Fortanix Data Security Manager - Sysadmin Settings - Policies

1.0 Introduction

This article describes the system-level settings and policies that are configured by the System Administrator. The settings configured here are applicable to every object of the entire cluster.

The Fortanix-Data-Security-Manager (DSM) supports policies that can be set on the cluster that restrict what kind of operations can be permitted on accounts. Policies are specified on the cluster level.

1.1 Intended Audience

This setup guide is intended to be used by technical stakeholders of Fortanix DSM who will be responsible for configuring the system administration settings.

2.0 Accounts

2.1 View and Edit Policies

• When you are not editing the policies, you are in the view mode.

• To edit the policies, click EDIT on the bottom of the page. Make the necessary updates and click the SAVE button to save the updates.

2.2 Approval for Account Creation

You can determine if System Administrator approval is required for creating a new Account. If it is enabled, then the user will not be able to create a new account. But the System Administrator will receive an approval request. If the system administrator approves, then, the user can create a new account. You can enable this option by clicking the toggle for Enabled.

Click the SAVE button at the end of the screen to save the changes.

2.3 Quorum Approval

This option defines the duration for which a pending quorum request will be active. After this duration, the quorum request cannot be approved. You can configure the quorum approval request expiry time. Default is 90 days.

Configure the Approval requests expire after parameter.

Click the SAVE button at the end of the screen to save the changes.

3.0 Log in / Sign up

3.1 Minimum Password Length

You can configure the minimum password length and the words to be avoided as passwords in this section. Every user in the system should maintain this password length. It applies to every user in every account in the cluster.

You can also configure if the user should not use dictionary words, repetitive and sequential characters, for example: ‘aaaaaa’, ‘1234abcd’, username, blacklisted, and so on, should not be allowed.

In the Fortanix DSM, navigate to System Administration > Settings > POLICIES tab. To configure the minimum password length, scroll down to the Log in/Sign up section and in the Minimum password length section click EDIT button to enter the value for password length and click the SAVE button.

• Max sequence: Select this option if you want to allow sequence in the password. To allow the sequential characters, click EDIT and enter a number greater than 2 that implies the maximum number of sequential numbers/characters allowed. For instance, if you enter 3 then you can use any number or character sequence in the password up to 3 characters only. For example: 'abc_1', 'company123', and so on.

• Max repetition: Select this option if you want to allow repetition in the password. To allow repetitive characters, click EDIT and enter a number greater than 2 that implies the maximum number of repetitive numbers/characters allowed. For instance, if you enter 3 then you can repeat any number or character sequence in the password up to 3 times only. For example: ‘bubbble’, 'senses111’, and so on.

Click the SAVE button at the end of the screen to save the changes.

3.2 Use Denylist

Use Denylist: Select this option if you do not want to allow using words from an internal list of commonly used passwords. For example: ‘blacklist’, ‘username’, and so on.

Click the SAVE button at the end of the screen to save the changes.

3.3 Sign Up Email Confirmation

In the Fortanix DSM login page, you have two options, sign in and sign up. You can select if email confirmation is required based on the following options in the System Administration Settings – Policies page.

Following are the options that you can set:

• Disabled: Select this option if you do not want the users to confirm their email address.

• Not enforced: Select this option if you want to send notifications to the users to confirm their email address; however, this will not prevent an unverified user from accessing an account in Fortanix DSM.

• All users: Select this option if you want the new users to confirm their email address before proceeding to an account. If the users fail to confirm their email address, they would be blocked from using the DSM account until they confirm their email address.

• Users since: Select this option if you want to mandate all the users who joined the account since the date mentioned to confirm their email address before proceeding to an account. For example, if you have selected the date as 01/03/2023, then all users who joined on or after this selected date must confirm their email address. If the users fail to confirm their email address, they would be blocked from using the DSM account until they confirm their email address.

Click the SAVE button at the end of the screen to save the changes.

3.4 Self Sign Up

In the Fortanix DSM login page, the user has the option to self-sign up. This option is to determine if the user can use the Self sign up option. By default, it is enabled. You can disable it by clicking the toggle for Enabled.

Click the SAVE button at the end of the screen to save the changes.

3.5 Session Expiration Time

This policy setting enables the user to configure the session expiration time parameters that will be applicable across the cluster.

1. Click EDIT and set the following:

   • Automatically log out user after: This option is used to configure the period of inactivity (idle time) after which the user is automatically logged out. This happens after the authentication. It is applicable to every user in every account in the cluster.

