Secure Configuration Guide

ℹ️

About this guide

The security configurations that are available to employ in your Rapid7 InsightGovCloud environment closely match the security configurations in Rapid7’s commercial Command Platform. For this reason, this Secure Configuration Guide contains links to Rapid7 commercial documentation and highlights any exceptions or considerations that are specific to InsightGovCloud.

To ensure you have the best security configuration for your InsightGovCloud environment, it is important to understand and implement the measures contained in this guide.

In this Secure Configuration guide, you can learn about:

  • The types of administrative accounts that can be used in Rapid7 InsightGovCloud Platform.
  • How to securely access, configure, operate, and decommission administrative accounts.
  • The security-related settings that are controlled by administrative accounts and their impact.

After an InsightGovCloud license is issued, the user who deploys InsightGovCloud is granted Platform Administrator privileges. Appoint more than one Platform Administrator so that administrative coverage does not depend on a single account.

Platform Administrators can manage and decommission other Platform Administrator accounts. For more information, read the InsightGovCloud Deployment guide.

Understanding Rapid7 InsightGovCloud Administrator levels

To understand the role of the Platform Administrator, read the Command Platform documentation. A Platform Administrator can perform the tasks of a super-admin and can manage both ordinary users and other Platform Administrators at the account level.

In addition, as long as they are assigned to a Rapid7 capability, a Platform Administrator can raise their own privileges and edit other users’ privileges. They also control the multi-factor authentication and session timeout settings.

ℹ️

Default settings for session timeout and password expiration

The default session timeout is 15 minutes of inactivity, which meets the FedRAMP requirement. You can shorten it if your policy requires a tighter limit. The default platform policy on password expiration is not configurable, but it also meets the FedRAMP threshold for compliance.

The key differentiators between a Platform Administrator and a Product Administrator are:

  • Platform Administrators can add a user to the Command Platform and grant them access to any capability.
  • Product Administrators can also add users, but can only grant access to the capabilities they themselves have access to. Product Administrators can also be non-admins in other capabilities. The term Product Administrator refers to the administrator who manages the users and settings for any of Rapid7’s capabilities. Note that individual capabilities may refer to this administrator with slightly varying terminology. For help with understanding this terminology, see the Administrator roles and terminology section.
⚠️

Capability access for Platform Administrators

Platform Administrators do not have access to all licensed capabilities by default. If you want your Platform Administrator to have full administrative oversight of one of your licensed capabilities, ensure they are set as a Command Platform Administrator and are assigned the Administrator role for that capability. For a list of the capabilities that are supported with InsightGovCloud, read the Included features and capabilities documentation.

For a breakdown of the different roles and permissions in the Command Platform, read Objects of the Command Platform RBAC system .

For capability-specific information about user management and authentication, review these topics:

Administrator roles and terminology

This section explains the administrator roles that are unique to each capability, so that you can better understand the similarities and differences between each one.

  • Global Administrator - This is the Product Administrator role for Vulnerability Management (InsightVM). The Global Administrator has permissions to manage sites, asset groups, scan templates, and much more. For a breakdown of this role, read the Configuring roles and permissions documentation, where the permissions tables list all of the available actions.
  • ICS Domain Administrator - This Product Administrator role has all permissions for all cloud resources across the entire Cloud Security (InsightCloudSec) Platform installation. This role includes Platform Reporting and Dashboard permissions. For more information, read the Rapid7 built-in roles documentation.
  • ICS Organization Administrator - This Product Administrator role has all permissions for all cloud resources within a given Cloud Security (InsightCloudSec) organization or organizations. This role includes Platform Reporting and Dashboard permissions. For more information, read the Rapid7 built-in roles documentation.
  • Product Administrator - This is an umbrella term for administrators who manage individual capabilities, often referred to in the documentation as ‘products’.
  • Platform Administrator - This administrator has full oversight and responsibility for InsightGovCloud and the Command Platform, and can perform all of the tasks outlined in the Command Platform overview, including all aspects of user management, company settings, platform reporting, and dashboard permissions.

Grant administrator access to capabilities

To create a user group that grants Administrator access to Vulnerability Management (InsightVM) and Cloud Security (InsightCloudSec):

  1. Navigate to Administration > User Management > User Groups.
  2. Click Create New User Group and give the group a meaningful name and description.
  3. Assign these user group privileges:
    1. Select the Vulnerability Management check box and, from the Roles dropdown menu, select the Administrator (Shared) role.
    2. Select the Cloud Security check box and, from the Roles dropdown menu, select the Cloud Security Domain Administrator role.
  4. To select the users that you want to have full Administrator access to Vulnerability Management (InsightVM) and Cloud Security (InsightCloudSec), select Add User Group Members.
  5. Search for and select the check boxes for each user you want to add.
  6. Click Save User Group Members.

Securely configure your InsightGovCloud environment

This section outlines the recommendations for configuring your InsightGovCloud environment with the highest security levels possible.

InsightGovCloud security baseline

Feature                             | Secure Default (Provisioned) | FedRAMP Requirement
------------------------------------|------------------------------|------------------------------------------
Session Timeout / Inactivity Logout | 15 minutes                   | Max 15 minutes idle
Password Length                     | 16 characters                | Min 12 characters
API Access                          | Disabled for non-admins      | Mandatory for all local and remote users
Unsuccessful Logins                 | 3 failed attempts            | 3 failed within 60 minutes
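The following is an added example for this guide, not Rapid7 tooling: it expresses the baseline table as a check you can run against a record of your tenant settings, and replays a small constructed set of login events to show exactly when the "3 failed within 60 minutes" rule should lock an account. The settings key names, the event format, and the assumption that a successful login resets the failure counter are all assumptions of the example, not platform behaviour documented on this page.

```python
"""Baseline checks modelled on the InsightGovCloud security baseline table.

Added example for this guide, not Rapid7 tooling. The settings record, its
key names and the login events below are constructed for illustration; the
thresholds are the FedRAMP values from the table.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FEDRAMP_MAX_IDLE_MINUTES = 15                   # Max 15 minutes idle
FEDRAMP_MIN_PASSWORD_LENGTH = 12                # Min 12 characters
FEDRAMP_MAX_FAILED_LOGINS = 3                   # 3 failed attempts ...
FEDRAMP_FAILURE_WINDOW = timedelta(minutes=60)  # ... within 60 minutes

# The provisioned defaults from the table, as a settings record
# (key names are an assumption, not platform field names).
PROVISIONED_DEFAULTS = {
    "session_timeout_minutes": 15,
    "min_password_length": 16,
    "lockout_threshold": 3,
    "lockout_window_minutes": 60,
}


def check_baseline(settings: Dict[str, int]) -> List[str]:
    """Return a finding for each setting weaker than the FedRAMP threshold."""
    findings = []
    if settings["session_timeout_minutes"] > FEDRAMP_MAX_IDLE_MINUTES:
        findings.append("session timeout exceeds 15 minutes idle")
    if settings["min_password_length"] < FEDRAMP_MIN_PASSWORD_LENGTH:
        findings.append("minimum password length below 12 characters")
    if settings["lockout_threshold"] > FEDRAMP_MAX_FAILED_LOGINS:
        findings.append("lockout allows more than 3 failed attempts")
    # A shorter window is weaker: 3 failures spread over 45 minutes would
    # never be counted together by a 30-minute window.
    if settings["lockout_window_minutes"] < FEDRAMP_FAILURE_WINDOW.total_seconds() / 60:
        findings.append("lockout window shorter than 60 minutes")
    return findings


# Constructed authentication events: (ISO timestamp, user, outcome).
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "failure"),
    ("2024-05-01T09:20:00", "alice", "failure"),
    ("2024-05-01T10:05:00", "alice", "failure"),  # 09:00 is now more than 60 min old
    ("2024-05-01T10:15:00", "alice", "failure"),  # third failure since 09:20 -> lockout
    ("2024-05-01T09:00:00", "bob", "failure"),
    ("2024-05-01T09:01:00", "bob", "success"),    # assumed to reset bob's counter
    ("2024-05-01T09:02:00", "bob", "failure"),
    ("2024-05-01T09:03:00", "bob", "failure"),    # only 2 since the reset -> no lockout
]


def lockout_events(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Replay events in time order; return (user, timestamp) for each lockout.

    A user is locked when FEDRAMP_MAX_FAILED_LOGINS failures fall inside any
    FEDRAMP_FAILURE_WINDOW. A successful login clears the counter (assumption).
    """
    recent: Dict[str, deque] = defaultdict(deque)
    locked = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        window = recent[user]
        if outcome == "success":
            window.clear()
            continue
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0] > FEDRAMP_FAILURE_WINDOW:
            window.popleft()
        if len(window) >= FEDRAMP_MAX_FAILED_LOGINS:
            locked.append((user, ts_text))
            window.clear()  # account is now locked; count afresh afterwards
    return locked


if __name__ == "__main__":
    print(check_baseline(PROVISIONED_DEFAULTS))  # []
    print(lockout_events(EVENTS))                # [('alice', '2024-05-01T10:15:00')]
```

Note that alice's third failure at 10:05 does not trigger a lockout, because her first failure at 09:00 has aged out of the 60-minute window; the fourth failure at 10:15 does, because three failures then fall within 55 minutes. A lockout window shorter than the FedRAMP 60 minutes is reported as a finding for the same reason: it lets a slow-paced guessing attack stay below the threshold.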
⚠️

Personal Identity Verification (PIV) credentials and external identity providers (IDP)

Rapid7 InsightGovCloud does not offer Personal Identity Verification (PIV) card credentials natively. Therefore, it is necessary to use an external identity provider (IDP) where you can configure PIV cards through your SAML 2.0-compliant SSO.

As described in Phase 2, Task 4 of the InsightGovCloud deployment guide, your security configuration must include:

Password policy

ℹ️

Customization of the default password policy is not allowed

InsightGovCloud does not allow you to modify the default password policy, which is FedRAMP compliant. The InsightGovCloud default password policy is stricter than that of the Command Platform.

The default InsightGovCloud password policy requires that all passwords meet these formatting rules:

  • Minimum of 16 characters
  • At least 1 uppercase (A-Z) character
  • At least 1 lowercase (a-z) character
  • At least 1 number (0-9)
  • At least 1 symbol (for example, !@#$%^&*)
  • Must not contain any part of the user’s Rapid7 account email address
  • Must not contain a common password
  • Password history is enforced for 24 password iterations
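InsightGovCloud enforces this policy server-side and does not let you change it. The following is an added example for this guide, not Rapid7 code: it models the same rules so that a provisioning script can reject a non-compliant password before submitting it, rather than discovering the rejection from the platform. The common-password denylist, the local password-history store (salted PBKDF2 hashes), and the 3-character minimum for email fragments are assumptions of the example.

```python
"""Pre-check of the InsightGovCloud default password policy listed above.

Added example for this guide, not Rapid7 code. The platform enforces the
policy itself; this models the same rules for use in a provisioning script.
The common-password list and the history store are constructed assumptions.
"""
import hashlib
import hmac
import os
import re
import string
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 16
HISTORY_DEPTH = 24
PBKDF2_ROUNDS = 100_000

# Constructed denylist for illustration; use a real breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "qwerty", "letmein", "welcome", "changeme",
    "administrator", "p@ssw0rd",
}


def email_fragments(email: str, min_len: int = 3) -> List[str]:
    """Split an email address into the fragments a password must not contain.

    'jane.doe@agency.gov' -> ['jane', 'doe', 'agency', 'gov']. The minimum
    fragment length is an assumption chosen to avoid rejecting single letters.
    """
    local, _, domain = email.lower().partition("@")
    pieces = re.split(r"[._\-+]", local) + domain.split(".")
    return [p for p in pieces if len(p) >= min_len]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for the local history store (never store plaintext)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def check_password(password: str, email: str,
                   history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return every policy violation; an empty list means the password is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase (A-Z) character")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase (a-z) character")
    if not any(c in string.digits for c in password):
        problems.append("no number (0-9)")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    for fragment in email_fragments(email):
        if fragment in lowered:
            problems.append(f"contains part of the account email: '{fragment}'")
    if any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if in_history(password, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    print(check_password("password123", "jane.doe@agency.gov"))
    print(check_password("Correct-Horse-Battery-9!", "jane.doe@agency.gov"))  # []
```

The email check is deliberately case-insensitive and works on fragments rather than the whole address, since "must not contain any part of the user’s Rapid7 account email address" is stricter than a whole-string comparison. The history check stores only salted hashes, so a compromised provisioning host does not leak the previous 24 passwords in clear.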

Manage and decommission Platform and Product Administrator accounts

To add, edit, or delete users, or to decommission administrative accounts, follow the steps outlined in the Manage users documentation.

Configure API access to update security settings

Platform Administrators can create 2 types of API key:

  • Organization API key - Grants administration privileges for service accounts.
  • User API key - Only takes on the privileges of the individual user.

Non-platform Administrators can also create User API keys. For more information, read the Manage Platform API Keys documentation.

Rapid7 provides REST APIs that you can use to programmatically manage users within your Insight Account and their access to capabilities. For more information, read the Insight Account API documentation.

Special considerations for Vulnerability Management (InsightVM)

Before you set up users in your InsightGovCloud Vulnerability Management (InsightVM) environment, it is highly recommended that you read about managing users and authentication.

Within that section of the documentation, you will learn about:

User management

The access a user has within the Security Console (for example, which sites and asset groups they can see) is determined by the Security Console’s own user management and RBAC, and depends on the order in which the user is created in the Command Platform and in the Security Console.

If you create a Vulnerability Management (InsightVM) user in the Command Platform first, that user receives Global Administrator access by default. Review such accounts and reduce the role where full Global Administrator rights are not needed. The user cannot access the Security Console interface until an Administrator creates an account on the Security Console and links the two accounts.

You can upgrade an existing Vulnerability Management (InsightVM) user to Command Platform Administrator, which elevates the access they have to some Vulnerability Management (InsightVM) cloud features.

Special considerations for Cloud Security (InsightCloudSec) customers

For guidance on how to manage user privileges in Cloud Security (InsightCloudSec), read the Users, groups, and roles documentation.

User management

Cloud Security (InsightCloudSec) can contain settings and permissions that override (or overlay) what is defined at the Command Platform level. For example, you may assign a user the Cloud Security Basic User role at the Platform level; to give that user more granular permissions, you must use the User Management page in Cloud Security (InsightCloudSec).

Authentication

There are two authentication methods for the Cloud Security (InsightCloudSec) API: API Key or Auth Token. To understand which authentication method to use, read the Establishing an authentication method documentation.

API access to Cloud Security (InsightCloudSec)

⚠️

Platform-level API tokens are not supported

To set up API access to Cloud Security (InsightCloudSec), you must create specific API keys in the User Management page. For more information, read Using the Cloud Security (InsightCloudSec) API.

To access the Cloud Security (InsightCloudSec) API, you must use a customer-specific domain. You can find the domain by navigating to Settings > System Profile Settings.

If your environment has an allow list that is configured to block access from unknown connections, contact Rapid7 Support and provide the IP ranges that need to be allowed.

Multi-tenant API Keys

If you are a Managed Security Service Provider (MSSP) who needs to manage multiple tenants in one bulk action, you can use a Multi-Tenant API Key to programmatically access data across all managed tenants. The two types of API keys that you can use are:

  • Multi-Tenant admin key - Grants full administrative privileges to all current and future tenants managed by your primary account.
  • Multi-Tenant user key - Inherits and mimics the specific access permissions of the owner at the exact time of the API call. For more information, read the Multi-Tenant API Key documentation.