Properly Secure Your Encompass Environment

It is critical that you secure your Encompass environment and your borrower data against all attack vectors.

The Encompass LOS can represent a significant information security risk if not properly secured. As with any security implementation, you must take a layered approach to the security surrounding Encompass to protect your business from a variety of threat vectors.

Threats to your Encompass environment include external account takeover, external attacks against your Encompass server, and internal misuse. Additionally, you need to secure all your user scenarios, whether they be on premise, remote, or in a Citrix (or other virtual) environment.

At Prosurian we recommend a four-part approach to securing Encompass:

1) Only permit access to Encompass from company owned computers.

2) Enforce MFA and SSO.

3) Ensure that all traffic is controlled by IP whitelists.

4) Implement Role-Based Access Control.

Company Owned Computers Only

BYOD (Bring Your Own Device) laptops, while convenient for employees, pose significant data leakage risks for organizations. One of the primary concerns stems from the lack of stringent security protocols on personal devices compared to corporate-owned devices. Employees may unwittingly download malicious software or visit compromised websites, leading to data breaches or malware infections. Additionally, BYOD laptops often lack centralized management, making it difficult for IT departments to enforce security measures such as encryption and access controls. Moreover, employees may store sensitive company data alongside personal information, increasing the likelihood of accidental data exposure or loss.

In a mortgage company or banking environment, users should only be permitted to use properly configured and managed corporate-owned computers. These computers should be configured with a baseline security setup that complies with the operating system manufacturer's best practices or an external standard such as the CIS Benchmarks. Installing Encompass only on a secure, company-owned computer ensures that any loan data stored on the computer is discoverable and can be properly managed.

Secure Login

Multi-factor authentication (MFA) and single sign-on (SSO) are crucial components for securing sensitive applications in today's digital landscape. MFA adds an extra layer of protection by requiring users to verify their identity through multiple factors such as passwords, biometrics, or one-time codes. This significantly reduces the risk of unauthorized access, even if login credentials are compromised.

SSO streamlines the authentication process by allowing users to access multiple applications with a single set of credentials, applying one consistently enforced login policy across all connected systems while providing a seamless user experience. By centralizing authentication and authorization, SSO reduces the likelihood of weak or reused passwords and simplifies the management of access privileges. Together, MFA and SSO create a robust security framework that fortifies sensitive applications against password-based attacks, phishing, and other unauthorized access attempts.

If your MFA/SSO solution supports additional security or application control features, use them. You can, for instance, ensure that users log in to Encompass only from a company-owned computer, preventing a threat actor with compromised credentials from accessing your environment.

IP Whitelisting

IP whitelisting is a fundamental cybersecurity measure that serves as a proactive defense against unauthorized access and malicious activities. By restricting access to specific IP addresses or ranges, organizations can control who can interact with their networks, systems, and applications. This granular control enables organizations to limit access to trusted entities, such as employees or partners, while blocking access from unknown or suspicious sources. This helps prevent unauthorized access attempts, brute force attacks, and other malicious activities originating from unauthorized locations.

Encompass enables IP whitelisting through Server Administration. Traditionally this was an effective tool to restrict access to corporate offices or Citrix pools. In today's remote work environment, many companies have sent employees home without implementing a solution that preserves whitelisting, exposing their servers to remote attacks.

In a remote workforce scenario, it is imperative that you implement a technology that concentrates all your Encompass traffic through known IP addresses so that the IP whitelisting feature can be leveraged.

Proper Access Control

Role-Based Access Control (RBAC) is a crucial security mechanism for managing access rights within an organization. In Encompass this is accomplished through proper Persona and Group configuration. It enhances security by assigning system access to users based on their roles within an organization, rather than on a per-user basis. This ensures that individuals only have access to the information and functionality necessary for their roles, minimizing the risk of unauthorized access to sensitive data.

Moreover, RBAC helps in achieving regulatory compliance by ensuring that access controls are consistently applied and documented throughout the organization. By restricting system access to only what is necessary, RBAC reduces potential attack vectors and helps protect an organization’s critical assets.
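The following Python is an added illustration, not Encompass or Prosurian code, of how the four controls above (corporate-managed device, MFA-backed SSO, IP whitelist, persona-based RBAC) combine into one layered decision for a single login attempt. The allowlisted networks, the persona-to-permission table and the sample login attempts are constructed assumptions; a real deployment would take the device and MFA claims from the identity provider and the persona from Encompass configuration.

```python
"""Layered access-policy check for an Encompass-style LOS login.

Added example (not Ellie Mae/Encompass or Prosurian code). Each login
attempt is evaluated against the four recommended controls: a
corporate-managed device, an MFA-satisfied SSO session, a source IP on the
allowlist, and a persona (RBAC role) that permits the requested action.
Every layer is checked, so a denied attempt reports all failing layers.
All networks, personas, permissions and sample attempts are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: the office egress range plus the single address of a
# remote-access concentrator that funnels work-from-home traffic.
IP_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed persona -> permitted actions table (least privilege per role).
PERSONA_PERMISSIONS = {
    "loan_officer": {"loan.read", "loan.edit"},
    "underwriter": {"loan.read", "loan.edit", "loan.approve"},
    "processor": {"loan.read", "loan.edit", "documents.upload"},
    "auditor": {"loan.read"},
}


@dataclass
class LoginAttempt:
    user: str
    persona: str
    source_ip: str
    device_managed: bool   # device-compliance claim from MDM / the IdP
    mfa_satisfied: bool    # MFA claim carried in the SSO assertion
    action: str            # what the user is trying to do after login


def ip_allowed(ip: str) -> bool:
    """True only if the source address lies inside an allowlisted network.
    Malformed addresses are treated as not allowed rather than raising."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IP_ALLOWLIST)


def evaluate(attempt: LoginAttempt) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). reasons is empty when every layer passes."""
    reasons = []
    if not attempt.device_managed:
        reasons.append("device not corporate-managed")
    if not attempt.mfa_satisfied:
        reasons.append("MFA not satisfied")
    if not ip_allowed(attempt.source_ip):
        reasons.append(f"source IP {attempt.source_ip} not on allowlist")
    permitted = PERSONA_PERMISSIONS.get(attempt.persona, set())
    if attempt.action not in permitted:
        reasons.append(f"persona {attempt.persona!r} lacks {attempt.action!r}")
    return (not reasons, reasons)


def audit(attempts: list[LoginAttempt]) -> dict[str, bool]:
    """Map each user to the allow/deny decision for their attempt."""
    return {a.user: evaluate(a)[0] for a in attempts}


# Constructed sample attempts covering the success path and each failing layer.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "loan_officer", "203.0.113.45", True, True, "loan.edit"),
    # Managed laptop at home, but traffic did not go through the concentrator.
    LoginAttempt("bob", "loan_officer", "192.0.2.77", True, True, "loan.edit"),
    # Auditor persona attempting an action outside its role.
    LoginAttempt("carol", "auditor", "198.51.100.10", True, True, "loan.approve"),
    # Personal device with a password-only session from inside the office range.
    LoginAttempt("dave", "underwriter", "203.0.113.9", False, False, "loan.approve"),
]

if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        allowed, reasons = evaluate(attempt)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{verdict:5} {attempt.user:6} {'; '.join(reasons)}")
```

The point of checking every layer rather than stopping at the first failure is operational: the denial record shows whether a login was blocked only by the IP allowlist (which a remote worker may legitimately trip) or by missing device compliance and MFA, which is the pattern to investigate as a possible credential compromise.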

Schedule your Encompass security consultation with Prosurian today!

Let's start a conversation!

(949) 785-0520
