
Protecting identity

Identity Security Best Practices

When using a single sign-on identity provider (IdP) for accessing Palantir Foundry, there are security best practices you should observe.

Use Strong Multi-Factor Authentication (MFA)

Palantir strongly advocates for proof of identity beyond the traditional use of username + password. Multi-factor authentication is mandatory for our software products. If you are using your own implementation of multi-factor authentication in your identity provider, you should require strong forms of authentication.

Examples of strong forms of authentication (in approximate order of preference):

  • Connected hardware tokens, such as FIDO2-compatible USB security tokens (e.g., YubiKey, Google Titan) or CAC smartcards
  • Disconnected hardware tokens, such as one-time password (OTP) token generators (e.g., RSA SecurID, Thales SafeNet)
  • Software tokens, such as mobile device authenticator applications (e.g., Microsoft Authenticator, Google Authenticator); use of OTP generators is preferable to push notifications on mobile devices
  • Biometrics, such as fingerprint or facial recognition (e.g., Apple Touch ID and Face ID, Windows Hello)

Other forms of MFA, such as SMS-based OTPs (text message), email OTPs, two-step authentication (clicking a link), or security questions are not considered strong forms of authentication and should be disabled in favor of the methods above.

If you do not have mandatory multi-factor authentication on your identity provider, our products have native support for multi-factor authentication.

Require Periodic Re-Authentication

Palantir Foundry intentionally mandates a relatively short maximum session lifetime to force periodic re-authentication against the identity provider. As session tokens can be stolen by adversaries and potentially abused for their remaining lifetime, enforcing a relatively short lifespan for all user sessions provides some assurance that any misuse is time-restricted.

For the same reason, you should ensure that the lifetime of the session tokens generated by your identity provider is not overly permissive.
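To make the check in the previous paragraph concrete, here is an added example (not Palantir's or Foundry's own code) that inspects the lifetime claims an IdP places in a SAML assertion, the kind a SAML Multipass realm receives. The assertion, the audience URL and the maximum-lifetime thresholds are constructed or assumed values, not Foundry's actual settings.

```python
"""Check the lifetime claims a SAML IdP puts in an assertion against a session policy.
Added example, not Palantir/Foundry code. The assertion, audience URL and
thresholds below are constructed/assumed values."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: a short assertion validity window, but an IdP
# session that the IdP asserts is good for 30 days.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://foundry.example.com/multipass</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:00:00Z" SessionNotOnOrAfter="2024-05-31T09:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    """Parse the UTC timestamp format SAML uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_audience,
                    max_assertion=timedelta(minutes=10), max_session=timedelta(hours=12)):
    """Return a list of policy findings; an empty list means the assertion passes."""
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return ["assertion validity window is not bounded by Conditions"]
    validity = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
    if validity > max_assertion:
        findings.append(f"assertion validity {validity} exceeds {max_assertion}")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append("assertion is not restricted to the expected audience")
    for stmt in root.findall("saml:AuthnStatement", NS):
        end = stmt.get("SessionNotOnOrAfter")
        if end is None:
            findings.append("AuthnStatement sets no SessionNotOnOrAfter: IdP session lifetime is unbounded")
            continue
        session = _ts(end) - _ts(stmt.get("AuthnInstant"))
        if session > max_session:
            findings.append(f"IdP session lifetime {session} exceeds {max_session}")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, "https://foundry.example.com/multipass"):
        print("FINDING:", finding)
```

The sample assertion passes the validity and audience checks but is flagged for the 30-day IdP session, which is the "overly permissive" case the text warns about.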

Implement Zero Trust Security Principles

If you use a modern identity provider, you should enable and use Zero Trust technologies and strategies. Such technologies may include conditional access, device health or posture assessments, strong multi-factor authentication claims, and related controls. Refer to your identity provider documentation for what features are available, and how you can implement them.

Best practices for a Zero Trust security model include:

  • Do not trust devices or users based on weak security indicators. This includes software-based machine certificates, single-factor authentication, or network location.
  • Do not exempt users or devices from mandatory security controls.
  • Require recent strong multi-factor authentication for access to sensitive resources.
  • Require device security or health attestations or assessments as a condition for access.
  • Require re-authentication after unusual logons or activity.

Strictly Manage Service Accounts

Service accounts often have broadly-permissive access to sensitive data, and tend to be poorly secured in comparison to a standard user account. This makes them attractive targets for adversaries.

Pitfalls of service account management include:

  • Service accounts may be accessible to multiple people.
  • Service accounts may not have multi-factor authentication enabled.
  • Service accounts may not have their credentials rotated after people leave your organization.
  • Service accounts may have credentials or tokens hardcoded in scripts or applications.

If you use service accounts with Palantir Foundry, it's critical you safeguard them to protect your data.

Best practices for service account management include:

  • Ensure each service account is documented, has a named owner, and is periodically reviewed for appropriateness.
  • Configure your identity provider to only allow your service accounts to authenticate from specific IP addresses.
  • Require multi-factor authentication for service accounts, where possible.
  • Store service account credential material in a privileged access management (PAM) solution.
  • Require multi-party authentication to gain access to service account credential material.
  • Rotate service account credential material as needed based on team changes or leavers.
  • Strictly monitor service account behavior, logons, and credential material.
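As an added example of the monitoring and IP-restriction practices listed above (not Palantir's or Foundry's own code), the script below checks a batch of IdP logon events for service accounts that authenticate from outside their allowed networks, without MFA, or without a documented owner. The policy, the audit events, their field names and the `svc-` naming convention are all constructed assumptions; real IdP audit formats differ.

```python
"""Flag service-account logons that violate a per-account policy.
Added example, not Palantir/Foundry code. The policy, the audit events and
their field names are constructed; real IdP audit formats differ."""
import ipaddress
import json

# Assumed policy: the networks each documented service account may
# authenticate from, whether MFA is expected, and the named owner.
POLICY = {
    "svc-etl": {"allowed_networks": ["10.20.0.0/16"], "mfa_required": True, "owner": "data-platform"},
    "svc-reporting": {"allowed_networks": ["10.30.5.0/24"], "mfa_required": False, "owner": "bi-team"},
}

# Constructed audit events, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "svc-etl", "src_ip": "10.20.4.7", "mfa": true}
{"ts": "2024-05-01T09:10:00Z", "user": "svc-etl", "src_ip": "203.0.113.9", "mfa": true}
{"ts": "2024-05-01T09:12:00Z", "user": "svc-reporting", "src_ip": "10.30.5.20", "mfa": false}
{"ts": "2024-05-01T09:20:00Z", "user": "svc-etl", "src_ip": "10.20.4.8", "mfa": false}
{"ts": "2024-05-01T09:25:00Z", "user": "svc-unknown", "src_ip": "10.20.4.9", "mfa": false}
{"ts": "2024-05-01T09:30:00Z", "user": "alice", "src_ip": "10.20.4.9", "mfa": true}
"""

def audit_logons(log_text, policy, service_prefix="svc-"):
    """Return (account, timestamp, reason) tuples for every logon that breaks the policy."""
    networks = {acct: [ipaddress.ip_network(n) for n in p["allowed_networks"]]
                for acct, p in policy.items()}
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        user = event["user"]
        if not user.startswith(service_prefix):
            continue  # assumed naming convention; interactive users are out of scope here
        if user not in policy:
            findings.append((user, event["ts"], "undocumented service account with no named owner"))
            continue
        src = ipaddress.ip_address(event["src_ip"])
        if not any(src in net for net in networks[user]):
            findings.append((user, event["ts"], f"logon from {src} outside the allowed networks"))
        if policy[user]["mfa_required"] and not event.get("mfa", False):
            findings.append((user, event["ts"], "logon without MFA"))
    return findings

if __name__ == "__main__":
    for account, ts, reason in audit_logons(SAMPLE_LOG, POLICY):
        print(f"{ts} {account}: {reason}")
```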

Monitor Audit Logs

:::callout{theme="success" title="Best practice"} Customers are strongly encouraged to capture and monitor their own audit logs. See Monitoring Security Audit Logs for additional guidance. :::

Central Auth

Central Auth is a Palantir-managed Microsoft Entra ID (Azure AD) identity provider. Central Auth is managed by the Palantir Information Security team, and is designed to be a security-first authentication solution for customers who do not have their own identity provider, or have not yet been able to integrate their identity provider with Foundry.

If you do not have an identity provider for your Foundry installation, we may be able to provide access via Central Auth for you. Contact your Palantir representative for more information.

Central Auth Security

Central Auth may be integrated with your Foundry installation as a SAML Multipass realm. When integrated, user account provisioning and deprovisioning is managed by Palantir. Groups, markings, and other Platform security features are still managed by you.

All Central Auth accounts must meet strict security controls:

  • High-strength passwords and strong multi-factor authentication are required.
  • Central Auth users may need to perform re-authentication based upon suspicious logons or behavior.
  • Accounts that remain unused for more than 30 days may be disabled without notice.
