Recording User Session Activities — Or Not?

Numerous tools in the marketplace can monitor user activity within virtualized applications. Although tracking user activity may seem beneficial, especially within highly regulated industries, there are some pros and cons that should be considered.

Let’s step back to 2007, when Citrix released SmartAuditor as part of Citrix Presentation Server 4.5 Feature Pack 1. It was touted as a way to monitor user activity and assure regulatory and corporate compliance. SmartAuditor would record user activity in a video-like form so that sessions could be replayed and reviewed, primarily for training and compliance. Authorized individuals could search for and access specific recordings in order to review the contents.

Despite its being touted as a Platinum feature, only a small percentage of Citrix customers implemented SmartAuditor. From a storage perspective alone, the requirements were massive and expensive in those days.

Even though SmartAuditor was only available through XenApp 6.5, third-party vendors have since increased their offerings in this space. There are now a handful of Citrix Ready vendors that offer full user-session activity captures. From a basic standpoint, each records user-session screen actions and provides a replay mechanism.

Pros and Cons of Recording Application Activity

On the positive side, if users know that their every keystroke and mouse movement is being recorded, they are far less likely to perform any tasks outside of their job requirements. Further, temporary workers and external vendors make excellent use cases: tracking their application activity increases security. For example, if some contractors are hired during a busy season to perform order entry within an ERP application, the ability to search and monitor specific data types may prevent a downstream order fulfillment issue. Or, if you allow a third-party vendor access to your systems without supervision, recording exactly what this user clicked and modified provides a detailed tracking system.

When application activity captures are in place, if a user performs an inappropriate or suspicious transaction, the recordings clearly reveal exactly which actions were undertaken during the user session. In this instance, a recording would be beneficial for the purpose of clearly determining whether any improprieties had occurred.

On the other hand, these “screen scrape”–type recordings may contain a large amount of confidential data. For example, a health care provider or retail call center agent may type in social security numbers, credit card numbers, health care information, and other personal data, all of which could be replayed with full view of these data fields. While some applications immediately replace confidential entries such as credit card and social security number fields with asterisks, some allow the numbers to appear momentarily, while others show the numbers until the field no longer has focus or until the screen is saved.

Although newer technologies minimize space requirements, storage of these recordings is still a consideration. Questions related to storage focus on how and where the data will be stored and at what point the data will be erased and/or destroyed.

More importantly, access to these stored recordings should be a concern. These digitized screen recordings of confidential information also place an additional burden on the IT staff in terms of security. Who can view the recordings? What permissions and/or access rights are required in order to view the recordings? How are rights to view the screen recordings assigned and maintained?

Of course, the intention of all IT organizations is to secure the confidentiality of critical data. However, when an organization chooses user session activity recording for industry compliance, could the recordings themselves breach regulatory compliance?
