This article describes the system-level settings and policies that are configured by the System Administrator. The settings configured here apply to every object in the entire cluster.
Fortanix Data Security Manager (DSM) supports policies, set at the cluster level, that restrict which operations are permitted on accounts.
Approval for Account Creation
You can determine whether System Administrator approval is required to create a new Account. If it is enabled, a user cannot create a new account directly; the System Administrator receives an approval request instead, and once the System Administrator approves it, the user can create the new account. You can enable this option by clicking the toggle for Enabled.
Figure 1: Approval for Account Creation
Quorum Approval
This option defines the duration for which a pending quorum request stays active. After this duration has elapsed, the quorum request can no longer be approved. You can configure the quorum approval request expiry time; the default is 90 days.
Click Edit, configure the Approval requests expire after parameter, and then click Save.
Figure 2: Quorum Approval
Minimum Password Length
You can configure the minimum password length in this section. Every user in the system must use a password of at least this length. It applies to every user in every account in the cluster.
In the Fortanix DSM Sysadmin settings, go to the POLICIES page. To configure the minimum password length, click EDIT, type the value for the password length, and then click SAVE.
Figure 3: Minimum Password Length
Sign Up Email Confirmation
The Login page offers two options, sign in and sign up. You can select whether email confirmation is required at sign up. If this option is enabled, new users must confirm their email address before they can proceed to an account.
Figure 4: Sign up Email Confirmation
Self Sign Up
On the Login page, the user has the option to self-sign up. This policy determines whether users can use the Self sign up option. By default, it is enabled. You can disable it by clicking the toggle for Enabled.
Figure 5: Self Sign up
Session Expiration Time
This policy setting enables the user to configure the session expiration time parameters that will be applicable across the cluster.
Figure 6: Session Expiration Time
- Click EDIT and set the following:
  - Automatically log out user after: The period of inactivity (idle time) after which a user is automatically logged out. It is measured after authentication and applies to every user in every account in the cluster.
  - Second factor configuration mode expires after: If second factor authentication is enabled, the system prompts for the second factor after the username and password have been verified. This is the period the system waits for the user to provide the second factor configuration; after it expires, the user must complete the first factor authentication again.
  - App authentication expires after: The period of inactivity (idle time) after which an app is automatically logged out. It is measured after authentication and applies to every app in every account in the cluster.
- Click SAVE.
reCAPTCHA
reCAPTCHA is a system used by the SaaS service to let web hosts distinguish between access to websites by humans and by automation software. Without reCAPTCHA, it is possible to write automation scripts that sign up fake email addresses to Fortanix DSM; reCAPTCHA ensures that only human users can log in to Fortanix DSM. By default, it is disabled. You can enable reCAPTCHA by clicking the toggle for Enabled.
Fortanix DSM supports the following two types of reCAPTCHA:
- Google: In this option, you sign up with Google for a specific domain. Type the access key and the secret key in the relevant fields and click SAVE CHANGES.
- Custom: In this option, provide the URL of the provider that will verify the reCAPTCHA, the site key, and the secret key in the relevant fields and click SAVE CHANGES.
Figure 7: Google reCAPTCHA
Figure 8: Custom reCAPTCHA
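As an added illustration of the server-side half of that flow (example code, not Fortanix's implementation), the Python below builds the verification request that a server sends to the provider's verify URL and validates the JSON reply before trusting it. The siteverify field names are Google's; VERIFY_URL, EXPECTED_HOSTNAME, the two-minute freshness window and the sample replies are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical values mirroring the reCAPTCHA policy fields (not Fortanix code).
VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # or the Custom URL
EXPECTED_HOSTNAME = "dsm.example.com"       # assumed hostname of the login page
MAX_CHALLENGE_AGE = timedelta(minutes=2)    # assumed freshness window for a token

def build_verify_request(secret_key, token, client_ip=None):
    """Form fields the server POSTs to VERIFY_URL (the siteverify protocol).
    Only the secret key goes here; the site key is what the browser embeds."""
    fields = {"secret": secret_key, "response": token}
    if client_ip:
        fields["remoteip"] = client_ip
    return VERIFY_URL, fields

def check_verify_reply(body, now, expected_hostname=EXPECTED_HOSTNAME):
    """Return (ok, reason) for a siteverify JSON reply: it must report success,
    be solved on our hostname, and be fresh; otherwise a token solved elsewhere
    or long ago could be replayed against the sign-up form."""
    try:
        reply = json.loads(body)
    except json.JSONDecodeError:
        return False, "reply is not JSON"
    if reply.get("success") is not True:
        return False, "provider rejected token: %s" % reply.get("error-codes", [])
    if reply.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % reply.get("hostname")
    try:
        solved = datetime.fromisoformat(reply["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, AttributeError, ValueError):
        return False, "missing or malformed challenge_ts"
    if not (timedelta(0) <= now - solved <= MAX_CHALLENGE_AGE):
        return False, "challenge too old or in the future"
    return True, "ok"

# Constructed sample replies and clock values, not real provider output.
GOOD_REPLY = json.dumps({"success": True, "hostname": "dsm.example.com",
                         "challenge_ts": "2024-05-01T10:00:00Z"})
OTHER_HOST_REPLY = json.dumps({"success": True, "hostname": "other.example",
                               "challenge_ts": "2024-05-01T10:00:00Z"})
SAMPLE_NOW = datetime(2024, 5, 1, 10, 1, 0, tzinfo=timezone.utc)   # 1 min later
STALE_NOW = datetime(2024, 5, 1, 10, 5, 0, tzinfo=timezone.utc)    # 5 min later

if __name__ == "__main__":
    print(check_verify_reply(GOOD_REPLY, SAMPLE_NOW))     # (True, 'ok')
```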
Sysadmin Configuration - HSTS
The HTTP Strict Transport Security (HSTS) is a web security policy mechanism. It forces web browsers to interact with websites only using secure HTTPS connections (and never HTTP). This helps to prevent protocol downgrade attacks and cookie hijacking.
If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.
The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
The Fortanix DSM allows administrators to configure the HSTS policy using the Sysadmin settings.
- In the Fortanix DSM Sysadmin settings POLICIES page, enable HTTP Strict Transport Security (HSTS) by clicking the toggle for Enabled.
- In the policy, set:
  - Maximum age: The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS.
  - Include subdomains: If this optional parameter is specified, the rule applies to all of the site's subdomains as well.
  - Authorize preload: If a site sends the preload directive in an HSTS header, it is requesting inclusion in the browsers' HSTS preload list.
- Click SAVE to save the HSTS policy setting.
Figure 9: HSTS
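As an added example (not Fortanix code), the following Python builds the Strict-Transport-Security header value from the three policy fields above, parses one received from a server, and lists the reasons the preload list would reject it. The one-year minimum max-age together with includeSubDomains and preload is the published preload requirement; the class and function names are the example's own.

```python
from dataclasses import dataclass
# One year in seconds: the minimum max-age the browser preload list accepts.
PRELOAD_MIN_MAX_AGE = 31_536_000

@dataclass
class HstsPolicy:
    """Mirrors the three fields on the Sysadmin HSTS policy page."""
    max_age: int
    include_subdomains: bool = False
    preload: bool = False
    def header_value(self) -> str:
        # The Strict-Transport-Security value the server should send.
        parts = [f"max-age={self.max_age}"]
        if self.include_subdomains:
            parts.append("includeSubDomains")
        if self.preload:
            parts.append("preload")
        return "; ".join(parts)

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).
    Directive names are case-insensitive, max-age is mandatory and
    unknown directives are ignored, as browsers do."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                raise ValueError(f"bad max-age: {raw!r}")
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(policy: HstsPolicy) -> list:
    """Reasons the preload list would reject this policy (empty list = OK)."""
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (31536000 seconds)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is required")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems
```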
Per-App IP Policies
You can determine whether IP Access Policies are allowed for each App. When IP filtering is enabled for apps, only requests from the configured IP addresses or ranges of IP addresses are allowed. You can enable it by clicking the toggle for Allowed.
Figure 10: Per App IP Access Policies
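As an added example of the check such a policy implies (not the Fortanix DSM implementation), the Python below compiles policy entries given as single addresses, CIDR blocks or explicit ranges, and denies everything else, including unparseable addresses and IPv4-mapped IPv6 forms that do not resolve to an allowed address. The "low-high" range syntax and the sample values are assumptions made for this example.

```python
import ipaddress

def _normalize(ip_text):
    """Parse a client IP. IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded to IPv4
    so an allowlist written in IPv4 still matches behind a dual-stack proxy."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def compile_policy(entries):
    """Turn policy entries into networks. Accepted forms (assumed syntax):
    a single address, a CIDR block, or an inclusive "low-high" range."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {entry}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_allowed(policy_nets, client_ip):
    """Deny by default: the client is allowed only if some configured
    network contains it. An unparseable address is denied, not an error."""
    try:
        ip = _normalize(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in policy_nets)

# Constructed sample policy (documentation ranges, not real infrastructure).
SAMPLE_POLICY = ["203.0.113.7", "198.51.100.0/24", "192.0.2.10-192.0.2.20"]
SAMPLE_NETS = compile_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.21", "::ffff:198.51.100.9", "garbage"):
        print(ip, "allowed" if is_allowed(SAMPLE_NETS, ip) else "denied")
```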