[Yandex Cloud documentation](../../index.md) > [Security in Yandex Cloud](../index.md) > [Yandex 360 protection and safe use standard, version 1.0.0](index.md) > All sections on one page

# Yandex 360 protection and safe use standard, version 1.0.0

## Introduction {#introduction}

This document offers recommendations for means of technical protection and helps you choose adequate information security measures when using Yandex 360 services.

The recommendations and security measures mentioned in this standard come with links to the APIs and solutions for setting up secure configurations using standard information security tools.

The standard describes the methods and means of verifying compliance with the recommendations, including:

* Yandex 360 UI
* [API Yandex 360](https://yandex.ru/dev/api360/doc/ru/)

### Scope {#scope}

These recommendations are addressed to administrators, technical specialists, and information security specialists responsible for the security of information systems built around Yandex 360 services.

The standard can be used as the basis for developing company-specific recommendations. Not all of the information security measures and recommendations from this document are applicable. Moreover, additional measures and recommendations that are not included in the current standard may be required.

### Standard structure {#structure}

The standard describes recommendations for the following security objectives:

* Account and access permission management.
* Two-factor authentication and account recovery.
* Monitoring and analysis of audit logs.
* Password policy and password management.
* Restricting access to external services and applications.
* Data protection and leak prevention.

### Requirements and preparation {#requirements}

Prior to the checks, make sure that:

* You have the necessary access permissions for the Yandex 360 APIs.
* You are familiar with the documentation for the APIs in question.
* You have access to audit logs and other necessary data.

You can automate the audit of compliance with all recommendations using Yandex 360 API-based scripts.

### Limitation of responsibility {#limitation-of-liability}

Yandex 360 uses the concept of shared responsibility. The limit of responsibility for security depends on the type of platform (SaaS model), built-in protection mechanisms, and policies made available by the provider.

As a service provider, Yandex is responsible for physical security of data centers, supporting a holistic fault-tolerant platform, network infrastructure protection, monitoring and analysis of system-level events, as well as implementation of the Security-by-Default mechanisms: data encryption, anti-spam and anti-DDoS tools, other inbuilt levels of protection.

The client (Organization 360 owner) contributes access setup and management functions: assigns roles (users, managers, admins), implements password policies, enables two-factor authentication, configures networking rules for services (e.g., Yandex Telemost), performs data processing and classification, backups and audits of objects within the organization.

The provider thus guarantees the infrastructure-level security and stability, whereas the client ensures reliable configuration, access control, and data protection within their SaaS organization.

### Terms and abbreviations {#terms}

This document uses the terms and definitions used in the Yandex 360 documentation, as well as generally accepted terms in the field of information security.

# Recommendations for authentication and access management

## Authentication and access management

### Number of organization administrators is minimal {#Y360-1}

**Y360-1**

[Organization 360](https://yandex.com/support/yandex-360/business/admin/ru/org-admin) is a logical container in the Yandex 360 infrastructure which consolidates a company’s employees, domains, groups, and services. You can manage the organization profile, change its owner, configure domains, and work with audit logs via the admin profile.

[Admins](https://yandex.com/support/yandex-360/business/admin/ru/admin) have the widest permissions within a Yandex 360 organization, including management of security settings, employee access, and integrations. With too many admins, the risk of compromising critical functions increases.

{% list tabs group=instructions %}

- Checking from the Yandex 360 console {#yandex-360-console}

  1. [Log in](https://admin.yandex.ru/) as the organization administrator.
  1. Go to the [Employees](https://admin.yandex.ru/users) page.
  1. The rows of users with admin permissions will indicate **Admin**, and their profile images will be marked with the relevant icon.

- Checking via the API {#API}

  To view a list of employees, use the [UserService_List](https://yandex.ru/dev/api360/doc/ru/ref/UserService/UserService_List) REST API method for the [UserService](https://yandex.ru/dev/api360/doc/ru/ref/UserService/) resource. To find users with admin permissions, filter the results by the `isAdmin: true` parameter.

{% endlist %}

**How to implement:**

* Limit the number of admins to one (or the minimum required number).
* For other users with administrative tasks, use roles with restricted permissions. For more information, see [this guide](https://yandex.com/support/yandex-360/business/admin/ru/accounts).

### Second factor is used for domain users and Yandex ID users {#Y360-3}

**Y360-3**

To improve security of access to Yandex 360 corporate services, use two-factor authentication (2FA) for all domain users and Yandex ID users. This means, in addition to their password, a user will need a one-time code delivered by phone call or SMS to log in to their account. Such approach significantly reduces the risk of unauthorized access even if the password has been compromised.