   • Second factor configuration mode expires after: If you have enabled second factor authentication, it will prompt you for second factor after successful verification of username and password. It is the period for which the system waits for the user to provide second factor configuration. After this period expires, the user needs to provide the first factor authentication again.

   • App authentication expires after: This option is used to configure the period of inactivity (idle time) after which the app is automatically logged out. This happens after the authentication. It is applicable to every app in every account in the cluster.

2. Click the SAVE button at the end of the screen to save the changes.

3.6 User Authentication Lockout

When a user tries to log in to Fortanix DSM with the wrong password, this setting lets a system administrator set the maximum number of authentication attempts and the amount of time an account is temporarily locked to stop unauthorized access.

The following are the options to configure this setting:

1. Click the toggle for Enabled to enable the User authentication lockout.

2. Enter a value for  Maximum attempts which is the maximum number of times a user can enter a wrong password before the account is locked temporarily.

3. Enter the value for the User lockout duration which is the amount of time the account is locked.

If a user exceeds the maximum number of attempts, Fortanix DSM will lock the account for the configured duration and prevent any further attempts to authenticate during that time. After the lockout period has expired, Fortanix DSM will allow the user to attempt to authenticate again.

3.7 Recaptcha

reCAPTCHA is the system that is used by the SaaS service to allow web hosts to distinguish between access to websites by humans or automation software. Without the reCAPTCHA it is possible to write automation scripts to automatically sign up fake email addresses to Fortanix DSM. reCAPTCHA ensures that only human users can log in to Fortanix DSM. By default, it is disabled. You can enable recaptcha by clicking the toggle for Enabled.

Fortanix DSM supports the following two types of reCAPTCHa:

• Google: In this option, you can sign up with Google for a specific domain. Type the access key and the secret key in the relevant fields and click the SAVE button at the end of the screen.  

  

• Custom: In this option, provide the URL of the provider that will verify the reCAPTCHA, site key, and secret key in the relevant fields and Click the SAVE button at the end of the screen. 

  

4.0 Email Validation

In this policy, you can configure rules to define a valid email format. These rules will be enforced for new users being invited or added to an account. Note that existing users are not impacted by this policy.

1. To configure the email validation policy, click EDIT and set the following:

   1. Character restrictions: Set the character restriction by selecting either the No Restrictions or Restricted Characters radio button.

      • No Restriction: Selecting this option will remove restrictions on the characters that can be used in an email address.

      • Restricted Characters: Selecting this option will restrict the characters that can be used in an email address. By default, a set of characters including blank space, colon, comma, and so on are included in the character restrictions. Click  to add additional characters for the character restrictions.

   2. Maximum length of email address: Set the maximum character limit of an email address by selecting either the No limit or the 254 (IETF Standard) radio button.

      • No limit: Selecting this option will remove restrictions on the maximum number of characters that can be used in an email address.

      • 254 (IETF Standard): Selecting this option will limit the maximum number of characters used in the email address to 254, as per the Internet Engineering Task Force (IETF) standard.

   3. Allowed domain names: Set the allowed domain name rule by selecting either the All or Allowed specific domain radio button.

      • All: Selecting this option will allow all domain names.

      • Allow specific domains: Selecting this option will restrict the email address to specific domain names. To extend the restriction to multiple domains, click ADD ANOTHER DOMAIN.

2. Click the SAVE button at the end of the screen to save the Email validation policy. You can also click the DELETE POLICY button to remove the policy.

5.0 Security Parameters

5.1 Sysadmin Configuration - HSTS

The HTTP Strict Transport Security (HSTS) is a web security policy mechanism. It forces web browsers to interact with websites only using secure HTTPS connections (and never HTTP). This helps to prevent protocol downgrade attacks and cookie hijacking.

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/  or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

The Fortanix DSM allows administrators to configure the HSTS policy using the Sysadmin settings.

1. In the Fortanix DSM Sysadmin settings POLICIES page, enable the HTTP Strict Transport Security (HSTS) by clicking the toggle for Enabled. 

   

2. In the policy:

   1. Maximum age: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

   2. Include subdomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

   3. Authorize preload: If a site sends the preload directive in an HSTS header, it is requesting inclusion in the preload list.

3. Click the SAVE button at the end of the screen to save the changes.

5.2 Enable Content Security Policy

Content Security Policy is an additional layer of security that helps in identifying and mitigating certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. You can enable it by clicking the toggle for Enforce Content Security Policy (CSP) to Allowed.   

5.3 Per-App IP Policies

You can determine if you want to allow IP Access Policies for each App. If you select this IP filtering on the apps, only the configured IP addresses or range of IP addresses are allowed. You can enable it by clicking the toggle for Allowed.