Accounts and authentication
Using two-step verification with Kaspersky Security Center Cloud Console
Kaspersky Security Center Cloud Console provides two-step verification for users.
Two-step verification can help you increase the security of your account in Kaspersky Security Center Cloud Console. When this feature is enabled, every time you sign in to Kaspersky Security Center Cloud Console with your email address and password, you enter an additional one-time security code. You can receive a one-time security code by SMS or by generating this code in your authenticator app (depending on the two-step verification method that you set up).
We strongly recommend that you do not install the authenticator app on the same device from which the connection to Kaspersky Security Center Cloud Console is established. You can install an authenticator app on your mobile device.
Prohibition on saving the administrator password
If you use Kaspersky Security Center Cloud Console, we strongly recommend that you do not save the administrator password in the browser installed on the user device.
If the browser is compromised, an intruder can gain access to the saved passwords. Also, if a user device with saved passwords is stolen or lost, an intruder can gain access to protected data.
Restricting the Main Administrator role membership
We recommend restricting the Main Administrator role membership.
By default, after a user creates a workspace, the Main Administrator role is assigned to this user. This is useful for management, but it is critical from a security point of view, because the Main Administrator role has an extensive range of privileges. The assignment of this role to users should be strictly regulated.
You can use the predefined user roles with a preconfigured set of rights to administer Kaspersky Security Center Cloud Console.
Configuring access rights to application features
We recommend using flexible configuration of access rights to the features of Kaspersky Security Center Cloud Console for each user or group of users.
Role-based access control allows the creation of standard user roles with a predefined set of rights and the assignment of those roles to users depending on their scope of duties.
The main advantages of the role-based access control model:
- Ease of administration
- Role hierarchy
- Least privilege approach
- Segregation of duties
You can assign built-in roles to certain employees based on their positions, or create completely new roles.
While configuring roles, pay attention to the privileges associated with changing the protection state of the Administration Server device and remote installation of third-party software:
- Managing administration groups.
- Operations with Administration Server.
- Remote installation.
- Changing the parameters for storing events and sending notifications. This privilege allows you to set notifications that run a script or an executable module on the Administration Server device when an event occurs.
Separate account for remote installation of applications
In addition to the basic differentiation of access rights, we recommend restricting the remote installation of applications for all accounts (except for the Main Administrator or another specialized account).
We recommend using a separate account for remote installation of applications. You can assign a role or permissions to the separate account.
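The recommendations above on Main Administrator membership, the four privileges to watch, and the separate remote installation account can be checked periodically against a list of role assignments. The following is an added example, not Kaspersky code: the data layout, the user names, every role except Main Administrator, and the "View reports" privilege are constructed assumptions.

```python
# Added example: the data below is constructed, and its layout is an
# assumption, not a Kaspersky Security Center Cloud Console export format.
MAIN_ADMIN = "Main Administrator"
REMOTE_INSTALL = "Remote installation"
NOTIFY = "Changing the parameters for storing events and sending notifications"
# The four privileges the page singles out for attention.
SENSITIVE = {
    "Managing administration groups",
    "Operations with Administration Server",
    REMOTE_INSTALL,
    NOTIFY,
}

def audit(roles, assignments, approved_main_admins, install_accounts):
    """roles: role -> set of privileges; assignments: user -> list of roles."""
    findings = []
    for user, user_roles in assignments.items():
        if MAIN_ADMIN in user_roles:
            # Membership in this role must be explicitly approved.
            if user not in approved_main_admins:
                findings.append((user, "unapproved Main Administrator membership"))
            continue
        privs = set().union(*(roles.get(r, set()) for r in user_roles))
        for priv in sorted(privs & SENSITIVE):
            if priv == REMOTE_INSTALL:
                # Only the dedicated installation account may hold this.
                if user not in install_accounts:
                    findings.append((user, "remote installation outside dedicated account"))
            else:
                findings.append((user, "review sensitive privilege: " + priv))
    return sorted(findings)

# Constructed sample; every role except Main Administrator is hypothetical.
ROLES = {
    MAIN_ADMIN: set(SENSITIVE),
    "Helpdesk": {REMOTE_INSTALL, "View reports"},
    "Deployment": {REMOTE_INSTALL},
    "Notifier": {NOTIFY},
    "Auditor": {"View reports"},
}
ASSIGNMENTS = {
    "alice": [MAIN_ADMIN], "bob": [MAIN_ADMIN], "carol": ["Helpdesk"],
    "svc-deploy": ["Deployment"], "dave": ["Auditor", "Notifier"],
}

if __name__ == "__main__":
    for user, finding in audit(ROLES, ASSIGNMENTS, {"alice"}, {"svc-deploy"}):
        print(f"{user}: {finding}")
```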