GoodData Cloud Security Infrastructure
This article summarizes GoodData Cloud’s IP whitelistings, TLS security protocols and password policy.
IP Whitelisting
GoodData Cloud connects to your data source only from the following IP addresses based on the data center:
| Datacenter | IP Addresses | Provider | Region | Note |
|---|---|---|---|---|
| IAD1 | 3.218.100.54/32 3.228.159.139/32 54.225.71.151/32 | AWS | us-east-1 | Trial accounts are located in this datacenter. |
| DUB1 | 18.200.100.37/32 18.200.42.248/32 99.80.14.106/32 | AWS | eu-west-1 | |
| SYD2 | 13.211.99.222/32 13.239.160.54/32 3.24.22.190/32 | AWS | ap-southeast-2 |
Add the IP addresses to your firewall to enable connection between GoodData Cloud and your data source. Ensure that you add all three IP addresses for a given data center.
Supported TLS Security Protocols and Ciphers
If you are connecting to the GoodData Cloud from your tool or using our API, use the supported protocols and ciphers, or your connection will be refused during the SSL/TLS handshake.
GoodData Cloud supports TLS 1.2 and TLS 1.3.
TLS 1.2 Cipher Suites
| Priority | Suite |
|---|---|
| 1 | ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| 2 | ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| 3 | ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
TLS 1.3 Cipher Suites
| Priority | Suite |
|---|---|
| 1 | AES_256_GCM_SHA384 |
| 2 | CHACHA20_POLY1305_SHA256 |
| 3 | AES_128_GCM_SHA256 |
Password policy
This password policy is applied only when the GoodData Cloud is handling user authentication. Password is used to log in into GoodData Cloud via UI applications only. Use bearer token in case you want to authenticate your API calls (see API Authentication).
Validated rules for passwords:
- Password has length at least 8 characters
- Password includes at least 3 of the following 4 types of characters:
- Lower-case letter,
- Upper-case letter,
- Number,
- Special character (such as !@#$%^&*).
Different rules apply in case you are using your own authentication provider.
Password Security Best Practices
- Implement Single Sign-On (SSO) with Multi-Factor Authentication (MFA) Whenever possible, set up SSO through a trusted Identity Provider with MFA support. Configure it as an SSO-only solution, preventing fallback to password authentication without MFA.
- Strengthen Password Requirements
If SSO isn’t feasible, consider:
- Increasing the minimum password length to 10 characters or more. However, longer passwords are not necessarily better. Requiring long passwords can lead to undesired user behavior, such as choosing repeating patterns that are not hard to guess, writing passwords down, or reusing them.
- Removing character-composition requirements. Most people use similar patterns if they are forced to combine certain characters (i.e. capital letter in the first position, a symbol in the last, and a number in the last 2), which can be exploited by attackers.
- Eliminating mandatory periodic password resets for user accounts. Mandatory resets drive users to very predictable passwords that are closely related to each other. Such passwords can be predicted based on the previous ones.
- Prohibiting common passwords to enhance system security. GoodData includes a block list of commonly used passwords to reduce the risk of successful brute-force attacks.
- Educating users against reusing their work-related passwords for other purposes.
- Evaluate Complexity Rules Strict complexity rules may not always enhance security, but they might be necessary to meet legacy compliance standards. Encouraging longer passphrases instead of passwords can be effective.