Intro
As part of our standards to ensure the health and safety of your environments, we undergo rigorous routine audits, penetration testing, react quickly to new vulnerabilities, and follow industry best practices.
In pursuit of that goal, we require all credentials with customer database access to be rotated at least once per year.
How does this impact my system?
For the most part, it doesn’t. This should be relatively transparent for multi-tenant customers outside our TDX user password requirements.
Only those Private Cloud customers who have read-only database credentials need to be concerned with this. Even then, the only action item should be rotating the username and password of that account every year. These accounts could either be direct database access or through iPaaS and some organizations do have both. A handful may even have a third account. All of these must be rotated, there are no exceptions.
Your account should either look like:
- [customer name]_customer_user_ro_[year] or
- [customer name]_ipaas_user_ro_[year]
Account Owners
When your organization requested this access, you should have been sent an encrypted email with the server’s name, user name, password, and databases you will use to access the system. If you are a Private Cloud customer who doesn’t already have this and is interested in it, you can request the service here and learn more about accessing the system here and here.
When this is set up, TeamDynamix should ask you about a verified account owner(s). This person or small group should be the one who is primarily responsible for requesting that we add new IPs to the allow list, handle disseminating the credentials to anyone within your organization, and coordinate rotating the username and password each year.
We do encourage you to pick more than one account owner in case the primary owner either leaves your organization or transitions to a new job title, but we do prefer to keep that list lean so it’s easy to communicate and coordinate.
What’s the timeline for these changes?
When we create a new account, it gets appended with the current calendar year. This helps us identify accounts which will need to be rotated next year and acts as a sort of expiration date. Accounts created this year will not need to be rotated until the following calendar year.
We typically begin reaching out to customers in late Q2 or early Q3 to get this process started. It may be via ticket or secure email and typically follows a fairly standard timeline:
- Early Q3 – We reach out to verify that the account owner listed for this account is still the correct person to be working with. We verify this to ensure people who have left the organization or should not receive the passwords aren’t being given access to sensitive information.
- Once we have verified the correct owners for each account, we will work with your organization to establish a timeline that works well for your needs.
- Mid Q3 – TeamDynamix will generate the new credentials and send them to your organization.
- During this time, you should be testing out the access anywhere you use it. This might be in iPaaS, SQL Server Management Studio, SQL Agent Jobs, Linked Servers, PowerBI, Tableau, or elsewhere. Anywhere you access your system with this login will need to be updated.
- Our monitoring tools do allow us to see if the login is still being used, but does not give us much granularity before we disable the account.
- If you have trouble identifying where an account is being used, we can briefly turn on an auditing feature to capture additional info, but it will only give us the host machine name, public IP address, and a few other basic details.
- Late Q3 – Once you’ve had a few weeks to test the new account, we will agree upon a time when we can soft disable the old account. Once you’re comfortable, we will deny access to the previous year’s login and take away its ability to connect, but we will leave it on the server.
- Leaving the account on the server allows us to quickly re-enable it and re-grant access in the event any critical unforeseen work begins failing (C-Suite reports, yearly processes, etc.).
- During this period, TeamDynamix will regularly check the SQL Logs for login failures and communicate the times / public IPs of those failures.
- Late Q3 – Early Q4 – Once the previous year’s account has been soft disabled for a week or two and the SQL logs have been clean for a few days, we will confirm with you that we can permanently remove the old account from the server. At this time, the old account will be effectively unrecoverable and your portion of this is done until Q3 of the following year.
- December 15th – The absolute latest cutoff date we can allow for all the above items to be completed.
- Old accounts must be disabled and removed from the server by this point. They cannot be active past the end of the year and we choose this date as a hard cutoff so we can avoid coordination issues due to the PTO many folks take towards the end of the year.
- Q1 – Q3 of Next Year
- Please notify us if any account owners from your organization leave or need to be added.
- You may reach out to us to rotate the user / password in advance. This could be due to folks leaving the organization or just to get ahead on compliance.