In an effort to enhance the security of our ClientTools website, we will soon be releasing an option that allows clients to specify the IP addresses from which their users may access the portal. This is commonly referred to as ‘whitelisting.’ The process will be quite simple: we will define a group of IPs associated with a user; these are typically the IPs of the company’s known outbound internet traffic. When that user attempts to connect to our portal with their credentials, a check will be made to ensure they are connecting from one of the registered IPs. If a connection is detected from an IP that has not been registered, the attempt will be logged and the user will be denied access.
Essentially, this means users will only be able to access our site and client data from networks approved by the client and defined by the client’s business needs. For instance, a user would not be able to access our portal from home or from anywhere other than the office location. This measure can help prevent data loss by users who are legitimately registered but want to access the data from a non-secure location.
We will be formally announcing this feature in the near future with details on how to opt in to the program. We will not be enforcing this, but will highly encourage participation for the added security it provides.
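As an added illustration of the check described above (this is example code, not MRIoA’s implementation; the usernames, addresses and ranges are constructed), a per-user allowlist lookup that accepts single IPs or CIDR ranges, treats users without an allowlist as opted out, and logs every denied attempt:

```python
import ipaddress
import logging

logger = logging.getLogger("clienttools.ip_allowlist")

# Constructed sample data: each user's registered outbound addresses,
# given as single hosts or CIDR ranges (documentation-reserved ranges).
USER_ALLOWLISTS = {
    "alice@example-client.com": ["203.0.113.10", "198.51.100.0/28"],
    "bob@example-client.com": ["2001:db8:abcd::/48"],
}


def parse_allowlist(entries):
    """Normalise host IPs and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_source_ip(username, source_ip, allowlists=USER_ALLOWLISTS):
    """Return True if source_ip falls inside one of the user's registered ranges.

    source_ip must be the real peer address (or a proxy header only when the
    proxy itself is trusted); a spoofable header defeats the whole check.
    Users with no allowlist have not opted in, so they are allowed through.
    Denied attempts are logged with the offending address.
    """
    entries = allowlists.get(username)
    if not entries:
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        logger.warning("denied %s: unparseable source address %r", username, source_ip)
        return False
    if any(addr in net for net in parse_allowlist(entries)):
        return True
    logger.warning("denied %s: login from unregistered address %s", username, addr)
    return False
```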
Another feature being developed and tested is the use of one-time passwords sent to a known device, such as a cellphone (SMS) or an email address associated with the user, which must be used in conjunction with the existing username and password. This is a form of two-factor authentication and helps prevent access to our site and client data using usernames and passwords that may have been compromised. In order to successfully access the ClientTools portal, users would also have to have access to the email account and/or cell phone associated with their account. This technique would significantly lessen the risk of a stolen username and password being used to access confidential client data on the ClientTools website.
MRIoA is always looking to provide more security in all of our processes and with great attention to our outward facing websites that can access client data. We always welcome your thoughts and comments on these matters.
Don Murphy Jr. MS, CISSP
Vice President, Information Technology