Appendix: Data processing in the Milestone XProtect VMS environment
The Milestone System Architecture Document describes the components of the system and how they interact with each other and with system components of the environment. For each relevant use case of the product, you find a diagram that illustrates the communication flow between the components involved in that use case. These diagrams give a general overview of the transferred data. For information about how the components of the Milestone XProtect VMS interact, see the Milestone document describing the system architecture.
This section lists the personal data, authentication data and configuration data that a default XProtect installation processes and that are relevant to privacy and security settings.
Personal data from the VMS
The main data type is video data from the cameras. This data is stored by the Recording Server service and can be streamed to the XProtect Smart Client either live or in playback mode. The other data type is the master data about VMS users, which is stored in the SQL Server database.
Personal data from the environment
Personal data about the VMS users comes from the environment in two circumstances:
- From the Windows environment, where Active Directory (AD) is used for user authentication and as a source for group memberships. The Milestone XProtect Management Server service queries AD through the LDAP protocol to get information about the users who are logging on to the system.
- From third-party external IDP services, where Basic Users are managed in that service.
This personal data encompasses all kinds of data that is needed to secure, configure, operate, maintain, or otherwise support the system. Types of personal data include:
- Log data
IT systems usually log user and system data into audit and debug log files to help operate and maintain the systems, and XProtect Corporate does so as well. The VMS logs information about user actions and saves it in the Log Server (SQL Server). This audit log is used to establish accountability for past actions and system behavior and to track misuse of the system. Debug log files are used to identify defects and flaws in the system. Debug data does not contain personal data.
Log entries may reveal detailed information about how operators and administrators use the system and may be suitable for monitoring employee behavior and performance.
- Authentication logging
The Duende OAuth authorization server and Identity Provider (IDP) create audit log files. These files are saved in the Log Server (SQL Server), and all debug logs have personal data and identity markers removed. These audit logs can be viewed from the XProtect Management Client.
Authentication and authorization data
- User authentication at the VMS
There are three options to authenticate VMS users of XProtect Management Client and XProtect Smart Client. You can either use the Windows logon mechanisms, the VMS native authentication, or use an external IDP.
In a Windows Active Directory environment, you can configure the VMS to use the built-in Windows logon mechanism. By default, Windows logon is based on the Kerberos protocol, which is the most secure option. In legacy environments, domain controllers might not support Kerberos; in that case, Windows logon automatically falls back to the NT LAN Manager protocol (NTLMv2), which is considered less secure than Kerberos.
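Because the fallback to NTLM is automatic, it can happen without anyone noticing. As an added example (not part of the Milestone documentation or product), the following Python script parses Windows Security event 4624 (successful logon) records in the XML shape that wevtutil exports and reports which logons used Kerberos and which fell back to NTLM. The three events are constructed sample data, and the script assumes the events are collected from the host where the Management Server service validates the Windows logon.

```python
"""Check which Windows authentication package VMS users' logons actually used.

Parses Security event 4624 records in the XML shape that
`wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` emits and flags logons
that fell back from Kerberos to NTLM. Added example; not Milestone code.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the Windows event log XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not real log output): three network logons (LogonType 3)
# recorded on the host running the Management Server service. Names and
# addresses are made up; only the fields this check needs are included.
SAMPLE_4624_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-06T08:01:12.000000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">operator1</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="IpAddress">10.0.0.21</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-06T08:03:40.000000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">operator2</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="IpAddress">10.0.0.22</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-06T08:05:02.000000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_legacy</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">10.0.5.7</Data>
  </EventData>
</Event>
"""


def parse_4624(xml_text):
    """Return one dict per 4624 event. wevtutil emits a bare sequence of
    <Event> elements, so wrap them in a root element before parsing."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    logons = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        logons.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
            "logon_type": data.get("LogonType"),
            "package": data.get("AuthenticationPackageName"),
            "lm_package": data.get("LmPackageName", "-"),
            "ip": data.get("IpAddress", "-"),
        })
    return logons


def ntlm_fallbacks(logons):
    """Logons where the authentication package was NTLM rather than Kerberos."""
    return [l for l in logons if l["package"] == "NTLM"]


def severity(logon):
    """Kerberos is the expected case; NTLMv2 is a fallback worth investigating;
    NTLMv1 is weaker still and should not appear at all."""
    if logon["package"] == "Kerberos":
        return "ok"
    if logon["package"] == "NTLM":
        return "high" if logon["lm_package"] == "NTLM V1" else "medium"
    return "review"   # e.g. Negotiate on interactive logons: check separately


def summarize(logons):
    """Count logons per (package, LM package) pair for a quick overview."""
    return Counter((l["package"], l["lm_package"]) for l in logons)


if __name__ == "__main__":
    parsed = parse_4624(SAMPLE_4624_XML)
    print(summarize(parsed))
    for l in ntlm_fallbacks(parsed):
        print(f'{l["time"]} {l["user"]} from {l["ip"]}: {l["package"]} '
              f'({l["lm_package"]}) severity={severity(l)}')
```

On the real host, export the events with `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` and pass the file contents to parse_4624. The LmPackageName field separates NTLMv2 from the older NTLMv1. A non-empty fallback list means Kerberos was not negotiated for those logons, for example because a domain controller does not support it or because the client connected by IP address rather than by a name that Kerberos can map to a service principal name.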
In environments without a Windows domain controller, you can use the XProtect native authentication method, which is basic authentication with user ID and password against the local Identity Provider, or Windows for Workgroups authentication if that is available.
Alternatively, you can use an external IDP. An external IDP is an external application or service in which you store and manage user identity information and which provides user authentication services to other systems. You can associate an external IDP with the XProtect VMS.
To ensure data protection, do not use third-party IDPs from the internet. If you use an external IDP, it must be locally installed and managed by the same organization or company that runs the VMS.
There are three types of authentication credentials:
- Windows logon tokens (either Kerberos or NTLM tokens)
- Basic Authentication credentials
- Windows for Workgroups authentication
After successful authentication, the user is logged on at the VMS and a user session is created by the Management Server service, where the logon happens. The client can now access the Management Server service functionality in the context of this user session. When the user wants to access functionality in the Recording Server service, the XProtect Smart Client needs a user session with this server service as well.
- User authorization in the Recording Server service
Since the user session between the XProtect Smart Client / XProtect Management Client and the Management Server service cannot be reused to access the Recording Server, the Recording Server must authorize the user as well. To make this possible, the Management Server service provides the client with an authorization token, which the client presents to the Recording Server service. At the same time, the Management Server service sends the authorization token to all Recording Server services in the VMS installation, which use it to authorize the user afterwards.
XProtect VMS uses a simple GUID as this authorization token, and the client sends it to the Recording Server service. The GUIDs are created and managed by the Management Server service, which renews them after a specified period. The GUID is simply an identifier for the user in the SQL Server database.
- Authorization data
The authorization data for VMS users is stored in the SQL Server database. At start-up, the Management Server and Recording Server services pull the relevant authorization data, including the authorization tokens for all users, from the SQL Server database in order to be prepared for subsequent user access to the servers. When an administrator changes permissions, roles or anything else that affects user authorization, the Management Server service stores this update in the SQL Server database and also actively propagates it to all Recording Server services. The Recording Server services keep the user authorization data and all authorization tokens locally and can therefore immediately authorize client users who present their authorization token.
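To make the flow in this subsection concrete, here is an added example that models it in plain Python; it is not Milestone's implementation. The Management Server authenticates the user, creates a session, issues a GUID token and pushes tokens and permissions to every Recording Server, which then authorizes the client locally. The account names, camera IDs and the basic-authentication stand-in are constructed, and the renewal and revocation behaviour (a renewed token replaces the old one everywhere as soon as the push completes) is an assumption beyond what the text states.

```python
"""Model of the Management Server -> Recording Server authorization-token flow.

Added example, not Milestone's implementation: it models the behaviour the
text describes (session at the Management Server, GUID token issued to the
client and pushed to every Recording Server, token renewal, permission
changes propagated) with plain Python objects. Renewal and revocation
semantics beyond what the text states are assumptions.
"""
import hmac
import uuid


class RecordingServer:
    """Keeps a local copy of tokens and permissions pushed by the Management
    Server so it can authorize a client without another round trip."""

    def __init__(self, name):
        self.name = name
        self.tokens = {}        # token (GUID string) -> user name
        self.permissions = {}   # user name -> set of camera ids

    def receive_authorization_data(self, tokens, permissions):
        self.tokens = dict(tokens)
        self.permissions = {u: set(c) for u, c in permissions.items()}

    def authorize(self, token, camera):
        """Return (allowed, reason). Unknown or renewed-away tokens fail."""
        user = self.tokens.get(token)
        if user is None:
            return False, "unknown or expired token"
        if camera not in self.permissions.get(user, set()):
            return False, f"{user} has no access to {camera}"
        return True, user


class ManagementServer:
    """Authenticates users, creates sessions, issues GUID tokens and pushes
    authorization data to all Recording Servers."""

    def __init__(self, user_db, recording_servers):
        self.user_db = user_db            # stands in for the SQL Server database
        self.recording_servers = recording_servers
        self.sessions = {}                # session id -> user name
        self.tokens = {}                  # token -> user name
        self._push()

    def _push(self):
        perms = {u: rec["cameras"] for u, rec in self.user_db.items()}
        for rs in self.recording_servers:
            rs.receive_authorization_data(self.tokens, perms)

    def logon(self, user, password):
        """Basic-authentication stand-in (constructed); a Kerberos, NTLM or
        external-IDP logon would end in the same session and token issuance."""
        rec = self.user_db.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        session_id = str(uuid.uuid4())
        self.sessions[session_id] = user
        token = next((t for t, u in self.tokens.items() if u == user), None)
        if token is None:
            token = str(uuid.uuid4())
            self.tokens[token] = user
            self._push()
        return {"session": session_id, "token": token}

    def set_permissions(self, user, cameras):
        """Administrator change: store it and propagate to every Recording Server."""
        self.user_db[user]["cameras"] = set(cameras)
        self._push()

    def renew_tokens(self):
        """Periodic renewal: every user gets a fresh GUID and the old ones stop
        working everywhere once the push completes (assumed semantics)."""
        self.tokens = {str(uuid.uuid4()): u for u in self.tokens.values()}
        self._push()


def demo():
    """Walk through the flow and return a dict of named checks -> True/False."""
    rec1, rec2 = RecordingServer("rec1"), RecordingServer("rec2")
    users = {  # constructed sample accounts
        "operator1": {"password": "op1-secret", "cameras": {"cam-01", "cam-02"}},
        "guard2": {"password": "g2-secret", "cameras": {"cam-01"}},
    }
    ms = ManagementServer(users, [rec1, rec2])
    out = {}
    out["bad_password_rejected"] = ms.logon("operator1", "nope") is None
    logon = ms.logon("operator1", "op1-secret")
    out["token_works_on_rec2"] = rec2.authorize(logon["token"], "cam-02")[0]
    out["forged_guid_rejected"] = not rec1.authorize(str(uuid.uuid4()), "cam-01")[0]
    ms.set_permissions("operator1", {"cam-01"})
    out["permission_change_propagated"] = not rec2.authorize(logon["token"], "cam-02")[0]
    ms.renew_tokens()
    out["stale_token_rejected"] = not rec1.authorize(logon["token"], "cam-01")[0]
    fresh = ms.logon("operator1", "op1-secret")["token"]
    out["fresh_token_accepted"] = rec1.authorize(fresh, "cam-01")[0]
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

The point the model makes is that the Recording Server never calls back to the Management Server: it can only be as current as the last push, which is why permission changes and token renewal are propagated actively rather than looked up on demand, and why a Recording Server that misses a push would keep honouring a token the Management Server has already retired.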
- Configuration data
Apart from view data, which is set by the XProtect Smart Client, all configuration data for the VMS system is configured through the XProtect Management Client of the VMS and stored in the SQL Server database. There are different types of configuration data:
- User settings and preferences
- User permissions
- Server configuration
- System settings
- Camera and device configuration
While configuration data may not contain personal data, it may affect how the VMS processes personal data. For this evaluation, only the authorization information and the security and privacy settings among the configuration data listed above are relevant.
Personal data and registered mobile devices
When you uninstall the XProtect Mobile app or disable the device, the device data may still be kept in the VMS database.
The VMS removes the device registration data when:
- You remove a user from the system.
- Milestone Care Plus has not been renewed for more than 180 days.
However, there are scenarios when the device registration data is not automatically removed.
You must manually remove one or all registered devices when:
- A user has lost their phone.
- You want to uninstall the mobile server completely and remove its data.
- A user has stopped using the XProtect Mobile client app or notifications.
- You have added an Active Directory (AD) group to a VMS role and the permissions for a user have changed. When you add an AD group, the VMS does not see the individual users in that role. If you remove a user from an AD group or restrict the user from using the mobile server, you must also manually remove the user's device from the list.