# Security & Authentication
Security is fundamental to 9n9s. This guide covers authentication methods, access controls, security features, and best practices to protect your monitoring infrastructure and sensitive data.
## Authentication Methods

### Password Authentication

Strong Password Requirements:
- Minimum 12 characters
- Must include uppercase and lowercase letters
- Must include numbers and special characters
- Cannot reuse last 12 passwords
- Must be changed every 90 days (Enterprise plans)
Password Security Features:
```yaml
password_policy:
  min_length: 12
  require_uppercase: true
  require_lowercase: true
  require_numbers: true
  require_special_chars: true
  password_history: 12
  max_age_days: 90 # Enterprise only
  account_lockout:
    failed_attempts: 5
    lockout_duration: "15 minutes"
```
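The checks a server would run against the `password_policy` above, as an added example (this is not 9n9s code; the helper names, the in-memory lockout store and the PBKDF2-based history hashing are assumptions). It returns every violated rule rather than stopping at the first, so the caller can report all of them, and the lockout tracker clears its counter only once the lockout window has elapsed.

```python
"""Password policy and account lockout checks mirroring the password_policy config.
Added example; the policy values are from the page, the helpers are assumptions."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta, timezone

POLICY = {
    "min_length": 12,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_special_chars": True,
    "password_history": 12,
    "max_age_days": 90,
    "account_lockout": {"failed_attempts": 5, "lockout_duration": timedelta(minutes=15)},
}


def _hash(password: str, salt: bytes) -> bytes:
    # History entries are stored as salted PBKDF2 hashes so old passwords are not
    # recoverable; a production system would use its primary password hash here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_history_entry(password: str) -> tuple:
    """(salt, hash) pair to append to a user's password history (assumed layout)."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def policy_violations(password: str, history: list) -> list:
    """Return every rule the candidate breaks (empty list means compliant).
    `history` holds (salt, hash) pairs of previous passwords, newest first."""
    v = []
    if len(password) < POLICY["min_length"]:
        v.append("min_length")
    if POLICY["require_uppercase"] and not any(c.isupper() for c in password):
        v.append("require_uppercase")
    if POLICY["require_lowercase"] and not any(c.islower() for c in password):
        v.append("require_lowercase")
    if POLICY["require_numbers"] and not any(c.isdigit() for c in password):
        v.append("require_numbers")
    if POLICY["require_special_chars"] and not any(c in string.punctuation for c in password):
        v.append("require_special_chars")
    for salt, digest in history[: POLICY["password_history"]]:
        if hmac.compare_digest(_hash(password, salt), digest):
            v.append("password_history")
            break
    return v


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """max_age_days rule (Enterprise only per the config)."""
    return now - last_changed > timedelta(days=POLICY["max_age_days"])


class LockoutTracker:
    """Counts consecutive failed logins per account and enforces the lockout window."""

    def __init__(self):
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        if until and now < until:
            return True
        if until:  # window elapsed: reset the account's state
            del self._locked_until[account]
            self._failures.pop(account, None)
        return False

    def record_failure(self, account: str, now: datetime) -> bool:
        """Register a failed attempt; True when this attempt triggered a lockout."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= POLICY["account_lockout"]["failed_attempts"]:
            self._locked_until[account] = now + POLICY["account_lockout"]["lockout_duration"]
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
```

Lockout is keyed on the account, which is what the config describes; pairing it with a per-source-IP limit (see the audit-log section) keeps a single source from locking out many accounts at once.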
### Two-Factor Authentication (2FA)

Supported 2FA Methods:
- TOTP Apps: Google Authenticator, Authy, 1Password
- SMS: Text message codes (backup method)
- Hardware Keys: FIDO2/WebAuthn compatible devices
- Backup Codes: One-time recovery codes
Enable 2FA:
```shell
# Enable TOTP-based 2FA
9n9s-cli auth setup-2fa --method totp

# Generate backup codes
9n9s-cli auth backup-codes --generate

# Add hardware security key
9n9s-cli auth add-key --type fido2
```

2FA Configuration:
```yaml
two_factor_auth:
  required: true # Organization policy
  methods:
    - totp
    - sms # Backup only
    - hardware_key
  backup_codes:
    count: 10
    used: 2
    remaining: 8
  grace_period: "24 hours" # For new devices
```
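How the `totp` method and the `backup_codes` counters above work on the verifying side, as an added example (not 9n9s code): RFC 6238 TOTP built on RFC 4226 HOTP with a one-step skew window and replay rejection, plus backup codes of which only hashes are stored and each of which can be used once. The `BackupCodes` storage layout and the replay bookkeeping are assumptions; the test secret is the RFC 6238 reference key.

```python
"""TOTP verification and single-use backup codes. Added example, not 9n9s code."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter=None, window: int = 1,
                step: int = 30, digits: int = 6):
    """Return the time-step counter that matched, or None.
    `window` allows clock skew of that many steps either side; steps at or before
    `last_counter` (the last accepted one) are refused so a code cannot be replayed."""
    counter = at // step
    for d in range(-window, window + 1):
        c = counter + d
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps share the secret as unpadded base32 (otpauth:// URIs)."""
    return base64.b32decode(s.upper() + "=" * (-len(s) % 8))


class BackupCodes:
    """One-time recovery codes: plaintext is shown once, only hashes are kept."""

    def __init__(self, count: int = 10):
        self.plain = [secrets.token_hex(5) for _ in range(count)]  # hand these to the user once
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}
        self.used = 0

    @property
    def remaining(self) -> int:
        return len(self._hashes)

    def consume(self, code: str) -> bool:
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)  # single use
            self.used += 1
            return True
        return False
```

Store the counter returned by `verify_totp` with the user record and pass it back as `last_counter` on the next attempt; without that, a captured code stays valid for the whole skew window.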
### Single Sign-On (SSO)

Supported SSO Providers:
- SAML 2.0: Okta, Azure AD, Auth0, OneLogin
- OpenID Connect: Google Workspace, Microsoft 365
- LDAP/Active Directory: Enterprise plans
- Custom OIDC: Any compliant provider
SAML Configuration:
```yaml
saml_config:
  identity_provider: "okta"
  entity_id: "https://dev-123456.okta.com"
  sso_url: "https://dev-123456.okta.com/app/9n9s/exk123/sso/saml"
  certificate: |
    -----BEGIN CERTIFICATE-----
    MIICmTCCAYECBgF...
    -----END CERTIFICATE-----

  attribute_mapping:
    email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    first_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    last_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    teams: "http://schemas.company.com/teams"
```

OIDC Configuration:
```yaml
oidc_config:
  provider: "google_workspace"
  client_id: "123456789.apps.googleusercontent.com"
  client_secret: "encrypted_secret"
  discovery_url: "https://accounts.google.com/.well-known/openid-configuration"

  scopes:
    - openid
    - email
    - profile

  claims:
    email: "email"
    name: "name"
    groups: "groups"
```
## Access Control

### Role-Based Access Control (RBAC)

System Roles:
```yaml
system_roles:
  organization_admin:
    description: "Full access to organization settings and all resources"
    permissions:
      - manage_organization
      - manage_billing
      - manage_users
      - manage_teams
      - manage_all_monitors
      - manage_all_dashboards

  team_admin:
    description: "Manage team resources and members"
    permissions:
      - manage_team_members
      - manage_team_monitors
      - manage_team_dashboards
      - view_team_billing

  member:
    description: "Standard user access to team resources"
    permissions:
      - create_monitors
      - edit_own_monitors
      - view_team_monitors
      - create_dashboards
      - edit_own_dashboards

  viewer:
    description: "Read-only access to team resources"
    permissions:
      - view_team_monitors
      - view_team_dashboards
```

Permission Matrix:
| Action | Org Admin | Team Admin | Member | Viewer |
|---|---|---|---|---|
| Manage Organization | ✅ | ❌ | ❌ | ❌ |
| Manage Billing | ✅ | View Only | ❌ | ❌ |
| Manage Users | ✅ | Team Only | ❌ | ❌ |
| Create Monitors | ✅ | ✅ | ✅ | ❌ |
| Edit Team Monitors | ✅ | ✅ | Own Only | ❌ |
| Delete Monitors | ✅ | ✅ | Own Only | ❌ |
| View Dashboards | ✅ | ✅ | ✅ | ✅ |
| Create Dashboards | ✅ | ✅ | ✅ | ❌ |
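An authorization check that implements the `system_roles` definitions and the matrix above, as an added example (not 9n9s code). The `User`/`Resource` records, the action names and `can()` are assumptions; the "Own Only" column is enforced by comparing the resource owner with the caller, team scoping confines every role except `organization_admin` to the caller's own teams, and the "Delete Monitors: Own Only" row is read as covered by `edit_own_monitors` since `system_roles` lists no separate delete permission. Anything not explicitly granted is denied.

```python
"""RBAC check built from the system_roles and permission matrix. Added example."""
from dataclasses import dataclass, field
from typing import Optional

ROLE_PERMISSIONS = {  # copied from system_roles
    "organization_admin": {"manage_organization", "manage_billing", "manage_users", "manage_teams",
                           "manage_all_monitors", "manage_all_dashboards"},
    "team_admin": {"manage_team_members", "manage_team_monitors", "manage_team_dashboards", "view_team_billing"},
    "member": {"create_monitors", "edit_own_monitors", "view_team_monitors", "create_dashboards",
               "edit_own_dashboards"},
    "viewer": {"view_team_monitors", "view_team_dashboards"},
}

# action -> permissions that satisfy it; True marks "Own Only" (caller must own the resource)
ACTION_RULES = {
    "monitor:create": [("manage_all_monitors", False), ("manage_team_monitors", False), ("create_monitors", False)],
    "monitor:edit":   [("manage_all_monitors", False), ("manage_team_monitors", False), ("edit_own_monitors", True)],
    "monitor:delete": [("manage_all_monitors", False), ("manage_team_monitors", False), ("edit_own_monitors", True)],
    "monitor:view":   [("manage_all_monitors", False), ("manage_team_monitors", False), ("view_team_monitors", False)],
    "billing:view":   [("manage_billing", False), ("view_team_billing", False)],   # Team Admin: View Only
    "billing:manage": [("manage_billing", False)],
    "org:manage":     [("manage_organization", False)],
}


@dataclass
class User:
    id: str
    role: str
    teams: set = field(default_factory=set)


@dataclass
class Resource:
    id: str
    team: str
    owner_id: str


def can(user: User, action: str, resource: Optional[Resource] = None) -> bool:
    """Default deny: unknown roles, unknown actions and unmet scoping all return False."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    for perm, own_only in ACTION_RULES.get(action, []):
        if perm not in perms:
            continue
        # Only organization_admin acts across all teams; everyone else is confined
        # to the teams they belong to.
        if resource is not None and user.role != "organization_admin" and resource.team not in user.teams:
            continue
        if own_only and (resource is None or resource.owner_id != user.id):
            continue
        return True
    return False
```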
### Custom Permissions

Granular Permissions:
```yaml
custom_permissions:
  monitor_permissions:
    - create_monitor
    - edit_monitor
    - delete_monitor
    - pause_monitor
    - view_monitor_data
    - export_monitor_data

  dashboard_permissions:
    - create_dashboard
    - edit_dashboard
    - delete_dashboard
    - share_dashboard
    - embed_dashboard

  alert_permissions:
    - configure_alerts
    - acknowledge_alerts
    - escalate_alerts
    - view_alert_history

  administrative_permissions:
    - manage_users
    - manage_teams
    - view_audit_logs
    - manage_integrations
    - manage_billing
```

Permission Sets:

```yaml
# Create custom permission sets
permission_sets:
  security_analyst:
    description: "Security team monitoring access"
    permissions:
      - view_all_monitors
      - view_security_dashboards
      - acknowledge_security_alerts
      - view_audit_logs

  billing_manager:
    description: "Financial oversight of monitoring costs"
    permissions:
      - view_billing
      - export_usage_reports
      - manage_payment_methods
      - view_cost_allocation
```
## API Security

### API Key Management

API Key Types:
```yaml
api_key_types:
  personal_access_token:
    description: "User-specific API access"
    scope: "user_permissions"
    expiration: "configurable"

  service_account:
    description: "Application/service API access"
    scope: "limited_permissions"
    expiration: "90_days_max"

  integration_key:
    description: "Third-party integration access"
    scope: "integration_specific"
    expiration: "1_year_max"
```

API Key Security:
```shell
# Create API key with limited scope
9n9s-cli api-keys create \
  --name "CI/CD Integration" \
  --permissions "monitor:read,monitor:create" \
  --expires "2024-12-31"

# Rotate API key
9n9s-cli api-keys rotate key_abc123

# List active API keys
9n9s-cli api-keys list --show-usage
```

API Key Best Practices:
- Use service accounts for automated systems
- Implement key rotation every 90 days
- Limit permissions to minimum required scope
- Monitor API key usage for anomalies
- Revoke unused or compromised keys immediately
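Server-side handling of a scoped key like the one created above (`--permissions "monitor:read,monitor:create" --expires "2024-12-31"`), together with the 90-day rotation rule from the list, as an added example. This is not 9n9s code: the `ApiKey` record, the `9n9s_` secret prefix and the helper names are assumptions. Only a hash of the secret is stored, the scope string is parsed strictly so a typo cannot silently widen or empty the grant, and every refusal reason is distinct so usage anomalies are easy to spot in logs.

```python
"""Scoped API key issuance, authorization and rotation check. Added example."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
import hashlib
import hmac
import secrets


@dataclass
class ApiKey:
    key_id: str
    secret_hash: str           # only the hash is stored; the secret is shown once
    scopes: frozenset
    created: datetime
    expires: date
    revoked: bool = False


def parse_scopes(spec: str) -> frozenset:
    """Parse the CLI's comma-separated "resource:verb" list, rejecting malformed entries."""
    scopes = set()
    for item in spec.split(","):
        item = item.strip()
        parts = item.split(":")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"bad scope {item!r}")
        scopes.add(item)
    return frozenset(scopes)


def issue_key(permissions: str, expires: str, now: datetime) -> tuple:
    """Create a key; returns (stored record, plaintext secret to hand to the caller once)."""
    secret = "9n9s_" + secrets.token_urlsafe(24)   # constructed format, not a documented one
    record = ApiKey(key_id="key_" + secrets.token_hex(4),
                    secret_hash=hashlib.sha256(secret.encode()).hexdigest(),
                    scopes=parse_scopes(permissions), created=now,
                    expires=date.fromisoformat(expires))
    return record, secret


def authorize(key: ApiKey, presented: str, scope: str, now: datetime) -> str:
    """Return "ok" or the refusal reason; anything not explicitly granted is denied."""
    if key.revoked:
        return "revoked"
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, key.secret_hash):
        return "bad_secret"
    if now.date() > key.expires:
        return "expired"
    if scope not in key.scopes:
        return "out_of_scope"
    return "ok"


def rotation_due(key: ApiKey, now: datetime, max_age_days: int = 90) -> bool:
    """True once the key has reached the rotation interval (90 days per the list above)."""
    return now - key.created >= timedelta(days=max_age_days)
```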
### IP Allowlisting

Network Access Control:
```yaml
ip_allowlist:
  enabled: true
  default_action: "deny"

  rules:
    - name: "Office Network"
      cidr: "192.168.1.0/24"
      action: "allow"
      services: ["web", "api"]

    - name: "VPN Users"
      cidr: "10.0.0.0/8"
      action: "allow"
      services: ["web", "api"]

    - name: "CI/CD Pipeline"
      ip: "54.239.123.456"
      action: "allow"
      services: ["api"]
      description: "GitHub Actions runner"
```

Geographic Restrictions:
```yaml
geo_restrictions:
  enabled: true
  allowed_countries: ["US", "CA", "GB", "DE", "AU"]
  blocked_countries: []

  exceptions:
    allowed_countries: ["IN"]
    temporary: true
    expires: "2024-06-30"
```
## Data Security

### Data Encryption

Encryption Standards:
```yaml
encryption:
  data_at_rest:
    algorithm: "AES-256-GCM"
    key_management: "AWS KMS"
    database: "encrypted"
    backups: "encrypted"

  data_in_transit:
    protocol: "TLS 1.3"
    cipher_suites: ["TLS_AES_256_GCM_SHA384"]
    hsts_enabled: true
    certificate_pinning: true

  key_rotation:
    frequency: "quarterly"
    automatic: true
    audit_trail: true
```

Customer Managed Keys (Enterprise):
```yaml
customer_managed_keys:
  supported: true # Enterprise only
  key_providers: ["AWS KMS", "Azure Key Vault", "Google Cloud KMS"]

  configuration:
    key_id: "arn:aws:kms:us-east-1:123456789:key/12345678-1234-1234-1234-123456789012"
    rotation_schedule: "annual"
    access_logging: true
```
### Data Privacy

Data Handling:
- Data Minimization: Only collect necessary monitoring data
- Purpose Limitation: Use data only for monitoring purposes
- Data Retention: Automatic deletion based on plan limits
- Data Portability: Export your data at any time
- Right to Deletion: Complete data removal upon request
Privacy Controls:
```yaml
privacy_settings:
  data_retention:
    monitor_data: "based_on_plan" # 90 days to 10 years
    audit_logs: "2_years"
    user_activity: "1_year"

  data_sharing:
    analytics: "opt_in"
    marketing: "opt_out"
    third_parties: "never"

  geographic_storage:
    primary_region: "us_east_1"
    backup_regions: ["us_west_2"]
    cross_border: "encrypted_only"
```
## Compliance and Certifications

### Security Certifications

Current Certifications:
- SOC 2 Type II: Annual audits for security, availability, and confidentiality
- ISO 27001: Information security management system
- PCI DSS Level 1: Payment card data security (for billing)
- GDPR Compliant: European data protection regulation
- CCPA Compliant: California consumer privacy act
Compliance Features:
```yaml
compliance_features:
  soc2:
    controls:
      - access_controls
      - encryption
      - monitoring
      - incident_response
      - backup_recovery
    audit_frequency: "annual"
    reports_available: true

  gdpr:
    features:
      - data_portability
      - right_to_deletion
      - consent_management
      - data_breach_notification
      - privacy_by_design

  hipaa:
    available: true # Enterprise only
    features:
      - business_associate_agreement
      - encryption_at_rest
      - access_logging
      - user_authentication
```
### Audit and Monitoring

Security Monitoring:
```yaml
security_monitoring:
  login_monitoring:
    failed_attempts: "tracked"
    suspicious_locations: "flagged"
    impossible_travel: "detected"

  activity_monitoring:
    api_usage: "logged"
    permission_changes: "tracked"
    data_exports: "logged"
    configuration_changes: "audited"

  threat_detection:
    brute_force: "automatic_blocking"
    credential_stuffing: "rate_limiting"
    privilege_escalation: "alerting"
```

Audit Logs:
```json
{
  "timestamp": "2024-01-15T10:30:00Z",
  "event_type": "monitor_created",
  "user_id": "user_123",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "resource": {
    "type": "monitor",
    "id": "mon_abc123",
    "name": "API Health Check"
  },
  "changes": {
    "url": "https://api.example.com/health",
    "frequency": "1m"
  }
}
```
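Two of the `security_monitoring` detections above (`brute_force` and `impossible_travel`) run over audit events in the shape just shown, as an added example (not 9n9s code). The sample log lines, the `login_failed`/`login_success` event types and the IP-to-coordinate table are constructed; a real deployment would use a GeoIP database. The brute-force rule counts failures per source IP regardless of the targeted account, so it also catches credential stuffing spread over many accounts, and a malformed line is skipped rather than aborting the batch.

```python
"""Brute-force and impossible-travel detection over audit-log events. Added example."""
import json
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

GEO = {  # constructed: ip -> (lat, lon)
    "192.168.1.100": (40.71, -74.01),   # New York
    "203.0.113.7": (51.51, -0.13),      # London
}

SAMPLE_LOG = "\n".join([  # constructed events, one JSON object per line
    '{"timestamp": "2024-01-15T10:30:00Z", "event_type": "login_failed", "user_id": "user_123", "ip_address": "198.51.100.9"}',
    '{"timestamp": "2024-01-15T10:30:05Z", "event_type": "login_failed", "user_id": "user_123", "ip_address": "198.51.100.9"}',
    '{"timestamp": "2024-01-15T10:30:11Z", "event_type": "login_failed", "user_id": "user_123", "ip_address": "198.51.100.9"}',
    '{"timestamp": "2024-01-15T10:30:18Z", "event_type": "login_failed", "user_id": "user_789", "ip_address": "198.51.100.9"}',
    '{"timestamp": "2024-01-15T10:30:24Z", "event_type": "login_failed", "user_id": "user_789", "ip_address": "198.51.100.9"}',
    '{"timestamp": "2024-01-15T10:31:00Z", "event_type": "login_success", "user_id": "user_123", "ip_address": "192.168.1.100"}',
    '{"timestamp": "2024-01-15T10:35:00Z", "event_type": "monitor_created", "user_id": "user_123", "ip_address": "192.168.1.100", "resource": {"type": "monitor", "id": "mon_abc123", "name": "API Health Check"}}',
    '{"timestamp": "2024-01-15T11:00:00Z", "event_type": "login_success", "user_id": "user_123", "ip_address": "203.0.113.7"}',
    'not json at all',   # malformed line: must not abort the run
])


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        try:
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            events.append(e)
        except (ValueError, KeyError):
            continue   # skip unparsable lines, keep the rest of the batch
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events: list, threshold: int = 5, window=timedelta(minutes=15)) -> list:
    """Flag a source IP once it reaches `threshold` failed logins inside a sliding window."""
    recent = defaultdict(deque)
    findings, flagged = [], set()
    for e in events:
        if e.get("event_type") != "login_failed":
            continue
        q = recent[e["ip_address"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["ip_address"] not in flagged:
            flagged.add(e["ip_address"])
            findings.append({"rule": "brute_force", "ip_address": e["ip_address"],
                             "count": len(q), "at": e["timestamp"]})
    return findings


def haversine_km(a: tuple, b: tuple) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def detect_impossible_travel(events: list, max_kmh: float = 900.0) -> list:
    """Flag consecutive successful logins of one user that imply moving faster than `max_kmh`."""
    last, findings = {}, []
    for e in events:
        if e.get("event_type") != "login_success" or e["ip_address"] not in GEO:
            continue
        prev = last.get(e["user_id"])
        if prev:
            km = haversine_km(GEO[prev["ip_address"]], GEO[e["ip_address"]])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append({"rule": "impossible_travel", "user_id": e["user_id"],
                                 "from": prev["ip_address"], "to": e["ip_address"], "speed_kmh": round(speed)})
        last[e["user_id"]] = e
    return findings
```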
## Incident Response

### Security Incident Process

Incident Classification:
```yaml
incident_types:
  data_breach:
    severity: "critical"
    notification: "immediate"
    escalation: "c_level"

  unauthorized_access:
    severity: "high"
    notification: "1_hour"
    escalation: "security_team"

  service_disruption:
    severity: "medium"
    notification: "4_hours"
    escalation: "operations_team"
```

Response Procedures:
- Detection: Automated monitoring and alerting
- Analysis: Security team investigation
- Containment: Isolate affected systems
- Eradication: Remove threats and vulnerabilities
- Recovery: Restore normal operations
- Lessons Learned: Post-incident review and improvements
### Breach Notification

Notification Timelines:
- Internal Notification: Within 1 hour of detection
- Customer Notification: Within 24 hours (if customer data affected)
- Regulatory Notification: As required by applicable laws
- Public Disclosure: If legally required or significant impact
## Security Best Practices

### Account Security

User Guidelines:
```yaml
user_security_practices:
  authentication:
    - use_strong_passwords
    - enable_2fa
    - avoid_password_reuse
    - secure_password_manager

  access_management:
    - regular_permission_reviews
    - remove_unused_accounts
    - principle_of_least_privilege
    - separate_admin_accounts

  operational_security:
    - secure_api_key_storage
    - regular_key_rotation
    - monitor_unusual_activity
    - report_security_incidents
```
### Integration Security

Third-Party Integrations:
```yaml
integration_security:
  webhook_security:
    - use_https_only
    - verify_signatures
    - implement_rate_limiting
    - monitor_webhook_failures

  api_integrations:
    - use_service_accounts
    - limit_scope_permissions
    - implement_retry_logic
    - secure_credential_storage

  notification_channels:
    - verify_channel_ownership
    - use_secure_protocols
    - avoid_sensitive_data
    - regular_access_reviews
```
## Emergency Procedures

### Account Recovery

Lost Access Recovery:
```shell
# Initiate account recovery
# Use backup 2FA codes
9n9s-cli auth login --backup-code

# Contact emergency support
# Email: [email protected]
# Include: account email, last known access, verification details
```

Emergency Contacts:
- Security Incidents: [email protected]
- Account Lockouts: [email protected]
- Data Breaches: [email protected]
- 24/7 Emergency: Available for Enterprise customers
### Business Continuity

Disaster Recovery:
- Data Backups: Multiple geographic regions
- Service Redundancy: Multi-region deployment
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
## Security Contact

### Report Security Issues

Security Contact Information:
- Email: [email protected]
- PGP Key: Available on security page
- Bug Bounty: Coordinated disclosure program
- Response Time: 24 hours for critical issues
Vulnerability Disclosure:
- Report via [email protected]
- Provide detailed reproduction steps
- Allow reasonable time for fix
- Coordinate public disclosure timing
- Credit available for responsible disclosure