# Security FAQs

Get answers to frequently asked security questions.

What is Workato's approach to security?

Workato has a comprehensive approach to security, including a complete security program with documented policies and procedures, verified by an annual audit, secure development and testing, a secure and scalable infrastructure, and product capabilities that enhance security.

Where can I find an overview of Workato's security practices?

Our Workato Security Overview page (opens new window) provides an overview of Workato's security practices.

What are the essential features associated with access and authentication in Workato?

Workato offers the following access and authentication features:

How does Workato enforce password policies?

Workato enforces password length, complexity, and expiration standards for user accounts. Workato does not store passwords and only stores secure hashes of passwords in our database.

Clients using password authentication are required to rotate their passwords every 90 days. Workato prohibits password reuse to further safeguard accounts.

How can organizations configure session timeouts in Workato?

Organizations can set a session timeout duration according to their security needs. The default session timeout duration is seven days, but it can be configured to range from 15 minutes to 14 days, depending on the organization’s security policy.

Users can update their timeout duration by navigating to Workspace admin > Settings > General > Session timeout duration.

What two-factor authentication options are supported by Workato?

Workato supports the following two-factor authentication mobile apps:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
How does Workato ensure organizational separation within its platform?

Admins can configure separate workspaces for different teams or business functions. This ensures that users can only access the resources of the workspace to which they are assigned.

What does "separation of environments" in Workato mean?

Workato supports a multi-phase development lifecycle, allowing development, testing, and production activities to occur in separate environments and by different users. The Environments feature is available to customers on specific pricing plans.

What single sign-on (SSO) options does Workato support?

Workato supports integration with third-party SAML-compliant SSO systems and offers single sign-on using third-party credentials. Refer to the SSO documentation for a complete list of SSO options.

How does Workato handle user provisioning and authorization to minimize data exposure?

Workato follows the principle of least privilege through a role-based access control (RBAC) model when provisioning system access.

Workspace admins use RBAC to assign collaborators to projects and folders, grant permissions, and pre-configured system roles (Admin, Operator, Analyst) based on their tasks. You can also configure custom roles to control access to specific features, projects, folders, and more on a granular level.

How does Workato handle connections to external systems securely?

When connecting to external systems, Workato uses OAuth 2.0 whenever possible. If credentials must be stored, they are encrypted using a 256-bit key. Custom OAuth profiles can be created for greater control.

How is data protected within Workato?

All data stored in Workato is encrypted at rest using a strong encryption algorithm (AES-256). Data retention, data masking, and data privacy measures are in place to protect sensitive information.

Workato stores transaction-related data for a limited period based on the Workato plan, allowing system activity visibility, testing, debugging, and support for long-running transactions.

How is encryption key management handled in Workato?

Workato uses a hierarchical key model for encryption key management with different levels of keys to limit access and exposure. The Customer Main Key (CMK) is at the top of the hierarchy.

Can Workato's encryption keys be managed using third-party services?

Workato supports Enterprise Key Management (EKM) that allows users to manage their workspace's encryption keys with the help of external key management services.

What is the role of Secrets Management in Workato?

Secrets Management allows you to securely store and retrieve sensitive information like passwords and API tokens. It centralizes credential management, improving security and ease of management.

Workato's Secrets Management feature supports the following secrets managers:

  • AWS Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault

You can configure secrets management at either the workspace or project level in Workato. Workato does not support a mixed approach to secrets management.


Last updated: 11/5/2024, 6:04:00 PM