SAML-based Single Sign-on (SSO)
Connect your Identity Provider (IdP) to Listrak using SAML, a widely adopted open standard, to enable SSO. With SSO in place, password and two-factor rules are controlled entirely by your IdP.
When SSO is not in use, Listrak credentials are created and secured with the following protections:
- Two-factor Authentication (2FA): 2FA is a critical layer of security that protects you from stolen passwords and password reuse and as such it cannot be disabled. If Listrak detects you are logging in from a new device or browser, you will be asked to provide an authorization code for your protection.
- Failed Attempts Lockout: To protect against brute force attacks, users are locked out of the platform after multiple successive failed login attempts.
- Password Policy: Platform user passwords must be at least 8 characters long and contain at least three of the following four character classes: uppercase letters, lowercase letters, numbers and special characters.
- Password Storage: Listrak user passwords are stored only as industry-standard one-way hashes, so the original password cannot be recovered by support or development personnel, nor by an attacker who obtains the stored values. Other sensitive information, such as integration credentials, must be usable in plaintext by the platform and is therefore protected with industry-standard reversible (two-way) encryption whose keys are available only to authorized servers in a designated environment; the development environment, support personnel and unmanaged workstations cannot decrypt it.
- Password Reset Policy: The Listrak Support Team will not reset or retrieve a password until the client has been positively identified by a call to the telephone number on file; if identification fails, no reset is performed. Support cannot view or verify the password on file and issues only temporary passwords, which the client must replace with a permanent password of their own, so the permanent password is never exposed in any communication with Listrak.
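The protections listed above (length and character-class policy, one-way hashing of the stored password, lockout after successive failures, and temporary passwords that must be replaced) fit together as a small credential store. The following is an added example written for this page, not Listrak's code; the PBKDF2 iteration count, the lockout threshold of 5 and the `CredentialStore` API are assumptions chosen for illustration, since the page states neither the algorithm nor the numbers.

```python
"""Illustrative credential store (added example; not Listrak's code)."""
import hashlib
import hmac
import secrets

MIN_LENGTH = 8            # from the stated policy
REQUIRED_CLASSES = 3      # three of the four character classes
PBKDF2_ITERATIONS = 600_000   # assumption: tune to your hardware (OWASP's current PBKDF2-HMAC-SHA256 figure)
LOCKOUT_THRESHOLD = 5     # assumption: the page only says "multiple successive failed attempts"


def password_meets_policy(password: str) -> bool:
    """At least 8 characters and at least three of: upper, lower, digit, special."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # anything non-alphanumeric counts as special
    ]
    return sum(classes) >= REQUIRED_CLASSES


def hash_password(password: str) -> dict:
    """One-way, salted derivation; the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Used so that a login for an unknown user costs the same as one for a known user.
_DUMMY_RECORD = hash_password("placeholder-not-a-real-credential")


class CredentialStore:
    """Username -> {record, failures, locked, must_change}. In-memory for the example."""

    def __init__(self):
        self._users = {}

    def create_user(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._users[username] = {"record": hash_password(password), "failures": 0,
                                 "locked": False, "must_change": False}

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'must_change', 'denied' or 'locked'."""
        user = self._users.get(username)
        if user is None:
            verify_password(_DUMMY_RECORD, password)   # equalise timing, then deny
            return "denied"
        if user["locked"]:
            return "locked"   # checked before hashing so locked accounts cost nothing
        if verify_password(user["record"], password):
            user["failures"] = 0
            return "must_change" if user["must_change"] else "ok"
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked"] = True   # a real system would also expire the lock or require admin action
            return "locked"
        return "denied"

    def issue_temporary_password(self, username: str) -> str:
        """Support-style reset: a random temporary password that must be replaced on first use."""
        temp = secrets.token_urlsafe(12)
        user = self._users[username]
        user.update(record=hash_password(temp), failures=0, locked=False, must_change=True)
        return temp   # communicated to the client; the permanent password never passes through support

    def change_password(self, username: str, new_password: str) -> None:
        if not password_meets_policy(new_password):
            raise ValueError("password does not meet policy")
        self._users[username].update(record=hash_password(new_password), must_change=False)
```

`hash_password` stores the iteration count beside the hash so that the work factor can be raised later without breaking existing records, and `verify_password` uses `hmac.compare_digest` so that comparison time does not leak how many bytes matched.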
Firewall clusters provide perimeter defense for the multiple 10 Gigabit feeds into our data center. All web requests are additionally inspected for malicious content, such as SQL injection and bot activity, and blocked when it is detected.
Listrak APIs are protected by an IP access list that you manage through the admin portal. The list is deny-by-default: every source IP is blocked until it has been explicitly granted access.
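A deny-by-default access list of the kind described above, as an added example (not Listrak's implementation): entries may be single addresses or CIDR blocks, IPv4 or IPv6, and a request is allowed only if its source address falls inside at least one entry, so an empty list denies everything. The `effective_source` helper is also an assumption added here; it shows the practitioner's caveat that a forwarded-for header is only meaningful when the direct peer is a proxy you trust.

```python
"""Deny-by-default API IP access list (added example; not Listrak's code)."""
import ipaddress
from typing import Iterable, Optional


class ApiAccessList:
    def __init__(self, entries: Iterable[str] = ()):
        self._networks = []
        for entry in entries:
            self.add(entry)

    def add(self, entry: str) -> None:
        # A bare address becomes a /32 or /128; strict=False lets "203.0.113.5/24" mean its /24.
        self._networks.append(ipaddress.ip_network(entry, strict=False))

    def is_allowed(self, source_ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False   # unparseable source: deny rather than guess
        # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; compare the real v4 address.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # Membership across address families is simply False, so v4 and v6 entries can coexist.
        return any(addr in net for net in self._networks)


def effective_source(peer_ip: str, forwarded_for: Optional[str],
                     trusted_proxies: ApiAccessList) -> str:
    """Address to check against the access list.

    X-Forwarded-For is client-controlled, so it is honoured only when the direct
    peer is a trusted proxy; then the rightmost hop that is not itself a trusted
    proxy is the real client. Otherwise the transport peer address is used.
    """
    if not forwarded_for or not trusted_proxies.is_allowed(peer_ip):
        return peer_ip
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        if not trusted_proxies.is_allowed(hop):
            return hop
    return peer_ip   # every hop was a proxy; fall back to the peer


if __name__ == "__main__":
    # Constructed sample data: documentation ranges, not real clients.
    acl = ApiAccessList(["203.0.113.0/24", "2001:db8::/32", "198.51.100.7"])
    proxies = ApiAccessList(["10.0.0.0/8"])
    for peer, xff in [("203.0.113.42", None), ("10.0.0.5", "203.0.113.9, 10.0.0.7"),
                      ("198.51.100.1", "203.0.113.9")]:
        client = effective_source(peer, xff, proxies)
        print(f"peer={peer} xff={xff!r} -> client={client} allowed={acl.is_allowed(client)}")
```

In the third sample the untrusted peer 198.51.100.1 sends a forged header naming an allowed address; because the peer is not a trusted proxy the header is ignored and the request is denied.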
You can limit a user’s access to the platform using the built-in roles; select one or more roles per user to customize the access.
Least Privilege Principle
Listrak employees and systems are granted only the privileges required to do their job. Employees also use 2FA to authenticate to the platform and to other business services.
The admin portal and API communicate only over HTTPS using TLS 1.2. All data, personal information or otherwise, is encrypted at rest with AES-256.
Physical Security Standards
All physical locations, including headquarters, data centers and cloud providers, use badge access, video surveillance, and third-party audits and protections.
Each location utilizes redundant power, air conditioning, and internet feeds. Equipment is also protected by fire suppression systems.
Monitoring and Audits
Platform logs are monitored in real time for stability, performance and security, to warn of attacks, failures and developing problems; this lets us intercept impending outages before they occur. Audit logs record user activity to support company policy and promote accountability. Monthly vulnerability scans across all networks provide ongoing assurance of our security posture.
Each year, our security posture and privacy protections are audited and tested by three separate third parties.
Whether you are a Listrak client, a consumer, a vendor of Listrak, or a security enthusiast, you are an important part of this process. Accordingly, we encourage responsible reporting of any confirmed or potential vulnerabilities found within our platform or services. Please review our Vulnerability Disclosure Policy for more information.