# Security FAQs
Get answers to frequently asked security questions.
What is Workato's approach to security?
Workato has a comprehensive approach to security, including a complete security program with documented policies and procedures, verified by an annual audit, secure development and testing, a secure and scalable infrastructure, and product capabilities that enhance security.
Where can I find an overview of Workato's security practices?
An overview of Workato's security practices is available on the Workato Security Overview page.
What are the essential features associated with access and authentication in Workato?
Workato offers the following access and authentication features:
- Password Policy Enforcement
- Session timeout settings
- Two-Factor Authentication
- Organizational separation
- Separation of development, production, and testing environments
- IP allowlists
- Single Sign-On (SSO) using SAML2.0 authentication
How does Workato enforce password policies?
Workato enforces password length, complexity, and expiration standards for user accounts. Workato does not store passwords themselves; only secure hashes of passwords are stored in its database.
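As an added illustration of what "storing only a secure hash" means in practice, the Go program below is example code, not Workato's implementation, and says nothing about which algorithm or parameters Workato actually uses. It stores a random per-user salt, a deliberately slow derived key (PBKDF2-HMAC-SHA256, written out in full so that only the standard library is needed; where a library is available, a memory-hard function such as Argon2id or scrypt is the better choice) and the parameters needed to verify later, then verifies with a constant-time comparison. The stored record format, the iteration count and the sample password are the example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const (
	// Iteration count taken from OWASP's Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
	pbkdf2Iterations = 600_000
	saltLen          = 16 // bytes of random salt per password
	keyLen           = 32 // bytes of derived key to store
)

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA256 using only the
// standard library: T_i = U_1 xor ... xor U_c, U_1 = HMAC(P, S || INT(i)),
// U_j = HMAC(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// HashPassword returns a self-describing record (algorithm, iterations, salt,
// derived key) that is safe to persist; the password itself is never stored.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, keyLen)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", pbkdf2Iterations, enc(salt), enc(dk)), nil
}

// VerifyPassword re-derives the key from the stored parameters and compares
// in constant time, so response timing does not reveal how close a guess was.
func VerifyPassword(password, stored string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unsupported hash format")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("invalid iteration count")
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || len(want) == 0 {
		return false, errors.New("invalid stored hash") // an empty key would otherwise match anything
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return hmac.Equal(got, want), nil
}

func main() {
	stored, err := HashPassword("correct horse battery staple") // constructed example password
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	ok, _ := VerifyPassword("correct horse battery staple", stored)
	bad, _ := VerifyPassword("correct horse battery stapl", stored)
	fmt.Println("right password accepted:", ok, "- wrong password accepted:", bad)
}
```

Two details are worth noting. The stored string carries its own parameters, so the iteration count can be raised for new passwords without invalidating old records. And the verifier refuses a record whose derived key is empty instead of comparing against it: in this code an empty key would compare equal to an empty derivation, so anyone able to write the hash column could otherwise make every password verify.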
How can organizations configure session timeouts in Workato?
Organizations can set a session timeout duration according to their security needs. Users can also update their timeout duration by navigating to their account settings.
What Two-Factor Authentication options are supported by Workato?
Workato supports the following Two-Factor Authentication mobile apps:
- Google Authenticator
- Microsoft Authenticator
- Authy
How does Workato ensure organizational separation within its platform?
Admins can configure separate workspaces for different teams or business functions. This ensures that users can only access the resources of the workspace to which they are assigned.
What does "separation of environments" in Workato mean?
Workato supports a multi-phase development lifecycle, allowing development, testing, and production activities to occur in separate environments and by different users. Note that this feature is an add-on.
What Single Sign-On (SSO) options does Workato support?
Workato supports integration with third-party SAML-compliant SSO systems and also offers Single Sign-On using third-party credentials. Refer to the SSO sign-up documentation for a complete list of SSO options.
How does Workato handle user provisioning and authorization to minimize data exposure?
Workato follows the principle of least privilege through a Role-Based Access Control (RBAC) model when provisioning system access.
Team admins use RBAC to assign collaborators to projects and folders, grant permissions, and assign pre-configured system roles (Admin, Operator, Analyst) based on the tasks each collaborator performs. You can also configure custom roles to control access to specific features, projects, folders, and more at a granular level.
How does Workato handle connections to external systems securely?
When connecting to external systems, Workato uses OAuth2 whenever possible. If credentials must be stored, they are encrypted using a 256-bit key. Custom OAuth profiles can be created for greater control.
How is data protected within Workato?
All data stored in Workato is encrypted at rest using a strong encryption algorithm (AES-256). Data retention, data masking, and data privacy measures are in place to protect sensitive information.
Workato stores transaction-related data for a limited period that depends on the Workato plan. This retention provides visibility into system activity, supports testing and debugging, and supports long-running transactions.
How is encryption key management handled in Workato?
Workato uses a hierarchical key model for encryption key management with different levels of keys to limit access and exposure. The Customer Main Key (CMK) is at the top of the hierarchy.
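The Go program below is an added illustration of the hierarchical key model described above and of the encrypted storage of connection credentials mentioned under external connections. It is not Workato's code and makes no claim about how Workato's internals are built; it shows the generic envelope-encryption pattern that a CMK-topped hierarchy implies. A `KeyService` type stands in for the top of the hierarchy and holds the CMK versions, which never leave it. Each record (here, a connection's credential) gets its own fresh 256-bit data key, the record is encrypted with AES-256-GCM under that key, and the data key is itself encrypted under the CMK and stored next to the ciphertext, bound to the record ID through GCM's additional authenticated data so it cannot be replayed against another record. Rotating the CMK then means re-wrapping the small data keys, not re-encrypting the data. All type and function names, the `cmk-vN` version labels, and the sample credential are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Every key below is generated locally, so CSPRNG or key-setup failure is a bug, not input: panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) } // 32-byte key: AES-256

// seal returns nonce||ciphertext under a fresh random nonce; aad is authenticated, not encrypted. open reverses it.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func open(key, data, aad []byte) ([]byte, error) {
	if aead := gcm(key); len(data) >= aead.NonceSize() {
		ns := aead.NonceSize()
		return aead.Open(nil, data[:ns], data[ns:], aad) // fails on any modification or a different aad
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// KeyService stands in for the top of the hierarchy (a KMS or HSM): it holds CMK versions and only
// wraps or unwraps data keys with them. No CMK is ever handed out to record-level code.
type KeyService struct {
	versions map[string][]byte
	current  string
}

// RotateCMK adds a new CMK version and makes it current; a zero KeyService is usable after one call.
func (ks *KeyService) RotateCMK() {
	if ks.versions == nil {
		ks.versions = map[string][]byte{}
	}
	ks.current = fmt.Sprintf("cmk-v%d", len(ks.versions)+1)
	ks.versions[ks.current] = randomBytes(32)
}

// WrapDEK encrypts a data key under the current CMK, bound to ctx (the record ID) against replay.
func (ks *KeyService) WrapDEK(dek []byte, ctx string) (string, []byte) {
	return ks.current, seal(ks.versions[ks.current], dek, []byte(ctx))
}
func (ks *KeyService) UnwrapDEK(keyID string, wrapped []byte, ctx string) ([]byte, error) {
	if cmk, ok := ks.versions[keyID]; ok {
		return open(cmk, wrapped, []byte(ctx))
	}
	return nil, fmt.Errorf("CMK version %s is not available", keyID)
}

// EncryptedRecord is what gets persisted; KeyID names the CMK version that can unwrap its DEK.
type EncryptedRecord struct {
	ID, KeyID              string
	WrappedDEK, Ciphertext []byte
}

// EncryptRecord uses a fresh 256-bit data key (DEK) per record, so one exposed DEK reveals one record.
func EncryptRecord(ks *KeyService, id string, plaintext []byte) *EncryptedRecord {
	dek := randomBytes(32)
	keyID, wrapped := ks.WrapDEK(dek, id)
	return &EncryptedRecord{ID: id, KeyID: keyID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(id))}
}
func DecryptRecord(ks *KeyService, r *EncryptedRecord) ([]byte, error) {
	dek, err := ks.UnwrapDEK(r.KeyID, r.WrappedDEK, r.ID)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

// ReWrap moves a record to the current CMK by re-wrapping only its DEK; the bulk ciphertext is untouched.
func ReWrap(ks *KeyService, r *EncryptedRecord) error {
	dek, err := ks.UnwrapDEK(r.KeyID, r.WrappedDEK, r.ID)
	if err != nil {
		return err
	}
	r.KeyID, r.WrappedDEK = ks.WrapDEK(dek, r.ID)
	return nil
}

func main() {
	ks := &KeyService{}
	ks.RotateCMK()
	rec := EncryptRecord(ks, "conn-42", []byte(`{"api_token":"constructed-example"}`)) // constructed sample
	ks.RotateCMK()
	fmt.Println("rewrap:", ReWrap(ks, rec), "now under", rec.KeyID)
	pt, err := DecryptRecord(ks, rec)
	fmt.Println(string(pt), err)
}
```

The separation is what limits exposure: code that handles records only ever sees data keys, the CMK is used solely inside `KeyService`, and a record still wrapped under a CMK version that is no longer available cannot be read, which is why re-wrapping must finish before an old version is retired. In a deployment, the external key management services described under EKM play the `KeyService` role, exposing wrap and unwrap operations rather than the key itself.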
Can Workato's encryption keys be managed using third-party services?
Workato supports Enterprise Key Management (EKM) that allows users to manage their workspace's encryption keys with the help of external key management services.
What is the role of Secrets Management in Workato?
Secrets Management allows you to securely store and retrieve sensitive information like passwords and API tokens. It centralizes credential management, improving security and ease of management.
Workato's Secrets Management feature supports the following secrets managers:
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
You can configure secrets management at either the workspace or project level in Workato. Workato does not support a mixed approach to secrets management.
Last updated: 4/5/2024, 10:15:05 PM