Difference between revisions of "Security setup"

From TempusServa wiki
Jump to navigation Jump to search
 
(71 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Security features ==


=== Password policies (recommended) ===
== Security baseline ==
Password should have rules in order to prevent guessing
 
* Requirements to length and complexity
=== Security by design ===
The platform is security designed in accordance with [https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf OWASP version 4]:
* Level 2: Compliant
* Level 3: +90% supported
 
In addition the platform supports a wide range of security schemes and logging features, needed for support of ISO27001, ISAE3000 etc.
 
The platform is subject to periodic penetration testing. Last customer testing was july 2021.
 
===Default security ===
By default the Tempus Serva is verifiably secure to all common threat vectors, such as
* SQL injection
* Cross-Site Scripting
* Session highjacking
* Login replays
* [https://owasp.org/www-project-top-ten/ etc]
 
Protective measure includes common hardening efforts, such as
* Data sanitization
* Request throtling
* CSRF tokens
* [https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf etc]
 
In addition to this baseline additional features can be activated per installation.
* Built-in: Features in the product itself
* External: Measures controlled in application server or operating system
 
== Security built-in ==
 
=== Password Policies (recommended) ===
TS No-code Platform allows you to setup and enfoce the use of strong passwords through an appropriate password policy. Specify attribute requirements that control complexity and lifetime of passwords such as:
* Mimimum password length
* Special characters
* Maximum password age
* Maximum number of tries
* Maximum number of tries


'''How to:''' The polices can be changed in server configurations
The struictural restrictions will be honored when
* The user changes his password
* A new randow password is generated and sent
 
Passwords can also be set to expire after an amount of time.
 
'''How to:''' The polices can be changed in server configurations in the group ''Password policies''


'''Note:''' The password polices will have no impact on SSO authentication
'''Note:''' The password polices will have no impact on SSO authentication


=== Multifactor authentication (recommended) ===
=== Multi-factor Authentication (recommended) ===
Two different options exist (choose one)
TS No-code Platform offers native Multi-factor Authentication to protect against unauthrised access by requiring a user to provide multiple authentication factors to prove their identity. At present two different options are available:
* MFA using codes sent to the users mobile via SMS
* MFA using session-specific, one-time-passcodes sent to the users mobile phone via regular or Flash SMS
** You will need to create an account for sending SMS  
** You will need to create an account for sending SMS  
** Cost is approx. 0,30 DKK per message)
** Cost is approx. 0,30 DKK per message)
Line 22: Line 60:
SMS requires very little of the users, while App based MFA is considered (slightly) more secure.
SMS requires very little of the users, while App based MFA is considered (slightly) more secure.


'''Note:''' If using singleignon the MFA will not be used
'''Note:''' If using singlesignon (SSO) the MFA will not be used


=== Geolocation blocking (optional) ===
=== Geolocation blocking (optional) ===
Geoblocking will allow the servers to deny requests from ceratin countries.
Geoblocking will allow the servers to deny requests from certain countries.


=== Denial of service hardening (optional) ===
The geoblocking will match the clients IP against af Geo service. The county will be matched to the servers whitelist of country names.


== Compliance features ==
'''How to:''' Change the system configurations starting with ''ipBlocker''
* Activate setting '''ipBlockerActive'''
* Set allowed countries in ''' ipBlockerAllowedCountries'''


=== Logging ===
=== Request throttling (optional) ===
Each entity can support the following  
As specified in OWASP v4 system should be able to limit the mount of request a user can carry out in a system.
* Access log: User that has edited or viewed an item
 
* Status log: History of items time spent in each step
Limitations can be set on
* Change log: Copy of old data along with timestamp and user that has changed the item (see below)
* Pages hit
* WebDAV requests
* Upload (size/count)
* REST operations
 
'''How to:''' Edit server configurations starting with ''limit''
 
=== Brute force prevention (optional) ===
This protection is handled by not serving too many requests to the login page, regardless of the source in question.
This will prevent brute force attacks on distributed accounts using multiple machines. In case the detection triggers, login requests will be ignored for at set amount of time, while allready logged in users can continue their work.
 
'''How to:''' Define systems configurations starting with ''bruteforce''
 
=== Additional configurations ===
* File whitelisting (uploadWhitelist)
* OWASP compliance (owaspCompliance)
 
== Security external ==
 
=== Virus scanning ===
Scanning of uploaded fiels are left to software installed on the system.
 
The upload feature will temporarily store the files on the file system, so that detection mechanisms can quarantine the files in case they are infected.
 
=== Storage encryption ===
Storage encryption is normally supported by the underlying technologies, with the possible exception of password hashes (handled with BCrypt).
 
