Our identity and access management (IAM) practices ensure that user identities are adequately managed and access to corporate resources is controlled.
Access to systems
We have an Access Management Policy in place, ensuring that access to the corporate systems and development portal is documented securely, and the approval paths are clearly mapped. A documented procedure covers different account types and an account lifecycle—from a new account request to its deactivation.
Access to systems and data is based on the need-to-know principle and depends on the account type, meaning that users are granted the access rights necessary to perform their tasks. Access controls such as user authentication and authorization, verification, and identity status monitoring are implemented.
Authentication
Our access management and authentication are handled with IAM (Identity and Access Management) and CIAM (Customer Identity and Access Management) services.
IAM is used for managing employee identities, granting them access necessary to carry out their duties within the bounds of corporate policies. Access rights require approval from our internal IAM system, including the 4-eyes principle, segregation of duties, and re-certification procedures.
CIAM, based on Azure B2C, is used to manage customer access to our products. Users can sign in to the applications and authenticate through single-factor authentication (SFA) and single sign-on (SSO). Multi-factor authentication (MFA) is mandatory for client admins.
Privileged access
Privileged Access Management (PAM) is a cybersecurity approach that focuses on controlling and monitoring access to powerful accounts within an organization's IT infrastructure. It restricts access to authorized personnel only, reducing the risk of insider threats and safeguarding sensitive data and systems from potential breaches. PAM includes access controls, credential management, session monitoring, and privileged user behavior analytics, ensuring a more secure environment and regulatory compliance.
Access to production systems is not granted to anyone by default. It is granted temporarily to privileged accounts only with a given reason (for instance, a customer incident).
Multi-factor authentication
We use MFA (multi-factor authentication) as an extra layer of protection. MFA is a security mechanism that requires users to provide multiple forms of identification to access an account or system, enhancing protection against unauthorized access.
MFA is used internally to protect access to all internal services and access to the internal network, via either a VPN connection from corporate laptops or a virtual client to the internal network. When using PAM, MFA is also mandatory.
External users benefit from MFA if they are customer administrators and want to sign in to the Self-Service User Management. The API services are also protected by MFA.
Password management
Our Password Policy outlines the main principles of secure creation, storage, and usage of passwords. It sets requirements for:
- Password length and complexity: Secure passwords must be eight characters minimum and contain a combination of alphanumeric and special characters.
- Password change: Employees must change their passwords according to the criticality of their applications.
- Password reset: Employees who have forgotten their password can request a password change on the sign-in page.
- Account lockout: After multiple failed sign-in attempts, the employee's account is temporarily inactivated.
- Password history: Employees cannot reuse any of their last 10 passwords.
Additionally, in the scope of the security awareness program, our employees are educated about secure password management practices.
Logging and tracking access
Each instance of privileged access to the production environment (for example, firefighting activities like restoration of service performance and diagnosis after an incident, non-automated infrastructure modification, or subscription maintenance) is automatically logged, and the entire working session is recorded.
The service manager of the respective service is eligible for granting privileged access under the following rules:
- The service manager can temporarily assign or revoke firefighting rights to individuals from the development teams. The service manager approves the PAM access request in IAM.
- The service managers are not allowed to assign themselves firefighting rights under the separation of interest policy. This is assured by the IAM approval workflows.
Technical logs are available on request. The log data contains all steps taken during the activity, namely, access to data, copying of data to local storage for investigation, and changes to the production environment.
Review of access rights
In the scope of access management, access rights are regularly reviewed depending on their criticality (annually or twice a year). Each review is properly documented, and deviations are managed accordingly.