Security Best Practices
For integration with other systems, we recommend creating a separate user for each system with a User Type of Service Account.
In most cases, service accounts have no additional permissions beyond secure file transfer protocol (SFTP) access since the sole purpose of this user account is to retrieve or place files on the SFTP area for data integration.
While having one service account user for all data integrations is possible, creating separate user accounts provides more secure user management by allowing the Security Administrators to disable individual accounts (such as when ending a contract with a third party) without impacting other data integration processes.
In addition, managing separate service accounts enables an institution to limit access to specific SFTP directories and ensure that an external system has access to only the data necessary for its specific integration. Refer to the next section on Path Restriction for additional details.
Enabling Path Restriction is recommended since it limits access to specific folders in the SFTP area.
For example, the following path restrictions permit the user to access only the two specified directories, preventing the user from picking up or dropping off files in other directories (such as /incoming/commonapp). This helps ensure that only the desired information is shared with the third party.
Important: Make sure that the specified folder in the Path Restriction setting exists, or the user or service account will not be able to access the SFTP site. To create the folder, manually connect to the SFTP site externally (using a client that supports the SFTP protocol) or create it with the Import Path/Mask setting for a Source Format's Import Automation tab.
User Account Configurations
Important: Authentication is required through either a username/password pair or a username/certificate pair. With certificate-based authentication, which is considerably more secure than password-based authentication, the institution must generate an SSH2 certificate pair that will be used when authenticating. Both may be added to the configuration.
Public Key or Private Key
Generating a Certificate Key Pair
A Public/Private key pair can be generated using PuTTYgen or an SFTP client (e.g., FileZilla, WinSCP). The key pair needs to be:
- An RSA key type
- At least 2048 bits
- If using PuTTYgen, the latest version should be used.
SSH2 Public Key
For extra security, a Service Account can use an SSH2 Public Key (i.e., certificate-based authentication), which will typically begin with the comment line "---- BEGIN SSH2 PUBLIC KEY ----" and end with "---- END SSH2 PUBLIC KEY ----".
SSH Private Key
An SSH Private Key should be used when setting up a Service Account (Remote). If using PuTTYgen, use the Conversions > Export OpenSSH Key to format the newly generated Private Key correctly. You will want to save the OpenSSH Key without a passphrase by ignoring PuTTYgen's warnings.
Path Restriction
This setting restricts an account to specific folders. For example, to permit access to the incoming and outgoing folders for a given third party, enter /incoming/vendor_name/ and /outgoing/third_party/, with each path entered on a separate line. If a path restriction is specified, the account can only read and write files and folders within those allowed folders and their subfolders. If no path restriction is specified, the account can read and write files and folders in all folders.
- Path restriction is a best practice for limiting access to specific folders on the SFTP server, for example when granting access to a service account used by an outside party (an SIS system or a vendor).
- Ensure that the specified folder in the Path Restriction setting exists, or the user or service account will not be able to access the SFTP site. To create the folder, manually connect to the SFTP site externally (using a client that supports the SFTP protocol) or create the subfolder under /incoming/ with the Import Path/Mask setting for a Source Format's Import Automation tab or create the subfolder under /outgoing/ via the path setting of a Scheduled Export.
Allowed Networks (required)
Enter the IP addresses or CIDR ranges from which access should be allowed. Separate multiple addresses or ranges with commas. Test environments require all desired IP addresses to be allowed on the production database.
- Allowed Networks currently accepts only IPv4 addresses.
- Please allow up to 60 minutes for changes to Allowed Networks to take effect because firewall rules are refreshed once per hour.
Make sure to use the public-facing IP address rather than an internal IP address.
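An added example (not part of this documentation) that checks the two settings above offline: it validates an Allowed Networks value against the stated rules (comma-separated, IPv4 only, public-facing rather than internal) and simulates the Path Restriction rule for a requested path, including the no-restriction case. The internal address ranges, the sample addresses and the vendor_name/third_party restrictions are constructed values.

```python
import ipaddress
import posixpath

# Address blocks that are never public-facing; constructed for this example.
INTERNAL_BLOCKS = [ipaddress.ip_network(b) for b in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",   # loopback, link-local, CGNAT
)]


def validate_allowed_networks(value: str) -> list[str]:
    """Parse a comma-separated Allowed Networks value into normalised IPv4 CIDRs.

    Raises ValueError for IPv6 entries (the field accepts IPv4 only) and for
    addresses that overlap internal ranges, since the firewall sees the
    connecting system's public-facing address, not its internal one.
    """
    networks = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)
        if net.version != 4:
            raise ValueError(f"{item}: Allowed Networks accepts IPv4 only")
        if any(net.overlaps(block) for block in INTERNAL_BLOCKS):
            raise ValueError(f"{item}: use the public-facing address, not an internal one")
        networks.append(str(net))
    return networks


def path_permitted(restrictions: list[str], path: str) -> bool:
    """Mirror the Path Restriction rule for a requested path.

    No restrictions means every folder is readable and writable; otherwise only
    the listed folders and their subfolders are. Paths are normalised first so
    '..' segments cannot escape, and matching is on whole segments so that
    /incoming/vendor_name/ does not also permit /incoming/vendor_name2/.
    """
    allowed = [r.strip() for r in restrictions if r.strip()]
    if not allowed:
        return True
    target = posixpath.normpath("/" + path.strip().lstrip("/"))
    for folder in allowed:
        base = posixpath.normpath("/" + folder.lstrip("/"))
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False
```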