1. Security
  • Overview
  • Application Guides
    • Frontend
      • Get Started - React App
      • Get Started - HTML and JS
      • Get Started - Angular JS
      • Get Started - Next JS App
    • Backend
      • Get Started - Node JS
      • Get Started - Golang
      • Get Started - ASP.NET
      • Get Started - JAVA
  • Dashboard
    • API Credentials
    • Organization
    • Social Login
    • Customize Email Template
    • Configure Custom Domain
    • IT Admin Portal
  • Authentication
    • Login Widget
    • Magic Link
    • Google Social Login
    • Multi-Factor Authentication
    • Single Sign-On Overview
    • Setup SSO Connection
  • Security
    • Overview
    • Authentication
      • Password Hashing and Storage
      • Multi-Factor Authentication Methods and Implementation
      • Session Management
    • Attack Protection
      • Bot Detection
      • Breached Password Detection
      • Brute Force Protection
      • Log Events
      • Secure JSON Web Tokens (JWT)
      • Secure OpenID Connect (OIDC)
      • Suspicious IP Throttling
    • Data Security
      • Data Encryption At Rest and In Transit
      • Secure Storage of Secrets (Keys, Credentials)
      • Sensitive Data Handling
    • Infrastructure
      • Security Considerations for Cloud Provider or Deployment Model
      • Threat Modeling
  • API References
    • Authentication
      • MagicLink
        • Email a Magic Link
        • Resend Email Magic Link
        • Verify Magic Link
        • Ping Status
      • Magic Auth Code
        • Email a Magic Auth Code
        • Resend Magic Auth Code
        • Verify Magic Auth Code
      • Phone Authentication
        • Send Magic Auth Code via SMS
        • Resend Magic Auth Code via SMS
        • Phone Magic Auth Verify
      • PassKey
        • Initiate Passkey Login
        • Passkey Registration Initialize
        • Finish Passkey Authentication
        • Complete Passkey Registration
        • Check User Passkey Authentication Status
        • List User PassKey Credentials
        • Update Passkey Name
        • Delete Associated Passkey
      • GET Auth Status
    • Token
      • Refresh Token
      • Access Token By Auth Code
    • Mutli-Factor Authentication (MFA)
      • MFA Access Token
      • List of Authenticators
      • MFA Enroll TOTP
      • Initiate MFA
      • QR Code Image API
      • Validate MFA Token
      • Get Backup Code
    • Role And Permission
      • List All Roles
      • List All Permission
      • Create New Role
      • Update Existing Role
      • Update Permission By Permission Id
      • Remove Organization Role By Role Id
      • Remove Organization Permission By Permission Id
    • User Management
      • List All Users
      • GET User By User Id
      • GET User by User Email Address
      • Create a User
      • Update User by User Id
      • Verify User Status By User Id
      • Delete User By User Id
      • Manage User Roles
      • GET Users Organizations
      • GET User Login Logs
    • Organization
      • Add New Organization
      • Get Organization
      • Get All Organization
      • Update Organization
      • Delete Organization
      • GET Configuration By Client Id
      • GET Configuration By Custom Domain
  1. Security

Overview

Introduction
SSOJet is a leading provider of Single Sign-On (SSO) solutions designed to offer seamless and secure access to multiple applications with a single set of login credentials. As part of our commitment to security, this document provides a comprehensive overview of the security measures, principles, and practices we employ to protect user data and ensure the integrity, confidentiality, and availability of our services.
Scope
This document covers the following aspects of SSOJet's security framework:
Security principles and practices
Compliance with regulations and standards
High-level description of security policies
Summary of key security measures
Security Principles
1.
Defense in Depth
Multiple Layers of Security: Implementing layered security controls to protect against various threats. These layers include network security, application security, endpoint security, and data security.
Redundancy: Ensuring that if one security control fails, additional controls are in place to continue providing protection.
2.
Least Privilege
Minimal Access: Granting users and systems only the access necessary to perform their tasks, minimizing potential attack vectors.
Role-Based Access Control (RBAC): Using RBAC to assign permissions based on the user's role within the organization, ensuring that access rights are appropriate and controlled.
3.
Zero Trust Architecture
Continuous Verification: Regularly verifying the identity of users and the integrity of devices, regardless of their location within or outside the network.
Micro-Segmentation: Dividing the network into smaller, isolated segments to minimize the potential impact of a breach.
Compliance and Regulations
SSOJet adheres to a range of regulatory standards and frameworks to ensure compliance and protect user data. These include but are not limited to:
GDPR: General Data Protection Regulation for protecting the privacy and personal data of EU citizens.
CCPA: California Consumer Privacy Act for safeguarding the personal information of California residents.
HIPAA: Health Insurance Portability and Accountability Act for protecting sensitive health information.
PCI DSS: Payment Card Industry Data Security Standard for securing credit card transactions.
Security Measures
1.
Authentication and Authorization
Multi-Factor Authentication (MFA): Implementing MFA to enhance the security of user accounts by requiring multiple forms of verification.
Password Policies: Enforcing strong password policies, including complexity requirements and regular password changes.
Secure Password Hashing: Using industry-standard hashing algorithms like bcrypt and Argon2, along with salting, to securely store passwords.
2.
Data Encryption
Encryption at Rest: Encrypting data stored in databases and file systems using AES-256 and other industry-standard encryption algorithms.
Encryption in Transit: Using TLS/SSL to encrypt data transmitted over networks, protecting it from eavesdropping and tampering.
3.
Network Security
Firewalls: Deploying web application firewalls (WAF) and network firewalls to monitor and block malicious traffic.
Intrusion Detection and Prevention Systems (IDPS): Continuously monitoring networks for suspicious activities and automatically mitigating threats.
Secure Network Configuration: Implementing best practices for network configuration, including network segmentation and secure access controls.
4.
Incident Response
Incident Response Plan: Establishing a comprehensive incident response plan to quickly identify, contain, and remediate security incidents.
Regular Drills: Conducting regular security drills and simulations to ensure preparedness and effective response to incidents.
Post-Incident Analysis: Performing thorough analysis of incidents to identify root causes and implement corrective actions.
5.
Monitoring and Logging
Continuous Monitoring: Using advanced monitoring tools to continuously monitor systems and networks for suspicious activities.
Detailed Logging: Maintaining comprehensive logs of access and actions to facilitate auditing and forensic analysis.
Alerting: Implementing real-time alerting for detected anomalies and potential security incidents.
6.
User Education and Awareness
Security Training: Conducting regular security training sessions for employees and users to raise awareness of security best practices.
Phishing Awareness: Educating users about phishing attacks and how to recognize and report suspicious emails.
Security Policies: Communicating security policies and procedures to ensure that users understand their responsibilities in maintaining security.
Conclusion
SSOJet is dedicated to maintaining a robust security posture through continuous improvement and adherence to industry best practices. Our comprehensive security measures and principles ensure that user data is protected, and our services remain secure and reliable.
For more detailed information on specific security practices, please refer to the corresponding security documents on topics such as password hashing and storage, multi-factor authentication, session management, attack protection, and more.
Contact Information
For any security-related inquiries or to report a security incident, please contact our security team at:
Email: support@ssojet.com
Modified at 2024-06-18 09:05:22
Previous
Setup SSO Connection
Next
Password Hashing and Storage
Built with