Data encryption and protection
Every domain user has a linked phone number (secure phone)
Y360-4
For added security, domain users must have a mobile phone number (secure phone) linked to each account. In addition to reliable authentication and account recovery, this will also enable two-factor authentication (2FA).
- Go to the Phones page. The page will display several numbers if a phone number different from the main one was specified in a different Yandex service.
To get the 2FA setup status for each domain user, use UserService_Get2fa and make sure the hasSecurityPhone field is set to true.
Note
For users with a Yandex ID account, this verification mechanism will be implemented at a later stage.
How to implement:
It is the administrator's duty to have the users' phone numbers linked
If there is an existing DLP system in place, configure it for Yandex 360 services
Y360-14
To protect corporate information and minimize the risk of data leaks, we recommend setting up the DLP (Data Loss Prevention) system in Yandex 360 services. DLP automatically detects sensitive information, such as passwords, tokens, secret keys, personal data, etc., and prevents it from getting into the hands of unauthorized recipients.
To check if there is a rule for incoming and outgoing mail to be forwarded to a DLP address, use RoutingService_GetRules. Make sure that one of the rules has the forward action to forward emails to a dedicated DLP address (dlp@domain.ru or similar).
Response example:
{
  "terminal": false,
  "condition": {},
  "actions": [
    {
      "data": {"email": "dlp@domain.ru"},
      "action": "forward"
    }
  ],
  "scope": {"direction": "outbound"}
}
Also check the incoming mail forwarding setting: we recommend forwarding all correspondence for extended control.
How to implement:
- Consider setting up forwarding of outgoing (and, optionally, incoming) mail to a dedicated DLP mailbox for automated analysis:
  - Check if there is a forwarding rule with the help of the GET https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules API request.
  - Make sure that one of the rules has the forward action to forward emails to a dedicated DLP address, e.g., dlp@domain.ru.
- Make sure the DLP mailbox can be accessed externally:
  - Create a dedicated user for integration of the DLP platform with the mailbox.
  - Set up an app-specific password or OAuth access for this user.
- Check if email scans are on for:
  - Passwords and password reset requests.
  - Access tokens.
  - SSH, PKI, or VPN private keys.
  - Personal or confidential data (if this is part of the policy).
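The forwarding-rule check described above can be automated once the routing rules response has been saved as JSON. The following is an added example, not part of the Yandex 360 documentation. It assumes that the rules arrive in a "rules" list, that "inbound" is the incoming counterpart of "outbound", that an empty condition matches all mail, and that a terminal rule stops later rules from being processed.

```python
import json

# Constructed sample response. The per-rule fields follow the response example
# on this page; the "rules" wrapper, the "inbound" value and the contents of
# the second rule's condition are assumptions made up for this example.
SAMPLE = json.loads("""
{"rules": [
  {"terminal": false, "condition": {},
   "actions": [{"action": "forward", "data": {"email": "dlp@domain.ru"}}],
   "scope": {"direction": "outbound"}},
  {"terminal": false, "condition": {"from": "hr@domain.ru"},
   "actions": [{"action": "forward", "data": {"email": "dlp@domain.ru"}}],
   "scope": {"direction": "inbound"}}
]}
""")


def dlp_coverage(response, dlp_address, directions=("outbound", "inbound")):
    """Return {direction: "full" | "partial" | "shadowed" | "missing"}."""
    rules = response.get("rules", []) if isinstance(response, dict) else response
    rank = {"missing": 0, "shadowed": 1, "partial": 2, "full": 3}
    result = {d: "missing" for d in directions}
    blocked = set()  # directions already ended by an unconditional terminal rule (assumed semantics)
    for rule in rules:
        direction = rule.get("scope", {}).get("direction")
        if direction not in result:
            continue
        forwards = any(
            a.get("action") == "forward"
            and a.get("data", {}).get("email", "").lower() == dlp_address.lower()
            for a in rule.get("actions", [])
        )
        if forwards:
            if direction in blocked:
                state = "shadowed"   # never reached: an earlier terminal rule wins
            elif rule.get("condition"):
                state = "partial"    # only mail matching the condition is copied
            else:
                state = "full"       # empty condition: all mail in this direction
            if rank[state] > rank[result[direction]]:
                result[direction] = state
        if rule.get("terminal") and not rule.get("condition"):
            blocked.add(direction)
    return result


if __name__ == "__main__":
    print(dlp_coverage(SAMPLE, "dlp@domain.ru"))
```

Any direction reported as anything other than "full" means the DLP mailbox is not receiving all correspondence for that direction.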