Access management

Last updated: Nov 14, 2025

We take security seriously, and access management is a critical component of that. This article outlines how we manage authentication and access for two distinct groups: our internal employees (Redoxers) and our customers (your organization users) using the Redox dashboard.

Redoxers

By default, we deny Redoxers access to internal systems, applications, and customer data. We only allow access on a minimum necessary basis, which is based on the principle of least privilege.

Complexity requirements

Each Redoxer has a unique username and complex password that they use to access our internal systems. We align our password policy with the National Institute of Standards and Technology (NIST) password guidelines and best practices. NIST emphasizes length over complexity and multi-factor authentication (MFA) over shorter rotation periods.

As such, we have high length requirements (16 characters) and require MFA whenever possible. We have single sign-on (SSO) in place for access to all internal systems.

Provisioning

Access provisioning is based on an assigned role in our Human Resources Information System (HRIS). If the role has certain access rights assigned, the user is granted that access when they’re granted the indicated role. When the user is no longer a member of that role, their access is removed. We provision access to contractors similarly to employees, but they’re placed into their own roles. We continuously update access within roles based on business needs.

Review

We review critical system accounts and privileged access rights every 60 days. We review standard user accounts upon hire, termination, and role change.

Your organization users

This group applies to any users that are part of your Redox organization. You can manage your own access and provisioning to users within your organization with Redox access control. Learn about using access control.

Complexity requirements

For the Redox dashboard, we enforce the following password requirements:

  • Passwords must not contain:
    • common or repeated words and characters
    • your name, email, or organization name
  • Passwords must be between 9 and 71 characters long (inclusive). Any characters are allowed, including Unicode and whitespace.
  • Passwords must include characters from at least two of these categories:
    • uppercase letters (A-Z)
    • lowercase letters (a-z)
    • numbers (0–9)
    • special characters (~!@#$%^&*/?)

Lockout occurs after 3 failed login attempts.
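The rules above are concrete enough to express as a checker. The following is an added example written for this page, not Redox's own dashboard code: it validates a candidate password against the stated length, category, identity-string and common/repeated-content rules, and keeps a per-user failed-attempt counter for the 3-attempt lockout. Where the page is not specific, the code states an assumption: length is counted in Unicode code points, "common words" are a small constructed blocklist, "repeated characters" means four or more of the same character in a row, identity strings are matched case-insensitively (including the local part of the email), and a successful login resets the failure counter.

```python
"""Reference checker for the dashboard password policy described above.
Constructed example, not Redox's own code. Assumptions are marked inline."""
import re
import string
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 9, 71          # inclusive bounds stated in the policy
MAX_FAILED_ATTEMPTS = 3           # lockout threshold stated in the policy
SPECIALS = set("~!@#$%^&*/?")     # special-character set listed in the policy

# Constructed blocklist standing in for "common words" (assumption); a real
# deployment would check against a breached-password corpus instead.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "123456789"}
# "Repeated characters" interpreted as 4+ identical characters in a row (assumption).
REPEAT_RUN = re.compile(r"(.)\1{3,}")


def _categories(pw: str) -> int:
    """Count how many of the four character categories the password uses."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c in string.digits for c in pw)   # ASCII 0-9 only
    has_special = any(c in SPECIALS for c in pw)
    return sum((has_upper, has_lower, has_digit, has_special))


def validate_password(pw: str, name: str = "", email: str = "", org: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    Length is measured in Unicode code points (assumption); any character is allowed."""
    errors = []
    n = len(pw)
    if not MIN_LEN <= n <= MAX_LEN:
        errors.append(f"length {n} outside {MIN_LEN}-{MAX_LEN} characters")
    if _categories(pw) < 2:
        errors.append("needs characters from at least two categories")
    lowered = pw.casefold()
    if any(word in lowered for word in COMMON_PASSWORDS):
        errors.append("contains a common word")
    if REPEAT_RUN.search(pw):
        errors.append("contains repeated characters")
    # Identity-derived strings: full name, each name token, full email, the
    # email local part, and the organization name, matched case-insensitively (assumption).
    local_part = email.split("@")[0] if email else ""
    identity = [name, email, org, local_part] + name.split()
    for term in identity:
        term = term.casefold().strip()
        if len(term) >= 3 and term in lowered:   # skip tiny tokens to avoid spurious hits
            errors.append(f"contains identity string {term!r}")
            break
    return errors


@dataclass
class LockoutTracker:
    """Per-user failed-attempt counter implementing the 3-attempt lockout.
    In-memory only; the unlock path is not described on the page."""
    failed: dict = field(default_factory=dict)

    def record_failure(self, user: str) -> bool:
        """Record a failed login; return True if the account is now locked."""
        self.failed[user] = self.failed.get(user, 0) + 1
        return self.failed[user] >= MAX_FAILED_ATTEMPTS

    def is_locked(self, user: str) -> bool:
        return self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS

    def record_success(self, user: str) -> None:
        """A successful login clears the counter (assumption)."""
        self.failed.pop(user, None)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_password("correct horse battery!"))                       # []
    print(validate_password("Password1!", name="Ann"))                      # common word
    print(validate_password("Jane.Doe.Health!", name="Jane Doe",
                            email="jane.doe@example.com", org="Acme Health"))  # identity string
    tracker = LockoutTracker()
    print([tracker.record_failure("ann@example.com") for _ in range(3)])    # [False, False, True]
```

Whitespace and non-ASCII letters count toward length and toward the upper/lower categories, so a passphrase such as "Pässwörd ünïcödé 9" passes, while a hyphen or other symbol outside the listed special set contributes no category.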

Multi-factor authentication

As a best practice, we recommend requiring MFA for any user in your Redox organization who has access to PHI. MFA is available to any user via SMS text message. Organization owners can view which users have enabled MFA within the dashboard.

If you don’t want to input an MFA token every time you log in, you can check the box for the option: “Remember this device for 30 days.” You’ll still have to enter the MFA token, though, if you explicitly log out, use a new device or incognito browser, or delete browser cookies.

SSO

We support SSO via Security Assertion Markup Language (SAML). SSO allows you to enforce your own password complexity requirements and more stringent MFA rules via your own identity provider. Learn how to set up SSO for your Redox organization.