Practical Security Guidance

Introduction

This page includes tips for keeping your information safe and guidance on configuring the key security settings within our application that protect your data and ensure secure usage.

Follow these steps to manage access, authentication, and user management effectively.


User Access

Avoid Using Shared/Generic User Accounts

  • Users should have individual accounts with strong passwords/passphrases. This reduces risks such as former staff retaining access and weak shared passwords.

Keep Your Credentials, such as Passwords, Safe and Secure

  • Keep your password confidential - don’t share it with anyone
  • Don’t reuse passwords across multiple sites; always use unique credentials and avoid variations of passwords you use on other platforms, e.g. social media
  • Don’t use passwords that are easy to guess or that are words found in the dictionary
  • Avoid using the name of a pet, friend or family member
  • Avoid using your company name, or any variation of it, in your passwords
  • Avoid using dates that are easy to guess, such as birthdays
  • Keep personal and work credentials separate
  • Avoid repeated or sequential characters, e.g. 1111 or abcd
  • Consider using memorable passphrases, e.g. tortuous-lights-oilskin-adverb
  • Use a password manager to create passwords so that they are randomly generated

Federated ID (Identity)

  • Federated identity management integrates our platform with your existing identity provider for secure user authentication.
  • Enable Single Sign-On (SSO) to streamline user access and improve security.
  • Ensure periodic review of federation settings and integration logs.
  • If your IdP uses phishing-resistant multi-factor authentication (MFA) – such as hardware security keys or biometric authentication – enabling this provides the strongest defence against unauthorised access

For more detailed guidance, visit Federated Identity Management

Use Two Factor Authentication (2FA)

  • Two Factor Authentication allows for a code to be sent via email, SMS or an authenticator app.

Ensuring 2FA is enabled means that even if a password is compromised, only the person with access to receive the code will be able to log in.

Set Session Length Time

  • The maximum session length time limits the total duration of a session, requiring users to re-authenticate after a specified period.
  • Set a maximum session length time to ensure sessions are not left open indefinitely.
  • Configure the platform to automatically log out users when the maximum session length time is reached.
  • Regularly review and adjust the session length time based on security needs and user feedback.
  • If you have the necessary permissions, you can configure session length in the Client Settings > Logging Settings page.

Provide the required level of permissions/access

  • Permissions control access to specific features and data within our platform, ensuring least privilege.
  • Regularly review and update permissions to align with organisational changes and least privilege principles.

For more information, see the Roles and Permission Definitions sections of the Admin User Guide.

Deactivate Unrequired User Accounts

  • Deactivating user accounts promptly when they are no longer needed helps prevent unauthorised access.
  • Regularly review active user accounts to identify and deactivate any that are no longer necessary.

User Account Deactivation

Browser Support, Data Encryption and IP Allow-Listing

Browser Support

The Browser Support Policy ensures compatibility and security by defining the supported browsers for our platform.

Modern browsers provide faster, safer, and more reliable experiences.

For optimal performance, consider using supported browser versions as older versions may have limitations.

Keeping your browser updated helps you benefit from the latest security improvements.

Browser Support Policy

TLS (Transport Layer Security)

TLS encrypts data transmitted between your devices and our platform to protect confidentiality and integrity.

Ensure TLS encryption is enabled for all communications with our platform.

Network Encryption

mTLS (Mutual Transport Layer Security)

mTLS provides mutual authentication by requiring both the client and server to present valid certificates during the TLS handshake.

Enable mTLS to ensure that both the client and server authenticate each other, providing an additional layer of security.

Our platform supports mTLS for mutual authentication. For setup guidance or assistance, please contact our support team.

Regularly review and update mTLS settings to align with security best practices and compliance requirements.

IP Allowlisting

IP Allowlisting restricts access to our APIs to predefined IP addresses or ranges.

  • Consider implementing IP Allowlisting, if appropriate for your networking environment, to enhance access control and security.
  • Specify trusted IP addresses that are allowed to access the platform.
  • Regularly review and update allowlisted IPs based on operational needs.
  • Implement logging and monitoring for allowlist changes.
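The checks behind the bullets above, as an added example that is not the platform's own implementation: matching a request's source address against single addresses and CIDR ranges, a review helper that flags overly broad or redundant entries, and an audit record for every change. The allowlist values are constructed from documentation address ranges, and the 256-host threshold is an assumed review limit.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample allowlist an administrator might configure for the
# platform's API. Addresses are from documentation ranges, not real systems.
ALLOWLIST = ["203.0.113.10", "198.51.100.0/24", "2001:db8:abcd::/48"]

def parse_allowlist(entries):
    # Single addresses become /32 (or /128) networks; strict=False accepts a
    # range written with host bits set, e.g. 198.51.100.5/24.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(client_ip, entries):
    # A request passes if its source address falls inside any listed range.
    # Comparing an IPv4 address against an IPv6 range is simply False.
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allowlist(entries))

def review_allowlist(entries, max_v4_hosts=256):
    # Periodic review helper: flag IPv4 ranges broad enough to defeat the
    # purpose of allowlisting, and entries already covered by a wider entry.
    nets = parse_allowlist(entries)
    findings = []
    for net in nets:
        if net.version == 4 and net.num_addresses > max_v4_hosts:
            findings.append(f"{net}: broad range ({net.num_addresses} addresses)")
        for other in nets:
            if other != net and net.version == other.version and net.subnet_of(other):
                findings.append(f"{net}: redundant, already covered by {other}")
    return findings

def allowlist_change_log(old, new, actor, when=None):
    # Audit trail for an allowlist edit: one record per added or removed entry,
    # so reviewers can see who widened or narrowed access and when.
    ts = (when or datetime.now(timezone.utc)).isoformat()
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return ([f"{ts} allowlist ADD {e} by {actor}" for e in added]
            + [f"{ts} allowlist REMOVE {e} by {actor}" for e in removed])
```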

Content Sharing

Secure Sharing

If you need to share files with someone, it is best to password protect the file and send the password separately from the file, preferably via a different channel, e.g. text message.

It is also recommended to use a Password Manager to create and securely share the password so that it is randomly generated and cannot be guessed.

Remove Personally Identifiable Information

Removing personally identifiable information (such as mobile numbers, dates of birth, etc.) prior to sharing will ensure you keep your recipient’s data safe.

Privacy Laws

Each country has its own privacy laws that promote and protect the privacy of individuals and regulate how organisations handle personal information.

If you are ever in doubt as to whether privacy could be breached, reach out to your organisation’s privacy and security teams for best practices.