Several built-in security features allow
you to configure your Jive
community for the appropriate level of security for your organization.
Authentication Features
- Login Security
- Using the Admin Console, you can configure Jive to
strongly discourage automated (computer-driven) registration and logins.
Automated registration is usually an attempt to gain access to the
application for malicious reasons. By taking steps to make registering and
logging in something that only a human being can do, you help to prevent
automated attacks. We recommend using the following tools, all of which are
available as options in the Admin Console:
- Login Throttling: Enabling login throttling slows down the login
process when a user has entered incorrect credentials more than the
specified number of times. For example, if you set the number of
failed attempts to 5 and a forced delay to 10 seconds and a user
fails to log in after more than 5 attempts, the application would
force the user to wait 10 seconds before being able to try
again.
- Login Captcha: Enabling login Captcha displays a Captcha image on the
login page. The image shows text (distorted to prevent automated
registration) that the user must enter to continue with registration.
This discourages registration by bots that would otherwise use the
accounts to send spam. The login Captcha setting is designed to display
the Captcha image when throttling begins: after the number of failed
attempts specified for throttling, the Captcha image is displayed and
throttling starts. You cannot enable the login Captcha unless login
throttling is enabled. The Captcha size is the number of characters that
appear in the Captcha image, which the user must type when logging in. A
good value is 6, which is long enough to make the image useful but short
enough to be easy for real humans.
- Password Strength: You can choose to enforce strong passwords via
the Admin Console. The following options are available out of the
box:
- a minimum of 6 characters of any type
- a minimum of 7 characters including 2 different character
types (uppercase, lowercase, number, punctuation, and/or
special characters)
- a minimum of 7 characters including 3 different character
types
- a minimum of 8 characters, including all 4 character
types
To learn more about configuring login and password security, see Configuring Login Security and Configuring User Registration.
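The throttling, Captcha and password-strength settings described above, modelled as an added example (not Jive code): the threshold, forced delay and Captcha trigger follow the text, and the four password levels are the out-of-the-box options listed. All class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of the Admin Console settings described above (an added
# example, not Jive code): failed-attempt threshold, forced delay and Captcha.
@dataclass
class LoginThrottle:
    max_failures: int = 5           # "number of failed attempts"
    delay_seconds: float = 10.0     # "forced delay"
    throttling_enabled: bool = True
    captcha_enabled: bool = False   # only valid when throttling is enabled
    _failures: dict = field(default_factory=dict)
    _last_failure: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.captcha_enabled and not self.throttling_enabled:
            raise ValueError("login Captcha requires login throttling")

    def check(self, user: str, now: float) -> dict:
        """Decide whether `user` may attempt a login at time `now` (seconds)."""
        throttled = (self.throttling_enabled and
                     self._failures.get(user, 0) > self.max_failures)
        wait = 0.0
        if throttled:
            wait = max(0.0, self._last_failure[user] + self.delay_seconds - now)
        return {"allowed": wait == 0.0, "wait_seconds": wait,
                "captcha_required": throttled and self.captcha_enabled}

    def record(self, user: str, success: bool, now: float) -> None:
        """Update the per-user failure count after an attempt; success resets it."""
        if success:
            self._failures.pop(user, None)
            self._last_failure.pop(user, None)
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
            self._last_failure[user] = now

# The four out-of-the-box strength levels: (minimum length, distinct types).
PASSWORD_LEVELS = {1: (6, 0), 2: (7, 2), 3: (7, 3), 4: (8, 4)}
CHAR_TYPES = (str.isupper, str.islower, str.isdigit,
              lambda c: not c.isalnum())   # punctuation / special characters

def password_meets_level(password: str, level: int) -> bool:
    """True if `password` satisfies the chosen out-of-the-box strength level."""
    min_len, min_types = PASSWORD_LEVELS[level]
    types_present = sum(1 for is_type in CHAR_TYPES
                        if any(is_type(c) for c in password))
    return len(password) >= min_len and types_present >= min_types
```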
- Session Timeout
- By default, Jive passes a token that persists the user session for 30 minutes from the last request. If you have a specific need to modify this limit (for example, if you need to make your Jive session timeout match the timeout of your identity provider when configuring SSO), you can use the auth.lifetime system property to set a new session timeout period in minutes. Keep in mind that increasing session duration increases security risks such as session hijacking and unattended workstation tampering. You should consult your organization's security team before you modify this value.
- Email Validation
- You can configure Jive to
require email validation for all new accounts. This setting helps to prevent
bots from registering with the site and then automatically posting content.
When you configure email validation, Jive will
require a new user to complete the registration form and retrieve an email
with a click-through link to validate their registration. To learn how to
enable this setting, see Configuring User Registration.
- Account Lockout
- Jive does not offer
account lockout as an out-of-the-box feature. However, you can configure Jive to
authenticate against a third-party IDP that will perform account lockout. If this is
not something you want to implement, you can request the account lockout feature from Jive's
Professional Services team as a customization.
- SSO
- Jive
includes support for SAML out of the box. SSO can also
be implemented as a customization by Jive's Professional Services team, a
Jive partner, or an engineer of your choice. Be sure to read Getting Ready to Implement SAML SSO.
- Delegated Authentication
- When delegated authentication is enabled and configured, Jive makes a simple Web Service
call out to the configured server whenever a user attempts to log in.
This allows administrators to control the definition of users outside of the community.
To learn more about this, see Configuring Delegated Authentication.
Authorization Features
Jive includes
powerful built-in end user and admin permissions matrices, as well as customizable
permissions. Depending on their assigned roles, users can or cannot see specific
places and the content posted there. In addition, administrative permissions can be
used to limit the access level of administrators. Jive administrators
control user and admin permissions through the Admin Console. To learn more about
how permissions work, see Managing Permissions.
Moderation and Abuse Features
- Moderation
- Jive
administrators can enable moderation so that designated reviewers view
and approve content before it is published in the community. This can be
useful for places that contain sensitive information. In addition to
content moderation, administrators can enable moderation for images,
profile images, avatars, and user registrations. For more about moderation,
see the Moderation section.
- Abuse Reporting
- Administrators can enable abuse reporting so that users can report abusive
content items. To learn more about abuse reporting, see Setting Up Abuse Reporting.
- Banning Users
- Administrators can block a person's access to Jive so that they are no
longer able to log in to the community. For example, if someone becomes
abusive in their messages (or moderating their content is too
time-consuming), administrators may choose to ensure that the user can
no longer log in. Users can be banned through their login credentials or
their IP address. Be sure to read Banning People for
more information.
- Interceptors
- Interceptors can be set up to perform customizable actions on incoming requests that seek to post content.
Administrators can set up interceptors to prevent specific users from posting content, or
to filter and moderate content containing offensive words, content from specific IP addresses, or
users who post too frequently. To learn more about how interceptors work, see Configuring Interceptors.
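An interceptor chain of the kind described above, as an added example that is not Jive's own interceptor API: it blocks specific users and IP ranges, masks offensive words, and rejects users who post too frequently. The request model, function names and the constructed CIDR and word lists are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed model of an incoming "post content" request and a small
# interceptor chain (an added example, not Jive's interceptor API).
@dataclass
class PostRequest:
    user: str
    ip: str
    body: str
    timestamp: float   # seconds
class Reject(Exception): pass   # stops the request; the message is the reason

def block_sources(users, cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    def run(req):
        if req.user in users:
            raise Reject(f"user {req.user} is not allowed to post")
        if any(ipaddress.ip_address(req.ip) in n for n in nets):
            raise Reject(f"address {req.ip} is blocked")
    return run

def word_filter(words, mask="***"):
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, words)) + r")\b", re.I)
    def run(req):
        req.body = pattern.sub(mask, req.body)   # moderate rather than reject
    return run

def rate_limit(max_posts, window_seconds):
    """Reject a user who exceeds `max_posts` accepted posts per sliding window."""
    history = defaultdict(deque)   # user -> timestamps of accepted posts
    def run(req):
        q = history[req.user]
        while q and req.timestamp - q[0] >= window_seconds:
            q.popleft()
        if len(q) >= max_posts:
            raise Reject(f"user {req.user} posts too frequently")
        q.append(req.timestamp)
    return run

def run_interceptors(chain, req):
    """Apply each interceptor in order; returns (accepted, reason or final body)."""
    try:
        for interceptor in chain:
            interceptor(req)
    except Reject as e:
        return False, str(e)
    return True, req.body
```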
Encryption
- HTTPS and Browser Encryption
- You can configure Jive to encrypt
HTTP requests using SSL. Documentation and instructions for configuring SSL are
available in
Enabling SSL Encryption. Additionally, you can configure Jive to use
one of three HTTP/HTTPS configurations:
- Allow both HTTP and HTTPS
- Force HTTPS
- Force HTTPS on secure pages (login, registration, change password,
etc.)
- Data Encryption
- Jive supports
anything the JVM does at the application level and anything OpenSSL does at the
HTTPD level. We actively use Blowfish/ECB/PKCS5Padding and AES-256 for symmetric key
encryption, SHA-256 for one-way hashing, and we support and recommend Triple-DES
ciphers at the HTTPD server for TLS encrypted channels.
- SHA-256 -- Jive user
passwords are stored in the database as salted SHA-256 hashes.
- AES-256 -- Bridging credentials, License Metering information, and iPhone
UDIDs are all encrypted with AES-256.
- Blowfish/ECB/PKCS5Padding -- Used for storing LDAP administrator credentials
and OpenSearch credentials in the database.
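The salted SHA-256 password storage the list above describes, as an added example (not Jive's own code or database layout): a random per-user salt means two users with the same password get different stored hashes, and verification recomputes the hash from the stored salt and compares in constant time. The record format `sha256$<salt>$<digest>` is an assumption for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed record format for this example (not Jive's actual database
# layout): "sha256$<hex salt>$<hex digest>". A salted fast hash is what the
# page describes; a slow KDF such as PBKDF2 would further raise the cost of
# offline guessing against a leaked table.
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh 16-byte random salt (or the given one)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:          # malformed record: wrong field count or bad hex
        return False
    if scheme != "sha256":
        return False
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)
```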
Cookies
Jive uses HTTP cookies in several places in the application to
provide a better user experience. To learn more about how the application uses cookies, be sure to read
Jive and Cookies.
Note: The Jive Professional Services team can deliver security customizations if the
out-of-the-box security features do not meet the specific requirements of your
organization.