{% list tabs group=instructions %}

- Checking from the Yandex 360 console {#yandex-360-console}

  1. [Log in](https://admin.yandex.ru/) as the organization administrator.
  1. Select **Login confirmation** in the **Security** menu.
  1. Specify the required settings:

      * **Enable for**: Specify `All employees` if you are enabling verification for the entire organization or `Selected employees` if you want to set it up individually.
      * **Warning period**: Time given to users to set up sign-in verification. After this period expires, employees will not be able to postpone its setup.

      {% note info %}

      The **Verification method** setting is non-editable. The priority method for code delivery is a phone call. SMS delivery is used only when phone calls are not available.

      {% endnote %}

  1. Click **Enable**.

  1. If you are enabling login confirmation for specific users, [select](https://yandex.ru/support/yandex-360/business/admin/ru/security/set-2fa#select-users) them.

  1. If you are enabling login confirmation for all organization users, you can forcibly terminate sessions of all user accounts.

- Checking via the API {#API}

  1. To get the 2FA setup status for an organization, use the [Domain2FAService_Get](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/Domain2FAService_Get) REST API method for the [Domain2FAService](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/) resource. Make sure 2FA is enabled for all domain users or selected employees according to your organization’s policy.

  1. To get the 2FA setup status for each domain user, use the [UserService_Get2fa](https://yandex.ru/dev/api360/doc/ru/ref/UserService/UserService_Get2fa) REST API method for the [UserService](https://yandex.ru/dev/api360/doc/ru/ref/UserService/) resource. Make sure the `twofaEnabled` parameter in the response body is set to `true`.

  1. To check that domain users are unable to postpone setting up a second factor, use the [Domain2FAService_Disable](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/Domain2FAService_Disable) REST API method for the [Domain2FAService](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/) resource. Make sure there are no users with active postponement of 2FA setup.

      {% note info %}

      For Yandex ID users, use the available verification options via Yandex ID.

      {% endnote %}

{% endlist %}

**How to implement:**

[Set up](https://yandex.ru/support/yandex-360/business/admin/ru/security/set-2fa#on) two-factor authentication for all employees using Yandex ID or Yandex 360 domain accounts. This is the minimum security standard to adopt in all organizations handling protected or critical information.

### Password policy is enabled in your organization {#Y360-6}

**Y360-6**

An organization must have an active password management policy which requires users to change their passwords at least every six months. This is an additional security measure in case 2FA is not implemented or is not enabled for all users.

{% list tabs group=instructions %}

- Checking via the API {#API}

  To get password policy parameters, use the [DomainPasswordsService_Get](https://yandex.ru/dev/api360/doc/ru/ref/DomainPasswordsService/DomainPasswordsService_Get) REST API method for the [DomainPasswordsService](https://yandex.ru/dev/api360/doc/ru/ref/DomainPasswordsService/) resource. Make sure the `enabled` parameter in the response body is set to `true` and the `changeFrequency` parameter value does not exceed 180 days.
  
  **Response example:**

   ```json
   {"changeFrequency":180,"enabled":true}
   ```
  
  If `enabled: false` or `changeFrequency > 180`, the policy does not comply with Y360-6.

{% endlist %}

**How to implement:**

[Set](https://yandex.ru/dev/api360/doc/ru/ref/DomainPasswordsService/DomainPasswordsService_Update.html) the password policy parameters so that password expiration period does not exceed 180 days and check that users can actually change their passwords.

### Organization owner’s account has recovery tools {#Y360-9}

**Y360-9**

Make sure to set up access recovery options for the organization owner’s account:

  1. Associated phone number (secure phone) for recovery via SMS or phone call.
  1. Two-factor authentication (2FA) to enforce using a second factor.
  
      Specifics:
  
      * For domain users, you can check 2FA via the API.
      * For `@yandex.ru` accounts, you need to perfrom the check manually (the API is not available).

{% list tabs group=instructions %}

- Checking from the Yandex 360 console {#yandex-360-console}

  1. [Log in](https://admin.yandex.ru/) as the organization administrator.
  1. In the security settings, manually check that:
      * There is an associated phone number.
      * 2FA is activated.

