Security settings guide
This guide shows how to use Alpacon's security features to protect your infrastructure and meet compliance requirements.
For detailed configuration instructions, see Account settings and Workspace settings.
Multi-factor authentication strategy
Role-based differentiated MFA policies
Apply differentiated MFA based on your organization’s security requirements and user roles.
Strategy 1: Role-based authentication method separation
Superuser/Staff (administrators):
Required authentication methods:
Primary: Hardware security key (YubiKey)
Secondary: Biometric authentication (TouchID/FaceID)
Backup: Recovery codes (stored in vault)
MFA retention time: 5-10 minutes
User (regular users):
Recommended authentication methods:
Primary: Biometric authentication
Secondary: OTP (Google Authenticator)
Backup: Email
MFA retention time: 15-30 minutes
Real-world application example:
# Workspace settings
Allowed MFA methods:
- Hardware security key
- Biometric authentication
- OTP
MFA required for:
- Websh: ✅
- WebFTP: ✅
- Deploy Shell: ✅
Strategy 2: Environment-based security levels
Production workspace:
- Enforce MFA: ✅ Enabled
- Allowed MFA methods: Hardware key + biometric authentication only
- Authentication retention: 5 minutes
- Invitation TTL: 24 hours
Development workspace:
- Enforce MFA: Optional
- Allowed MFA methods: All methods
- Authentication retention: 60 minutes
- Invitation TTL: 7 days
Tip: Separating workspaces by environment allows flexible security policy management.
Preparing for recovery scenarios
Prepare for situations where MFA devices are lost or unavailable.
Recovery code management strategy:
Individual users:
- Store in password manager like 1Password
- Keep printed copy in home safe
Teams/Organizations:
- Share in team password manager (1Password Teams)
- Store in sealed envelope (2+ signatures)
- Regular regeneration (quarterly) and destroy old codes
Emergency access procedure:
- Use recovery codes when primary authentication is unavailable
- Immediately generate new recovery codes after using old ones
- Register new MFA authentication method
- Report incident to security team
Login session security
Detecting abnormal access patterns
Weekly review routine:
# Review checklist
1. Account Settings → Check login history
Warning signs:
- IP from unusual country/city
- New device/browser
- Access outside business hours (2-6 AM)
- Access from different locations in short time
Actions:
→ Immediately terminate suspicious sessions
→ Change password
→ Reset MFA authentication methods
→ Report to security team
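The warning signs above can be checked mechanically over an exported login history. The following is an added example, not Alpacon code: it runs the four checks against constructed login records (field names are assumptions), using each user's earlier logins as the baseline for "unusual" and "new".

```python
from datetime import datetime, timedelta

# Constructed login-history records (not real Alpacon data). The fields mirror
# what the weekly review looks at: time, IP, location and device/browser.
LOGIN_HISTORY = [
    {"user": "alice", "time": "2024-03-04T09:12:00", "ip": "203.0.113.10",
     "city": "Seoul", "country": "KR", "device": "Chrome/macOS"},
    {"user": "alice", "time": "2024-03-05T10:03:00", "ip": "203.0.113.10",
     "city": "Seoul", "country": "KR", "device": "Chrome/macOS"},
    {"user": "alice", "time": "2024-03-06T03:41:00", "ip": "198.51.100.7",
     "city": "Frankfurt", "country": "DE", "device": "Firefox/Linux"},
    {"user": "alice", "time": "2024-03-06T04:10:00", "ip": "203.0.113.10",
     "city": "Seoul", "country": "KR", "device": "Chrome/macOS"},
]


def review_logins(history, quiet_hours=(2, 6), travel_window=timedelta(hours=2)):
    """Return [(record, [warning signs])] for logins matching the checklist.
    The baseline for "unusual" and "new" is the user's earlier logins, so the
    first login of a user never triggers those two signs."""
    findings = []
    seen_by_user = {}
    for rec in sorted(history, key=lambda r: r["time"]):
        seen = seen_by_user.setdefault(rec["user"], [])
        t = datetime.fromisoformat(rec["time"])
        signs = []
        if seen:
            known_places = {(s["country"], s["city"]) for s in seen}
            if (rec["country"], rec["city"]) not in known_places:
                signs.append("unusual country/city")
            if rec["device"] not in {s["device"] for s in seen}:
                signs.append("new device/browser")
            prev = seen[-1]  # most recent earlier login of this user
            gap = t - datetime.fromisoformat(prev["time"])
            if prev["city"] != rec["city"] and gap <= travel_window:
                signs.append("different locations in short time")
        if quiet_hours[0] <= t.hour < quiet_hours[1]:  # 2-6 AM by default
            signs.append("outside business hours")
        if signs:
            findings.append((rec, signs))
        seen.append(rec)
    return findings
```

Every flagged record should go through the Actions list above; the Seoul login 29 minutes after the Frankfurt one is the case that most strongly suggests a session to terminate.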
User provisioning strategy
Home directory permissions by environment
Real-world scenarios
Scenario 1: Data science team collaboration
Requirements:
- Shared dataset access
- Notebook file sharing
- Protected personal experiment space
Configuration:
Workspace: Data-Science
User provisioning: Group sharing (750)
Group structure:
- ds-team (read/write)
- ds-readonly (read only)
Result:
/home/alice/ → alice:ds-team 750
├── personal/ → alice:alice 700 (personal space)
├── shared/ → alice:ds-team 770 (team shared)
└── public/ → alice:ds-team 755 (public)
Scenario 2: Production security hardening
Requirements:
- Complete user isolation
- Log file protection
- Configuration file security
Configuration:
Workspace: Production
User provisioning: Restricted access (700)
Result:
/home/bob/ → bob:bob 700
→ Other users cannot access
→ Logs and config files protected
Scenario 3: Shared resource server
Requirements:
- Public datasets
- Common scripts
- Documentation and guides
Configuration:
Workspace: Shared-Resources
User provisioning: Full sharing (755)
Dedicated accounts:
- shared-data
- shared-scripts
- documentation
Result:
/home/shared-data/ → shared-data:users 755
→ All users can read
→ Only admins can write
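The three scenarios differ only in the home-directory modes, and drift away from those modes (an accidental chmod, a script that relaxes permissions) is easy to audit. The following is an added example, not Alpacon's provisioning code: it builds the scenario 1 layout in a temporary directory and reports every directory that grants a bit the policy does not; ownership is not checked because chown needs privileges.

```python
import os
import stat
import tempfile

# Home-directory policies from the guide: provisioning mode -> top-level mode,
# plus the sub-directory layout used in the data-science scenario.
PROVISIONING_MODES = {"restricted": 0o700, "group": 0o750, "full": 0o755}
GROUP_SHARING_LAYOUT = {"personal": 0o700, "shared": 0o770, "public": 0o755}

def create_home(root, user, provisioning, layout=None):
    """Create <root>/<user> with the mode of the chosen provisioning policy and
    the sub-directories with their own modes. chown is left out on purpose: it
    needs privileges and is done by provisioning, so this handles modes only."""
    home = os.path.join(root, user)
    os.makedirs(home, exist_ok=True)
    os.chmod(home, PROVISIONING_MODES[provisioning])
    for name, mode in (layout or {}).items():
        sub = os.path.join(home, name)
        os.makedirs(sub, exist_ok=True)
        os.chmod(sub, mode)
    return home

def audit_home(home, provisioning, layout=None):
    """Return (path, actual_mode, expected_mode) for every directory whose mode
    grants a bit the policy does not (looser than allowed); tighter is fine."""
    expected = {home: PROVISIONING_MODES[provisioning]}
    for name, mode in (layout or {}).items():
        expected[os.path.join(home, name)] = mode
    violations = []
    for path, want in expected.items():
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual & ~want:  # some permission bit set that the policy denies
            violations.append((path, actual, want))
    return violations

def demo():
    """Build the data-science layout (scenario 1), then loosen personal/ the way
    an accidental `chmod 755` would and re-audit. Returns (clean, drifted)."""
    with tempfile.TemporaryDirectory() as root:
        home = create_home(root, "alice", "group", GROUP_SHARING_LAYOUT)
        clean = audit_home(home, "group", GROUP_SHARING_LAYOUT)
        os.chmod(os.path.join(home, "personal"), 0o755)
        drifted = audit_home(home, "group", GROUP_SHARING_LAYOUT)
        return clean, [(os.path.basename(p), a, w) for p, a, w in drifted]

if __name__ == "__main__":
    print(demo())
```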
Regular security audits
Automatable audit items
Monthly security report generation
Script example (Slack Bot integration):
# Run on 1st of each month
Monthly security checklist:
1. Users without MFA
→ Send DM to target users
→ Notify Staff if not set after 1 week
2. Users who haven't changed password in 90+ days
→ Send password change reminder email
3. Long-inactive accounts (no login for 30+ days)
→ Account deactivation review list
4. Users with excessive permissions
→ Superuser role review needed
5. Unresolved alert notifications
→ Summary of unresolved alerts by environment
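The checklist above maps directly onto a small script. The following is an added example, not Alpacon's code: it evaluates the five items over constructed user and alert records (the field names, the `#security` channel and the message wording are assumptions) and produces the DMs and the staff summary a Slack bot would send.

```python
from datetime import date, timedelta

TODAY = date(2024, 4, 1)  # the script runs on the 1st of each month
# Constructed user and alert records (not real Alpacon data). Field names are
# assumptions; in practice they would be exported from the workspace.
USERS = [
    {"username": "alice", "role": "superuser", "mfa_enabled": True,
     "password_changed": date(2024, 3, 20), "last_login": date(2024, 3, 30)},
    {"username": "bob", "role": "user", "mfa_enabled": False,
     "password_changed": date(2023, 11, 1), "last_login": date(2024, 3, 29)},
    {"username": "carol", "role": "staff", "mfa_enabled": True,
     "password_changed": date(2024, 1, 15), "last_login": date(2024, 2, 10)},
    {"username": "dave", "role": "superuser", "mfa_enabled": False,
     "password_changed": date(2024, 3, 1), "last_login": date(2024, 3, 31)},
]
UNRESOLVED_ALERTS = [{"env": "production", "rule": "disk > 90%"},
                     {"env": "production", "rule": "cpu > 95%"},
                     {"env": "development", "rule": "memory > 80%"}]

def monthly_checks(users, alerts, today=TODAY):
    """Evaluate the five monthly checklist items and return the findings."""
    stale_pw = today - timedelta(days=90)   # item 2 threshold
    inactive = today - timedelta(days=30)   # item 3 threshold
    by_env = {}                             # item 5: unresolved alerts per env
    for a in alerts:
        by_env[a["env"]] = by_env.get(a["env"], 0) + 1
    return {
        "no_mfa": [u["username"] for u in users if not u["mfa_enabled"]],
        "stale_password": [u["username"] for u in users if u["password_changed"] <= stale_pw],
        "inactive": [u["username"] for u in users if u["last_login"] <= inactive],
        "superusers": [u["username"] for u in users if u["role"] == "superuser"],
        "unresolved_alerts": by_env,
    }

def slack_messages(findings, staff_channel="#security"):
    """DM each user without MFA, then post one summary to the staff channel.
    The channel name and message wording are assumptions."""
    msgs = [(f"@{u}", "MFA is not set up on your account. Please enable it within 1 week.")
            for u in findings["no_mfa"]]
    lines = [
        "Users without MFA: " + (", ".join(findings["no_mfa"]) or "none"),
        "Password not changed in 90+ days: " + (", ".join(findings["stale_password"]) or "none"),
        "No login for 30+ days (deactivation review): " + (", ".join(findings["inactive"]) or "none"),
        "Superuser role review: " + (", ".join(findings["superusers"]) or "none"),
        "Unresolved alerts by environment: "
        + ", ".join(f"{env}={n}" for env, n in findings["unresolved_alerts"].items()),
    ]
    return msgs + [(staff_channel, "\n".join(lines))]
```

The "notify Staff if not set after 1 week" step is a second run of the same check one week later, comparing against the users who were DMed the first time.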
Quarterly in-depth audits
Security audit checklist:
Q1: January - Major Access Rights Review
□ Review all user group memberships
□ Verify appropriateness of Superuser/Staff roles
□ Confirm deletion of departed employee accounts
□ Deactivate accounts of employees on leave
□ Delete long-unused servers
Q2: April - Authentication and Security Policy Hardening
□ Check MFA setup status
□ Regenerate recovery codes
□ Review allowed MFA methods
□ Review password policy hardening
□ Verify session timeout appropriateness
Q3: July - Monitoring and Alert Optimization
□ Adjust alert rule thresholds
□ Evaluate alert fatigue
□ Check webhook integration status
□ Delete unused alert rules
□ Review addition of new metrics
Q4: October - Compliance Preparation
□ Archive audit logs
□ Prepare annual security report
□ Analyze security incident history
□ Establish next year's security policies
□ Reflect regulatory changes
Real-world threat response
Incident-specific response
Incident 1: Suspected account compromise
Indicators:
- Abnormal login during late night hours
- Unusual IP address
- Consecutive access to multiple servers
Immediate response (within 5 minutes):
1. Account Settings → Login history
→ Terminate all suspicious sessions
2. Immediately change password
3. Reset MFA authentication methods
→ Delete existing OTP and re-register
4. Check activity logs from last 7 days
→ User detail → Activity tab
Follow-up actions (within 1 hour):
5. Check list of accessed servers
→ Server detail → Access tab
6. Review executed commands
→ Server detail → Activity tab → Command History
7. Check file changes
→ Log files, config file integrity check
8. Report to security team/admin
→ Slack #security-incident
Incident 2: Privilege escalation attempt
Indicators:
- Regular user attempting sudo
- Unauthorized file access attempts
- Configuration file tampering attempts
Detection and response:
User detail → Activity tab:
- Repeated HTTP 403/401 errors
- Permission change attempt records
Server detail → Activity tab:
- sudo failure logs
- Permission denied logs
Immediate actions:
1. Temporarily deactivate user account
2. Convene admin meeting
3. Interview user
4. Process termination if necessary
Team size-based recommendations
Small team (5-10 people)
Initial setup:
Workspace: 1 (Development + Production combined)
Group structure:
- Developers (all developers)
- Admins (2-3 people)
Security settings:
- MFA: Recommended (not required)
- Allowed MFA methods: All methods
- Websh session: 4 hours
- User provisioning: Group sharing
Alert rules: Default settings only
Advantages: Simple management, fast collaboration
Disadvantages: Lower security level
Medium team (10-50 people)
Recommended setup:
Workspaces: 2 (Development, Production separated)
Group structure:
Development WS:
- Backend-Team
- Frontend-Team
- Data-Team
- DevOps
Production WS:
- Production-Access (Senior + DevOps only)
- Database-Admins
- Read-Only-Access
Security settings:
Production:
- MFA: Required
- Allowed MFA methods: Hardware key, biometric, OTP
- Websh session: 1 hour
- User provisioning: Restricted access
- MFA required for all root operations
Development:
- MFA: Optional
- Websh session: 4 hours
- User provisioning: Group sharing
Alert rules:
- Production: Strict thresholds + Slack
- Development: Flexible thresholds
Large organization (50+ people)
Enterprise setup:
Workspaces: By environment + team separation
- production-critical
- production-standard
- staging
- development-backend
- development-frontend
- development-data
Security policies:
- SSO integration (Azure AD, Okta)
- MFA required (all workspaces)
- Hardware key required (production)
- IP allowlist (VPN Only)
- Record all sessions (compliance)
Automation:
- Manage workspaces with Terraform
- CI/CD pipeline integration
- SIEM integration (Splunk, ELK)
- Automated compliance reports
Essential checklist
Immediate application (Priority 1)
- Limit Superuser role to 2-3 people
- Require hardware key or biometric authentication for Staff and above
- Back up recovery codes in safe location
- Separate production servers into dedicated groups
- Check login history weekly
Apply within 1 month (Priority 2)
- Separate workspaces by environment (Production/Development)
- Set MFA policies per workspace
- Configure alert rules (CPU, memory, disk)
- Integrate Slack webhook
- Optimize Websh session timeout
Build within 3 months (Priority 3)
- Write security incident response runbook
- Automate monthly security reports
- Establish quarterly security audit process
- Conduct team security training
- Map compliance requirements
Related documentation
Configuration methods:
- Account settings - Personal MFA and password settings
- Workspace settings - Security policies and alert rules
Strategy guides:
- Permission management best practices - Group and role strategies
- Monitoring best practices - Alert and log utilization
Security theory:
- Authentication and access control - MFA, SSO, additional authentication
- Data security - Encryption and compliance