IP whitelisting for an organization and API key
Matan Heled
In order to prevent damage in the event of a leakage of an API key, extra security measures are needed.
By whitelisting specific IP addresses for a Port organization, you reduce the impact of a leakage of API keys for an organization.
Adding whitelisting at the organization level and at the API key level will help protect customers' data.
Kieron Wilkinson
Hopefully it helps adding my use case, which I suspect is quite common. I work for a large company in the finance industry. As much as I'm excited about the capabilities Port offers, I don't feel that I can argue for its adoption in the company without this feature.
As with all the other SaaS products we adopt, we need a way to configure Port to only accept traffic from our network egress IPs, so only devices within our network boundary can access our Port instance. Currently it appears that compromising company data from Port is a credential leak away.
Within our tightly regulated industry we need multiple levels of security controls as well as evidencing that we can protect against both external and internal threats. To do that, we need to ensure we have sufficient data loss protection so that somebody who leaves the company, or even an existing disgruntled employee, has no way of accessing our systems and data by swapping to their personal device. Currently from what I can see, an employee on our instance would be able to generate an API token (https://docs.getport.io/api-reference/port-api#authentication), type that into a personal device and use it to access company data off network.
Matan Grady
Kieron Wilkinson, your concern is clear; we will look into this possibility in the future.