Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Yandex 360 protection and safe use standard, version 1.0.0

Written by
Updated at October 13, 2025

Introduction

This document offers recommendations for means of technical protection and helps you choose adequate information security measures when using Yandex 360 services.

The recommendations and security measures mentioned in this standard come with links to the APIs and solutions for setting up secure configurations using standard information security tools.

The standard describes the methods and means of verifying compliance with the recommendations, including:

Scope

These recommendations are addressed to administrators, technical specialists, and information security specialists responsible for the security of information systems built around Yandex 360 services.

The standard can be used as the basis for developing company-specific recommendations. Not all of the information security measures and recommendations from this document are applicable. Moreover, additional measures and recommendations that are not included in the current standard may be required.

Standard structure

The standard describes recommendations for the following security objectives:

  • Account and access permission management.
  • Two-factor authentication and account recovery.
  • Monitoring and analysis of audit logs.
  • Password policy and password management.
  • Restricting access to external services and applications.
  • Data protection and leak prevention.

Requirements and preparation

Prior to the checks, make sure that:

  • You have the necessary access permissions for the Yandex 360 APIs.
  • You are familiar with the documentation for the APIs in question.
  • You have access to audit logs and other necessary data.

You can automate the audit of compliance with all recommendations using Yandex 360 API-based scripts.

Limitation of responsibility

Yandex 360 uses the concept of shared responsibility. The limit of responsibility for security depends on the type of platform (SaaS model), built-in protection mechanisms, and policies made available by the provider.

As a service provider, Yandex is responsible for physical security of data centers, supporting a holistic fault-tolerant platform, network infrastructure protection, monitoring and analysis of system-level events, as well as implementation of the Security-by-Default mechanisms: data encryption, anti-spam and anti-DDoS tools, other inbuilt levels of protection.

The client (Organization 360 owner) contributes access setup and management functions: assigns roles (users, managers, admins), implements password policies, enables two-factor authentication, configures networking rules for services (e.g., Yandex Telemost), performs data processing and classification, backups and audits of objects within the organization.

The provider thus guarantees the infrastructure-level security and stability, whereas the client ensures reliable configuration, access control, and data protection within their SaaS organization.

Terms and abbreviations

This document uses the terms and definitions used in the Yandex 360 documentation, as well as generally accepted terms in the field of information security.

Authentication and access management

Number of organization administrators is minimal

Y360-1

Organization 360 is a logical container in the Yandex 360 infrastructure which consolidates a company’s employees, domains, groups, and services. You can manage the organization profile, change its owner, configure domains, and work with audit logs via the admin profile.

Admins have the widest permissions within a Yandex 360 organization, including management of security settings, employee access, and integrations. With too many admins, the risk of compromising critical functions increases.

  1. Log in as the organization administrator.
  2. Go to the Employees page.
  3. The rows of users with admin permissions will indicate Admin, and their profile images will be marked with the relevant icon.

To view a list of employees, use the UserService_List REST API method for the UserService resource. To find users with admin permissions, filter the results by this parameter: isAdmin: true.

How to implement:

  • Limit the number of admins to one (or the minimum required number).
  • For other users with administrative tasks, use roles with restricted permissions. For more information, see this guide.

Second factor is used for domain users and Yandex ID users

Y360-3

To improve security of access to Yandex 360 corporate services, use two-factor authentication (2FA) for all domain users and Yandex ID users. This means, in addition to their password, a user will need a one-time code delivered by phone call or SMS to log in to their account. Such approach significantly reduces the risk of unauthorized access even if the password has been compromised.

  1. Log in as the organization administrator.

  2. Select Login confirmation in the Security menu.

  3. Specify the required settings:

    • Enable for: Specify All employees if you are enabling verification for the entire organization or Selected employees if you want to set it up individually.
    • Warning period: Time given to users to set up sign-in verification. After this period expires, employees will not be able to postpone its setup.

    Note

    The Verification method setting is non-editable. The priority method for code delivery is a phone call. SMS delivery is used only when phone calls are not available.

  4. Click Enable.

  5. If you are enabling login confirmation for specific users, select them.

  6. If you are enabling login confirmation for all organization users, you can forcibly terminate sessions of all user accounts.

  1. To get the 2FA setup status for an organization, use the Domain2FAService_Get REST API method for the Domain2FAService resource. Make sure 2FA is enabled for all domain users or selected employees according to your organization’s policy.

  2. To get the 2FA setup status for each domain user, use the UserService_Get2fa REST API method for the UserService resource. Make sure the twofaEnabled parameter in the response body is set to true.

