Restricting access to Smartsheet from outside specified IP addresses

Abstract

Smartsheet has no native IP address restriction feature. With an Enterprise account, however, you can use the authentication options setting to allow only an authentication option that itself enforces IP address restrictions, which blocks access from anything other than the specified IP addresses.

Reasons for IP address control

If your organization has high security requirements, you may want to restrict access from anything other than your organization's IP addresses.

Typically, when a company introduces SaaS, it considers "external measures" to prevent a situation where the service can be accessed from outside the office and internal information obtained.

With COVID-19, remote work has become commonplace, and accessing in-house cloud resources from home has become more common. In addition to accessing internal data from personal devices at home or on the go, cloud services are often used to contact colleagues and meet with business partners.

On the other hand, with the rapid increase in remote work, information security problems have surfaced one after another, and concerns about information leakage are increasing.

In addition to measures such as two-step verification, allowing access only from a specific IP address or IP address range specified by the administrator in advance prevents unauthorized access by third parties and strengthens security.

Ideal IP address limiting method

For Microsoft 365

You can control access to OneDrive and Microsoft 365 resources through a setting in the SharePoint admin center. This setting, also known as a location-based policy, allows IP address restriction.

https://docs.microsoft.com/ja-jp/sharepoint/control-access-based-on-network-location

For Salesforce

With Salesforce, enabling "Enforce login IP address restrictions on all requests" limits the IP addresses from which users can access Salesforce to those defined in "Restrict Login IP Addresses".

https://help.salesforce.com/s/articleView?id=000339125&type=1

For Smartsheet

Authentication option restrictions + IP address restrictions in authentication options (Google Workspace, Microsoft 365, etc.)

Unfortunately, Smartsheet has no native IP address restriction feature. On the Enterprise plan, however, the authentication options let you disable the options your organization does not currently need and leave enabled only those that enforce IP address restrictions at login. This lets you restrict logins from anything other than the specified IP addresses.

Examples of authentication options

For Google Workspace

For example, if you use Google Workspace and an SSO service (for example, HENNGE One) that restricts by IP address who can log in to your organization's Google Account, the login flow is as follows:

  1. When the user tries to log in to Smartsheet, Smartsheet asks the SSO service to confirm the user's identity.
  2. The SSO service confirms that the user has not signed in yet.
  3. The SSO service requires the user to log in.
  4. The user's browser is redirected to the SSO login page.
  5. The user enters the user name and password.
  6. Because logins are restricted by IP address, the login succeeds if the user is connecting from, for example, the corporate network, and fails if the request comes from anything other than the specified IP addresses.

Smartsheet → SSO → (SAML Request) → IdP → (SAML Response) → SSO → Smartsheet
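The control only holds if every successful login goes through the IP-restricted option. The following is an added example, not part of the original article: it audits login records for successful logins that used another authentication option or came from outside the approved ranges. The CIDR ranges, the `saml` method name and the event field names are assumptions made for illustration.

```python
import ipaddress

# Assumed values: documentation ranges standing in for corporate egress
# networks, and "saml" as the only approved authentication option.
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]
APPROVED_METHODS = {"saml"}

# Constructed sample events; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"user": "a@example.com", "method": "saml", "ip": "203.0.113.25", "ok": True},
    {"user": "b@example.com", "method": "saml", "ip": "198.51.100.7", "ok": False},
    {"user": "c@example.com", "method": "password", "ip": "198.51.100.7", "ok": True},
    {"user": "d@example.com", "method": "saml", "ip": "::ffff:203.0.113.9", "ok": True},
    {"user": "e@example.com", "method": "saml", "ip": "not-an-ip", "ok": True},
]


def ip_allowed(ip_text, cidrs=ALLOWED_CIDRS):
    """Return True only if ip_text parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # fail closed on anything unparseable
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def audit_logins(events, cidrs=ALLOWED_CIDRS, methods=APPROVED_METHODS):
    """List successful logins that bypassed the intended restriction."""
    findings = []
    for ev in events:
        if not ev["ok"]:
            continue  # a blocked attempt is the control working as intended
        if ev["method"] not in methods:
            findings.append((ev["user"], "unapproved authentication option"))
        elif not ip_allowed(ev["ip"], cidrs):
            findings.append((ev["user"], "source IP outside allowed ranges"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_logins(SAMPLE_EVENTS):
        print(user, "->", reason)
```

A successful password login, as in the third sample event, means another authentication option is still enabled and the IP restriction at the IdP is not being applied to that path.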

For Microsoft 365 (formerly Office 365) 

In the case of Microsoft 365, which Japanese companies often use alongside Google Workspace, IP address restriction in Azure AD is possible with an Active Directory P1 or P2 license.

How to limit

https://docs.microsoft.com/ja-jp/azure/active-directory/conditional-access/howto-conditional-access-policy-location

Required license

https://docs.microsoft.com/ja-jp/azure/active-directory/authentication/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication

Conditional access description

https://docs.microsoft.com/ja-jp/azure/active-directory/conditional-access/overview

Benefits of SSO

With the expansion of remote work during the COVID-19 pandemic, the number of employees using SaaS apps is increasing.
By leveraging SSO, authentication and access control can be centralized on the part of the identity provider, with each user managed by a single internal credential.

Changing or deleting account access rights when employees retire or transfer is a source of concern for the IT department. Even in the organization I was originally from, the IT department was not informed of the transfer information in advance, so when there was a large number of transfers, such as on April XNUMX, the IT department was busy responding.

There is still a lot of manual work, such as group settings, but SAML enables centralized management: users authenticated by the IdP (identity provider) are also authenticated by the SaaS app, which realizes SSO and makes the SaaS app available seamlessly.

Reference

Articles on Smartsheet Enterprise Plan Authentication Options

https://help.smartsheet.com/ja/articles/516133-managing-authentication-options-enterprise-only-

Enterprise plan and other security benefits

Setting up an accepted domain share list

Smartsheet users can be restricted to sharing only within their company's domain. This feature is available with an Enterprise subscription. With it, you can limit the sharing of sheets outside the company and the sending of emails from Smartsheet.
Controlling IP addresses prevents access to Smartsheet from any network other than those approved by your organization, but the possibility remains that rows and sheets are emailed from Smartsheet to external recipients, who can read them without logging in to Smartsheet.
You can mitigate this risk by limiting the approved domain sharing list for your enterprise account.

Managing the types of files that users can attach

Files that users attach to a sheet can be downloaded and printed. Even if access is limited to the networks specified by the IP restriction and sharing is limited to users in approved domains, you need to consider the possibility that a downloaded file leads to information leakage.

Cloud storage services such as Google Drive and Box have functions to restrict downloading and printing, so if you attach files from these services, you can control whether employees outside the office download Smartsheet attachments to a PC, such as one at home.
Note that attachments uploaded from your computer are not controlled by the cloud storage service.

With the Enterprise plan, you can control the types of attachments allowed, so you can be better prepared against information leakage.

Control of enterprise plan content, etc.

Restrictions on publishing sheets, reports, etc.

Publishing sheets, reports, dashboards, etc. is a useful feature, but it also makes the information visible to anyone who knows the link.
In the example of the Smartsheet Admin Center image above, all types of publishing are allowed, but as a stronger precaution against information leakage, it is recommended to turn off "All users with links can access the published sheet etc.".