- Checking via the API {#API}

  1. To make sure the organization owner’s account has access recovery options configured, use the [UserService_Get](https://yandex.ru/dev/api360/doc/ru/ref/UserService/UserService_Get) REST API method for the [UserService](https://yandex.ru/dev/api360/doc/ru/ref/UserService/) resource. Make sure the `has_security_phone` and `2fa_enabled` parameters in the response body are set to `true`.
  
  1. To check global 2FA settings in an organization, use the [Domain2FAService_Get](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/Domain2FAService_Get) REST API method for the [Domain2FAService](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/) resource. Make sure the `enabled` parameter in the response body is set to `true 2FA`.

{% endlist %}

**How to implement:**

{% list tabs group=instructions %}

- Yandex 360 console {#yandex-360-console}

  1. [Log in](https://admin.yandex.ru/) as the organization administrator.
  1. Select **Login confirmation** in the **Security** menu.
  1. Specify the required settings:
        
      * **Enable for**: Specify `All employees`.
    
  1. Click **Enable**.
  
  For Yandex accounts, transfer the organization ownership to a domain user.

- API {#API}

  To enable 2FA for a domain account, use the [Domain2FAService_Enable](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/Domain2FAService_Enable) REST API method for the [Domain2FAService](https://yandex.ru/dev/api360/doc/ru/ref/Domain2FAService/) resource.

{% endlist %}

# Session and cookie security recommendations

## Session and cookie security

### Cookie lifetime is limited according to the information security policy of your organization {#Y360-2}

**Y360-2**

You can select the time interval before employees need to log in again. By default, session cookie lifetime is unlimited. Set this value to comply with your organization's information security policy. You can do this with an API request. For more information on how to change session cookie lifetime, see [this article](https://yandex.ru/dev/api360/doc/ref/DomainSessionsService/DomainSessionsService_Update.html).

{% list tabs group=instructions %}

- Checking via the API {#API}

    To check the current lifetime value of cookie sessions, use the [DomainSessionsService_Get](https://yandex.ru/dev/api360/doc/ru/ref/DomainSessionsService/DomainSessionsService_Get) REST API method for the [DomainSessionsService](https://yandex.ru/dev/api360/doc/ru/ref/DomainSessionsService/) resource. The `authTTL` parameter in the response body gives the sessions' expiration time in seconds. If `authTTL` equals 0, the lifetime is unlimited.

{% endlist %}

**Guides and solutions to use:**

Set the cookie lifetime parameter to not more than 7 days (604,800 seconds). This will reduce the risks due to potentially compromised sessions and unauthorized access.

{% list tabs group=instructions %}

- API {#API}

    To update the cookie session lifetime value, use the [DomainSessionsService_Update](https://yandex.ru/dev/api360/doc/ru/ref/DomainSessionsService/DomainSessionsService_Update) REST API method for the [DomainSessionsService](https://yandex.ru/dev/api360/doc/ru/ref/DomainSessionsService/) resource.

    **Response example:**

    ```json
    {
    "authTTL": 604800
    }
    ```
    
    Where `authTTL` is time in seconds (in this example, set to 7 days).

{% endlist %}

# Best practices for monitoring and audit

## Monitoring and audit

### Organization users who last logged in more than 30 days ago are blocked {#Y360-5}

**Y360-5**

To minimize the risks of unauthorized access, you should regularly audit user activity. We recommend blocking or deleting accounts that were inactive for more than 30 days. This especially concerns organizations with high turnover of staff, contractors, or temporary employees.

Before implementing this measure, make sure the session cookie lifetime in your organization is limited according to the **Y360-2** standard. This is required for accurate evaluation of user activity.

{% list tabs group=instructions %}

- Checking via the API {#API}

  To get a list of events in the organization’s audit log, use the [get-logs](https://yandex.ru/dev/api360/doc/ru/audit-logs/get-logs) REST API method for the [audit-logs](https://yandex.ru/dev/api360/doc/ru/audit-logs/) resource. Make sure the `occurred_at` parameter value in the response body does not exceed 30 days.

{% endlist %}

**How to implement:**

For added security, we recommend blocking or deleting user accounts that were inactive for more than 30 days, provided you comply with the **Y360-2** standard for session cookies.

[How to block or unblock an employee](https://yandex.com/support/yandex-360/business/admin/ru/users#block-user).

[How to delete an employee account](https://yandex.com/support/yandex-360/business/admin/ru/users#sec_delete).

### Monitoring of audit log events is set up {#Y360-11}

**Y360-11**

This recommendation mandates collection and analysis of audit log events in order to detect potentially dangerous actions and anomalies in the system. Such events may include information about access to files, user activity, system logins, and other actions.

