Note the following adjacencies; it would be good to see some backlog grooming to harmonise these a bit more:
- https://jira.atlassian.com/browse/ACCESS-1740 - Ability to allow Org Admin to schedule user session timeout via certain timeout policy
- https://jira.atlassian.com/browse/ACCESS-1644 - API for Reset Session in Authentication Policies
- https://jira.atlassian.com/browse/ACCESS-1044 - Manage authentication policies via Admin API
- https://jira.atlassian.com/browse/ACCESS-1451 - Improvements to Idle Session Authentication Policy Options
Session management is an important security element. Current approaches might tick an ISM compliance box using the reset-session feature described in https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/#Reset-sessions-for-an-authentication-policy, but there is clearly appetite for some more fine-grained approaches to session management/termination. Please consider customer obligations to meet Session Termination compliance obligations and help ensure we can meet those. Example below from https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-hardening
Session termination
Implementing measures to terminate user sessions and restart workstations on a daily basis, outside of business hours and after an appropriate period of inactivity, can assist in both system maintenance activities as well as removing malicious actors that may have compromised a system but failed to gain persistence.
Control: ISM-0853; Revision: 3; Updated: Sep-22; Applicability: All; Essential Eight: N/A
On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted.
Feel free to test new functions against the resources at https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality
Relevant FEDRAMP links
https://wayfinder.digital/FedRAMP/SC023-FedRAMP.html
https://wayfinder.digital/FedRAMP/AC012-FedRAMP.html