  3. To check that domain users are unable to postpone setting up a second factor, use the Domain2FAService_Disable REST API method for the Domain2FAService resource. Make sure there are no users with active postponement of 2FA setup.

    Note

    For Yandex ID users, use the available verification options via Yandex ID.

How to implement:

Set up two-factor authentication for all employees using Yandex ID or Yandex 360 domain accounts. This is the minimum security standard to adopt in all organizations handling protected or critical information.

Password policy is enabled in your organization

Y360-6

An organization must have an active password management policy which requires users to change their passwords at least every six months. This is an additional security measure in case 2FA is not implemented or is not enabled for all users.

To get password policy parameters, use the DomainPasswordsService_Get REST API method for the DomainPasswordsService resource. Make sure the enabled parameter in the response body is set to true and the changeFrequency parameter value does not exceed 180 days.

Response example:

{"changeFrequency":180,"enabled":true}

If the response returns enabled: false or changeFrequency > 180, the policy does not comply with Y360-6.

How to implement:

Set the password policy parameters so that password expiration period does not exceed 180 days and check that users can actually change their passwords.

Organization owner’s account has recovery tools

Y360-9

Make sure to set up access recovery options for the organization owner’s account:

  1. Associated phone number (secure phone) for recovery via SMS or phone call.

  2. Two-factor authentication (2FA) to enforce using a second factor.

    Specifics:

    • For domain users, you can check 2FA via the API.
    • For @yandex.ru accounts, you need to perfrom the check manually (the API is not available).
  1. Log in as the organization administrator.
  2. In the security settings, manually check that:
    • There is an associated phone number.
    • 2FA is activated.

  1. To make sure the organization owner’s account has access recovery options configured, use the UserService_Get REST API method for the UserService resource. Make sure the has_security_phone and 2fa_enabled parameters in the response body are set to true.

  2. To check global 2FA settings in an organization, use the Domain2FAService_Get REST API method for the Domain2FAService resource. Make sure the enabled parameter in the response body is set to true 2FA.

How to implement:

  1. Log in as the organization administrator.

  2. Select Login confirmation in the Security menu.

  3. Specify the required settings:

    • Enable for: Specify All employees.

  4. Click Enable.

For Yandex accounts, transfer the organization ownership to a domain user.

To enable 2FA for a domain account, use the Domain2FAService_Enable REST API method for the Domain2FAService resource.

Cookie lifetime is limited according to the information security policy of your organization

Y360-2

You can select the time interval before employees need to log in again. By default, session cookie lifetime is unlimited. Set this value to comply with your organization's information security policy. You can do this with an API request. For more information on how to change session cookie lifetime, see this article.

To check the current lifetime value of cookie sessions, use the DomainSessionsService_Get REST API method for the DomainSessionsService resource. The authTTL parameter in the response body gives the sessions' expiration time in seconds. If authTTL equals 0, the lifetime is unlimited.

Guides and solutions to use:

Set the cookie lifetime parameter to not more than 7 days (604,800 seconds). This will reduce the risks due to potentially compromised sessions and unauthorized access.

To update the cookie session lifetime value, use the DomainSessionsService_Update REST API method for the DomainSessionsService resource.

Response example:

{
"authTTL": 604800
}

Where authTTL is time in seconds (in this example, set to 7 days).

Monitoring and audit

Organization users who last logged in more than 30 days ago are blocked

Y360-5

To minimize the risks of unauthorized access, you should regularly audit user activity. We recommend blocking or deleting accounts that were inactive for more than 30 days. This especially concerns organizations with high turnover of staff, contractors, or temporary employees.

Before implementing this measure, make sure the session cookie lifetime in your organization is limited according to the Y360-2 standard. This is required for accurate evaluation of user activity.

To get a list of events in the organization’s audit log, use the get-logs REST API method for the audit-logs resource. Make sure the occurred_at parameter value in the response body does not exceed 30 days.

How to implement:

For added security, we recommend blocking or deleting user accounts that were inactive for more than 30 days, provided you comply with the Y360-2 standard for session cookies.

How to block or unblock an employee.

How to delete an employee account.

Monitoring of audit log events is set up

Y360-11

This recommendation mandates collection and analysis of audit log events in order to detect potentially dangerous actions and anomalies in the system. Such events may include information about access to files, user activity, system logins, and other actions.

Admins and managers can use audit logs to look into:

  1. Events in services:

    • How employees log in to their accounts, e.g., the time and device of their login.
    • Actions employees take with emails and files in their Mail and Disk. For example, you can find out who has moved an email or file.