Admins and managers can use audit logs to look into:

1. Events in services:

    * How employees log in to their accounts, e.g., the time and device of their login.
    * Actions employees take with emails and files in their Mail and Disk. For example, you can find out who has moved an email or file.

1. Events in the organization’s profile:

    * Changes in the organization’s profile. For example, you can view what changed in a user’s data and who made those changes.
    * Past searches of other admins in the [email archive](https://yandex.com/support/yandex-360/business/admin/ru/mail/email-archiving/) and how they set up [email rules](https://yandex.com/support/yandex-360/business/admin/ru/mail/rules).

{% list tabs group=instructions %}

- Checking from the Yandex 360 console {#yandex-360-console}

  1. [Log in](https://admin.yandex.ru/) as the organization administrator.
  1. In the left-hand menu, select **Audit logs**.
    
      If you see the **Connect** button, your configuration does not comply with Y360-11.

{% endlist %}

**How to implement:**

To ensure system security, [enable](https://yandex.com/support/yandex-360/business/admin/ru/admin-audit-log#turn-on) collection and analysis of audit log events. This will allow you to timely detect and respond to potential threats.

# Recommendations for data encryption and protection

## Data encryption and protection

### Every domain user has a linked phone number (secure phone) {#Y360-4}

**Y360-4**

For added security, domain users must have a mobile phone number (**secure phone**) linked to each account. In addition to reliable authentication and account recovery, this will also enable two-factor authentication (2FA).

{% list tabs group=instructions %}

- Checking from the Yandex 360 console {#yandex-360-console}

  1. Go to the [Phones](https://id.yandex.com/security/phones) page.
   
      The page will display several numbers if a phone number different from main one was specified in a different Yandex service.

- Checking via the API {#API}

  To get the 2FA setup status for each domain user, use the [UserService_Get2fa](https://yandex.ru/dev/api360/doc/ru/ref/UserService/UserService_Get2fa) REST API method for the [UserService](https://yandex.ru/dev/api360/doc/ru/ref/UserService/) resource. In the response, check that the `hasSecurityPhone` field is set to `true`.
  
  {% note info %}

  For users with a Yandex ID account, this verification mechanism will be implemented at a later stage.

  {% endnote %}

{% endlist %}

**How to implement:**

It is the administrator's duty to have the users' phone numbers [linked](https://yandex.com/support/id/ru/authorization/phone.html) to their domain accounts. This is done to strengthen security and prevent unauthorized access.

### If there is an existing DLP system in place, configure it for Yandex 360 services {#Y360-14}

**Y360-14**

To protect corporate information and minimize the risk of data leaks, we recommend setting up the DLP (Data Loss Prevention) system in Yandex 360 services. DLP automatically detects sensitive information, such as passwords, tokens, secret keys, personal data, etc., and prevents it getting in the hands of unauthorized recipients.

{% list tabs group=instructions %}

- Checking via the API {#API}

  To check if there is a rule for incoming and outgoing mail to be forwarded to a DLP address, use the [RoutingService_GetRules](https://yandex.ru/dev/api360/doc/ru/ref/RoutingService/RoutingService_GetRules) REST API method for the [RoutingService](https://yandex.ru/dev/api360/doc/ru/ref/RoutingService/) resource. Make sure that one of the rules (the first or required one) has the `forward` action to forward emails to a dedicated DLP address (`dlp@domain.ru` or similar).

  **Response example:**

  ```bash
  {
    "terminal": false,
    "condition": {},
    "actions": [
      {
        "data": {"email": "dlp@domain.ru"},
        "action": "forward"
      }
    ],
    "scope": {"direction": "outbound"}
  }
  ```

  Also check the `incoming mail forwarding` setting: we recommend forwarding all correspondence for extended control.

  **How to implement:**

  1. Consider setting up forwarding of outgoing (and, optionally, incoming) mail to a dedicated _DLP mailbox_ for automated analysis:
      * Check if there is a forwarding rule with the help of the `GET https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mail/routing/rules` API request.
      * Make sure that one of the rules has the `forward` action to forward emails to a dedicated DLP address, e.g., `dlp@domain.ru`.
  1. Make sure the DLP mailbox can be accessed externally:
      * Create a dedicated user for integration of the DLP platform with the mailbox.
      * Set up an app-specific password or OAuth access for this user.
  1. Check if email scans are on for:
      * Passwords and password reset requests.
      * Access tokens.
      * SSH, PKI, or VPN private keys.
      * Personal or confidential data (if this is part of the policy).

