|
<< Click to Display Table of Contents >> Best practices in security |
The following recommendations pertain to the secure configuration and management of the Bizagi Cloud Platform. This article covers different aspects, such as access control, authentication, encryption, secure coding, and logging. The recommendations aim to help users ensure the confidentiality, integrity, and availability of Bizagi applications and data, as well as prevent unauthorized access, misuse, or modification.
Specific security recommendations for Bizagi Studio and Bizagi Automation Service are provided.
In this section, we detail the best security practices for Bizagi Studio, focusing on the following components.
Access Control
When developing a new project in Bizagi Studio, it is crucial to identify the roles required by the project's users and configure the necessary permissions in the Administration section. Bizagi Studio has a permissive default policy, which means that if no roles are configured, users will have permission to access all sections of the application. For more detailed information, please refer to the User Administration section.
Bizagi Studio offers security management for entities. This feature allows you to control the visibility and editability of entities through global functions and expressions. Depending on your business case, configure the most secure option for your organization. Enabling this mechanism helps to control the access that Bizagi Studio developers have to different processes or elements of a model. You can find further information in the Bizagi Studio Security section.
To manage access to the information in your project, you can utilize Case Security. A case can be set as either public or private, and its security can be defined in the Expert view of Bizagi Studio. By marking a case as private, only the users assigned during the case's process will have access to the information within that specific case. For more insights into managing sensitive information in Bizagi, please refer to the Case Security section.
Monitoring and registration
To ensure effective monitoring and registration, we recommend configuring and enabling the available traces in your Bizagi Studio model. Enabling traces for Authentication, Bizagi API, Connectors, Rules, and Expressions is particularly recommended. For further information refer to Tracing configuration.
Configuration Management
When updating a running Bizagi project, it is advisable to deploy the changes to the Testing environment first and perform tests to ensure everything works as expected. Then, deploy the changes to the Production environment. We do not recommend deploying changes directly to Production environments. For further information refer to Test environment deployment.
Identity and Authentication
Proper configuration of authentication mechanisms with a trusted Identity Provider (IdP) is crucial. The IdP should manage multifactor authentication mechanisms. Please refer to the Cloud Authentication section for more information.
Malware protection
When creating a Bizagi project that requires processing or uploading files, it is recommended to add whitelist or allowed list restrictions for file extensions. This limits the types of files that can be uploaded to your Bizagi instance. For further information refer to File uploads.
API Security
Bizagi provides programmatic access to underlying business information through its API, based on RESTful and OData services. We recommend using the OData services for integration with external applications. For introductory information about the OData API, refer to Bizagi API. Additionally, for Service Oriented Architecture (SOA) integration layer services, implementing the available WS-Security authentication layer is advised. This ensures web services are supported via HTTPS. Please consult the SOA Layer and Invoking Web services (SOAP) sections for more information.
Data Protection
Bizagi Cloud Platform features data encryption, for data at rest using Transparent Data Encryption (TDE) and for data in transit using Transport Layer Security protocol (TLS). The Data encryption section provides a comprehensive understanding of data protection in Bizagi Cloud Platform.
When exporting a complete project, Bizagi offers the option to export its respective metadata. To secure this metadata, it is recommended to password-protect the exported .bex or .bdex files. Password protection encrypts the file contents, safeguarding them against unauthorized exposure. For further information, refer to Exporting the metadata of a project for support.
This section focuses on best practices in security for Bizagi Automation Service, covering the following components:
Access Control
Ensure that each user in the system is assigned a role with the minimum privileges required for their respective operations. The Work Portal Security section provides additional details.
If you intend to consume information from Bizagi using APIs such as OData, review the configuration of token expiration time and confirm that users have access to the API using roles within the system. For more information, refer to Bizagi API Authentication.
Limit the registration of external applications with OAuth to prevent unauthorized integrations with the work portal. OAuth 2.0 Applications Options provides further details.
The Management Console also has its own security configuration requirements.
Access Control
From the Management Console, configure roles and Personas to restrict access to information and prevent unauthorized actions. Note that configuring Bizagi Authentication is not allowed in the authentication section of the Management Console. Consult the Management Console Security Option section for more information.
Monitoring and registration
To ensure effective monitoring and registration, we recommend configuring and enabling the available traces in the Management Console. Enabling the "all" option is recommended. Regularly checking the event log available in the Management Console helps identify issues in your model. Configure and enable the traces available in the Management Console for Authentication, Bizagi API, Connectors, Rules, and Expressions. For further information, refer to Event log.
Last Updated 8/14/2023 4:56:02 PM