  2. Events in the organization’s profile:

    • Changes in the organization’s profile. For example, you can view what changed in a user’s data and who made those changes.
    • Past searches of other admins in the email archive and how they set up email rules.

  1. Log in as the organization administrator.

  2. In the left-hand menu, select Audit logs.

    If you see the Connect button, your configuration does not comply with Y360-11.

How to implement:

To ensure system security, enable collection and analysis of audit log events. This will allow you to timely detect and respond to potential threats.

Data encryption and protection

Every domain user has a linked phone number (secure phone)

Y360-4

For added security, domain users must have a mobile phone number (secure phone) linked to each account. In addition to reliable authentication and account recovery, this will also enable two-factor authentication (2FA).

  1. Go to the Phones page.

    The page will display several numbers if a phone number different from main one was specified in a different Yandex service.

To get the 2FA setup status for each domain user, use the UserService_Get2fa REST API method for the UserService resource. In the response, check that the hasSecurityPhone field is set to true.

Note

For users with a Yandex ID account, this verification mechanism will be implemented at a later stage.

How to implement:

It is the administrator's duty to have the users' phone numbers linked to their domain accounts. This is done to strengthen security and prevent unauthorized access.

If there is an existing DLP system in place, configure it for Yandex 360 services

Y360-14

To protect corporate information and minimize the risk of data leaks, we recommend setting up the DLP (Data Loss Prevention) system in Yandex 360 services. DLP automatically detects sensitive information, such as passwords, tokens, secret keys, personal data, etc., and prevents it getting in the hands of unauthorized recipients.

To check if there is a rule for incoming and outgoing mail to be forwarded to a DLP address, use the RoutingService_GetRules REST API method for the RoutingService resource. Make sure that one of the rules (the first or required one) has the forward action to forward emails to a dedicated DLP address (dlp@domain.ru or similar).

Response example:

{
  "terminal": false,
  "condition": {},
  "actions": [
    {
      "data": {"email": "dlp@domain.ru"},
      "action": "forward"
    }
  ],
  "scope": {"direction": "outbound"}
}

Also check the incoming mail forwarding setting: we recommend forwarding all correspondence for extended control.

How to implement:

  1. Consider setting up forwarding of outgoing (and, optionally, incoming) mail to a dedicated DLP mailbox for automated analysis:
    • Check if there is a forwarding rule with the help of the GET https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules API request.
    • Make sure that one of the rules has the forward action to forward emails to a dedicated DLP address, e.g., dlp@domain.ru.
  2. Make sure the DLP mailbox can be accessed externally:
    • Create a dedicated user for integration of the DLP platform with the mailbox.
    • Set up an app-specific password or OAuth access for this user.
  3. Check if email scans are on for:
    • Passwords and password reset requests.
    • Access tokens.
    • SSH, PKI, or VPN private keys.
    • Personal or confidential data (if this is part of the policy).

Integrations and third-party services

The organization does not use portal accounts

Y360-7

The organization does not allow personal accounts with @yandex.ru email addresses, as it is not possible to centrally manage security policies for such accounts. Organization ownership must be delegated exclusively to domain users.

To get a list of employees, use the UserService_List REST API method for the UserService resource. Make sure the email parameter in the response body does not end with @yandex.ru. Personal accounts do not pass the Y360-7 check.

Guides and solutions to use:

We recommend avoiding the use of personal @yandex.ru portal accounts in the corporate environment. Instead, delegate organization ownership to domain users to enable centralized security policy management and controlled access to corporate resources.

The organization uses SSO based on a SAML-compatible IdP

Y360-8

The organization use single sign-on (SSO) access implemented through an external SAML-compatible identity provider (IdP). Domain users must not coexist with SSO accounts. If you do not have a dedicated IdP, you can use Yandex Identity Hub. To do so, create a SAML application in Identity Hub and configure it both on the Identity Hub side and the service provider side.

For more information, see Creating a SAML application in Yandex Identity Hub.

How to implement:

We recommend using single sign-on (SSO) through a SAML-compatible IdP for centralized access management and enhanced security. This will simplify the authentication process for users and streamline the management of access to the organization's resources.

Checking issued OAuth tokens and their permissions available when setting up the application

Y360-10

This control involves checking that all issued OAuth tokens comply with the principle of least privilege, there are no tokens with excessive permissions, and that only trusted applications and users get to own the tokens. You do this to maintain security and manage access to the services, in particular to:

  • Ensure compliance with the principle of least privilege.
  • Make sure there are no tokens with excessive permissions (e.g., mail:full_access or cloud:admin).

