Password management

This scenario is for ISVs that provide enterprise password management and security. The purpose of such integration is to allow the management of users and their passwords, as well as monitor the overall security score and password strength in Acronis Cyber Platform.

The general scheme is the following:

../../../_images/password_management_scenario.png

Typical integration scope

Typical integration scope is built around a basic user management scenario and should include the following functionality:

Establish connection to ISV cloud - connection parameters and credentials to allow data to be transferred to Acronis Cyber Platform using the Integration settings extension point.
Customer mapping - pairing ISV customers to Acronis tenants to be able to report the list of protected users to the correct tenant.
Reporting the list of user accounts using password management functionality
Providing actions to support basic management options for reported users. For example: a. Invite a new user. #. Update the existing user details. #. Reset the master password.

Extended integration scope

To increase the integration value for MSPs, it is recommended to enhance the integration with the following additional functionality:

Provide an additional page for managing password complexity and authentication policies.
Report an alert related to password management. For example: a. A weak password is used for authentication. #. The user account for the specific resource has been compromised due to data leakage.
Create integration-specific widgets to display password management information.

Recommended Extension Points

To be able to extend Acronis Cyber Platform with Password Manager functionality, the following Extension Points should be used:

Integration settings - to provide credentials for accessing the ISV cloud and map ISV customers to Acronis customers.
Roles - to define which Platform roles will have access to password management functionality.
Main menu - to configure password policies and manage protected users.
Alerts - to display alerts on password-related security issues.
Widgets - to display password management-related statistics.

Integration settings

Password management is a customer-level application. This means that the Partner needs to configure the integration for each End Customer individually. Typically, password management applications contain the following settings:

Partner credentials and connection settings - required to authenticate in the ISV cloud and fetch the list of End Customers. These settings enable the integration for the Partner.
Customers mapping - a list of customers fetched from ISV cloud that allows specifying an existing customer mapping or creating a new corresponding customer mapping in Acronis Cyber Platform. Mapping an ISV customer to Acronis customer results in enabling the application for the specific customer.

Application configuration and mapping can be done only by Partner and cannot be done by End Customers.

Roles

It is recommended to use the following exiting roles to define access scope for Protection functionality:

Company Admin or Management Portal Administrator - required to enable the integration and perform customer mapping.
Company Admin, Protection Cyber Administrator or Protection Administrator - grants full access to all application functionality, can check and modify the configuration, work with alerts, change reports, etc.
Protection Read-only Administrator - grants read-only access to the application. Users with this role can check the password policy configuration and user statuses, but cannot change them.

Main menu

The main menu allows the application to add a new menu item dedicated to password management under the Management menu in Acronis Cyber Protection Console. This page should contain the list of the user accounts provided with Password management functionality. The list should also contain actions to support main password management scenarios: add new users, reset passwords, etc. Page content must be described in the declarative format in Vendor Portal. The user’s list and actions on this page are communicated from and to the ISV’s cloud via API Callback Gateway.

Additionally, the password management page may contain an additional tab to manage tenant-wide password policies that should be applied to all customers, for example:

Password strength settings.
Multi-factor authentication settings.
A number of allowed unsuccessful login attempts.
Etc.

Alerts

To be able to notify about password-related security issues, the application should submit alerts to Acronis Cyber Platform. Such alerts must be submitted as a new alert type. In this case, the typical alert structure would be:

Issue type (account was compromised, the password does not match security settings, etc.).
User account.
Issue description.
Timestamp.

Alert types are declared in Vendor Portal. Alert instances are reported to the platform by the Connector.

Widgets

If the application reports password management alerts to the platform, it is recommended to also add a widget that would show the latest alert of this type to the Overview dashboard.