This document provides best practices for managing user accounts in your Thales Data Protection on Demand tenant.
We recommend that all DPoD tenants have a primary administrator and at least one secondary administrator account. Secondary administrators can support primary administrators in managing a tenant and can support the primary tenant administrator if they require a password or MFA token reset.
For security purposes Thales support is only able to:
- reset primary administrator passwords
- reset all users MFA tokens
Consult the User Management document for detailed instructions on what to do if you lose access to your password or MFA token.
DPoD implements Multifactor Authentication (MFA) using third-party authenticator (TPA) apps showing a randomly generated and constantly refreshing 6-digit "time-based one time password" (TOTP) to be presented as a second authentication factor when logging into DPoD.
The following is a short list of possible MFA clients. DPoD does not guarantee the security or integrity of any MFA client. You can use any MFA client that supports TOTP. You are not limited to the MFA clients included here:
We recommend you keep a back up of your MFA secrets. Consult the User Management document for detailed instructions on what to do if you lose access to your password or MFA token.
If your TOTP is not accepted when trying to log in to the DPoD, verify that the system time and time zone locale on the device supplying the TOTP is set correctly.
Platform Role Password Policy
Improper password management and implementation imposes risks to the security of Data Protection on Demand tenants and services.
To ensure the security and confidentiality of your DPoD user account the password requirements for a DPoD platform role are:
- Must be a minimum of 10 characters
- Cannot exceed 255 characters
All ASCII characters count as a password character.
Additionally, as per the National Institutes of Standards and Technology (NIST) guidelines the DPoD role passwords are never truncated.
DPoD accounts are temporarily disabled after 7 consecutive failed password attempts. If your DPoD account is temporarily disabled retry the login at a later time.
To increase password protection, we recommend being aware of and adhering to the following password management practices:
- We recommend using a combination of alphanumeric and special characters in your password to increase resilience to brute force attacks.
- Do not use dictionary words inside of your password.
- Passwords must not be shared with anyone. Your password is to be treated as sensitive, confidential organizational information.
- Passwords must not be inserted into any forms of electronic communication.
- Passwords must not be revealed over the phone to anyone.
- Do not share DPoD passwords with anyone, including administrative assistance, secretaries, managers, co-workers while on vacation, and family members.
- Do not write passwords and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
- Do not save your password into a web browser, use a password manager.
- Any user suspecting that their password may have been compromised should report the incident to their tenant administrator as soon as possible and change their password.
- The DPoD operations team will never ask you for your login details.
Whitelisting Platform Communications
DPoD announcements and communications are made over:
If you are not receiving emails from DPoD please add the following addresses to your approved senders list:
- firstname.lastname@example.org - account notifications and alerts
- email@example.com - evaluation emails
- firstname.lastname@example.org - Changelog announcements (register at Changelog)
- email@example.com - maintenance announcements (register at DPoD Status Page)
- firstname.lastname@example.org - support email address
- email@example.com - support email address