.. Byteflies Account Security Policies
.. Author: Benjamin Vandendriessche

.. STATUS: production

#########################
Account Security Policies
#########################

This document describes a mix of mandatory and recommended security practices at Byteflies. We are dealing with systems that house or have access to protected health information\ [1]_, therefore **it is our legal responsibility to take every reasonable precaution to prevent data leaks**.

Note that the data we will be dealing with under most circumstances will be so-called *de-identified data*, i.e. data from which all personally identifiable information\ [2]_ has been stripped. That does not mean this data is no longer subject to any regulations. For all intents and purposes, it should still be handled as privacy-sensitive protected information. Access to *identifiable data* will be rare as it requires regulatory approval on a person-by-person basis by an Ethics Committee (EU) or Institutional Review Board (US). Colleagues who need access to this type of data will have to complete a much more extensive certification course.

.. [1] Data Protection Directive 95/46/EC (EU) or HIPAA (US). Byteflies will apply the US regulations as they are more strict (or at least more specific) than the EU rules.
.. [2] Personally identifiable information (PII) and, in HIPAA terms, protected health information (PHI) are the categories of data regulated under EU and US information privacy laws; PHI is health data that can be linked to an individual. Any unauthorized access to PII/PHI is illegal and should be reported immediately.

.. rubric:: Quick Navigation
.. contents::
   :local:
   :depth: 2

----

*****************
Password Policies
*****************

Byteflies uses **Dashlane for Business** (macOS, Windows, iOS, and Android apps are available). If you have not yet received an invitation email, ask an admin. Introductory tutorials can be found `here <https://www.dashlane.com/business/videos>`_. Please review them if you are not familiar with Dashlane.

.. danger:: Your Dashlane master password cannot be recovered. If lost, you will be locked out of your account with no chance of recovering any of the data. If you want to store your master password somewhere for safekeeping, use an **encrypted** archive!

Mandatory policies
==================

.. warning:: *Never* have your master password remembered by any of the Dashlane apps. The only exception to this rule is when you use a :ref:`2FA method <2FA>`.

Please adhere to all these rules, *no exceptions* will be made:

* Minimum **master** password length = 12
* Minimum password length = 10
* Use the Dashlane password generator (browser extension or mobile apps), and a mix of letters, digits and symbols
* Enable :ref:`Two-Factor Authentication (2FA) <2FA>` for your Dashlane account
* Store Byteflies domain passwords in your Byteflies workspace (this is enforced automatically)
* Do not share passwords or (encryption) keys outside of Dashlane
* Do not re-use passwords (this will be enforced by admins)
* Do not let the browser's built-in credential manager store login information; use the Dashlane browser extension instead (available for Chrome, including Chrome for Android, Firefox, and Safari)
* Passwords for hacked websites or services should be changed immediately (Dashlane will notify you)

.. hint:: You can check your password habit statistics in the Security Dashboard tab in Dashlane. This is a quick way to identify any weaknesses.

Additional guidelines
=====================

The following guidelines are recommended but optional (common sense will go a long way):

* Recommended **master** password length = 14+
* Recommended password length = 12+
* Configure Dashlane to request a 2FA challenge every time your device is rebooted
* Remembering the master password on your personal device (laptop and/or phone) is allowed *only* if a 2FA challenge is requested on every device reboot *and* if the device automatically locks\ [3]_ after 5 minutes of inactivity or less
* Dashlane supports Universal 2nd Factor (U2F) security keys (e.g. `YubiKey <https://www.yubico.com/>`_), which answer the second-factor challenge with a key held on the device instead of a code you type
* Certain supported websites allow you to change the password with one-click directly from Dashlane

.. attention:: If you have reason to believe that your master password is compromised, change it immediately and notify an admin. If you lose a U2F key or 2FA device, immediately revoke access for that device in your account and notify an admin.

.. hint:: A YubiKey can also hold a static password (e.g. your master password) that it types out when touched. This is convenient, but remember that it puts both factors (something you know and something you have) on a single device: whoever holds the key holds both. This scenario is **only allowed on devices that automatically lock** with a strong authentication method when not in use.

.. [3] "lock" refers to either a password, PIN code, or a biometric (e.g. fingerprint) method of authentication.

Spaces
======

As mentioned above, any ``@byteflies.com`` accounts will be automatically added to the Byteflies Space in Dashlane. Accounts using other domains but still related to Byteflies should be manually added to this Space. In addition, there is a Personal Space that can be used for storing any other login credentials.

Sharing
=======

In addition to encouraging good password practices, another important reason for using Dashlane is password sharing. For accounts that are used by multiple people, the password entry should be shared from Dashlane so that password changes propagate automatically to the appropriate Dashlane accounts. Some additional pointers:

* Any other metadata associated with a password is personal and does not sync
* Deleting a shared password does not delete the copy of shared users
* Two sharing levels are available: ``full rights`` and ``limited rights``; the latter does not allow the receiving party to see the password in plain text (nor copy it). Note that a ``limited rights`` share is still autofilled into login forms, so the recipient can recover it from the page with little effort; treat it as a convenience, not as a hard confidentiality boundary

Secure notes
============

Dashlane can also be used to store other secure information, such as notes, personal information (for autofill on webforms), and payment card information. Secure notes can be shared as well, which is useful for e.g. account access information, encryption keys, etc.

----

.. _2FA:

*************************
Two-Factor Authentication
*************************

Two-factor Authentication (2FA) protects an account even if its password is compromised: an attacker who knows the password still cannot log in without the second factor. In most implementations, the second factor is produced by a separate device (e.g. a phone app, or a hardware USB key such as `YubiKey <https://www.yubico.com/>`_). When logging into a service protected by 2FA, in addition to the main password you provide a one-time code (or, with a U2F key, the key answers the login challenge directly). When setting up 2FA:

* It is highly recommended to register a phone as one of your 2FA devices so that SMS fallback is always available should you need it. Keep in mind that SMS is the weakest second factor (codes can be intercepted or redirected by SIM swapping), so use it as a fallback only, not as your everyday method
* Generate 2FA recovery codes and store them in a safe place in an **encrypted** archive
* Many apps are available that can generate 2FA tokens: `Authenticator Plus <https://www.authenticatorplus.com/>`_ (not free) is recommended because it can back up your tokens\ [4]_ and has some other useful features (Android and iOS apps are available, including for the watch); Google Authenticator has fewer options but is free. A backup of your tokens is as sensitive as the tokens themselves: keep it encrypted and behind its own strong password.

.. [4] This is important when you switch phones as it allows you to simply restore your backup, as opposed to re-adding all your 2FA enabled accounts.

The following policies should be taken into account:

* 2FA *has* to be enabled for your Dashlane account
* 2FA *has* to be enabled for your `Byteflies Google account (G Suite) <https://myaccount.google.com/>`_ and `Github <https://github.com/settings/admin>`_ accounts
* Slack 2FA is optional
* It is acceptable to add your devices to a *trusted device* list *if* that device automatically locks and is protected with a strong authentication method (this ensures you only need to answer a 2FA challenge when logging in from a new device)

.. hint:: Both G Suite and Github are U2F compatible and can be used with a `YubiKey <https://www.yubico.com/>`_ or equivalent authentication device.

----

********
RSA Keys
********

RSA is a public-key cryptosystem. In SSH (Secure SHell) your RSA key pair is used to *authenticate* you to a server: the private key stays on your machine and the public key is registered with the service, while the session itself is encrypted with keys that SSH negotiates separately. At Byteflies we use it:

1. As an alternative to user credentials to access git repositories (Github and Local Server)
2. To access the Byteflies Flyswatter server over SSH

Setup
=====

The following steps should only be performed once. If you already have an RSA key, use that one, provided it is at least 2048 bits long and protected by a passphrase.

.. _rsa_gen:

Generating an RSA key
---------------------

.. include:: ../snippets/rsa_gen.rst

Add your key to a service
-------------------------

Add your public key (``keyname.pub``) to the remote server. For Github, add it to your `Github account <https://github.com/settings/keys>`_. For the Local Server, send it to an admin. Only ever send or upload the ``.pub`` file; the private key (``keyname``, no extension) never leaves your machine.

Use
===

To use your keys with git you need your *remotes* to point to Github and git on the Local Server, respectively:

  * **git**\@github.com:Byteflies/documentation.git
  * **git**\@flyswatter.local:documentation

To access the Local Server over SSH, use: ``ssh user@flyswatter.local``
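The whole procedure above (generate the key once, hand out only the public half, register it, point the remotes at the SSH URLs) as an added shell script. This is an example written for this page, not Byteflies' own tooling; the key file name ``byteflies_rsa``, the ``setup`` / ``remotes`` arguments and the presence of OpenSSH and git are assumptions. Beyond the steps listed, it refuses to treat a private key as uploadable, checks the private key's file permissions, and prints the SHA-256 fingerprint so you can compare it with what Github shows after upload.

```shell
#!/bin/sh
# Added example, not Byteflies' own tooling. Generates a 4096-bit RSA key once,
# refuses to hand out anything but the public half, prints the fingerprint to
# compare against the service, and points git remotes at the SSH URLs above.
# Assumptions (hypothetical, not from the page): the key file name "byteflies_rsa",
# the "setup" / "remotes" arguments, and that OpenSSH and git are installed.
set -u

KEY_DIR="${KEY_DIR:-$HOME/.ssh}"
KEY_NAME="${KEY_NAME:-byteflies_rsa}"

# Return 0 if the argument is one OpenSSH RSA public-key line: key type "ssh-rsa",
# a base64 blob whose decoded prefix is the length-prefixed string "ssh-rsa"
# (which always base64-encodes to "AAAAB3NzaC1yc2E"), then an optional comment.
valid_pubkey_line() {
    line=$1
    set -f                             # no globbing while splitting
    set -- $line                       # split into type, blob, comment
    set +f
    [ "$#" -ge 2 ] || return 1
    [ "$1" = "ssh-rsa" ] || return 1
    case "$2" in
        AAAAB3NzaC1yc2E*) ;;           # decoded blob starts with "ssh-rsa"
        *) return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9+/=]*) return 1 ;; # not base64
    esac
    return 0
}

# Return 0 only if the file is a public key: a PEM/OpenSSH private key is rejected,
# so the wrong file cannot be pasted into a web form or mailed to an admin.
safe_to_upload() {
    file=$1
    [ -r "$file" ] || return 1
    grep -q 'PRIVATE KEY' "$file" && return 1
    valid_pubkey_line "$(head -n 1 "$file")"
}

# Return 0 if the private key is readable by its owner only (mode 600 or 400);
# ssh(1) refuses to use a key with looser permissions anyway.
private_key_locked_down() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD/macOS
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# SHA-256 fingerprint of a key, to compare with what Github shows after upload.
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# SSH-form remote URL in the shape the page uses: git@<host>:<path>
ssh_remote_url() {
    printf 'git@%s:%s\n' "$1" "$2"
}

setup_key() {
    priv="$KEY_DIR/$KEY_NAME"
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
    if [ ! -f "$priv" ]; then
        # -a 100: more KDF rounds, slowing brute force of the passphrase
        ssh-keygen -t rsa -b 4096 -a 100 -C "$(id -un)@byteflies" -f "$priv"
    fi
    private_key_locked_down "$priv" || chmod 600 "$priv"
    safe_to_upload "$priv.pub" || { echo "refusing: $priv.pub is not a public key" >&2; return 1; }
    echo "Upload $priv.pub; the fingerprint shown by the service must match: $(fingerprint "$priv.pub")"
    ssh-add "$priv"
}

# Run inside a clone of the documentation repository.
configure_remotes() {
    git remote set-url origin "$(ssh_remote_url github.com Byteflies/documentation.git)"
    git remote add local "$(ssh_remote_url flyswatter.local documentation)" 2>/dev/null \
        || git remote set-url local "$(ssh_remote_url flyswatter.local documentation)"
}

case "${1:-}" in
    setup)   setup_key ;;
    remotes) configure_remotes ;;
esac
```

Run ``sh rsa_setup.sh setup`` once per machine, then ``sh rsa_setup.sh remotes`` inside your clone. The public-key check looks at the decoded prefix rather than the file extension because a renamed private key would otherwise pass; the fingerprint printed at the end is the value to compare against the Github key list before trusting that the right key was uploaded.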

----

****************
Drive Encryption
****************

*All* larger devices (laptops, desktops, external hard drives) used for Byteflies-related work **have to use full-disk encryption** (e.g. FileVault on macOS, BitLocker on Windows), with the recovery key stored in a Dashlane secure note rather than in plain text. If you are issued a Byteflies laptop, it will be properly configured by an admin. If you use your own laptop, ask an admin to set up drive encryption.

Smaller devices (phones, USB drives, SD cards) can be encrypted at your own discretion.

.. attention:: Any device that stores PHI has to be encrypted. Under the HIPAA breach notification rules, the loss of an encrypted device is not a reportable breach; the loss of an unencrypted one is.
