IDaaS CIAM (Customer Identity and Access Management) is built on enterprise-grade security controls. The following sections cover compliance certifications, password policy, risk governance controls, and data encryption.
Compliance certifications
IDaaS CIAM holds the following certifications:
Level 3 Protection — Complies with China's Classified Protection of Cybersecurity requirements at Level 3.
PCI — Passed PCI series reviews.
ISO series — Passed ISO series reviews.
Personal Information Protection Law of the People's Republic of China — Meets the relevant provisions regarding user privacy.
Password policy
IDaaS lets you combine password rules freely. Configure the rules that fit your security requirements; users also have password reset and password recovery flows available.
Risk governance
IDaaS CIAM applies risk governance controls across registration, logon, and authentication flows to protect accounts against common attacks. These include but are not limited to:
Brute-force protection
Controls that limit repeated failed attempts:
| Control | Behavior |
|---|---|
| IP failure count limit | After N consecutive failures from the same IP within a time window, CAPTCHA is triggered. |
| Account password brute-force CAPTCHA | After N consecutive password failures within a time window, CAPTCHA is triggered. |
| Account password brute-force lockout | After N consecutive password failures within a time window, the account is locked for a set period. |
| Authentication frequency limit | After N authentication attempts within a time window, the account is locked for a set period. |
IP access controls
| Control | Behavior |
|---|---|
| IP blacklist | All requests from blacklisted IPs are rejected. |
| IP whitelist | Only requests from whitelisted IPs are allowed. |
SMS and email controls
Controls that prevent abuse of verification codes sent via SMS or email:
| Control | Behavior |
|---|---|
| SMS/email brute-force CAPTCHA | After sending N verification codes within a time window, CAPTCHA is triggered. |
| SMS/email brute-force frequency limit | After sending N verification codes within a time window, the account is locked for a set period. |
| Logon brute-force SMS limit | An SMS verification code becomes invalid after N authentication attempts in the same logon flow. |
Account storage encryption
IDaaS encrypts account data using different algorithms based on field sensitivity.
Data at rest:
| Field | Algorithm |
|---|---|
| Password | SHA256 with salt |
| Email address | AES/KMS |
Data in transit:
| Protocol | Coverage |
|---|---|
| HTTPS, SSL | All network transmission |