Security Best Practices
Recommended standards for hardening EGKits tenants, designing roles, managing API keys, and maintaining audit-ready security controls.
Security Best Practices
EGKits SaaS V10 provides enterprise-grade identity, authorization, and audit capabilities — but effective security depends on how each tenant configures policies, roles, and integrations. This guide defines recommended standards for administrators and security officers.
#Security principles
| Principle | Application in EGKits |
|---|---|
| Least privilege | Grant minimum permissions required for each role |
| Defense in depth | Combine MFA, RBAC, network controls, and audit |
| Separation of duties | Split admin, finance approval, and audit access |
| Zero trust for APIs | Scope keys narrowly; rotate regularly |
| Auditability | Retain audit trail; review privileged actions |
#Identity and authentication
#Multi-factor authentication (MFA)
- Require MFA for all administrative roles without exception.
- Require MFA for finance roles with posting, approval, or export permissions.
- Prefer authenticator apps (TOTP) over SMS where possible.
- Document MFA reset procedure requiring out-of-band identity verification.
- Review MFA enrollment status monthly from Administration > Users.
#Password and session policy
Configure under Administration > Security Policies:
| Setting | Recommended value |
|---|---|
| Minimum password length | 12+ characters |
| Password complexity | Upper, lower, number, symbol |
| Password history | Prevent reuse of last 5 passwords |
| Session idle timeout | 30–60 minutes for standard users |
| Admin session timeout | 15–30 minutes |
| Concurrent sessions | Limit for privileged accounts |
#Single sign-on (SSO)
- Use SSO for enterprises with centralized identity (Azure AD, Okta, etc.).
- Maintain at least one break-glass local admin account stored in a secure vault.
- Map IdP groups to EGKits roles explicitly — avoid default super-admin mapping.
- Monitor IdP certificate expiry; renew 30 days before expiration.
#Role-based access control (RBAC)
#Role design standards
- Start from seeded roles — customize rather than creating redundant roles.
- Name roles by function —
Finance Clerk,Sales Manager, notUser Type 3. - Avoid permission sprawl — if a role needs >80% of module permissions, split duties.
- Document role intent in your internal governance wiki with permission matrix.
- Review quarterly — remove unused roles; audit membership.
#Segregation of duties matrix
| Function | Create | Approve | Post to GL | Export |
|---|---|---|---|---|
| Requester | ✓ | — | — | — |
| Approver | — | ✓ | — | — |
| Accountant | ✓ | — | ✓ | ✓ |
| Auditor | — | — | — | ✓ (read-only) |
Configure approval workflows so the same user cannot create and approve the same document class where policy requires separation.
#API keys and integrations
| Standard | Detail |
|---|---|
| One key per integration | Never share keys across systems |
| Minimal scopes | Request only required module permissions |
| No keys in source control | Use secret managers or environment variables |
| Rotation schedule | Rotate every 90 days or on personnel change |
| Revoke immediately | On compromise suspicion or decommission |
| Log all API usage | Review Audit Trail for anomalous patterns |
Disable unused API keys rather than leaving them dormant.
#Data protection and tenant isolation
- Confirm users access only their tenant URL — train staff to recognize phishing domains.
- For dedicated-database plans, restrict database credentials to infrastructure team.
- Export sensitive reports only through authenticated sessions — avoid emailing unencrypted attachments.
- Apply branch scoping so regional staff cannot view other regions unless required.
- Use Document Archive retention policies aligned with legal hold requirements.
#Audit and monitoring
- Enable Audit Trail review cadence — weekly for admins, monthly for standard tenants.
- Alert on: bulk exports, role changes, API key creation, failed login spikes.
- Retain audit logs per your compliance framework (SOX, GDPR, local tax law).
- Correlate EGKits audit entries with IdP sign-in logs for SSO tenants.
- Include security review in onboarding and offboarding checklists.
#Offboarding checklist
| Step | Owner |
|---|---|
| Disable user account | HR notifies IT |
| Revoke API keys owned by user | Integration admin |
| Reassign owned records | Department manager |
| Remove from approval chains | Finance admin |
| Confirm MFA devices invalidated | Identity admin |
#Compliance alignment
EGKits provides controls that support common frameworks — implementation responsibility remains with the customer:
| Control area | EGKits capability |
|---|---|
| Access control | RBAC, MFA, SSO |
| Change management | Audit trail, approval workflows |
| Data integrity | Validation rules, posting controls |
| Availability | Platform SLA (per contract) |
| Confidentiality | Tenant isolation, encryption in transit |
Consult legal and compliance teams for jurisdiction-specific requirements (e-invoice, payroll, PII).
#Incident response
- Contain — disable compromised accounts and API keys immediately.
- Assess — review Audit Trail for unauthorized transactions or exports.
- Notify — follow internal IR plan; contact EGKits support for platform issues.
- Remediate — reset credentials, patch integration, tighten policies.
- Document — post-incident review with timeline and preventive actions.
#Related links
- Identity & Access Guide — detailed RBAC configuration
- Multitenancy Guide — isolation topologies
- Login Issues — authentication diagnostics
- Audit Trail Guide — investigation workflows
- System Configuration Guide — security settings