LogicMonitor Security Best Practices
At LogicMonitorwe take the protection of customer data and cybersecurity very seriously. Security is a team effort and partnership between LogicMonitor and our valued customers. Below we have provided our recommended guidance on security best practices, and how to keep your LogicMonitor portals secure, including the 2FA authentication enablement. General Security LogicMonitor Security Corporate site: LogicMonitor’s Security corporate site provides resources for our customers who are interested in reviewing our security white papers or accessing SOC2 Type 2 and SOC3 reports. Security Best Practices: This comprehensive document offers invaluable security guidance and best practices which LogicMonitor strongly recommends be diligently followed. It also provides critical insights into how LogicMonitorsecures customer accounts, such as regular updates to strong, unique passwords and not sharingaccount information. Configuring Multi & Single Sign On Single Sign-On Integration Setup Guide: Single Sign-On (SSO) is a powerful mechanism for enforcing robust authentication measures, including 2FA, while simultaneously mitigating the risk of password-related issues. This guide outlines the prerequisites and initial setup steps for SSO, including how to restrict account access to SSO user accounts. Multi Sign-On Integration Setup Guide: Multi-sign on augments security by requiring multiple authentication factors. This document empowers administrators to add multiple tenants (Identity Providers), and manage users directly from their Identity Provider (IdP). Microsoft Azure Active Directory (AD) IdP for Single Sign-On (SSO) Setup Guide: Customers interested in utilizing Microsoft Azure Active Directory (AD) IdP for SSO will find this guide invaluable. It provides step-by-step instructions for integrating Azure with LogicMonitor. Additional Tools to Increase Security Account IP Whitelisting: Customers looking to restrict access to their accounts, based on specific IP addresses or subnets, can refer to point five (5) in the "Configuring the Portal Settings" section document for detailed guidance. Role Based Access Control settings: Role-Based Access Controls offer a powerful means of restricting access to security features or entire product sections for specific user groups. This document explains the numerous configurations available at the role level, ensuring that your security posture aligns seamlessly with your business requirements. Preparing for two-factor authentication (2FA) Remote Session Access Control: In preparation of implementing 2FA, this document comprehensively explains the Access Controls available for the Remote Session feature, allowing for enhanced security through customizable access restrictions or feature disabling. 2FA Setup Guide: This guide provides step-by-step instructions on configuring 2FA at various levels. LogicMonitor strongly recommends customers who are not currently using 2FA or employing Single Sign-On (SSO), without enabling the "Restrict to SSO" option, proactively enable 2FA for their non-SSO user accounts. User Reporting for 2FA: The User Report serves as a vital tool in securing your account with 2FA. It facilitates the identification of user accounts that do not currently utilize 2FA or lack associated phone numbers, which could potentially disrupt user access, if not addressed before 2FA is activated. See also 2FA FAQ’s&User Reports.LogicMonitor Two Factor Authentication FAQ's
Two Factor Authentication 2FA FAQ’s 1. Will my access be affected if I use Single Sign-On (SSO)? No, SSO users will not be impacted by 2FA. 2. What happens if I have an incorrect phone number associated with my account? If your phone number is incorrect, you won't receive the code to log in. Please reach out to your Local Admin, and ask them to update your phone number in your user profile. If your Local Admin(s) are unable to log in, please contact LM Support. 3. What occurs when 2FAis activated, and there's no phone number associated with my user account? When 2FAis activated users without a phone number linked to their account will be prompted to enter one, and sign up for 2FA during their next login. 4. Does enabling "restrict to single sign-on" act as an alternative to 2FA, and will customers lose the ability to uncheck this option? After 2FAis activated, customers will not be able to disable 2FA for local users. "Restrict Single Sign-On" and 2FAwill work together. There will be no change or impact on SSO users; they will continue to function as usual. 5. How does the 2FAactivationaffect shared accounts? Sharing accounts is not a recommended security best practice, and with2FA, user accounts can no longer be shared. A new account and profile should be created for each user. 6. What if I am unable to login? If you cannot login, please contact your Local Admin, and request that they update your phone number and email address in your user profile. If your Local Admin(s) are unable to log in, please reach out to LM Customer support. 7. Will integrations be impacted? No, integrations using API keys will continue to function as they are, provided Basic Authentication is not in use. 8. Will the API be affected? No, the API will not be affected. 9. Does the 2FA activation impact API-only users? There is no impact on API-only users. However, we recommend that customers periodically audit API token usage, and recreate any API tokens previously created with administrator permissions. 10. Will Integration IDs, such as ServiceNow (ID/Pass and API ID/Key) and AWS (ARN), be affected by the 2FA Activation? API ID/Keys and ARNs will not be impacted. SSO users are also not affected. Only local accounts without pre-enabled 2FA will be impacted. API keys will not be affected. If you add API keys to a local user, you will need to set up 2FA for that local user. 11. If a user is initially created as a LOCAL user, and later integrated with SSO, will there be any impact? There is no impact in this scenario. 12. What should I do if the user's email address is invalid and the phone number is empty? Reach out to the local admin of your account for assistance in updating the email and phone number. If you are a local admin, and are locked out of your account, click here to contact LM Customer support. 13. Will there be any impact for customers using external SSO with 2FA to authenticate for the LM portal? There is no impact for customers using external SSO with 2FA for LM portal authentication. See Also LogicMonitor Security Best Practices & User Reports.LogicMonitor User Reports for 2FA
Identifying User Accounts Requiring Priority Attentionfor two-factor authentication (2FA) Readiness Using Our User Report Guide The subsequent steps are designed to offer guidance on utilizing the User Report to assist customers in their 2FA preparation process." Step 1: Create a new Report by going to Reports -> Add Report Step 2: From the available report types, select User Report Step 3: (Optional): Under User Report Settings, additional filters can be added by clicking the “More” dropdown to help limit the returned results to user accounts that need to be prioritized for updates, prior to the 2FA activation. For this example, we have added filters for Role Assignment and the Enable 2FA flag to help identify administrators’ user accounts which do not have 2FA enabled, and may get impacted once 2FAis activated. We chose to filter to the Administrator role, and for user accounts that are set to “No” for Enable 2FA. Step 4: Ensure appropriate columns are checked for the report outputs. Customers can include as many of the columns as needed, but we recommend including the following columns, highlighted in red, which will help identify user accounts with2FA not enabled. Users with no phone numbers Potential duplicate phone number entries User Accounts with the highest set of privileges which have the pre-mentioned considerations We also recommend sorting results by Phone Number, which will organize the results with user accounts with no phone numbers set. Step 5: Once the Report configuration is completed, click the Next button and the report will be generated, in which the results can be audited for where action would need to be taken, prior to the 2FA activation. An example of the output is included below, where we identified several administrator users that had no phone numbers, and 2FA was not enabled. Our next steps internally were to update contact information for the active accounts, delete suspended users, and enable 2FA for the users. See also 2FA FAQ’s and LogicMonitor Security Best Practices
