Alert Management page, alerts cannot be created containing any of 3 existing alert rule parameters ("Username", "User Belonging to Domain Group", and "Computer Belonging to Domain Group"), while such alerts are disabled if they were created before the Anonymizer feature was enabled.
• Access Management page.
• Audit Log page.
3. Features Not Currently Supported in Anonymized Mode
Functionality not currently supported for use with the Anonymizer feature enabled, and which cannot therefore be used, includes the following pages/features (which are disabled/hidden):
• Client Management page (incl. User-to-User restrictions on the User Access tab when editing a user / user group).
NOTE: Although the Client Management page is not currently supported, it is not disabled/hidden for Management Tool users with the appropriate permissions (for more information, please see e.g. the Viewing Windows Clients page).
• Archived Sessions tab (on the Monitoring Results page).
• File Monitoring tab (on the Monitoring Results page).
• Forensic Export History page (and the Forensic Export feature on the Monitoring Results page).
• User Behavior Analysis page.
• Reports page.
• Sending data to SIEM systems and via APIs.
• Master Panel (stand-alone component of Ekran System).
4. Permissions for Investigators and Supervisors
If an Investigator needs to view the original personal data of any endpoint user (e.g. to investigate suspicious user activity), they can request approval by a Supervisor to de-anonymize the personal data of a specific endpoint user on a specific Client computer (for all the endpoint user’s sessions).
On approval, the personal data of the specific endpoint user is de-anonymized and temporarily (for 24 hours) displayed to the Investigator who requested it.
Investigators and Supervisors need to have the required permissions to carry out their job roles, as follows:

Description of User Role: To investigate suspicious user activity.
Required Permissions / User Group: The following permissions need to be either assigned directly, or inherited from any user group (except the Supervisors user group):
• Management Tool Access
• Viewing Monitoring results

Description of User Role: To approve (or deny) requests to expose (i.e. de-anonymize) the personal data of a specific endpoint user (on a specific Client computer).
Required Permissions / User Group: The required permissions should be inherited from the Supervisors user group (by adding the Supervisor user to this group).
NOTE: For more information about permissions and user groups in general (i.e. not specifically for the Anonymizer feature), please refer to the User and User Group Management section.
5. Requesting De-Anonymization of User Data
A request to de-anonymize the personal data of a specific endpoint user (on a specific Client computer) is called an Expose Request. After such a request is approved, the Management Tool user who requested it will be able to view the following data of the endpoint user:
• Randomized data: The original personal data is displayed, and is no longer randomized, e.g. on the Client Sessions tab, on the Monitoring Results page:
- User Name (e.g. “doe” is displayed instead of the randomized alias “USR-123”)
- Client Name
- Remote Host Name
• Obfuscated data: The screen captures are displayed, and are no longer blurred (in the Session Player).
• Hidden data: The hidden columns remain hidden after de-anonymizing the data, and cannot be displayed (except by disabling the Anonymizer feature).
To make a request to de-anonymize an endpoint user’s personal data (on a specific Client computer), do the following:
1. On the Client Sessions tab (of the Monitoring Results page), click the corresponding icon in the Expose Request column (on the left).
2. In the Request to Expose User pop-up window that opens, enter a reason for your request, and then click Proceed.
3. After a Supervisor approves (on the Access Requests tab of the Access Management page) the request to expose the endpoint user’s personal data, this data (for all the endpoint user’s sessions on the specific Client computer) is de-anonymized for the Management Tool user who requested it, so that the original personal data of the endpoint user is temporarily (for 24 hours) displayed to this Management Tool user only (and they can view the screen captures, which are no longer obfuscated when the session is opened in the Session Player).
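The access rule that this procedure produces, modelled as an added example (not Ekran System code): an approved Expose Request de-anonymizes one endpoint user on one Client computer, for the requesting user only, for 24 hours, while hidden fields stay hidden and Supervisors cannot view sessions. The class, method and field names are hypothetical, and starting the 24-hour window at the moment of approval is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EXPOSE_TTL = timedelta(hours=24)    # exposure window stated on the page
# Constructed field names standing in for the hidden columns.
HIDDEN = {"ip", "remote_ip", "user_comments", "client_groups"}


@dataclass
class ExposeRequest:
    requester: str                  # Management Tool user who asked
    endpoint_user: str
    client: str                     # Client computer the request covers
    reason: str
    approved_at: Optional[datetime] = None


class ExposePolicy:
    def __init__(self, supervisors):
        self.supervisors = set(supervisors)
        self.requests = []

    def request(self, requester, endpoint_user, client, reason):
        req = ExposeRequest(requester, endpoint_user, client, reason)
        self.requests.append(req)
        return req

    def approve(self, supervisor, req, now):
        if supervisor not in self.supervisors:
            raise PermissionError("only a Supervisor can approve")
        req.approved_at = now       # assumption: the window starts here

    def can_view(self, viewer, endpoint_user, client, field, now):
        """True if `viewer` sees the original (de-anonymized) field."""
        if field in HIDDEN or viewer in self.supervisors:
            return False    # hidden stays hidden; Supervisors cannot view
        return any(
            r.requester == viewer
            and r.endpoint_user == endpoint_user
            and r.client == client
            and r.approved_at is not None
            and r.approved_at <= now < r.approved_at + EXPOSE_TTL
            for r in self.requests
        )
```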