Security recommendations

Here you can find recommendations for increasing your organization's security posture when using Yandex 360 for Business.

Account protection

If malicious actors gain access to the owner's or an administrator's account, they'll also gain access to your organization's profile. To prevent this, follow our recommendations.

Use strong passwords

Come up with a complex password and don't reuse it on other websites or applications. How to create a strong password

Enable two-factor authentication (2FA)

Logging in with a combination of a permanent and a one-time password (OTP) is one of the most secure ways to access your account. Learn more about 2FA

If you can't enable 2FA for all users for whatever reason, make sure that it's enabled for administrators and other key employees.

You can enable login with a password/OTP combination for all employees at once via an API request. How to do this

Add phone numbers and additional email addresses

The phone number and additional email address linked to Yandex ID will help restore access to your account if you lose it. Yandex also sends notifications about suspicious activity and other important events there. A secure phone number is also used to verify that it's you logging in to Yandex, not someone else. For more information, see Linking phone numbers and Additional email addresses.

Use single sign-on (SSO)

The SAML 2.0 single sign-on (SSO) technology lets you manage access to Yandex 360 services through your own access management system (for example, Active Directory or Keycloak). This way, employees don't have to remember a new username and password, and you don't have to create separate accounts for them in Yandex 360 for Business. How to set up SSO

Synchronize users from Active Directory

If your company has deployed Active Directory Federation Services, you can configure automatic synchronization of employees and groups with Yandex 360 for Business. If an employee quits or their account is compromised, you can deactivate the account in Active Directory, which blocks it in Yandex as well. How to synchronize users with an LDAP directory

Set the password change frequency

If you don't use SSO, set an expiration period for user passwords. When an employee's password expires, Yandex will prompt them to change it. You can set the password change frequency via an API request. How to change password policy settings

Set the session cookie lifetime

You can set a period after which employees will need to log in again. By default, the lifetime of session cookies is not limited. Set this value in accordance with your organization's information security policy. You can do this via an API request. How to change the session cookie lifetime

Grant only the necessary permissions

Minimize the number of administrators. Grant users only the permissions they really need. How to assign managers

You can create additional accounts with regular user permissions for the organization's administrators to use for everyday work. This reduces the likelihood of attackers gaining access to the account with important permissions.

Don't use one administrator account for multiple employees

If several employees share one administrator account, the chances of attackers gaining access to it increase. With a single shared account, it's also impossible to track who performed which actions and when.

If you've lost access to the owner's account, restore it

Access to the organization owner's account can be lost when an employee quits, forgets their password, and in similar situations. Try to restore access on your own. How to do this

Corporate email protection

Set up a DKIM signature

You can set up a DKIM signature for emails that your employees send from your domain. This way, recipients will know that the email is definitely from you and not someone else. How to set up a DKIM signature

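
The following is an added example (not Yandex 360 code) showing the part of DKIM that a recipient can check without any key material: that the selector's TXT record is a usable DKIM1 key record (an empty p= means the key was revoked), and that the bh= tag in a DKIM-Signature header matches the delivered body under RFC 6376 "simple" body canonicalization. The selector record, the p= placeholder and the message body are constructed for the example; verifying the b= signature itself additionally needs the published public key and an RSA library, which is not shown.

```python
import base64
import hashlib

# Constructed selector record, as it would be published at
# <selector>._domainkey.example.com. The p= value is a placeholder, not a real key.
DKIM_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"

# Constructed message body with LF line endings and trailing empty lines.
SAMPLE_BODY = "Hello,\n\nThe invoice amount is 120.00 EUR.\n\nRegards\n\n\n"


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (used by both the TXT record and the header)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside b= / bh= values is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags


def key_record_usable(txt: str) -> bool:
    """True if the TXT record is a DKIM1 key record carrying a non-empty key.

    An empty p= means the selector's key was revoked; signatures made with it
    must be treated as failed.
    """
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return False
    return bool(tags.get("p"))


def simple_body_canon(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization.

    Lines end in CRLF, trailing empty lines are removed, and the body always
    ends with exactly one CRLF (an empty body becomes a single CRLF).
    """
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (text.rstrip("\r\n") + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= value a signer computes for the body with a=rsa-sha256."""
    digest = hashlib.sha256(simple_body_canon(body)).digest()
    return base64.b64encode(digest).decode()


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """Check the bh= tag of a DKIM-Signature header against the delivered body.

    Only 'simple' body canonicalization is implemented here; a header asking
    for 'relaxed' body canonicalization is reported as not verified.
    """
    _, _, value = dkim_header.partition(":")
    tags = parse_tags(value)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple":
        return False
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    header = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; "
              "s=mail; bh=" + body_hash(SAMPLE_BODY) + "; b=PLACEHOLDER")
    print("key record usable:", key_record_usable(DKIM_TXT))
    print("body hash matches:", verify_body_hash(header, SAMPLE_BODY))
    print("tampered body matches:",
          verify_body_hash(header, SAMPLE_BODY.replace("120.00", "1200.00")))
```

A body hash mismatch is the typical symptom of a mail relay or footer-adding gateway modifying the message after signing; the canonicalization rule for trailing empty lines is why a recipient can still verify a body whose trailing blank lines changed in transit.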
Set up an SPF record

An SPF record reduces the risk of an email from an address on your domain ending up in the recipient's spam folder. How to configure an SPF record

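
To show what a receiving server actually does with an SPF record, here is an added example (not Yandex 360 code) that evaluates a domain's policy for a given sending IP address. The TXT answers are a constructed in-memory table standing in for DNS, and the include target "_spf.mail-provider.test" is a placeholder rather than a published record. It handles the ip4, ip6, include and all mechanisms and the include-depth limit; a, mx and exists need live DNS and are treated as non-matching here.

```python
import ipaddress
from typing import Optional

# Constructed TXT answers standing in for real DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.mail-provider.test -all",
    "_spf.mail-provider.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "nospf.example.com": "site-verification=not-an-spf-record",
    "loop.test": "v=spf1 include:loop.test -all",  # self-referencing include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def lookup_spf(domain: str) -> Optional[str]:
    """Return the domain's SPF record from the constructed table, or None."""
    record = DNS_TXT.get(domain.lower(), "")
    return record if record.lower().startswith("v=spf1") else None


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF policy of `domain` for a message sent from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            # An include matches only when the referenced policy returns pass;
            # a permanent error in it is propagated to the caller.
            sub = check_spf(arg, sender_ip, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:
            matched = False  # a, mx, exists, redirect= are not resolved offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8::1", "192.0.2.1"):
        print(f"example.com from {ip}: {check_spf('example.com', ip)}")
```

The "-all" at the end of the example.com record is what makes mail from unlisted servers fail; with "~all" the same message would only be soft-failed, which many receivers treat as a hint rather than a rejection.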
Limit unwanted emails

You can manage the emails that employees receive using message filters. For example, restrict emails coming from a specific address. How to set up message filters

We also recommend that you read the general recommendations on data protection:


Glossary

Owner: A user with a Yandex account (login@yandex.ru) who created an organization in Yandex 360 for Business. How to change the owner

Administrator: An employee with the rights to manage organization settings in Yandex 360 for Business. How to grant administrator rights

Domain: The company's name on the internet. For example, for Yandex it's yandex.ru. On the domain, you can create mailboxes for employees with addresses like login@example.com. How to set up domains

Single sign-on (SSO): An authentication method that allows users to log in to multiple apps with one set of credentials. This solution facilitates centralized management of employee access and ensures data security.

Cookie: A file that's sent by the server and stored on the user's computer to identify their session in the web application.

SPF record: Contains the list of servers that are authorized to send emails on behalf of the specified domain. SPF records reduce the risk of an email from an address on your domain ending up in the recipient's spam folder. The SPF configuration is written in a TXT record for the domain.

DKIM signature: A digital signature that confirms the authenticity of the sender and guarantees the integrity of the delivered message. The DKIM configuration is written in a TXT record for the domain.