Security Considerations
Protect your NetSuite account and data.
Security Basics
SECURITY LAYERS
===============================================================================
Layer 1: ACCESS CONTROL
├── Who can log in?
├── What can they do?
└── What data can they see?
Layer 2: AUTHENTICATION
├── Strong passwords
├── Two-Factor Authentication (2FA)
└── Session management
Layer 3: MONITORING
├── Login audits
├── Change tracking
└── Suspicious activity alerts
Must-Do Security Settings
1. Enable Two-Factor Authentication (2FA)
ENABLING 2FA
===============================================================================
For Your Account:
Step 1: Home > Set Preferences > Security
Step 2: Click "Set Up Two-Factor Authentication"
Step 3: Choose method (Authenticator app recommended; SMS and e-mail codes are weaker)
Step 4: Follow setup wizard
Step 5: Save backup codes offline, not in e-mail or a shared drive
For All Admins (require it):
Setup > Company > Two-Factor Authentication
├── Require 2FA for: Administrator roles ✓
├── Also require it for custom roles that carry sensitive permissions (payroll, banking, user management)
└── Applies on next login
Note: NetSuite already enforces 2FA on the Administrator role and other highly privileged standard roles; the per-role setting is how you extend that requirement to your custom roles.
2. Set Password Policy
PASSWORD POLICY SETTINGS
===============================================================================
Navigation: Setup > Company > Login Restrictions
Recommended Settings:
├── Minimum Password Length: 12+ characters
├── Require Mixed Case: ✓
├── Require Numbers: ✓
├── Require Special Characters: ✓
├── Password Expiration: 90 days (optional where 2FA is enforced; NIST SP 800-63B advises against forced periodic rotation because it pushes users toward predictable variations)
└── Lockout After Failed Attempts: 5 attempts (also blunts password spraying, not just single-account brute force)
3. Configure Session Timeout
SESSION TIMEOUT
===============================================================================
Navigation: Setup > Company > General Preferences
Setting:
├── Session Idle Timeout: 60 minutes at most; shorter (15-30) for roles with admin or financial permissions
└── Applies to all users
Why: Limits how long an unattended or stolen session cookie stays usable
IP Address Restrictions
Limit where users can log in from:
IP RESTRICTIONS
===============================================================================
Option 1: Company-Wide (all users)
Navigation: Setup > Company > Company Information
├── IP Address Rules section
├── Add allowed IP ranges
└── Users outside range = blocked
Option 2: Role-Based
Navigation: Role > Restrictions subtab
├── IP Address section
├── Add allowed ranges for this role
└── More flexibility per role
Common Uses:
- Admin role: Office IP only
- All users: Home + office IPs
- API users: Server IPs only
Caveats:
- Before saving a company-wide rule, keep a second administrator session open from an allowed address so a typo cannot lock everyone out
- Egress addresses drift: VPN and NAT pools, cloud outbound IPs and home connections all change, so revisit the list whenever infrastructure changes
- Role-based rules only help if the user cannot simply switch to a role that has none; pair them with least-privilege role assignment
Role-Based Security
Principle of Least Privilege
LEAST PRIVILEGE = MINIMUM ACCESS NEEDED
===============================================================================
Bad:
├── Everyone is Admin
├── All roles have Full access
└── No restrictions
Good:
├── 2-3 Administrators max
├── View-only where possible
└── Restrict by dept/location
Security-Focused Role Design
| Role Type | Permission Approach |
|---|---|
| Admin | Full access (few people) |
| Manager | Edit own area, view others |
| Staff | Create/edit own work only |
| Viewer | View only, no changes |
| External | Minimal access needed |
Monitoring & Auditing
Login Audit Trail
REVIEWING LOGIN AUDIT
===============================================================================
Navigation: Setup > Users/Roles > View Login Audit Trail
Look for:
├── Failed login attempts (brute force or password spraying?)
├── Logins from unusual locations (new country, or outside your office ranges)
├── Logins at unusual times (especially for admin roles)
└── Concurrent sessions for one user from different IPs (shared or stolen credentials)
Review Frequency: Weekly (at minimum); export the trail so you can keep a baseline per user
What to Watch For
| Red Flag | Might Mean | Action |
|---|---|---|
| Many failed logins from one IP | Brute force or password spraying | Block the IP (IP Address Rules), confirm no targeted account logged in successfully, reset any that did |
| Login from new country | Compromised account (or travel/VPN) | Verify with the user out of band; if unconfirmed, reset the password and revoke active sessions |
| Admin login at 3 AM | Suspicious activity (or a scheduled job run by hand) | Investigate: confirm with the admin and review what changed during that session |
| Unusual number of record changes | Data manipulation, or a runaway script/integration | Audit the records (System Notes) and the role or token that made the changes |
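The checks in the two lists above can be run mechanically over an export of the login audit trail. The following is an added example, not NetSuite's own code: it assumes the trail was exported to CSV with the columns used in the constructed SAMPLE_CSV (real exports name their columns differently by account and release, so map them into this shape first), and the office range, admin role names and thresholds are assumptions to tune for your account. It goes one step past the table by keeping a per-user country baseline, so "new country" means new for that user rather than new for the company.

```python
"""Scan an exported NetSuite Login Audit Trail for the red flags listed above.

Added example, not NetSuite's own code. Column names, office range, admin
role names and thresholds are assumptions; adjust them for your account.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (RFC 5737 documentation addresses, fictional users).
SAMPLE_CSV = """date,user,role,status,ip,country
2024-05-06 08:02:11,alice@example.com,Administrator,Success,203.0.113.10,US
2024-05-06 08:05:40,bob@example.com,Sales Rep,Success,203.0.113.22,US
2024-05-06 08:06:02,bob@example.com,Sales Rep,Success,198.51.100.7,DE
2024-05-06 22:14:09,mallory@example.com,Sales Rep,Failure,192.0.2.55,RU
2024-05-06 22:14:15,carol@example.com,Sales Rep,Failure,192.0.2.55,RU
2024-05-06 22:14:21,dave@example.com,Sales Rep,Failure,192.0.2.55,RU
2024-05-06 22:14:27,erin@example.com,Sales Rep,Failure,192.0.2.55,RU
2024-05-06 22:14:33,alice@example.com,Administrator,Failure,192.0.2.55,RU
2024-05-07 03:01:17,alice@example.com,Administrator,Success,192.0.2.55,RU
"""

# Assumed tuning: the office allowlist (same ranges as your IP Address Rules),
# which roles count as admin, and what "many" and "unusual time" mean.
OFFICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_ROLES = {"Administrator"}
FAILED_LOGIN_THRESHOLD = 5            # failures from one IP before flagging
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 in the export's timezone
CONCURRENT_WINDOW = timedelta(minutes=10)


def parse_audit_csv(text):
    """Parse the export and return rows sorted by time, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["when"])
    return rows


def find_red_flags(rows):
    """Single pass over the rows, emitting one dict per red flag."""
    flags = []
    failures_by_ip = Counter()
    countries_seen = defaultdict(set)   # user -> countries of past successes
    last_success = {}                   # user -> (when, ip)

    for row in rows:
        ip = ipaddress.ip_address(row["ip"])
        user, when = row["user"], row["when"]

        if row["status"] != "Success":
            failures_by_ip[row["ip"]] += 1
            # Flag once, at the moment the threshold is crossed.
            if failures_by_ip[row["ip"]] == FAILED_LOGIN_THRESHOLD:
                flags.append({"flag": "brute_force", "ip": row["ip"], "when": when})
            continue

        # Successful login from a country this user has never used before.
        if countries_seen[user] and row["country"] not in countries_seen[user]:
            flags.append({"flag": "new_country", "user": user,
                          "country": row["country"], "when": when})
        countries_seen[user].add(row["country"])

        # Two successes from different IPs within a short window: shared or
        # stolen credentials, or a hijacked session.
        prev = last_success.get(user)
        if prev and prev[1] != row["ip"] and when - prev[0] <= CONCURRENT_WINDOW:
            flags.append({"flag": "concurrent_logins", "user": user,
                          "ips": (prev[1], row["ip"]), "when": when})
        last_success[user] = (when, row["ip"])

        # Admin-specific checks: off-hours and off-network.
        if row["role"] in ADMIN_ROLES:
            if when.hour not in BUSINESS_HOURS:
                flags.append({"flag": "off_hours_admin", "user": user, "when": when})
            if not any(ip in net for net in OFFICE_RANGES):
                flags.append({"flag": "admin_outside_office", "user": user,
                              "ip": row["ip"], "when": when})
    return flags


def summarize(flags):
    """Count flags by type, for the weekly review summary."""
    return dict(Counter(f["flag"] for f in flags))


if __name__ == "__main__":
    for flag in find_red_flags(parse_audit_csv(SAMPLE_CSV)):
        print(flag)
```

On the constructed sample this reports six flags: the five failures from 192.0.2.55 trip the brute-force threshold, bob logs in from DE seconds after a US login (new country plus concurrent sessions), and the later admin success from the same attacking IP at 03:01 is flagged as both off-hours and outside the office range, which is exactly the pattern that should trigger a password reset and session revocation rather than a note in the weekly summary.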
API and Integration Security
If you have integrations:
INTEGRATION SECURITY
===============================================================================
Token-Based Authentication (TBA):
├── Preferred over password-based (no user credentials in the integration; password expiry cannot break it)
├── Signed requests (OAuth 1.0a with HMAC-SHA256): the token secret is shown once at creation and is never sent on the wire
├── Create specific tokens per integration
├── Revoke easily if compromised (revoking one token leaves the others working)
└── Setup: Setup > Integration > Manage Tokens
Best Practices:
├── Separate role for each integration
├── Minimum permissions needed (never the Administrator role)
├── Log all API activity
└── Rotate tokens periodically (at least annually), and immediately when someone with access to the secret leaves
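To see what a TBA request actually carries, here is an added example (not NetSuite's or Oracle's code) that builds the Authorization header from scratch: OAuth 1.0a parameters, the signature base string, and an HMAC-SHA256 signature keyed with the consumer secret and token secret, with the account ID as the realm. The account ID, RESTlet URL, script/deploy IDs and every key and secret are constructed placeholders; in practice the secrets come from a secrets store, one token per integration.

```python
"""Sign a NetSuite request with Token-Based Authentication (OAuth 1.0a, HMAC-SHA256).

Added example, not NetSuite's own code. All identifiers and secrets below are
constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

# Constructed credentials: load these from a secrets store in real use, never
# from source control. One token per integration keeps revocation surgical.
ACCOUNT_ID = "123456"            # sandbox realms look like "123456_SB1"
CONSUMER_KEY = "ck"
CONSUMER_SECRET = "cs"
TOKEN_ID = "tk"
TOKEN_SECRET = "ts"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ left bare)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted 'k=v' parameter string.

    params must hold both the query parameters and the oauth_* parameters
    (everything except oauth_signature). The base URL excludes the query.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret):
    """Base64 HMAC-SHA256 over the base string, keyed with both secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def tba_authorization_header(method, url, query, *, nonce=None, timestamp=None):
    """Build the Authorization header for one request.

    nonce and timestamp default to fresh values; fixed ones are for testing
    only. NetSuite rejects replays, so regenerate the header per request, and
    send exactly the same query parameters on the URL that were signed here.
    """
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN_ID,
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = sign(base, CONSUMER_SECRET, TOKEN_SECRET)
    fields = ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return f'OAuth realm="{ACCOUNT_ID}", {fields}'


if __name__ == "__main__":
    url = f"https://{ACCOUNT_ID}.restlets.api.netsuite.com/app/site/hosting/restlet.nl"
    print(tba_authorization_header("GET", url, {"script": "123", "deploy": "1"}))
```

Two things worth noticing for the security review: the token secret only ever feeds the HMAC key and never appears in the header, which is why a captured request cannot be replayed after the nonce/timestamp window, and any mismatch between the signed parameters and the ones actually sent (a query parameter added after signing, a trailing slash on the URL) produces a signature failure rather than an accidentally broader request.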
Quick Security Checklist
SECURITY AUDIT CHECKLIST
===============================================================================
□ ACCOUNTS
├── 2FA enabled for all admins: ✓
├── Password policy enforced: ✓
└── Inactive users removed: ✓
□ ACCESS
├── Admin count minimized (2-3): ✓
├── Roles follow least privilege: ✓
└── Restrictions applied: ✓
□ MONITORING
├── Login audit reviewed weekly: ✓
├── Role changes tracked: ✓
└── Alerts for admin access: ✓
□ INTEGRATIONS
├── Token-based auth used: ✓
├── Integration roles minimal: ✓
└── Tokens rotated on a schedule (at least annually) and on staff departure: ✓
Quick Reference
| I want to... | Go to |
|---|---|
| Enable 2FA | Home > Set Preferences > Security |
| Set password rules | Setup > Company > Login Restrictions |
| Restrict by IP | Setup > Company > Company Information |
| View login history | Setup > Users/Roles > View Login Audit Trail |
| Manage tokens | Setup > Integration > Manage Tokens |
Do's and Don'ts
| Do | Don't |
|---|---|
| Enable 2FA for all admins | Share admin credentials |
| Review logins weekly | Ignore failed login patterns |
| Limit admin count | Give admin to everyone who asks |
| Use restrictions | Give full access unnecessarily |
| Document security settings | Make changes without documentation |
Key Takeaways
- 2FA is essential - especially for admins
- Least privilege - give minimum access needed
- Monitor regularly - review logins weekly
- Limit admins - 2-3 maximum
- IP restrictions - add extra layer for sensitive roles
Related Topics
- Administrator Role - Admin security
- Auditing - Activity tracking
- Role Restrictions - Data restrictions