Guidelines on security and safe use of Yandex 360

Introduction

This page provides recommendations for implementing technical security measures in Yandex 360. They'll help you improve the security of your company.

You'll also find links to the API and setup solutions.

Scope

These recommendations are intended for administrators and information security specialists. These employees are responsible for the security of systems that use Yandex 360.

Certain clauses aren't applicable for some organizations. Use these guidelines as a basis for developing your own recommendations and internal policies.

Requirements and preparation

To complete the checks, make sure that:

  • You have the required permissions to access the Yandex 360 API.
  • You are familiar with the API documentation.
  • You have access to audit logs.

You can automate auditing using API-based scripts.

Disclaimer

Yandex 360 uses the concept of shared responsibility. Security responsibility depends on the platform type (SaaS model), integrated protection mechanisms, and the provider's policies.

Yandex, as the service provider, is responsible for:

  • Physical security of data centers.
  • Platform fault tolerance.
  • Protection of the network infrastructure.
  • Monitoring events.
  • Security-by-default mechanisms.

The client is responsible for:

  • Configuration and access management.
  • Implementation of password policies.
  • Enabling two-factor authentication.
  • Configuration of network rules.
  • Data processing and classification.
  • Creating backups.
  • Audit of assets within the organization.

Security recommendations in PDF format

For your convenience, a file with the recommendations is provided below. You can download and print it. As you follow the recommendations, check off the items in the list.

Download PDF: https://doc-static.yandex.net/support/business/ru/files/security-recommendations.pdf

Managing authentication and access

Minimum number of administrators in the company

Administrators have maximum privileges. In the administrator's account, they manage the company's profile, change its owners, configure domains, and work with audit logs.

Having too many administrators raises security risks.

  • We recommend keeping the number of administrators in the company to the minimum.
  • For other tasks, use roles with limited permissions. Available roles.

To find out who has administrator rights:

  1. Log in to the admin account for the company.
  2. Go to the Employees page.
  3. Find users with a special Admin tag.

Prohibiting the use of a single administrator account by multiple employees

Don't allow multiple employees to access a single administrator account. This reduces the risk of unauthorized access and makes it easier to track who performed certain actions and when.

Use of two-factor authentication for domain and Yandex ID users

Enable two-factor authentication (2FA) for all employees using Yandex ID or Yandex 360 domain accounts. To log in, they'll need a password and a one-time code. This is the minimum security standard that must be implemented in all organizations working with protected or critical information. How do I set it up

To get the status of 2FA setup via the API:

  1. For the business:
    • Permissions: ya360_security:domain_2fa_write — managing mandatory two-factor authentication.
    • Request method: Domain2FAService_Get.
    • Parameter in the response: enabled — contains the true value.
  2. For each domain user:
    • Permissions: directory:read_users — reading employee data.
    • Request method: UserService_Get2fa.
    • Parameter in the response: has2fa — contains the true value.

To ensure that domain users can't postpone enabling the second factor:

  • Permissions: ya360_security:domain_2fa_write — managing mandatory two-factor authentication.
  • Request method: Domain2FAService_Disable.

To enable mandatory 2FA in the admin interface:

  1. Log in to the admin account for the company.
  2. Select Security → Login verification.
  3. Set the value for Enable for:
    • All employees for the entire company.
    • Selected employees for customized settings.
  4. Set the Warning period after which employees won't be able to postpone enabling the second factor.
  5. Click Enable.

Enabled company password policy

If you don't use SSO, set an expiration period for user passwords. Set the password expiration period to no more than 180 days to make sure users change it at least once every six months. When an employee's password expires, Yandex will prompt them to change it.

  • Permissions: ya360_security:domain_passwords_read — reading information about user password parameters.
  • Request method: DomainPasswordsService_Get.
  • Parameters in the response:
    • enabled — contains the true value.
    • changeFrequency — value not exceeding 180 days.

Change the password policy parameters:

Recovery options for the organization owner's account

  • Make sure the domain owner's account has a phone number linked for recovery via SMS or call.
  • Enable two-factor authentication for the domain account via the API.

To check in the admin interface:

  1. Log in to the admin account for the company.
  2. Check the security settings for:
    • Linked phone.
    • Enabled 2FA.

To check via the API:

  1. Check that the company owner's account can be recovered:
    • Permissions: directory:read_users — reading information about user password parameters.
    • Request method: UserService_Get2fa.
    • Parameters in the response:
      • hasSecurityPhone — contains the true value.
      • has2fa — contains the true value.
  2. Check the global 2FA settings in the company:
    • Permissions: ya360_security:domain_2fa_write — managing mandatory two-factor authentication for users.
    • Request method: Domain2FAService_Get.
    • Parameter in the response: enabled — contains the true value.

To enable 2FA for all employees in the admin interface:

  1. Log in to the admin account for the company.
  2. In the menu, select Security → Login verification.
  3. Configure the following:
    • Enable for — select All employees.
  4. Click Enable.

For Yandex accounts, transfer the ownership of the company to the domain user.

Enable 2FA for the domain account via the API:

  • Permissions: ya360_security:domain_2fa_write — managing mandatory two-factor authentication for users.
  • Request method: Domain2FAService_Enable.

Session security and cookies

Configure a time limit for cookie sessions, after which employees are required to log in to their accounts again. By default, the lifespan is unlimited.

We recommend setting the cookie lifespan to no more than 7 days (604,800 seconds).

  • Permissions: ya360_security:domain_sessions_read — reading information about the lifespan of user cookie sessions.
  • Request method: DomainSessionsService_Get.
  • Parameter in the response: authTTL — time in seconds after which sessions expire (if 0, the lifespan is unlimited).

Limit the lifespan of cookie sessions:

  • Permissions: ya360_security:domain_sessions_write — managing user cookie session lifespan and authorization.
  • Request method: DomainSessionsService_Update.
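The checks in the sections above (mandatory 2FA, per-user 2FA and recovery phone, password policy, cookie session lifespan) can be scripted, as the Requirements section suggests. The following is an added example, not Yandex's own code: it evaluates decoded API responses using only the field names this page lists (enabled, changeFrequency, authTTL, has2fa, hasSecurityPhone). The function names, the API base URL and the endpoint paths passed to fetch_json() are assumptions and must be taken from the API documentation; the sample responses at the bottom are constructed.

```python
"""Evaluate the authentication and session checks against decoded API responses."""
import json
import urllib.request

API_BASE = "https://api360.yandex.net"          # assumption: confirm in the API docs
MAX_PASSWORD_AGE_DAYS = 180                      # recommendation from this page
MAX_SESSION_TTL_SECONDS = 7 * 24 * 60 * 60       # 604,800 s, recommendation from this page


def fetch_json(path, token):
    """GET an API path with an OAuth token and return the decoded JSON body (network call)."""
    req = urllib.request.Request(API_BASE + path,
                                 headers={"Authorization": "OAuth " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_domain_2fa(domain_2fa):
    """Domain2FAService_Get response: mandatory 2FA must be enabled for the company."""
    if domain_2fa.get("enabled") is True:
        return []
    return ["mandatory 2FA is not enabled for the company"]


def check_password_policy(domain_passwords):
    """DomainPasswordsService_Get response: policy enabled, rotation within 180 days."""
    findings = []
    if domain_passwords.get("enabled") is not True:
        findings.append("password policy is disabled")
    freq = domain_passwords.get("changeFrequency", 0)
    if not 0 < freq <= MAX_PASSWORD_AGE_DAYS:
        findings.append("changeFrequency is %s days, expected 1..%d" % (freq, MAX_PASSWORD_AGE_DAYS))
    return findings


def check_sessions(domain_sessions):
    """DomainSessionsService_Get response: authTTL of 0 means sessions never expire."""
    ttl = domain_sessions.get("authTTL", 0)
    if ttl == 0:
        return ["cookie session lifespan is unlimited (authTTL = 0)"]
    if ttl > MAX_SESSION_TTL_SECONDS:
        return ["cookie session lifespan is %d s, expected at most %d" % (ttl, MAX_SESSION_TTL_SECONDS)]
    return []


def check_user_2fa(user_id, user_2fa, owner=False):
    """UserService_Get2fa response; the owner must additionally have a recovery phone."""
    findings = []
    if user_2fa.get("has2fa") is not True:
        findings.append("user %s: 2FA is not set up" % user_id)
    if owner and user_2fa.get("hasSecurityPhone") is not True:
        findings.append("user %s: owner account has no recovery phone" % user_id)
    return findings


def audit(domain_2fa, domain_passwords, domain_sessions, users_2fa, owner_id):
    """Run every check and return the list of findings (empty list = compliant)."""
    findings = check_domain_2fa(domain_2fa)
    findings += check_password_policy(domain_passwords)
    findings += check_sessions(domain_sessions)
    for user_id, data in users_2fa.items():
        findings += check_user_2fa(user_id, data, owner=(user_id == owner_id))
    return findings


# Constructed sample responses (not real data), shaped like the fields listed on this page.
SAMPLE_2FA = {"enabled": False}
SAMPLE_PASSWORDS = {"enabled": True, "changeFrequency": 365}
SAMPLE_SESSIONS = {"authTTL": 0}
SAMPLE_USERS_2FA = {
    "1001": {"has2fa": True, "hasSecurityPhone": False},   # company owner
    "1002": {"has2fa": False, "hasSecurityPhone": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_2FA, SAMPLE_PASSWORDS, SAMPLE_SESSIONS, SAMPLE_USERS_2FA, "1001"):
        print("FINDING:", finding)
```

Run it against live responses by replacing the SAMPLE_* dictionaries with the results of fetch_json() for each method; the session check treats authTTL = 0 as a finding on its own because, as noted above, 0 means an unlimited lifespan rather than a short one.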

Monitoring and audit

Blocking inactive company users

To minimize the risks of unauthorized access, block or delete accounts that haven't been used for more than 30 days. This is particularly important for organizations with high turnover of staff, contractors, or temporary employees.

  • Permissions: ya360_security:read_auditlog — reading company audit log events.
  • Request method: get-logs.
  • Parameter in the response: occurred_at — the user's most recent event must be no more than 30 days old.

Instructions

Apply together with restrictions on cookie session duration. How do I set it up
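Turning the audit-log check above into a report requires the latest occurred_at per user and a guard against a log that simply does not span 30 days. The following is an added example, not Yandex's own code. occurred_at is the event field this page names and is assumed to be an RFC 3339 timestamp; the event field that identifies the acting user (ACTOR_FIELD) and the "id" and "email" fields of the user list are assumptions to be checked against the audit log and UserService_List schemas. The users and events are constructed sample data.

```python
"""Flag domain users with no audit-log activity in the last 30 days."""
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=30)   # recommendation from this page
ACTOR_FIELD = "userId"                  # hypothetical field name; confirm in the audit log schema


def parse_occurred_at(value):
    """Parse 2024-05-01T10:00:00Z (or an offset form) into a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:           # treat naive timestamps as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def last_activity(events):
    """Map each acting user id to the timestamp of its most recent event."""
    latest = {}
    for event in events:
        user_id = event.get(ACTOR_FIELD)
        if user_id is None:
            continue
        seen = parse_occurred_at(event["occurred_at"])
        if user_id not in latest or seen > latest[user_id]:
            latest[user_id] = seen
    return latest


def log_covers_window(events, now, limit=INACTIVITY_LIMIT):
    """True if the oldest event is at least `limit` old; otherwise silence may just be missing data."""
    if not events:
        return False
    oldest = min(parse_occurred_at(e["occurred_at"]) for e in events)
    return oldest <= now - limit


def inactive_users(users, events, now=None, limit=INACTIVITY_LIMIT):
    """Return (user_id, email, last_seen) for every user idle longer than `limit`;
    last_seen is None when the user never appears in the log."""
    now = now or datetime.now(timezone.utc)
    latest = last_activity(events)
    result = []
    for user in users:
        seen = latest.get(user["id"])
        if seen is None or now - seen > limit:
            result.append((user["id"], user.get("email"), seen.isoformat() if seen else None))
    return result


# Constructed sample data (not real users or events).
SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "1", "email": "alice@example.com"},
    {"id": "2", "email": "bob@example.com"},
    {"id": "3", "email": "carol@example.com"},
]
SAMPLE_EVENTS = [
    {"occurred_at": "2024-06-01T09:00:00Z", ACTOR_FIELD: "1"},
    {"occurred_at": "2024-06-29T17:45:00Z", ACTOR_FIELD: "1"},
    {"occurred_at": "2024-05-01T08:00:00Z", ACTOR_FIELD: "2"},
]

if __name__ == "__main__":
    if not log_covers_window(SAMPLE_EVENTS, SAMPLE_NOW):
        print("WARNING: audit log does not span 30 days; results are incomplete")
    for user_id, email, seen in inactive_users(SAMPLE_USERS, SAMPLE_EVENTS, now=SAMPLE_NOW):
        print("inactive:", user_id, email, "last seen", seen)
```

A user who never appears in the log is reported with last_seen None; whether that means a dormant account or a log window that is too short is exactly what log_covers_window() distinguishes, so check it before blocking anyone.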

Monitoring audit logs

Set up event collection and analysis to identify threats. Events include:

  • Account logins.
  • Actions with emails and files.
  • Changes to the company account.
  • Actions of other administrators with the email archive and message filters.

To make sure log collection is enabled:

  1. Log in to the admin account for the company.
  2. Select Audit log.
  3. Make sure the Enable button isn't displayed.

How to enable log collection

Encryption and data protection

Linking a phone number for each domain user

Require all domain users to link phone numbers to their accounts to improve authentication security.

Go to the Phone numbers page.

The page will display multiple numbers if a different number than the primary one was specified in another Yandex service.

  • Permissions: directory:read_users — reading information about user parameters.
  • Request method: UserService_Get2fa.
  • Parameter in the response: hasSecurityPhone — contains the true value.

How to link a phone number

Configuring an existing DLP system

Set up the DLP system to protect corporate information and minimize the risks of unauthorized access and data leaks.

  • Permissions: ya360_admin:mail_read_routing_rules — reading message filters.
  • Request method: RoutingService_GetRules.
  • Parameter in the response: forward — present and pointing to a dedicated DLP address (dlp@domain.ru or similar).

Instructions for setting up a DLP system

Corporate email protection

Configure a DKIM signature

Set up a DKIM signature for emails that your employees send from your domain. This way, recipients will know that the email is definitely from you and not someone else.

How to configure the DKIM signature

Set up an SPF record

Setting up an SPF record helps reduce the risk that an email sent from your domain address will end up in the recipient's spam folder.

How to configure the SPF record
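Both records above are published as DNS TXT records, and a typo in either one silently weakens the protection (an SPF record ending in "+all" authorizes everyone; a DKIM record with an empty p= revokes the key). The following is an added example, not Yandex's own code, that sanity-checks the two record formats before you publish them: check_spf() applies the RFC 7208 rules (v=spf1 prefix, an "all" term, at most 10 DNS-lookup terms) and check_dkim() parses the tag list of a DKIM key record. The sample records are constructed; the include host and the DKIM key value are placeholders, so take the real values from the setup instructions linked above.

```python
"""Sanity-check SPF and DKIM TXT records before publishing them in DNS."""
import base64
import re

ALL_TERM = re.compile(r"^([+\-~?]?)all$")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4


def check_spf(record):
    """Return problems found in an SPF TXT record (empty list means it looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        term = term.lower()
        match = ALL_TERM.match(term)
        if match:
            all_qualifier = match.group(1) or "+"     # a bare "all" means "+all"
            continue
        # mechanism name is everything before ':', '/' or '=' with the qualifier stripped
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        problems.append("no 'all' term: mail from unlisted servers gets a neutral result")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes any server to send as this domain")
    if lookups > MAX_DNS_LOOKUPS:
        problems.append("%d DNS-lookup terms, RFC 7208 allows at most %d" % (lookups, MAX_DNS_LOOKUPS))
    return problems


def check_dkim(record):
    """Return problems found in a DKIM key record (the TXT at selector._domainkey.<domain>)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=%s" % tags["k"])
    if not tags.get("p"):
        problems.append("p= is empty: the key is revoked and signatures will not verify")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (check for stray quotes or spaces)")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y marks the key as testing; receivers may ignore the signature")
    return problems


# Constructed sample records; the include host and key are placeholders, not real values.
SAMPLE_SPF_OK = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
SAMPLE_SPF_BAD = "v=spf1 a mx +all"
SAMPLE_DKIM_OK = "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXI="
SAMPLE_DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, record, checker in (("SPF ok", SAMPLE_SPF_OK, check_spf),
                                   ("SPF bad", SAMPLE_SPF_BAD, check_spf),
                                   ("DKIM ok", SAMPLE_DKIM_OK, check_dkim),
                                   ("DKIM revoked", SAMPLE_DKIM_REVOKED, check_dkim)):
        print(label, "->", checker(record) or "no problems")
```

The checker only looks at the record text; it does not resolve the include hosts, so the lookup count is a lower bound (nested includes add their own lookups).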

Restriction on receiving unwanted emails

Use message filters to manage emails that employees receive. For example, restrict emails coming from a specific address.

How to set up message filters

Integration with third-party services

Ban on the use of portal accounts

Prohibit the use of personal accounts with the address @yandex.ru in your company: you can't centralize the management of security policies for them. Only domain users should have ownership of the company.

  • Permissions: directory:read_users — reading employee data.
  • Request method: UserService_List.
  • Parameter in the response: email — should not end with @yandex.ru.

How to transfer company ownership

Using SSO

Implement single sign-on (SSO) access using an external SAML-compliant Identity Provider (IdP) for centralized access management. Domain users should not exist in parallel with SSO accounts.

How to connect SSO

Synchronizing users from Active Directory

If your company has a deployed Active Directory Federation Service, you can configure automatic synchronization of employees and groups with Yandex 360 for Business. If an employee quits or their account is compromised, you'll be able to deactivate the account in Active Directory — doing so will block it in Yandex as well.

How to synchronize users

Prohibiting authentication in external services

To enhance your information security, prohibit company employees from using their corporate accounts to authenticate with third-party OAuth services. This prevents corporate OAuth tokens from being passed to third-party applications and reduces the risk of phishing, compromised access, and corporate data leaks through connections to external services.

  • Permissions: ya360_security:domain_settings_read — reading information about the possibility of authorization in external OAuth services.
  • Request method: OauthAccessRestrictionsService_Get.
  • Parameter in the response: restricted — the value should be true.

Prohibit authentication in external services:

Setting a restriction on connecting applications

Applications can request various access permissions (scopes) and use corporate resources. Uncontrolled connection of applications significantly increases the risks of data theft, unauthorized access, malicious code injection, and bypassing external security policies.

For greater protection of the organization, minimize connected applications:

  • Ban them completely.
  • Allow only trusted applications to have access.
  • Disable default connection.
  • Regularly check connected applications.
  • Immediately delete suspicious applications.

Check all issued OAuth tokens:

  • Apply the principle of least privilege to each application.
  • Keep a token registry (owner, purpose, minimum set of permissions).
  • Conduct an audit at least once a quarter.
  • Use tokens with short lifespans for one-time jobs.
  • Promptly revoke unnecessary tokens.

To list connected applications via the API:

  • Permissions: ya360_security:service_applications_read — reading the list of applications.
  • Request method: ServiceApplicationsService_Get.
  • Parameter in the response: the applications array with objects — list of applications.

  1. Prohibit the connection of applications:

  2. Reduce the list of applications:
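The three API checks in this part of the page (the external-auth restriction, the connected applications, and the ban on @yandex.ru portal accounts) share one shape: a decoded response compared against a policy you own. The following is an added example, not Yandex's own code, that implements the token registry recommended above as a least-privilege comparison. The response fields this page names are used as-is (restricted, applications, email); each application object is assumed to carry "id", "name" and "scopes", and the user list is assumed to sit in a "users" array (confirm both in the ServiceApplicationsService_Get and UserService_List schemas). The registry entries and sample responses are constructed.

```python
"""Review the external-auth restriction, connected applications and portal accounts."""

PORTAL_SUFFIX = "@yandex.ru"

# Your own registry: application id -> owner, purpose and the minimum scope set it may hold.
# Constructed sample entry; the id and scopes are placeholders.
APP_REGISTRY = {
    "app-backup": {
        "owner": "it-ops",
        "purpose": "nightly mailbox export",
        "scopes": {"directory:read_users"},
    },
}


def check_oauth_restriction(oauth_restrictions):
    """OauthAccessRestrictionsService_Get response: external OAuth logins must be restricted."""
    if oauth_restrictions.get("restricted") is True:
        return []
    return ["corporate accounts may still authenticate to external OAuth services"]


def review_applications(service_applications, registry=APP_REGISTRY):
    """Compare connected applications against the registry (least privilege)."""
    findings = []
    seen = set()
    for app in service_applications.get("applications", []):
        app_id = app.get("id")
        seen.add(app_id)
        entry = registry.get(app_id)
        if entry is None:
            findings.append("application %s (%s) is not in the registry: review or remove it"
                            % (app_id, app.get("name", "?")))
            continue
        extra = set(app.get("scopes", [])) - entry["scopes"]
        if extra:
            findings.append("application %s holds scopes beyond its registered minimum: %s"
                            % (app_id, ", ".join(sorted(extra))))
    # stale registry entries hide the fact that a token was revoked or re-issued elsewhere
    for app_id in registry:
        if app_id not in seen:
            findings.append("registered application %s is no longer connected: drop it from the registry" % app_id)
    return findings


def portal_accounts(user_list):
    """UserService_List response: company members must not be personal @yandex.ru accounts."""
    return [u["email"] for u in user_list.get("users", [])
            if u.get("email", "").lower().endswith(PORTAL_SUFFIX)]


# Constructed sample responses (not real data).
SAMPLE_RESTRICTIONS = {"restricted": False}
SAMPLE_APPS = {"applications": [
    {"id": "app-backup", "name": "Backup job",
     "scopes": ["directory:read_users", "ya360_security:domain_2fa_write"]},
    {"id": "app-unknown", "name": "Calendar sync", "scopes": ["directory:read_users"]},
]}
SAMPLE_USERS = {"users": [{"email": "alice@example.com"}, {"email": "bob@yandex.ru"}]}

if __name__ == "__main__":
    for finding in check_oauth_restriction(SAMPLE_RESTRICTIONS) + review_applications(SAMPLE_APPS):
        print("FINDING:", finding)
    for email in portal_accounts(SAMPLE_USERS):
        print("FINDING: portal account in company:", email)
```

Keeping the registry in version control gives you the quarterly audit trail the list above asks for: each run diffs what is actually connected against what was approved, in both directions.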

Glossary

Single sign-on (SSO) is an authentication method that lets users log in to multiple apps with one set of credentials. It enables centralized management of employee access and helps keep data secure.

Cookie: a file that is sent by the server and stored on the user's computer to identify their session in the web application.

SPF record: contains the list of servers that are authorized to send emails on behalf of the specified domain. SPF records reduce the risk of an email from an address on your domain ending up in the recipient's spam folder. The SPF configuration is written in a TXT record for the domain.

DKIM signature: a digital signature that confirms the authenticity of the sender and guarantees the integrity of the delivered message. The DKIM configuration is written in a TXT record for the domain.

DLP system: a technology that helps detect and prevent unauthorized disclosure of confidential information by employees, such as personal data, trade secrets, intellectual property, and so on.

Domain: the company's name on the internet. For example, for Yandex it's yandex.com. You can create mailboxes for employees with addresses like login@example.com on the domain. How to set up domains