General security considerations
This list does not intend to show you best practices in network and system administration. Rather, it suggests a number of security mechanisms that you can expand upon.
- Keep up to date on patches
-
Security vulnerabilities are the reason why you should keep your operating systems, web and application servers, and any other application in your environment up to date. Knowledge of vulnerabilities spread fast across malicious users, who would not hesitate in trying to exploit them.
ForgeRock maintains a list of security advisories that you should follow. You should also follow similar lists from all your vendors.
- Keep up to date on cryptographic methods and algorithms
-
Different algorithms and methods are discovered and tested over time, and communities of experts decide which are the most secure for different uses. Do not use outdated algorithms such as RSA for generating your keys.
- Turn off unnecessary features
-
The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, disable it or uninstall it.
- Limit access to the servers hosting AM
-
A large part of protecting your environment is making sure only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and presenting strong-enough credentials.
Ensure users connect through SSL / TLS to the systems and audit system access periodically.
For a list of ports used in AM by default, see Ports used.
- Enforce security
-
Do not expect your users to follow security practices on their own; enforce security when possible by requiring secure connections, password resets, and strong authentication methods.
- Audit Access and Changes
-
Audit logs record all events that have happened. Some applications store them with their engine logs, some others use specific files or send the information to a different server for archiving. Operating systems have audit logs as well, to detect unauthorized login attempts and changes to the software.
AM has its own audit logging service that adheres to the log structure common across the Ping Identity Platform.