The recent launch of the CAKE Idea Portal has provided our customers with a direct line of communication to share with us the challenges they’re facing and their proposed solutions to overcome those challenges. Based on our community’s recent input, we have moved forward in expanding the CAKE security settings to help further safeguard our customers’ businesses, including Multi-Factor Authentication (MFA), system alerts, and increased API controls.
To help our customers ensure system security, the following is a list of CAKE security features and best practices across system logins and APIs.
System login security settings and notifications
The CAKE platform delivers the following security settings for system login.
First, be sure to use the Multi-Factor Authentication (MFA) functionality within CAKE to log in to your CAKE instance. MFA verifies a user’s identity by requiring multiple credentials and is a critical component of identity and access management. CAKE sends a Time-based One-time Password (TOTP) to an authenticator app (e.g. Google Authenticator or Microsoft Authenticator) on your smartphone to verify credentials and securely access your CAKE platform.
While users do have the option to disable or change security settings within CAKE, we enable our default security settings based on best practices that ensure secure system login. CAKE security settings across admin and partner portals are:
- Failed Login Attempts: 5 attempts
- Admin Portal Session Timeout: 60 minutes
- Password Strength: Strong
- Password Usage History Restriction: 10 passwords
- Password Expiration Policy: 90 days
New this month, the CAKE platform will now notify users via email if there is a login from a new location or device. The platform tracks logins based on IP address and device ID and indicates when your login has been compromised so you can change your credentials. This functionality is in addition to the existing system alert for when login credentials are modified, e.g. if someone changes the email address or password on a contact record.
API security settings
API security is of utmost importance in CAKE.
Our latest platform update encrypts (hides) API keys in the UI, requiring users to click a “show” button to view or copy the API key. This enables the platform to accurately log who accesses the API keys, and when, in case there’s an issue.
To ensure maximum security of your APIs, follow these four best practices:
- Give API keys custom names based on where the key is used. For example, if you want to generate a custom key for a third-party webhook integration, you could name the CAKE API key after the third-party system (e.g. Salesforce).
- Utilize the role access/permission setting for API key visibility so that only the necessary admin users have access to API keys.
- If you know the IP address of the server that will be making API calls, you can whitelist the IP and choose to only allow calls from whitelisted IPs. You can do this through CAKE’s IP Whitelisting for API calls feature.
- Create new API keys often — at least every three months — in case an API key has been compromised.
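The four practices above can be checked as an audit over an inventory of API keys. This is an added example, not CAKE's code or API: the inventory fields, the approved-viewer set, the generic-name list, and the reading of "every three months" as 90 days are all assumptions.

```python
from datetime import date
from ipaddress import ip_address, ip_network

MAX_KEY_AGE_DAYS = 90  # assumption: "every three months" taken as 90 days
GENERIC_NAMES = {"", "default", "api key", "key1", "test"}  # assumption: names that say nothing about usage
APPROVED_VIEWERS = {"admin_ops", "admin_security"}  # hypothetical admin users allowed to view keys

# Constructed inventory; the field names are hypothetical, not a CAKE export format.
KEYS = [
    {"name": "Salesforce", "created": date(2024, 5, 1),
     "viewers": ["admin_ops"], "allowed_ips": ["203.0.113.10"]},
    {"name": "key1", "created": date(2024, 1, 15),
     "viewers": ["admin_ops", "intern"], "allowed_ips": []},
]


def call_allowed(key, source_ip):
    """True if source_ip may use the key; an empty allowlist means no IP restriction."""
    if not key["allowed_ips"]:
        return True
    addr = ip_address(source_ip)
    # strict=False lets an entry be a single address or a CIDR range
    return any(addr in ip_network(entry, strict=False) for entry in key["allowed_ips"])


def audit_key(key, today):
    """Return findings for one key, one per best practice it misses."""
    findings = []
    if key["name"].strip().lower() in GENERIC_NAMES:
        findings.append("name does not identify where the key is used")
    extra = sorted(set(key["viewers"]) - APPROVED_VIEWERS)
    if extra:
        findings.append("visible to users outside the approved set: " + ", ".join(extra))
    if not key["allowed_ips"]:
        findings.append("no IP allowlist: calls accepted from any address")
    age = (today - key["created"]).days
    if age > MAX_KEY_AGE_DAYS:
        findings.append(f"{age} days old: rotate (limit {MAX_KEY_AGE_DAYS})")
    return findings


if __name__ == "__main__":
    today = date(2024, 7, 1)  # fixed date so the sample output is reproducible
    for key in KEYS:
        for finding in audit_key(key, today) or ["ok"]:
            print(f"{key['name']}: {finding}")
```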
CAKE is committed to safeguarding your performance marketing program. To learn more about CAKE security settings, contact your Account Manager or visit our Knowledge Base.