This article addresses common questions about authentication and security mechanisms in Cloud Migration/CloudScape. It covers encryption methods, login security, authentication controls, monitoring practices, and credential management.

Authentication and security questions

Do we utilize in-flight encryption for authentication requests?

Yes.

• All communication through the portal and APIs uses TLS 1.2.
• Appliances use TLS 1.3 for enhanced security.

How are login requests secured?

• Login requests are protected with TLS encryption.
• Passwords are hashed using argon2id, a secure hashing algorithm.

What controls are in place for authentication?

• Maximum allowed password failures: 5 attempts
• Maximum allowed MFA failures: 10 attempts
• Accounts are blocked after exceeding the failure thresholds
• Enforced password complexity and password reuse restrictions
• Passwords expire every 90 days

Is authentication part of an AD deployment, or is it local?

All authentication is managed through a central database in the cloud environment.

Monitoring and logging

Do we log security events such as failed login attempts or suspicious activity?

Yes. The system logs:

• Failed login attempts
• Account lockouts
• All user-initiated and M2M (machine-to-machine) API calls

Admins can also generate user API activity reports through the portal.

Are AV, EDR, DLP, and SIEM solutions used for monitoring authentication activity?

Yes.

• Security agents are deployed across all infrastructure.
• Upon request (via support escalation), audit logs from RN150 can be forwarded to a remote syslog server.

Credential management

How is shared access or generic account usage handled?

• Credentials added by end-users are encrypted and stored on the RN150.
• Integration with a remote CyberArk vault is also supported for credential management.