User Security Policies
It's important to keep your Cumulus account safe. To that end, the Security Policies allow you to lock down your account, restrict IPs from which Cumulus can be accessed, and even force Two-Factor Authentication on your users.
This article applies to Administrator accounts. Quarantine Administrator accounts can view this information but cannot edit the parameters.
Administrators can manage their security policies under:
My Organization → Parameters → Advanced → Security Policies
In this article:
- Managing Password Composition
- Managing Password History and Expiry
- Enabling Two-Factor Authentication
- Login CIDR Range Restrictions
This section combines three functions that allow administrators to establish their own security policies with regard to:
- Password length and composition
- Password expiration period
- The login CIDR range restrictions for Cumulus
Managing Password Composition
This configuration allows a client to establish their own policies regarding the password length and composition, the frequency of password changes, and the number of successive login failures before the account is locked (to unlock it, the password must be reset). If the client does not assign any criteria, the default criteria assigned by Cumulus are:
- Minimum length of twelve characters
- Three successive login failures
Administrators can choose to impose one or several of the following password requirements:
- A maximum length up to 40 characters
- A minimum number of lowercase letters
- A minimum number of uppercase letters
- A minimum number of digits
- A minimum number of special characters (such as @, $, %, &). An information box lists the permitted special characters.
The sum of the minimum numbers imposed for the combined criteria must not exceed the defined maximum password length.
Managing Password History and Expiry
This function requires users to change their password at regular intervals of at least 30 days and prevents them from reusing the same password. By default, Cumulus does not impose a password lifespan and, when a password is reset, accepts passwords that have been used in the past.
To modify this action, the administrator first clicks on the Edit link. A screen will allow them to choose “Yes” or “No” for the “Enabled” option. If they click on “Yes,” two new fields will appear:
- Expiration (days)
- Passwords remembered
Both fields are required. In the “Expiration” field, the number entered must be equal to or more than 30 but less than 1000. In the “Passwords remembered” field, which sets how many previous passwords the system keeps for each user so that they cannot be reused, a number equal to or more than 10 must be entered.
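The two password sections above describe a set of rules (length and composition minimums, the sum-of-minimums constraint, the lockout threshold, the 30..999-day expiry range and the minimum of 10 remembered passwords) without showing how they fit together. The following is an added example, not Cumulus's own code, that enforces those rules the way a server would: it validates the administrator's configuration, checks a candidate password's composition, keeps salted PBKDF2 hashes of previous passwords so reuse can be refused without storing them, and tracks expiry and lockout. The set of permitted special characters, the PBKDF2 work factor and the treatment of an empty history are assumptions; the page shows the real special-character list in an information box.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed placeholder set: the real list of permitted special characters
# is shown in the Cumulus information box and is not reproduced on this page.
SPECIAL_CHARS = "@$%&!#*?-_"
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored history hashes


@dataclass
class PasswordPolicy:
    """The parameters an administrator can set, initialised to the Cumulus defaults."""
    max_length: int = 40            # configurable up to 40
    min_length: int = 12            # default: minimum twelve characters
    min_lower: int = 0
    min_upper: int = 0
    min_digits: int = 0
    min_special: int = 0
    max_failures: int = 3           # default: three successive failures lock the account
    expiry_enabled: bool = False    # "Enabled" is No by default
    expiration_days: int = 0
    passwords_remembered: int = 0

    def validate_config(self) -> list[str]:
        """Errors an administrator would hit when saving an inconsistent policy."""
        errors = []
        if not 1 <= self.max_length <= 40:
            errors.append("maximum length must be between 1 and 40")
        required = self.min_lower + self.min_upper + self.min_digits + self.min_special
        if required > self.max_length:
            errors.append("sum of minimums exceeds maximum length")
        if self.expiry_enabled:
            if not 30 <= self.expiration_days < 1000:
                errors.append("expiration must be >= 30 and < 1000 days")
            if self.passwords_remembered < 10:
                errors.append("passwords remembered must be >= 10")
        return errors

    def check_composition(self, pw: str) -> list[str]:
        """Reasons a candidate password fails the composition rules (empty list = OK)."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        counts = {
            "lowercase": sum(c in string.ascii_lowercase for c in pw),
            "uppercase": sum(c in string.ascii_uppercase for c in pw),
            "digit": sum(c in string.digits for c in pw),
            "special": sum(c in SPECIAL_CHARS for c in pw),
        }
        needed = {"lowercase": self.min_lower, "uppercase": self.min_upper,
                  "digit": self.min_digits, "special": self.min_special}
        for kind, minimum in needed.items():
            if counts[kind] < minimum:
                problems.append(f"needs at least {minimum} {kind} character(s)")
        return problems


@dataclass
class UserRecord:
    """Per-user state: (salt, hash) of past passwords, newest last; change date; lockout."""
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: date = field(default_factory=date.today)
    failures: int = 0
    locked: bool = False


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(policy: PasswordPolicy, user: UserRecord, new_pw: str, today: date) -> list[str]:
    """Apply a password reset. Returns the rejection reasons, or [] on success."""
    errors = policy.check_composition(new_pw)
    # Reuse is refused only when history/expiry is enabled; the default accepts old passwords.
    if policy.expiry_enabled and any(
            hmac.compare_digest(_hash(new_pw, salt), digest) for salt, digest in user.history):
        errors.append("password was used before")
    if errors:
        return errors
    salt = os.urandom(16)
    user.history.append((salt, _hash(new_pw, salt)))
    if policy.expiry_enabled:
        user.history = user.history[-policy.passwords_remembered:]
    user.last_changed = today
    user.failures = 0
    user.locked = False   # a reset is what unlocks a locked account
    return []


def password_expired(policy: PasswordPolicy, user: UserRecord, today: date) -> bool:
    if not policy.expiry_enabled:
        return False
    return today - user.last_changed >= timedelta(days=policy.expiration_days)


def record_login_attempt(policy: PasswordPolicy, user: UserRecord, success: bool) -> bool:
    """Update the failure counter; returns True if the account is (now) locked."""
    if user.locked:
        return True
    if success:
        user.failures = 0
    else:
        user.failures += 1
        if user.failures >= policy.max_failures:
            user.locked = True
    return user.locked
```

Two design points worth noting: the history is compared with `hmac.compare_digest` against per-entry salted hashes, so a database leak does not expose old passwords and the comparison does not leak timing; and the lockout counter is reset only by a successful login or a password reset, which matches the page's statement that a locked account is unlocked by resetting the password.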
Enabling Two-Factor Authentication
You may activate Two-Factor Authentication (2FA) to increase account security. The second authentication factor can either be created via a linked app or by code sent via SMS.
Before you activate: You may wish to add a cellphone number to your user account before activating 2FA. In the event that you have lost your authentication app, Cumulus can fall back to sending your 2FA code via SMS.
If you activate 2FA on your user account and lose access to your authentication device, we will not be able to deactivate the authentication. If you are unable to access your user account secured with 2FA, the only recourse will be to delete your user account.
How to activate 2FA
Method 1: on your own account
If you would like to activate 2FA for your account, click the My Profile tab (found under the Home tab). Scroll down to the Two-factor authentication section and click the Enable two factor authentication link. You will then be prompted to link your Cumulus account to your authentication app. You can do this either by scanning the QR code or by entering the Key string into your app.
Once the app has been linked, you will have to enter the generated Code into Cumulus to confirm activation of 2FA.
From this point on, every time you log into Cumulus, you will need to provide the authentication code from your app.
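The "Key string" you enter into the app and the "Code" the app then generates are the two halves of the time-based one-time password scheme that authenticator apps implement (RFC 6238 TOTP on top of RFC 4226 HOTP). The following is an added example, not Cumulus's code, showing both halves and the server-side check that goes with them: the app side derives a 6-digit code from the shared key and the current 30-second step; the verifier side accepts one adjacent step on either side to absorb clock drift and refuses to accept the same step twice, so a code that has already logged someone in cannot be replayed. The step length, digit count, drift window and base32 key encoding are the common defaults and are assumptions about any specific app; the test values are the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, the authenticator-app default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. This is the app side."""
    return hotp(secret, unix_time // step)


def key_from_key_string(key_string: str) -> bytes:
    """Decode the base32 key string an app would otherwise read from the QR code.
    Displayed keys are often grouped with spaces or dashes and shown in lowercase."""
    cleaned = key_string.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # padding is usually omitted when the key is displayed
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: accept the current step +/- `window` steps, never accept a step twice."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_accepted = -1   # highest counter already used for a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted:
                continue   # replay protection: each code is single-use
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False
```

The replay guard is why the page's warning about losing the device matters: the server holds only the shared key and the last accepted step, nothing that could regenerate a code for you, so without the app (or the SMS fallback) there is no way back into the account.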
Method 2: administrator prompt
Administrators can activate an option which prompts their Cumulus users to activate 2FA. Every time a user logs into Cumulus, they will receive a prompt to activate 2FA (see Method 1).
To activate 2FA prompting, you should click the following tabs: My Organization → Parameters → Advanced. You should now be in the Security Policies sub-tab. In the Two-factor authentication section, click the Edit link to select which users receive the 2FA activation prompt when logging in. You can choose to activate the prompt only for administrators or for all users.
How to deactivate
2FA may only be deactivated by the user that activated it.
In order to deactivate 2FA, log in to your account and enter your 2FA code from your app (or the 2FA code sent via SMS). Once logged in, click the My Profile tab (found under the Home tab). Scroll down to the Two-factor authentication section and click the Disable two factor authentication link. Once you receive a confirmation from Cumulus that 2FA has been deactivated on your account, it is now safe to remove the entry from your authentication app.
Login CIDR Range Restrictions
This function allows administrators to restrict Cumulus access to certain IP addresses or certain CIDR ranges. This could be used, for example, to prevent users from accessing Cumulus from a home computer. Multiple entries can be entered on separate lines or on the same line if they are separated by spaces, commas, or semicolons.
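To make the entry format and the check concrete, here is an added example, not Cumulus's own code, that parses an entry box in the format described above (entries on separate lines or separated by spaces, commas or semicolons, each either a single address or a CIDR range, IPv4 or IPv6) and decides whether a login from a given client address is allowed. Entries that are not valid addresses or ranges are reported back rather than ignored, and a range whose host bits are set (such as 192.0.2.5/24) is reported too, so a typo is visible to the administrator instead of being silently widened. The sample entry text is constructed, and the assumption that an empty list means the restriction is not in force is mine.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Entries may be on separate lines or on one line separated by spaces, commas or semicolons.
_SEPARATORS = re.compile(r"[\s,;]+")

# Constructed sample of what an administrator might type into the entry box.
SAMPLE_ENTRY = """203.0.113.0/24, 198.51.100.7; 2001:db8::/32
10.0.0.0/8 192.0.2.5/24 office-lan"""


def parse_login_ranges(text: str) -> tuple[list[Network], list[tuple[str, str]]]:
    """Split the entry box into networks; collect rejected tokens with the reason."""
    networks: list[Network] = []
    rejected: list[tuple[str, str]] = []
    for token in _SEPARATORS.split(text.strip()):
        if not token:
            continue
        try:
            # strict=True refuses e.g. 192.0.2.5/24 (host bits set) so the typo is
            # reported instead of being silently turned into 192.0.2.0/24.
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            rejected.append((token, str(exc)))
    return networks, rejected


def login_allowed(client_ip: str, networks: list[Network]) -> bool:
    """True when the client address falls inside at least one configured range."""
    if not networks:
        return True   # assumption: no entries means the restriction is not in force
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable address never matches
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_login_ranges(SAMPLE_ENTRY)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", bad)
    for ip in ("203.0.113.77", "198.51.100.8", "2001:db8:1::5"):
        print(ip, "allowed" if login_allowed(ip, nets) else "blocked")
```

One caveat a deployment should respect: the address checked must be the real client address as seen by the server, not a forwarded-for header, unless that header is set by a proxy the server trusts. A single address entered without a prefix length is treated as a /32 (or /128), which is what the "certain IP addresses" wording implies.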