These security recommendations depend on your community's specific configuration.
Internal communities are typically for employees only.
External communities are typically for customers, vendors, and other external audiences.
| Security Recommendation | Applies to | Description |
|---|---|---|
| Configure user login security | External Communities | Login security can include throttling, CAPTCHA, and password strength requirements. For implementation details: See Configuring Login Security and Configuring User Registration. |
| Enable SSO | Internal Communities | A single sign-on solution can help you provide a consistent login experience for your users while providing identity management for your organization via a third-party vendor. Jive Software strongly recommends using a single sign-on solution for access to internal communities. In addition to the out-of-the-box SSO options in the application, our Professional Services team can create customizations to meet almost any single sign-on requirement. For implementation details: See the Single Sign-On section, or, if you need an SSO customization, contact your Jive Software account representative. |
| Add an extra layer of security with SSL | External and Internal Communities | SSL enables you to encrypt HTTP requests. Over the past few years it has become more common for public sites that request a username and password to give the user the option to browse the site over either HTTP or HTTPS. For security and ease of use, we believe that authenticated users should always browse the community via HTTPS, because browsing the Internet over insecure wifi access points has become commonplace. Any community that allows its authenticated users to browse via HTTP is open to session hijacking. Current SSL solutions typically require no additional machines or hardware and only a very small amount of CPU resources. For implementation details: See Enabling SSL Encryption. |
| Add VPN | Internal Communities | If you use both SSO login and SSL/HTTPS user access, you shouldn't need VPN, too. However, VPN-only access to the community can be configured for both public and private cloud communities. For implementation details: Contact your IT department to set up VPN-only access to the Jive application. |
| Prevent spam in your community | External Communities | Everyone hates spam, and it can also present security risks. Limit it in your community as much as you can. For implementation details: Preventing Spam includes several suggestions for dealing with spammers and preventing spam in your community. |
| Understand administrative permissions and how they work | External and Internal Communities | Administrative permissions can be a powerful tool for limiting who can make changes to your community. For implementation details: See the Managing Administrative Permissions section. |
| Add an extra username/password verification step for Admin Console access via Apache | External and Internal Communities | Apache includes a couple of features that can help you keep Jive more secure. Jive runs on Tomcat behind an Apache HTTP web server. You can set up Apache features such as IP restrictions or basic authentication for specific URLs using standard Apache HTTP configurations. The main Apache HTTP configuration file for the Jive application is `/usr/local/jive/etc/httpd/conf/httpd.conf`. For requests inside your network, Apache should remain totally open. The security for specific requests (admin pages, file attachments, hidden content) is all enforced at the Tomcat/Java level: for every incoming request, the user's account is looked up and its permissions are checked against that specific request, so users can only access URLs they have permission to view. Some system administrators choose to set IP filtering or basic authentication (via Apache) on the Admin Console. This is primarily useful for externally-oriented Jive communities (those that allow employees as well as vendors and customers as community users) so that ordinary users are unaware of an Admin Console. There is no security risk in leaving the /admin URL exposed. If you implement this, users trying to access any of the Admin Console pages must successfully enter their external username/password combination to gain access. For implementation details: See Apache's documentation. |
| Understand the security of the Jive Genius Recommender Service | External and Internal Communities | This cloud-delivered service communicates between your community and Jive Software via a secure proxy and state-of-the-art encryption protocols. For more details: See Jive Genius Security. |
| Block search robots | External Communities | Search robots can wreak havoc in your community, so it's a good idea to set up robot blockers. For implementation details: See this tutorial. |
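The following is an added example of the Apache-layer Admin Console restriction described in the table; it is not taken from Jive's documentation. It assumes Apache 2.4 authorization syntax (mod_authz_core, mod_auth_basic, mod_authn_file, mod_authz_host), an internal address range of 10.0.0.0/8, and a password file named `admin.htpasswd`, all chosen for illustration.

```apache
# Added example (not Jive's own configuration). Place in the main Jive
# Apache configuration named on this page:
#   /usr/local/jive/etc/httpd/conf/httpd.conf
#
# Create the password file once, outside httpd.conf (path is an assumption;
# keep it outside any directory Apache serves):
#   htpasswd -c /usr/local/jive/etc/httpd/conf/admin.htpasswd <adminuser>

<Location "/admin">
    AuthType Basic
    AuthName "Jive Admin Console"
    AuthUserFile "/usr/local/jive/etc/httpd/conf/admin.htpasswd"

    # Matches the page's guidance: requests from inside the network stay open
    # (assumed internal range 10.0.0.0/8), while everyone else must supply a
    # valid Apache username/password before Tomcat ever sees the request.
    # Tomcat/Java still performs its own permission check afterwards.
    <RequireAny>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAny>
</Location>
```

Changing `<RequireAny>` to `<RequireAll>` instead demands both a permitted source address and a valid password, which is the stricter combination of the two features the table mentions.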