Scroll to top of page

Our advice for staying safe with TMS

Tag Management Systems (TMSTMSA Tag Management System (TMS) is a tool designed to help manage the lifecycle of marketing tags. It can encapsulate multiple individual tags within a unique container tag and makes it possible to edit these tags remotely without having to modify the source code.Learn more) have proven their worth when it comes to implementing and managing data collection. Today, they have become the cornerstone of data strategies. There’s no shortage of advantages: TMS are more agile, more flexible, and more legible than other solutions. But not all Chief Information Officers (CIOs) consider TMS to be a perfect solution, as they see an open door to the outside, and thus as a potential site security risk.

Given these two differing perspectives, how can we be sure that a TMS is secure, without sacrificing its flexibility? Who can be trusted with managing this Trojan Horse? Do we have to closely examine each of the TMS scripts?

House keys

Would you lend your house keys to a stranger you met three minutes earlier at the supermarket? Probably not, even if he or she seems harmless. Managing TMS rights is kind of the same thing: the person (or people) who has the keys can do many things, including stealing data or modifying your site behaviour. What if, when your clients click on “Purchase”, they are redirected to a competitor’s site? What if a shady foreign group used a JavascriptJavascriptJavaScript, or JS, is a programming language which is implemented in web browsers, but also potentially in web servers. It is commonly used for tracking purposes. It is known as a www programming language (meaning that it is used on the web), and it is object-oriented (meaning that it can process unstructured data).Learn more cryptocurrency mining script?

For these reasons, those who have access to TMS must be clearly identified:

• Don’t use personal e-mail addresses: if an employee uses his or her personal e-mail address to access the TMS, he or she would still have this access even if he or she changes jobs. Professional e-mail addresses should always be used, so that if an employee leaves on bad terms his or her TMS access will be terminated when he or she leaves the company.

Note: You don’t need a Gmail account to use Google Tag Manager (GTM), you can link your address and use it.

• Avoid using aliases: they make it hard to trace modification history, as one alias could be used for multiple people. It is possible that aliases have access, but this should only be the case to give TMS access to individuals.

• Periodically review accesses and delete inactive accounts: if you are unsure, it is better to revoke someone’s access and restore it later instead of letting it collapse.

Managing rights also includes assigning “admin” rights: who is able to add new users?

The most obvious answer is to entrust this access management to the advertiser who holds the TMS contract. But often, centralising access like this is difficult for agencies, as they generally have several internal users which makes it challenging to obtain access for each person…Which is where common addresses (aliases) come into the picture!

It makes sense that the advertiser wants to keep control of its TMS, but allowing agencies to manage their teams’ access rights makes project management more fluid. Each provider is responsible for the way it uses the tool! Might as well choose decentralised management to avoid losing precious time when an urgent request for an upcoming campaign comes in…

Inside the Trojan horse

Once you have decided about how your TMS will be managed, what are some of the risks you should be aware of? How can you minimise or avoid them?

For the most critical sites (e.g. online banking), some TMS are able to authorise that only certain TMS tags be executed, via a dataLayer instruction. This “whitelist” is defined on the site, and prevents unwanted tags from being added with the TMS. It should be used carefully, because the implementation timeline is longer (it must be added to the whitelist by the CIO).

It is also possible to limit tag activation, so that only template tags are used. That is to say, you can prohibit custom Javascript tags. Nevertheless, this method means you may miss out on some KPIKPIKey Performance Indicators (KPIs) refer to the main indicators that are used to assess the success of a given campaign, in line with the chosen strategy. The generated turnover and the number of pageviews are examples of KPIs. For relevant performance measurement, it is essential to limit the number of selected KPIs (up to a dozen). The challenge for advertisers is thus to assess which indicators are truly indispensable.Learn mores which rely on non-native functions (trackingtrackingTracking refers to the tools and methodologies that measure the activity and behaviour of visitors on a website (or a mobile app), including their journey, the source of their visit, or exposure to ads... Learn more HTML5 videos, for example).

Similarly, you must know all about your tags. What is the intention behind them? What is the related business demand? How old are they? Should they be deactivated at a certain date? Doing a bit of spring cleaning never hurts, and might lead to important discoveries, like malicious tags. Certain TMS deactivate these malicious tags as they go, which is helpful but not enough if you truly want to master your data. There are more radical solutions, too, like sing Content Security Policies (CSP) which will block calls to certain third-party domains (identified via black - or whitelists).

Once the tags have been placed on the site, you just need to make sure they work before publishing. Any Javascript you’ve added to the TMS can have a big impact on how the site works (loading time, library collisions, bugs). You must be sure to do a thorough quality check before publishing. This check should include:

  • Testing content to verify that:

o The tags work properly (operational data collection).
o The site works properly (user experience is complete).

  • Re-reading and starting production using a different person than he or she who placed the tag.
  • Defining a backup plan in case of holidays or absences to ensure someone is monitoring publication.

One thing is for sure: the TMS must remain flexible, and must continue to boost your digital marketing. For this, the CIO must be involved from the beginning of the adventure to guarantee site security. Technical teams have been asking security questions for a long time. Take this opportunity to get inspired and make sure your project is successful!

Translated from French by Niamh Cloughley. 

Want to learn more? Get in touch!


close legal

À propos

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec a venenatis dolor, non ornare ligula. Nam ultricies elementum tellus, sed pulvinar libero egestas nec. Fusce facilisis nulla vestibulum, commodo neque eget, dapibus lacus. Aliquam neque felis, sagittis nec consequat sed, commodo ac ipsum. Sed neque tortor, semper quis viverra et, malesuada et eros. Donec at dui ut ligula pharetra aliquet. Etiam dapibus semper orci. Integer efficitur dolor tortor, nec mattis elit placerat vel. Ut nulla enim, lacinia in pharetra id, convallis vitae massa. Donec neque est, tincidunt non ullamcorper commodo, tincidunt non turpis. Pellentesque viverra enim a sapien placerat, ut volutpat mauris condimentum. Proin tincidunt sollicitudin dui, sit amet condimentum ante commodo a. Aenean posuere aliquam purus, sed aliquam magna sagittis finibus. Morbi molestie feugiat feugiat. Phasellus tempus in dolor vel maximus. Cras efficitur sagittis lorem porta iaculis. Maecenas sed hendrerit urna. In mattis posuere purus, sit amet placerat arcu posuere quis. Etiam nec arcu nec magna interdum maximus. Integer sit amet lacus neque. Curabitur interdum molestie magna, in scelerisque tellus iaculis sed. Sed nec metus ut purus efficitur laoreet a quis eros. Proin dui dui, dignissim eget risus sit amet, bibendum condimentum velit. Maecenas in justo eu elit eleifend consectetur. Aenean scelerisque fringilla sollicitudin. Nam sem nibh, pharetra nec lacus non, mollis interdum odio. Aliquam sollicitudin posuere nibh sed eleifend.


55 SAS, 5 — 7 rue d'Athènes

75009 Paris

+33 1 76 21 91 37



2, rue Kellermann

59100 Roubaix

+33 8 20 69 87 65


Lan Anh Vu Hong

Crédits photo

Mats Carduner, Adobe Stock & Unsplash

Vous avez aimé nos nouvelles fraîches sur l'état du marché brandtech ? Inscrivez vous à notre newsletter