Platform Security Best Practices

This guide outlines recommended best practices for securing your environment within the Delinea Platform. Following these practices helps ensure the availability, integrity, and confidentiality of privileged access and sensitive data.

Maintaining Two Emergency CloudAdmin Accounts (Non-Human Admin Accounts)

Description

Provision two CloudAdmin-level emergency access accounts—Primary and Secondary—that are not assigned to individual human users. These "break-glass" accounts are used in critical situations, such as identity provider failures or credential loss.

Recommendations

  • Do not use these accounts for daily operations; treat any login by them as an event to investigate.

  • Store credentials in a secure physical or offline location.

  • Exclude these accounts from access to secrets or managed endpoints.

Enforcing AAL3 Multi-Factor Authentication for CloudAdmin Accounts

Description

Protect CloudAdmin accounts with Authenticator Assurance Level 3 (AAL3, as defined in NIST SP 800-63B) authentication using hardware authenticators such as FIDO2 security keys (for example, YubiKeys). Hardware-bound, phishing-resistant authenticators provide strong security while minimizing reliance on software-based credentials.

Recommendations

  • Enforce AAL3 in authentication profiles for CloudAdmin.

  • Store MFA devices in a secure physical vault.

  • Limit access to only authorized personnel.

Using a Hardware Security Module for the Master Encryption Key

Description

Integrate an HSM (Hardware Security Module) to manage your MEK (Master Encryption Key), ensuring enhanced control and tamper-resistant protection of secrets in Secret Server Cloud.

Benefits

  • Tamper-resistant generation and storage of encryption keys

  • Compliance with internal and regulatory security standards

Reference

AWS Key Management in Secret Server Cloud

Always Using Federated Identity—Avoiding Local Accounts

Description

Leverage your organization’s enterprise Identity Provider (IdP) for all user authentication. Avoid creating local accounts within the platform whenever possible.

Benefits

  • Aligns with HR and IT-managed identity lifecycle

  • Prevents orphaned accounts upon employee departure

  • Reduces risk from unmanaged credentials

Recommendation

Use local accounts only when absolutely necessary.

Requiring MFA for All User Logins

Description

Enforce MFA (Multi-Factor Authentication) for all user access to the Delinea Platform—regardless of role or permission level.

Recommendations

  • Use authentication profiles to mandate MFA for all users.

  • Prefer device-based or biometric MFA where supported.

Enforcing Least Privilege Access

Description

Apply the principle of least privilege by assigning users to roles or groups with only the minimum required permissions.

Recommendations

  • Minimize the use of high-privilege roles such as CloudAdmin and System Administrator.

  • Perform regular audits of role and group assignments.

Monitoring for Suspicious Activity

Description

Continuously monitor platform usage for anomalous or suspicious activity.

Recommendations

  • Use Delinea’s built-in analytics to track user behavior and access patterns.

  • Integrate with your organization’s SIEM solution to enable real-time alerts and centralized monitoring.
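As an added example (not part of the Delinea documentation, and not the platform's actual log format or API), the following Python script shows the kind of detection logic a SIEM integration would carry: it runs a handful of rules derived from the practices on this page (break-glass account use, privileged logins without hardware MFA, logins without MFA, local rather than federated accounts, repeated failures) over a constructed set of audit events. The event schema, the account names, and the fido2/totp/none authenticator labels are assumptions made for the example.

```python
import json
from collections import Counter

# Names of the two emergency (break-glass) accounts. Assumed for this example.
BREAK_GLASS_ACCOUNTS = {"cloudadmin-emergency-primary", "cloudadmin-emergency-secondary"}
# Roles the page singles out as high-privilege.
HIGH_PRIV_ROLES = {"CloudAdmin", "System Administrator"}
# Authenticator types accepted as AAL3 (hardware-bound, phishing-resistant). Assumed labels.
AAL3_METHODS = {"fido2"}
# Failed-login count per user before a finding is raised.
FAILURE_THRESHOLD = 3

# Constructed sample events in an assumed schema, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice@corp.example", "roles": ["Auditor"], "idp": "okta", "mfa": "fido2", "result": "success"}
{"ts": "2024-05-01T08:05:00Z", "user": "bob@corp.example", "roles": ["CloudAdmin"], "idp": "okta", "mfa": "totp", "result": "success"}
{"ts": "2024-05-01T08:06:00Z", "user": "cloudadmin-emergency-primary", "roles": ["CloudAdmin"], "idp": "local", "mfa": "fido2", "result": "success"}
{"ts": "2024-05-01T08:07:00Z", "user": "svc-legacy", "roles": ["User"], "idp": "local", "mfa": "none", "result": "success"}
{"ts": "2024-05-01T08:08:00Z", "user": "carol@corp.example", "roles": ["User"], "idp": "okta", "mfa": "fido2", "result": "failure"}
{"ts": "2024-05-01T08:08:10Z", "user": "carol@corp.example", "roles": ["User"], "idp": "okta", "mfa": "fido2", "result": "failure"}
{"ts": "2024-05-01T08:08:20Z", "user": "carol@corp.example", "roles": ["User"], "idp": "okta", "mfa": "fido2", "result": "failure"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline should count and alert on unparseable lines
    return events


def evaluate_event(ev):
    """Apply the per-event rules; returns a list of (rule, severity) tuples."""
    findings = []
    user = ev.get("user", "")
    roles = set(ev.get("roles", []))
    mfa = ev.get("mfa", "none")
    success = ev.get("result") == "success"

    # Rule 1: break-glass accounts are never used for daily operations,
    # so any authentication attempt by one warrants an immediate look.
    if user in BREAK_GLASS_ACCOUNTS:
        findings.append(("break_glass_account_used", "critical"))
        return findings  # the remaining rules add nothing for this account

    # Rule 2: CloudAdmin / System Administrator logins must use AAL3 (hardware) MFA.
    if success and roles & HIGH_PRIV_ROLES and mfa not in AAL3_METHODS:
        findings.append(("privileged_login_without_aal3_mfa", "high"))

    # Rule 3: every successful login must carry some form of MFA.
    if success and mfa == "none":
        findings.append(("login_without_mfa", "high"))

    # Rule 4: non-federated (local) accounts should be the rare exception.
    if ev.get("idp") == "local":
        findings.append(("local_account_login", "medium"))

    return findings


def detect(text):
    """Run all rules over a log blob and return findings as SIEM-ready dicts."""
    events = parse_events(text)
    findings = []
    for ev in events:
        for rule, severity in evaluate_event(ev):
            findings.append({"rule": rule, "severity": severity,
                             "user": ev.get("user"), "ts": ev.get("ts")})

    # Rule 5 (cross-event): repeated failures for a single user.
    failures = Counter(ev.get("user") for ev in events if ev.get("result") == "failure")
    for user, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append({"rule": "repeated_login_failures", "severity": "medium",
                             "user": user, "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(json.dumps(finding))
```

Against the constructed events the script raises five findings: the break-glass login, bob's CloudAdmin login with TOTP instead of a hardware authenticator, the local service account logging in with no MFA (two findings), and carol's three consecutive failures. The rule that returns early for break-glass accounts is deliberate: that account's use is the finding, and the other checks would only add noise to the same alert.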

Implementing a Disaster Recovery Site for Vault Access

Description

Deploy an on-premises DR (Disaster Recovery) site to ensure critical secrets remain accessible even during cloud service outages.

Benefits

  • Ensures business continuity during disruptions

  • Supports rapid incident response and recovery

Reference

Disaster Recovery Planning for Secret Server