Fortanix Data Security Manager - Sysadmin Settings - Policies

Introduction

This article describes the system level settings and policies that are configured by the System Administrator. The settings configured here are applicable to every object of the entire cluster.

The Fortanix Data Security Manager (DSM) supports policies that can be set on the cluster that restrict what kind of operations can be permitted on accounts. Policies are specified on the cluster level.

Accounts

Approval for Account Creation

You can determine whether System Administrator approval is required to create a new account. If this option is enabled, a user cannot create a new account directly. Instead, the System Administrator receives an approval request, and the user can create the account only after the System Administrator approves it. You can enable this option by clicking the toggle for Enabled.

Figure 1: Approval for Account Creation

Quorum Approval

This option defines the duration for which a pending quorum request remains active. After this duration, the quorum request cannot be approved. You can configure the quorum approval request expiry time. The default is 90 days.

Click Edit and configure the Approval requests expire after parameter and then click Save.

Figure 2: Quorum Approval

Log in / Sign up

Minimum Password Length

You can configure the minimum password length in this section. Every user in the system should maintain this password length. It applies to every user in every account in the cluster.

In the Fortanix DSM Sysadmin settings, go to POLICIES. To configure the minimum password length, click EDIT, type the value for the password length, and then click SAVE.

Figure 3: Minimum Password Length

Sign Up Email Confirmation

In the Login page, you have two options, sign in and sign up. You can select if email confirmation is required. If this option is enabled, the new users should confirm their email before proceeding to an account.

Figure 4: Sign up Email Confirmation

Self Sign Up

In the Login page, the user has the option to self-sign up. This option is to determine if the user can use the Self sign up option. By default, it is enabled. You can disable it by clicking the toggle for Enabled.

Figure 5: Self Sign up

Session Expiration Time

This policy setting enables the user to configure the session expiration time parameters that will be applicable across the cluster.

Figure 6: Session Expiration Time

  1. Click EDIT and set the following:
    • Automatically log out user after: This option configures the period of inactivity (idle time) after which the user is automatically logged out. The period is counted after authentication. It applies to every user in every account in the cluster.
    • Second factor configuration mode expires after: If second factor authentication is enabled, the user is prompted for the second factor after the username and password are verified. This option sets the period for which the system waits for the user to provide the second factor configuration. After this period expires, the user needs to provide the first factor authentication again.
    • App authentication expires after: This option configures the period of inactivity (idle time) after which the app is automatically logged out. The period is counted after authentication. It applies to every app in every account in the cluster.
  2. Click SAVE.

Recaptcha

reCAPTCHA is the system that is used by the SaaS service to allow web hosts to distinguish between access to websites by humans and by automation software. Without reCAPTCHA, it is possible to write automation scripts that automatically sign up fake email addresses to Fortanix DSM. reCAPTCHA ensures that only human users can log in to Fortanix DSM. By default, it is disabled. You can enable reCAPTCHA by clicking the toggle for Enabled.

Fortanix DSM supports the following two types of reCAPTCHA:

  • Google: In this option, you can sign up with Google for a specific domain. Type the access key and the secret key in the relevant fields and click SAVE CHANGES.
    Figure 7: Google reCAPTCHA
  • Custom: In this option, provide the URL of the provider that will verify the reCAPTCHA, the site key, and the secret key in the relevant fields and click SAVE CHANGES.
    Figure 8: Custom reCAPTCHA

Security Parameters

Sysadmin Configuration - HSTS

The HTTP Strict Transport Security (HSTS) is a web security policy mechanism. It forces web browsers to interact with websites only using secure HTTPS connections (and never HTTP). This helps to prevent protocol downgrade attacks and cookie hijacking.

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected. This happens, for example, when the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack: the redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

The Fortanix DSM allows administrators to configure the HSTS policy using the Sysadmin settings.

  1. In the Fortanix DSM Sysadmin settings POLICIES page, enable the HTTP Strict Transport Security (HSTS) by clicking the toggle for Enabled.
     Figure 9: HSTS
  2. In the policy:
    1. Maximum age: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
    2. Include subdomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
    3. Authorize preload: If a site sends the preload directive in an HSTS header, it is requesting inclusion in the preload list.
  3. Click SAVE to save the HSTS policy setting.
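
The three policy fields above correspond to the max-age, includeSubDomains and preload directives of the Strict-Transport-Security response header. The following is an added example, not Fortanix code: a Python check that a header value observed from the cluster matches the configured policy. The function names, the sample header values and the one-year preload minimum (taken from the browser preload list's submission requirements) are assumptions not stated on this page.

```python
import re
from typing import Dict, List, Optional

# Assumption: one-year minimum max-age for browser preload-list submission.
PRELOAD_MIN_AGE = 31536000
# Constructed sample header values, not captured from a real cluster.
SAMPLES = ["max-age=31536000; includeSubDomains; preload", "max-age=300"]

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    # Returns {directive: argument-or-None}. Raises ValueError where RFC 6797 has
    # the browser ignore the header: repeated directive, missing or bad max-age.
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty directive such as a trailing ';'
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"directive repeated: {name}")
        directives[name] = arg.strip().strip('"') if sep else None
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives

def audit_hsts(value: str, want_subdomains: bool, want_preload: bool) -> List[str]:
    """Return findings; an empty list means the header matches the policy."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    if want_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains expected but absent")
    if want_preload and "preload" not in d:
        findings.append("preload expected but absent")
    if want_preload and ("includesubdomains" not in d or age < PRELOAD_MIN_AGE):
        findings.append("preload needs includeSubDomains and max-age >= 31536000")
    return findings

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", audit_hsts(header, True, True) or "ok")
```
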

Per-App IP Policies

You can determine whether to allow IP Access Policies for each App. If IP filtering is configured on an app, only the configured IP addresses or range of IP addresses are allowed. You can enable it by clicking the toggle for Allowed.

Figure 10: Per App IP Access Policies