{% endlist %}

# Tips for integration and third-party services

## Integrations and third-party services

### The organization does not use portal accounts {#Y360-7}

**Y360-7**

The organization does not allow personal accounts with `@yandex.ru` email addresses, as it is not possible to centrally manage security policies for such accounts. Organization ownership must be delegated exclusively to domain users.

{% list tabs group=instructions %}

- Checking via the API {#API}

  To get a list of employees, use the [UserService_List](https://yandex.ru/dev/api360/doc/ru/ref/UserService/UserService_List) REST API method for the [UserService](https://yandex.ru/dev/api360/doc/ru/ref/UserService/UserService_List) resource. Make sure the `email` parameter in the response body does not end with `@yandex.ru`. Personal accounts do not pass the **Y360-7** check.

{% endlist %}

**Guides and solutions to use**:

We recommend avoiding the use of personal `@yandex.ru` portal accounts in the corporate environment. Instead, delegate organization ownership to domain users to enable centralized security policy management and controlled access to corporate resources.

### The organization uses SSO based on a SAML-compatible IdP {#Y360-8}

**Y360-8**

The organization use single sign-on (SSO) access implemented through an external SAML-compatible identity provider (IdP). Domain users must not coexist with SSO accounts. If you do not have a dedicated IdP, you can use Yandex Identity Hub. To do so, create a SAML application in Yandex Identity Hub and configure it both on the Yandex Identity Hub side and the service provider side.

For more information, see [Creating a SAML application in Yandex Identity Hub](../../organization/operations/applications/saml-create.md).

**How to implement:**

We recommend using single sign-on (SSO) through a SAML-compatible IdP for centralized access management and enhanced security. This will simplify the authentication process for users and streamline the management of access to the organization's resources.

### Checking issued OAuth tokens and their permissions available when setting up the application {#Y360-10}

**Y360-10**

This control involves checking that all issued OAuth tokens comply with the principle of least privilege, there are no tokens with excessive permissions, and that only trusted applications and users get to own the tokens. You do this to maintain security and manage access to the services, in particular to:
  * Ensure compliance with the principle of least privilege.
  * Make sure there are no tokens with excessive permissions (e.g., `mail:full_access` or `cloud:admin`).

{% list tabs group=instructions %}

- Performing a check in the Yandex 360 console {#yandex-360-console}

  To check the list of connected applications:

    1. [Log in](https://admin.yandex.ru/) as the organization administrator.
    1. Go to **Security** → **Service applications**.
    1. View the list of all registered applications.
    1. Cross-reference each application with your internal registry of trusted integrations, check for mismatches and suspicious integrations.

  To check scopes:

    1. For each application, copy its Client ID.
    1. Navigate to `https://oauth.yandex.com/client/<client_id>/info`, where `client_id` is the application ID.

    1. Check the page for:
        * Scopes requested by the application.
        * Whether the application has access to sensitive data (mail, calendar, contacts, etc.).
        
    1. Compare the requested permissions against the application's actual needs, check for excessive or suspicious permissions.

  To check authentication:

    1. [Log in](https://admin.yandex.ru/) as the organization administrator.
    1. Go to **Security** → **Devices and activity**.
    1. View the list of active user sessions looking for:
        * Employees with third-party apps connected.
        * Inactive or suspicious sessions.

    1. Optionally, you can:
        * Terminate unnecessary or outdated sessions.
        * Notify users they need to revise their accesses.

  To disconnect applications you do not need:

    1. [Log in](https://admin.yandex.ru/) as the organization administrator.
    1. Go to **Security** → **Service applications**.
    1. Deactivate or remove all unapproved, outdated, or unused applications.
    1. Make sure you leave only applications that:
        * Are officially approved.
        * Satisfy the principle of least privilege.
        * Have no excessive permissions.

- Checking via the API {#API}

  1. To get a list of service applications and their scopes, use the [ServiceApplicationsService_Get](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/ServiceApplicationsService_Get) REST API method for the [ServiceApplicationsService](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/) resource.

  1. To shorten the list of service applications, use the [ServiceApplicationsService_Create](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/ServiceApplicationsService_Create) method for the [ServiceApplicationsService](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/) resource.