MySQL (+8) supports multiple encryption schemes
* The whole database
* Single schema (each TS installation)
 
Read more about encryption for [https://mysqlserverteam.com/controlling-table-encryption-in-mysql-8-0/ MySQL] and [https://mariadb.com/kb/en/data-at-rest-encryption-overview/ MariaDB]
 
O/S level encryption technology includes
* Windows: BitLocker
* Linux: LUKS
 
=== Transport encryption (https) ===
Minimum requirements are SSL certificates. On Linux these can easily be obtained for free via LetsEncrypt.
 
Optionally the server can also apply to HSTS, using the following [https://www.javaprogramto.com/2018/09/adding-http-strict-transport.html guideline for Tomcat].
 
=== Denial of service attacks ===
Protection against DOS attacks are best handled using dedicated services such as Cloudflare.
 
== Compliance built-in ==
 
=== Activity and data logging (optional) ===
Activity and Data Logging includes the automatic creation of a series of log files. Logging can be set up for each entity in an application providing insight and transparency in relation to: user activity, creation, changes and status of different records in an application.
* '''Access Log''': Can be activated on an entity in an application. This automatically generates a log of which users have accessed and/or edited a given record.
* '''Status Log''': Can be activated for an entity in an application. This automatically generates a log of the history of the created records, which shows how long a record has been in each status
* '''Change Log''': Can be activated for an entity in an application. This automatically generates a log of what changes have been made to the individual records. Including who has changed what and when (timestamp).


'''How to:''' Each option is activated on the entity Advanced page.
'''How to:''' Each option is activated on the entity Advanced page.
Line 41: Line 132:
'''Pro tip:''' Especially the status log can be used for setting up performance charts on dashboards, as it can give detailed information of how much time was spent in each step.
'''Pro tip:''' Especially the status log can be used for setting up performance charts on dashboards, as it can give detailed information of how much time was spent in each step.


=== Versioning ===
=== Versioning (optional) ===
By default file versioning is supported on document fields.
By default file versioning is supported on the "Documents" and "Files" field types. In addition, data revisions can be supported on each entity. This automatically builds an audit log for each record.


In addition data revisions can be supported on each individual entity.
In addition data revisions can be supported on each individual entity.
Line 48: Line 139:
'''How to:''' Data revisions is activated on the entity Advanced page.
'''How to:''' Data revisions is activated on the entity Advanced page.


=== GDPR deletion policies ===
=== GDPR Deletion Policies (optional) ===
GDPR policies will enable automatic handling of stated deletion policies. The system will automatically remove or anonoumize data and files in the system.
For each entity in a TS Application, a GDPR Deletion Policy can be set up, enabling automatic deletion or anonymization in accordance with the specified rules. The application will thus automatically delete or anonymize data and files in the application, cf. specified criteria.


'''How to:'''  
'''How to:'''  
Line 62: Line 153:
# Check of anoumization
# Check of anoumization
# Optionally set value after change
# Optionally set value after change
=== Event and System Logging (recommended) ===
When Event and System Logging are turned on for an application, the following events are logged automatically:
* User logins
** Succesfull normal user logins are hidden
** Also contains client IP (used for MFA)
* System events
** User errors
** Scheduled services
** Administrator logins
Error events will include stacktraces if available.
The eventlog can be cleaned automatically on a regular schedule.
== Compliance external ==
=== Request logging ===
The webserver itself can be set up to do make detailed logs in file , containing for example
* Request timestamp, IP and session ID
* Stacktraces on errors
Depending on your security setup you might want to log these to a central repository
== Other optional security features ==
* [[Security/Data restrictions|Data restrictions]]
* [[Security/Encryption|SSL encryption]]
* [[Security/Bruteforce|Bruteforce countermeasures]]

Latest revision as of 13:40, 9 November 2024

Security baseline

Security by design

The platform is security designed in accordance with OWASP version 4:

  • Level 2: Compliant
  • Level 3: +90% supported

In addition the platform supports a wide range of security schemes and logging features, needed for support of ISO27001, ISAE3000 etc.

The platform is subject to periodic penetration testing. Last customer testing was july 2021.

Default security

By default the Tempus Serva is verifiably secure to all common threat vectors, such as

  • SQL injection
  • Cross-Site Scripting
  • Session highjacking
  • Login replays
  • etc

Protective measure includes common hardening efforts, such as

  • Data sanitization
  • Request throtling
  • CSRF tokens
  • etc

In addition to this baseline additional features can be activated per installation.

  • Built-in: Features in the product itself
  • External: Measures controlled in application server or operating system

Security built-in

Password Policies (recommended)

TS No-code Platform allows you to setup and enfoce the use of strong passwords through an appropriate password policy. Specify attribute requirements that control complexity and lifetime of passwords such as:

  • Mimimum password length
  • Special characters
  • Maximum password age
  • Maximum number of tries

The struictural restrictions will be honored when

  • The user changes his password
  • A new randow password is generated and sent

Passwords can also be set to expire after an amount of time.

