In order to help prevent unauthorized access to user accounts and information, Cloud Elements has implemented a number of information security procedures and best practices.
- Cloud Elements requires that all access to any database containing sensitive and/or customer information, including our platform, use multi-factor authentication. Two-factor authentication is implemented for all remote access to our network by employees and third parties. For us, this entails Google Authenticator with virtual tokens, in addition to a password.
- Any user account that isn't used for 90 days will be disabled.
- After five failed attempts to sign in, accounts will be disabled for workstations and AWS servers. A locked account will automatically reactivate after at least 30 minutes, or once an IT administrator manually reactivates it.
- Manager approval is required before access or privileges to Cloud Elements information processing systems can be granted.
- Group or shared accounts are strictly prohibited, as is the sharing of user credentials.
- Except for password resets, all changes to user accounts, including termination, creation, or privilege modification, must be approved by the employee's manager.
- If a user is terminated, their access is immediately revoked.
- Requirements for password length and complexity are available here.
Best Practices for Users
We also recommend that your organization implement the following best practices:
- Because users are responsible for all actions performed under the context of their identity, ensure that each user has their own unique credential. Regardless of its form (a username, badge, or token), this credential must never be shared with any other person, whether or not they are part of the same organization.
- Limit administrator privileges to the fewest staff possible to perform sensitive duties. For each person who has administrator rights to any part of the Cloud Elements platform, you must have documented justification for their inclusion.
- Removable media isn't authorized because of security concerns; ensure your users understand the risks and possible consequences of use.