Best Practices: Preventing Compromising a CTERA Portal


Security is a top priority for organizations leveraging the CTERA Portal for cloud storage and file services. Implementing robust authentication and password management practices can significantly mitigate the risk of unauthorized access.

In addition to the antivirus and ransomware protection built into CTERA products, following the SAML and password best practices detailed below can substantially strengthen the security posture of your CTERA Portal environment. The following best practices help prevent compromise of the CTERA Portal.

Firewall Configuration

  • Why: Protect the portal from unauthorized access and cyber threats from the Internet.
  • How: Only expose required ports. Follow the port table for your version. For more details, see CTERA Portal Ports Diagram.
  • Impact: Blocks malicious or unwanted connections while allowing legitimate traffic to pass through. This helps prevent data breaches, malware infections, and other security incidents.

Use SAML Authentication with Multi-factor Authentication (MFA)

For Global Administrators

  • Why: Prevent unauthorized access to the global administrator account.
  • How: Configure SAML (Security Assertion Markup Language) authentication and enable MFA.
  • Impact: Increases the difficulty for attackers to gain control over the global administrator account.

SAML can be set in the SSO setting accessed from the Control Panel (Settings > Control Panel > SSO in the global administration user interface).

For Team Portal Users

  • Why: To secure individual customer tenant accounts.
  • How: Implement SAML with MFA for each tenant.
  • Impact: Mitigates the risk associated with compromised passwords for tenant accounts.

SAML can be set per team portal in the SSO setting accessed from the Control Panel (Settings > Control Panel > SSO in the team portal user interface).

Use a Strong Password Policy

  • Why: To guard against weak password guessing.
  • How: Set robust password policies.
    • At least 8 characters long.
    • It should not contain any of your personal information, specifically your real name, username or company name.
    • It must be unique from your previously used passwords.
    • It should not contain any word spelled completely.
    • It contains different types of characters, including uppercase letters, lowercase letters, numbers and special characters, such as !@#?.
  • Impact: Reduces the chance of password cracking attempts being successful.

The password policy can be set globally or per team portal in the Virtual Portal settings accessed from the Control Panel (Settings > Control Panel > Virtual Portal in either the team portal or global administration user interface).
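As an added example (not CTERA's own code), the following check applies the policy rules listed above before a password is accepted. It assumes previously used passwords are kept as SHA-256 fingerprints for the reuse check, and uses a small constructed word list in place of a full dictionary.

```python
import hashlib
import re

# Constructed sample word list; a real check would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "portal", "secret"}
SPECIAL_CHARS = set("!@#?$%^&*()-_=+[]{};:,./<>|~")


def fingerprint(password: str) -> str:
    """Assumption for this example: history is stored as SHA-256 hex digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password_policy(password, real_name, username, company, previous_fingerprints):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    lowered = password.lower()
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    # Personal information: each part of the real name, the username and the company name
    personal = [t for t in re.split(r"\s+", real_name) if t] + [username, company]
    for item in personal:
        if item and item.lower() in lowered:
            violations.append(f"contains personal information: {item!r}")
    if fingerprint(password) in previous_fingerprints:
        violations.append("reused from password history")
    # Any dictionary word spelled out completely inside the password
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            violations.append(f"contains the complete word {word!r}")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIAL_CHARS for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character types: " + ", ".join(missing))
    return violations


if __name__ == "__main__":
    history = {fingerprint("Kx7#rTq9!mWz")}
    for candidate in ["Summer2024!", "JDoe!2024", "abc", "Kx7#rTq9!mWz", "Vp4$nLq2&bHy"]:
        print(candidate, "->", check_password_policy(candidate, "Jane Doe", "jdoe", "Acme", history))
```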

Configure Mandatory Password Rotation

  • Why: To ensure ongoing security for tenants not using SAML.
  • How: Require password rotation at regular intervals.
  • Impact: Makes it challenging for attackers to misuse long-standing passwords.

The password policy can be set globally or per team portal in the Virtual Portal settings accessed from the Control Panel (Settings > Control Panel > Virtual Portal in either the team portal or global administration user interface).

Train Customers on Password Best Practices

  • Why: To ensure security discipline among customers not using SAML.
  • How: Educate users to use unique administration passwords for the CTERA Portal and their local systems.
  • Impact: Eliminates the risk of a compromised local system password being used to access the CTERA Portal.

Certificate Policy

  • Only use valid HTTPS certificates (from a trusted CA).
  • Rotate certificates as needed.

Administrative Practices

  • Disable unused administrator accounts.
  • Limit administration access to trusted IP ranges (if possible) using the IP range configuration feature: in the IP-Based Access Control List accessed from the Control Panel (Settings > Control Panel > Global Administrators Access Control, under USERS, in the global administration user interface).
  • Keep audit logging enabled and monitored.
    Note: From CTERA Portal version 8.2.x, CTERA Insight can also be used for monitoring.

  • Regularly review administration activity logs.