To check the list of connected applications:

  1. Log in as the organization administrator.
  2. Go to SecurityService applications.
  3. View the list of all registered applications.
  4. Cross-reference each application with your internal registry of trusted integrations, check for mismatches and suspicious integrations.

To check scopes:

  1. For each application, copy its Client ID.

  2. Navigate to https://oauth.yandex.com/client/<client_id>/info, where client_id is the application ID.

  3. Check the page for:

    • Scopes requested by the application.
    • Whether the application has access to sensitive data (mail, calendar, contacts, etc.).

  4. Compare the requested permissions against the application's actual needs, check for excessive or suspicious permissions.

To check authentication:

  1. Log in as the organization administrator.

  2. Go to SecurityDevices and activity.

  3. View the list of active user sessions looking for:

    • Employees with third-party apps connected.
    • Inactive or suspicious sessions.

  4. Optionally, you can:

    • Terminate unnecessary or outdated sessions.
    • Notify users they need to revise their accesses.

To disconnect applications you do not need:

  1. Log in as the organization administrator.
  2. Go to SecurityService applications.
  3. Deactivate or remove all unapproved, outdated, or unused applications.
  4. Make sure you leave only applications that:
    • Are officially approved.
    • Satisfy the principle of least privilege.
    • Have no excessive permissions.

  1. To get a list of service applications and their scopes, use the ServiceApplicationsService_Get REST API method for the ServiceApplicationsService resource.

  2. To shorten the list of service applications, use the ServiceApplicationsService_Create method for the ServiceApplicationsService resource.

  3. To test actual access using a short-lived token, do the following:

    Issue a temporary token for a particular user and check that the operations succeed only within the granted permissions:

    curl --location \
--request POST 'https://oauth.yandex.ru/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'client_id=<OAuth_service_app_client_id>' \
--data-urlencode 'client_secret=<OAuth_service_app_client_secret>' \
--data-urlencode 'subject_token=<user_id>' \
--data-urlencode 'subject_token_type=urn:yandex:params:oauth:token-type:uid'

    Where:

    • OAuth_service_app_client_id: Client ID of the service app.
    • OAuth_service_app_client_secret: Client secret of the service app.
    • user_id: User ID.
    • user_email: User email in username@domain.ru format.

    The response will contain a token for use in Yandex 360 API requests.

How to implement:

Apply the principle of least privilege to each service app. Maintain a registry (owner, purpose, minimal scopes). Revise at least once per quarter. Use short-lived tokens for one-off tasks, promptly revoke tokens you no longer need. For Disk, use narrow scope permissions where possible (e.g., cloud_api:disk.app_folder or cloud_api:disk.read).

Authentication in external OAuth services is banned

Y360-12

To strengthen information security, we recommend you to ban your employees from authenticating in third-party OAuth services using their corporate accounts. This will prevent corporate OAuth tokens being forwarded to external apps, thus minimizing the risk of phishing, account compromise, and corporate data leaks through external services.

To get the ban status, use the OauthAccessRestrictionsService_Get REST API method for the OauthAccessRestrictionsService resource.

Analyze the response:

How to implement:

  • Set the ban (restricted = true) for all employees with accounts in the corporate domain.
  • Revisit this policy from time to time, especially after updates in the organization's management structure or bulk third-party app integrations.

New service app connections are banned or limited to a list of trusted applications

Y360-13

To make your organization more protected, service app connections must be limited as much as possible:

  • Either banned completely (default), or
  • Limited exclusively to a list of pre-approved, trusted applications authorized by your security or IT team. All unauthorized, unknown, or suspicious app must be off the list.

Service apps can request various scopes and interact with corporate resources. Uncontrolled service app integrations greatly increase the risks of data theft, unauthorized access, malware injection, and circumvention of perimeter security policies.

To get the current list of service apps, use the ServiceApplicationsService_Get REST API method for the ServiceApplicationsService resource. In the response body, find the applications array with objects formatted as follows:

{
  "id": "some_id",
  "scopes": [
    "scope1",
    "scope2"
  ]
}

Analyze the response:

  • Check if the apps are on your organization's internal whitelist of approved service apps.
  • Make sure there are no unknown, unused, or suspicious apps on the list.
  • Review the granted scopes and minimize excessive permissions.

If no service apps are allowed, the list must be empty.

Guides and solutions to use:

  • By default, prohibit users from connecting any service apps (whitelist only). Audit the list of connected service applications and their scopes on a regular basis.
  • Have new connections approved by your information security team and tighten up access control.
  • Promptly remove unknown or suspicious apps.
Previous
Versions
Next
Introduction