This document describes the KanbanBOX technical specifications concerning security.
Firewall rules to authorize access to KanbanBOX
To allow network communication with the KanbanBOX infrastructure, the following domain must be allowed (whitelisted) in the company firewall:
- *.kanbanbox.com (where * means all of the subdomains)
KanbanBOX IP addresses may change over time, depending on workload and infrastructure development, so it is important to allow the *.kanbanbox.com domain itself rather than only the IP addresses currently associated with it.
Optionally, the KanbanBOX team can provide access through static IP addresses when the company firewall cannot manage DNS-based rules for dynamic IPs.
Access security
Type of users
A user can be defined as:
- Personal account, for individuals
- Shared workstation, for shop-floor workstations and devices shared by several operators.
User credentials
User access to the KanbanBOX graphical interfaces is protected by a username/password combination.
Access to the API is granted by adding an API key to each request. Each API key is uniquely associated with one user and can be changed or deleted as needed.
Passwords and API keys have to be considered secret and must therefore be stored and handled accordingly.
Multi-Factor Authentication
Multi-factor authentication (MFA) can be activated for each user, for an additional level of security.
Access log
Every authorized access, as well as every rejected access attempt, is recorded in the access log, which all admin users can inspect inside the web interface.
Filter access based on IP
Upon request, the Client can specify the set of company gateway IPs from which users are authorized to access KanbanBOX.
The IP-based filter can be enabled per user type (personal account, shared workstation).
Federated access and Single-Sign-On (SSO)
Optionally, the KanbanBOX team can configure Single Sign-On (SSO) access by connecting to the company identity management software using SAML 2.0-compatible technology.
SSO access can be enforced per user type (personal account, shared workstation).
SSO access is also supported by the KanbanBOX Android/iOS apps.
Filter access based on the environment
A user can be configured to access both production and test environment, or to access only the test environment.
Management of permissions based on roles
The set of functionality each user can access depends on the user's role. The roles available in KanbanBOX are:
- admin
- plan
- prod
- read
The list of permissions by role is available at the following link: List of permissions by role.
Integration with Identity Management System
Upon request, user management in KanbanBOX can be automated through integration with an external Identity Management software. The Identity Management software can be configured to create, update and delete users in KanbanBOX, while local user management in KanbanBOX can be restricted or disabled.
Communication security
All communications between clients and KanbanBOX servers use the HTTPS protocol and are encrypted with TLS.
Security of the integration from KanbanBOX to external software
Integration flows from KanbanBOX to external software require, in most cases, that KanbanBOX connects to the external software to send a message when an event takes place in KanbanBOX.
Webhooks are the tool KanbanBOX uses to send these messages. The full documentation is available here: Webhook.
Communication protocols
KanbanBOX can send data to external systems over the HTTPS protocol, calling REST or SOAP services, or over file transfer protocols (SFTP, FTPS).
With the HTTPS protocol, KanbanBOX can authenticate with:
- HTTP Basic Authentication
- API key authentication
- OAuth 2.0 Client Credentials authentication flow
With SFTP/FTPS, KanbanBOX can authenticate with:
- username and password
- public key provided by the customer
KanbanBOX test and production environments can be configured to use different endpoints and credentials.
Filtering access based on KanbanBOX IP addresses
To communicate with external services, KanbanBOX uses a static set of IP addresses. An external system can therefore filter inbound requests by authorizing only those originating from KanbanBOX IPs.
The KanbanBOX team can provide a link to the list of static IP addresses, which is kept up to date.
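The following receiver-side checks illustrate both the "Communication protocols" section (verifying the Basic, API key and OAuth 2.0 Bearer credentials KanbanBOX presents) and the IP filtering described above (accepting only requests from the published static addresses). This is an added example, not KanbanBOX code or the Webhook documentation: the header name used for the API key, the sample networks standing in for the published static IP list, and the sample requests are all constructed assumptions; the real addresses come from the list the KanbanBOX team provides.

```python
"""Receiver-side checks for inbound KanbanBOX webhook calls.

Added example, not KanbanBOX code. The header names, the allowlist and the
sample requests below are constructed for the demonstration; the real static
IP list is the one the KanbanBOX team provides.
"""
import base64
import hmac
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for the published KanbanBOX static IP list.
KANBANBOX_SOURCE_NETS = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def is_trusted_source(remote_addr: str) -> bool:
    """True if the TCP peer address lies inside one of the allowed networks.
    Use the socket peer address; trust X-Forwarded-For only if a proxy you
    control sets it and strips any copy supplied by the client."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in KANBANBOX_SOURCE_NETS)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time comparison so a wrong secret does not leak via timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic(headers: Dict[str, str], username: str, password: str) -> bool:
    """HTTP Basic: 'Authorization: Basic base64(user:password)'."""
    scheme, _, param = (_header(headers, "Authorization") or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, pw = decoded.partition(":")
    if not sep:
        return False
    return _ct_equal(user, username) & _ct_equal(pw, password)  # both always run


def check_api_key(headers: Dict[str, str], expected_key: str,
                  header_name: str = "X-API-Key") -> bool:
    """API key carried in a dedicated header (the header name is an assumption)."""
    presented = _header(headers, header_name)
    return presented is not None and _ct_equal(presented, expected_key)


def check_bearer(headers: Dict[str, str], expected_token: str) -> bool:
    """OAuth 2.0 client credentials: the caller first obtains an access token from
    the customer's token endpoint and then presents it as a Bearer token.
    Simplification: the token is treated as an opaque value the resource server
    already knows; a real deployment validates it against the authorization
    server (signature or introspection, plus expiry)."""
    scheme, _, token = (_header(headers, "Authorization") or "").partition(" ")
    return scheme.lower() == "bearer" and token != "" and _ct_equal(token, expected_token)


def accept_webhook(remote_addr: str, headers: Dict[str, str],
                   credentials: Dict[str, str]) -> str:
    """Return 'ok' or a rejection reason. The source-address check runs first so
    credential handling is never reached from outside the allowlist; the
    credential check then proves the request comes from the configured
    KanbanBOX account, not merely from a host sharing that address range."""
    if not is_trusted_source(remote_addr):
        return "rejected: source not in KanbanBOX allowlist"
    scheme = credentials.get("scheme")
    if scheme == "basic":
        ok = check_basic(headers, credentials["username"], credentials["password"])
    elif scheme == "api_key":
        ok = check_api_key(headers, credentials["api_key"])
    elif scheme == "oauth2":
        ok = check_bearer(headers, credentials["access_token"])
    else:
        return "rejected: unknown authentication scheme"
    return "ok" if ok else "rejected: authentication failed"


# Constructed sample requests covering each scheme and the failure paths.
SAMPLES = {
    "basic_ok": ("203.0.113.5", {"Authorization": "Basic a2I6czNjcmV0"},  # kb:s3cret
                 {"scheme": "basic", "username": "kb", "password": "s3cret"}),
    "basic_wrong_pw": ("203.0.113.5", {"Authorization": "Basic a2I6czNjcmV0"},
                       {"scheme": "basic", "username": "kb", "password": "other"}),
    "api_key_ok": ("198.51.100.7", {"x-api-key": "k-123"},
                   {"scheme": "api_key", "api_key": "k-123"}),
    "oauth2_ok": ("203.0.113.14", {"Authorization": "Bearer tok-abc"},
                  {"scheme": "oauth2", "access_token": "tok-abc"}),
    "bad_source": ("203.0.113.16", {"x-api-key": "k-123"},  # just outside the /28
                   {"scheme": "api_key", "api_key": "k-123"}),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every constructed sample and return name -> decision."""
    return {name: accept_webhook(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:15s} {decision}")
```

The IP check is a coarse first filter, not an authentication mechanism on its own: keep the credential check even when the allowlist is in place, and update the allowlist from the link the KanbanBOX team provides rather than from a one-time lookup.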