Some IAM features are built to be used from untrusted environments; others are built to be used from internal networks only.
Use sandboxing to separate these modules from each other, so that an exposed module cannot reach the internal-only ones.
Consider the following tips regarding access to the IAM Adminapp, the Adminapp REST API, and the Transaction Approval REST API:
Do not expose the IAM Adminapp, the Adminapp REST API, or the Transaction Approval REST API to untrusted environments.
Avoid privilege escalation in the Adminapp: an administrator with limited rights must not be able to grant themselves or others rights beyond their own.
Use Airlock Gateway to protect these interfaces even for access from internal networks.
The IAM Loginapp and the Loginapp REST API are designed to be used from untrusted environments. The following hints help maximize the security of these critical services:
Use HTTPS (SSL/TLS) for all access to the Loginapp / Loginapp REST API.
Never embed the login form in a page delivered to the browser via HTTP: a page served over HTTP can be altered in transit, so the client has no assurance of where the submitted credentials are sent, even if the form's action is an HTTPS URL.
To better separate the Loginapp / Loginapp REST API from the other IAM modules (Adminapp, ...), use sandboxing with profiles:
Use Airlock Gateway staging techniques to regularly update the Airlock IAM mappings to the newest version.
Use the OpenAPI specification of the Loginapp REST API to secure it, so that only requests the specification describes reach the service.
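To show what the last tip buys you in practice, and how it combines with the HTTPS requirement above, here is an added Python example; it is not part of this page and not code from Airlock IAM or Airlock Gateway. It enforces a positive security model: a request is accepted only if its scheme, host, path, method and JSON body match an OpenAPI 3 fragment. The host login.example.com, the paths under /public/..., and the field constraints in the fragment are assumptions constructed for the example, not the real Loginapp REST API specification.

```python
"""Positive security model for a REST API derived from its OpenAPI document.

Added example for this page, not code from Airlock IAM or Airlock Gateway.
The OpenAPI fragment, host name, paths and field constraints below are
constructed for illustration; the real Loginapp REST API specification is
not reproduced here.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed OpenAPI 3 fragment (assumption: hypothetical host, paths and fields).
SPEC = {
    "servers": [{"url": "https://login.example.com/auth-login/rest"}],
    "paths": {
        "/public/authentication/authenticate": {
            "post": {"requestBody": {"required": True, "content": {"application/json": {"schema": {
                "type": "object",
                "required": ["username", "password"],
                "additionalProperties": False,
                "properties": {
                    "username": {"type": "string", "maxLength": 64, "pattern": r"^[A-Za-z0-9._@-]+$"},
                    "password": {"type": "string", "maxLength": 256},
                },
            }}}}},
        },
        "/public/session/terminate": {"post": {}},
        "/public/self-service/users/{userId}": {
            "parameters": [{"name": "userId", "in": "path",
                            "schema": {"type": "string", "pattern": r"^[0-9]{1,10}$"}}],
            "get": {},
        },
    },
}


def _path_regex(template, parameters):
    """Compile '/users/{userId}' into an anchored regex. A path parameter with a
    'pattern' in the spec constrains its segment; one without a pattern matches
    exactly one non-empty segment. Anything with extra segments does not match."""
    patterns = {p["name"]: p.get("schema", {}).get("pattern")
                for p in parameters if p.get("in") == "path"}
    parts = re.split(r"\{([^}]+)\}", template)  # literal, name, literal, name, ...
    out = "^"
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += re.escape(part)
        else:
            pat = patterns.get(part)
            out += "(" + pat.strip("^$") + ")" if pat else "([^/]+)"
    return re.compile(out + "$")


def _check_value(value, schema):
    """Minimal JSON-schema subset: object/required/additionalProperties and
    string/maxLength/pattern. Returns an error string or None."""
    t = schema.get("type")
    if t == "object":
        if not isinstance(value, dict):
            return "expected object"
        for key in schema.get("required", []):
            if key not in value:
                return f"missing required property {key!r}"
        props = schema.get("properties", {})
        for key, v in value.items():
            if key not in props:
                if schema.get("additionalProperties", True) is False:
                    return f"unexpected property {key!r}"
                continue
            err = _check_value(v, props[key])
            if err:
                return f"{key}: {err}"
        return None
    if t == "string":
        if not isinstance(value, str):
            return "expected string"
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            return f"longer than {schema['maxLength']} characters"
        if "pattern" in schema and not re.search(schema["pattern"], value):
            return "does not match pattern"
        return None
    return None  # other types are not needed by the constructed SPEC


def validate(method, url, body=None, spec=SPEC):
    """Return (True, 'ok') if the request is described by the spec, otherwise
    (False, reason). Anything the spec does not explicitly allow is rejected."""
    u = urlsplit(url)
    if u.scheme != "https":
        return False, "plain HTTP is not allowed: credentials must only travel over TLS"
    base = None
    for server in spec["servers"]:
        s = urlsplit(server["url"])
        if (s.scheme, s.netloc) == (u.scheme, u.netloc) and u.path.startswith(s.path + "/"):
            base = s.path
            break
    if base is None:
        return False, "request is not addressed to a server listed in the spec"
    if u.query:
        return False, "query parameters are not defined for this API"  # SPEC declares none
    rel = u.path[len(base):]
    for template, item in spec["paths"].items():
        if not _path_regex(template, item.get("parameters", [])).match(rel):
            continue
        op = item.get(method.lower())
        if op is None:
            return False, f"method {method} is not defined for {template}"
        rb = op.get("requestBody")
        if rb is None:
            return (False, f"{template} accepts no request body") if body is not None else (True, "ok")
        if body is None:
            return (False, "request body required") if rb.get("required") else (True, "ok")
        try:
            parsed = json.loads(body)
        except ValueError:
            return False, "request body is not valid JSON"
        err = _check_value(parsed, rb["content"]["application/json"]["schema"])
        return (False, f"body rejected: {err}") if err else (True, "ok")
    return False, f"path {rel} is not defined in the spec"


if __name__ == "__main__":
    login = "https://login.example.com/auth-login/rest/public/authentication/authenticate"
    print(validate("POST", login, '{"username": "alice", "password": "s3cret"}'))
    print(validate("POST", login.replace("https", "http", 1), '{"username": "alice", "password": "x"}'))
    print(validate("POST", login, '{"username": "alice\' OR 1=1--", "password": "x"}'))
    print(validate("GET", "https://login.example.com/auth-login/rest/public/../admin/users"))
```

The rule the example applies is the one the tip relies on: the specification, not a blacklist, decides what is accepted. A path outside the specification (including a traversal attempt such as /public/../admin/users), an unsupported method, an unexpected JSON property, or a username that violates its declared pattern is rejected before it reaches the Loginapp, and a request arriving over plain HTTP is refused regardless of its content.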