How to: The polices can be changed in server configurations in the group Password policies

Note: The password polices will have no impact on SSO authentication

Multi-factor Authentication (recommended)

TS No-code Platform offers native Multi-factor Authentication to protect against unauthrised access by requiring a user to provide multiple authentication factors to prove their identity. At present two different options are available:

  • MFA using session-specific, one-time-passcodes sent to the users mobile phone via regular or Flash SMS
    • You will need to create an account for sending SMS
    • Cost is approx. 0,30 DKK per message)
  • MFA using af dedicated app from
    • Apple
    • Google
    • Microsoft

SMS requires very little of the users, while App based MFA is considered (slightly) more secure.

Note: If using singlesignon (SSO) the MFA will not be used

Geolocation blocking (optional)

Geoblocking will allow the servers to deny requests from certain countries.

The geoblocking will match the clients IP against af Geo service. The county will be matched to the servers whitelist of country names.

How to: Change the system configurations starting with ipBlocker

  • Activate setting ipBlockerActive
  • Set allowed countries in ipBlockerAllowedCountries

Request throttling (optional)

As specified in OWASP v4 system should be able to limit the mount of request a user can carry out in a system.

Limitations can be set on

  • Pages hit
  • WebDAV requests
  • Upload (size/count)
  • REST operations

How to: Edit server configurations starting with limit

Brute force prevention (optional)

This protection is handled by not serving too many requests to the login page, regardless of the source in question. This will prevent brute force attacks on distributed accounts using multiple machines. In case the detection triggers, login requests will be ignored for at set amount of time, while allready logged in users can continue their work.

How to: Define systems configurations starting with bruteforce

Additional configurations

  • File whitelisting (uploadWhitelist)
  • OWASP compliance (owaspCompliance)

Security external

Virus scanning

Scanning of uploaded fiels are left to software installed on the system.

The upload feature will temporarily store the files on the file system, so that detection mechanisms can quarantine the files in case they are infected.

Storage encryption

Storage encryption is normally supported by the underlying technologies, with the possible exception of password hashes (handled with BCrypt).

MySQL (+8) supports multiple encryption schemes

  • The whole database
  • Single schema (each TS installation)

Read more about encryption for MySQL and MariaDB

O/S level encryption technology includes

  • Windows: BitLocker
  • Linux: LUKS

Transport encryption (https)

Minimum requirements are SSL certificates. On Linux these can easily be obtained for free via LetsEncrypt.

Optionally the server can also apply to HSTS, using the following guideline for Tomcat.

Denial of service attacks

Protection against DOS attacks are best handled using dedicated services such as Cloudflare.

Compliance built-in

Activity and data logging (optional)

Activity and Data Logging includes the automatic creation of a series of log files. Logging can be set up for each entity in an application providing insight and transparency in relation to: user activity, creation, changes and status of different records in an application.

  • Access Log: Can be activated on an entity in an application. This automatically generates a log of which users have accessed and/or edited a given record.
  • Status Log: Can be activated for an entity in an application. This automatically generates a log of the history of the created records, which shows how long a record has been in each status
  • Change Log: Can be activated for an entity in an application. This automatically generates a log of what changes have been made to the individual records. Including who has changed what and when (timestamp).

How to: Each option is activated on the entity Advanced page.

Pro tip: Especially the status log can be used for setting up performance charts on dashboards, as it can give detailed information of how much time was spent in each step.

Versioning (optional)

By default file versioning is supported on the "Documents" and "Files" field types. In addition, data revisions can be supported on each entity. This automatically builds an audit log for each record.

In addition data revisions can be supported on each individual entity.

How to: Data revisions is activated on the entity Advanced page.

GDPR Deletion Policies (optional)

For each entity in a TS Application, a GDPR Deletion Policy can be set up, enabling automatic deletion or anonymization in accordance with the specified rules. The application will thus automatically delete or anonymize data and files in the application, cf. specified criteria.

How to:

  1. Set up an action on a entity status
  2. Check of deletion policy
  3. Choose between anonoumization or deletion
  4. Optionally select log data to also be deleted

In case you choose "anonoumization" you should define how each field should be handled

  1. Click on a field
  2. Click on Assignment
  3. Check of anoumization
  4. Optionally set value after change

Event and System Logging (recommended)

When Event and System Logging are turned on for an application, the following events are logged automatically:

  • User logins
    • Succesfull normal user logins are hidden
    • Also contains client IP (used for MFA)
  • System events
    • User errors
    • Scheduled services
    • Administrator logins

Error events will include stacktraces if available.

The eventlog can be cleaned automatically on a regular schedule.

Compliance external

Request logging

The webserver itself can be set up to do make detailed logs in file , containing for example

  • Request timestamp, IP and session ID
  • Stacktraces on errors

Depending on your security setup you might want to log these to a central repository


Other optional security features