Accounts
Tenants
- Registering as a Subscriber Tenant
- Subscriber Tenants
- Service Provider Tenants
- Tenant Details
- Tenant Management
  - Adding a Tenant
  - Registering Tenants Automatically
  - Deleting a Tenant
  - Editing a Tenant
  - Configuring Available Services
  - Purchasing a Service Subscription
  - Reporting
  - Audit Logging
  - Customizing the Logo
Users
- Application Owners
- Tenant Administrators
- Service Provider Administrators
- Subscriber Groups
  - Subscriber Group Details
  - Subscriber Group Management
- Adding a User
- User Management
- User Details
Best Practices
Troubleshooting

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

DPoD Documentation
Accounts
Best Practices

Best Practices

This document provides best practices for managing user accounts in your Thales Data Protection on Demand tenant.

Administrator management

We recommend that all DPoD subscriber tenants have a primary administrator and at least one secondary administrator account. Secondary administrators can support primary administrators in managing a subscriber tenant and can support the primary tenant administrator if they require a password or MFA token reset.

For security purposes Thales support is only able to:

reset primary administrator passwords
reset all users MFA tokens

Consult the User Management document for detailed instructions on what to do if you lose access to your password or MFA token.

Multifactor authentication

DPoD implements Multifactor Authentication (MFA) using third-party authenticator (TPA) apps showing a randomly generated and constantly refreshing 6-digit "time-based one time password" (TOTP) to be presented as a second authentication factor when logging into DPoD.

The following is a short list of possible MFA clients. DPoD does not guarantee the security or integrity of any MFA client. You can use any MFA client that supports TOTP. You are not limited to the MFA clients included here:

Google Authenticator
Microsoft Authenticator
Authy
TypingDNA
LastPass Authenticator

We recommend you keep a back up of your MFA secrets. Consult the User Management document for detailed instructions on what to do if you lose access to your password or MFA token.

If your TOTP is not accepted when trying to log in to the DPoD, verify that the system time and time zone locale on the device supplying the TOTP is set correctly.

Platform role password policy

Improper password management and implementation imposes risks to the security of Data Protection on Demand tenants and services.

To ensure the security and confidentiality of your DPoD user account the password requirements for a DPoD platform role are:

Must be a minimum of 10 characters
Cannot exceed 255 characters

Note

All ASCII characters count as a password character.

Additionally, as per the National Institutes of Standards and Technology (NIST) guidelines the DPoD role passwords are never truncated.

DPoD accounts are temporarily disabled after 7 consecutive failed password attempts. If your DPoD account is temporarily disabled retry the login at a later time.

To increase password protection, we recommend being aware of and adhering to the following password management practices:

We recommend using a combination of alphanumeric and special characters in your password to increase resilience to brute force attacks.
Do not use dictionary words inside of your password.
Passwords must not be shared with anyone. Your password is to be treated as sensitive, confidential organizational information.
Passwords must not be inserted into any forms of electronic communication.
Passwords must not be revealed over the phone to anyone.
Do not share DPoD passwords with anyone, including administrative assistance, secretaries, managers, co-workers while on vacation, and family members.
Do not write passwords and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
Do not save your password into a web browser, use a password manager.
Any user suspecting that their password may have been compromised should report the incident to their tenant administrator as soon as possible and change their password.
The DPoD operations team will never ask you for your login details.

Include listing platform communications

DPoD announcements and communications are made over:

Changelog
DPoD Status Page
Email

You can subscribe to the Changelog, the DPoD Status Page, and the Customer Support Portal to receive the latest updates and news about Thales Data Protection on Demand.

If you are not receiving emails from DPoD please add the following addresses to your approved senders list:

dpondemand@thalesgroup.com - support email address
noreply@dpondemand.io - account notifications and alerts
noreply@announcekit-mail.com - Changelog announcements (register at Changelog)
noreply@statuspage.io - maintenance announcements (register at DPoD Status Page)
noreply@cplcloud.com - emails about in progress trials and testing tips
noreply@thalesgroup.com - back office communications
support_certficates@subscription.cpl.thalesgroup.com - support certificate for subscriptions
sales.order.acknowledgement@subscription.cpl.thalesgroup.com - sales order acknowledgements
technical.support.dis@apps.thalesgroup.com - emails about client and service updates

Suggest A Change

Best Practices

Administrator management

Multifactor authentication

Platform role password policy

Include listing platform communications

On this page