Physical access and security
Identity Manager servers should be physically protected, since logical security measures can often be bypassed by an intruder with physical access to the console:
- Restrict physical access: put the Identity Manager server(s) in a locked and secured room and restrict access to authorized personnel only. Product administrators should install and configure the server(s) on site and thereafter access them only remotely, via HTTPS to the web portal or RDP to the OS.
- Connect a UPS: ensure that server power is protected, that a graceful shutdown occurs when power is interrupted, and that there is surge protection at least on incoming power connections.
- Prevent boot from removable media: configure the server to boot only from an internal drive, not from removable media.
Where the Identity Manager server is virtualized, apply the above controls to the hypervisor.
Security policies are only as effective as user awareness and compliance. Security awareness training should include:
- Building security including authorization for visitors and ID badges.
- Password policies, regarding complexity, regular changes, non-reuse and not sharing passwords.
- Social engineering and phishing attacks, to help users recognize when a person, malicious web site or e-mail tries to trick them into disclosing access or other information.
- The consequences of a security breach, including consequences to users who may have supported the breach through action or inaction.
- Effective security practices relating to mobile devices, such as laptops, smart phones and tablets.
- Not leaving endpoints signed on, unlocked and unattended.