  1. To test actual access using a short-lived token, do the following:

      Issue a temporary token for a particular user and check that the operations succeed only within the granted permissions:
      
      ```bash
      curl --location \
      --request POST 'https://oauth.yandex.ru/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
      --data-urlencode 'client_id=<OAuth_service_app_client_id>' \
      --data-urlencode 'client_secret=<OAuth_service_app_client_secret>' \
      --data-urlencode 'subject_token=<user_id>' \
      --data-urlencode 'subject_token_type=urn:yandex:params:oauth:token-type:uid'
      ```

      Where:
        * `OAuth_service_app_client_id`: Client ID of the service app.
        * `OAuth_service_app_client_secret`: Client secret of the service app.
        * `user_id`: User ID.
        * `user_email`: User email in `username@domain.ru` format.

      The response will contain a token for use in Yandex 360 API requests.

{% endlist %}

**How to implement:**

Apply the principle of least privilege to each service app. Maintain a registry (owner, purpose, minimal scopes). Revise at least once per quarter. Use short-lived tokens for one-off tasks, promptly revoke tokens you no longer need. For Disk, use narrow scope permissions where possible (e.g., `cloud_api:disk.app_folder` or `cloud_api:disk.read`).

### Authentication in external OAuth services is banned {#Y360-12}

**Y360-12**

To strengthen information security, we recommend you to ban your employees from authenticating in third-party OAuth services using their corporate accounts. This will prevent corporate OAuth tokens being forwarded to external apps, thus minimizing the risk of phishing, account compromise, and corporate data leaks through external services.

{% list tabs group=instructions %}

- Checking via the API {#API}

  To get the ban status, use the [OauthAccessRestrictionsService_Get](https://yandex.ru/dev/api360/doc/ru/ref/OauthAccessRestrictionsService/OauthAccessRestrictionsService_Get) REST API method for the [OauthAccessRestrictionsService](https://yandex.ru/dev/api360/doc/ru/ref/OauthAccessRestrictionsService/) resource.
  
  Analyze the response:

    * `"restricted": true`: Employees cannot authenticate in third-party services via Yandex 360.
    * `"restricted": false`: The ban needs to be set.

      To set the ban on authentication in external OAuth services, use the [OauthAccessRestrictionsService_Enable](https://yandex.ru/dev/api360/doc/ru/ref/OauthAccessRestrictionsService/OauthAccessRestrictionsService_Enable) REST API method for the [OauthAccessRestrictionsService](https://yandex.ru/dev/api360/doc/ru/ref/OauthAccessRestrictionsService/) resource.

{% endlist %}

**How to implement:**

* [Set](https://yandex.ru/dev/api360/doc/ru/ref/OauthAccessRestrictionsService/OauthAccessRestrictionsService_Get) the ban (`restricted = true`) for all employees with accounts in the corporate domain.
* Revisit this policy from time to time, especially after updates in the organization's management structure or bulk third-party app integrations.

### New service app connections are banned or limited to a list of trusted applications {#Y360-13}

**Y360-13**

To make your organization more protected, service app connections must be limited as much as possible: 
  * Either banned completely (default), or
  * Limited exclusively to a list of pre-approved, trusted applications authorized by your security or IT team. All unauthorized, unknown, or suspicious app must be off the list.

Service apps can request various scopes and interact with corporate resources. Uncontrolled service app integrations greatly increase the risks of data theft, unauthorized access, malware injection, and circumvention of perimeter security policies.

{% list tabs group=instructions %}

- Checking via the API {#API}

  To get the current list of service apps, use the [ServiceApplicationsService_Get](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/ServiceApplicationsService_Get) REST API method for the [ServiceApplicationsService](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/) resource. In the response body, find the `applications` array with objects formatted as follows:

  ```json
  {
    "id": "some_id",
    "scopes": [
      "scope1",
      "scope2"
    ]
  }
  ```

  Analyze the response:
    * Check if the apps are on your organization's internal whitelist of approved service apps.
    * Make sure there are no unknown, unused, or suspicious apps on the list.
    * Review the granted scopes and minimize excessive permissions.

  If no service apps are allowed, the list must be empty.

{% endlist %}

**Guides and solutions to use**:

* By default, [prohibit](https://yandex.ru/dev/api360/doc/ru/ref/ServiceApplicationsService/ServiceApplicationsService_Deactivate) users from connecting any service apps (whitelist only). Audit the list of connected service applications and their scopes on a regular basis.
* Have new connections approved by your information security team and tighten up access control.
* Promptly remove unknown or suspicious apps.