Enterprise-grade user account protection: Protecting local user accounts for compliance and operational continuity

As enterprises scale their digital operations, securing user accounts becomes critical to prevent operational disruptions, reputational damage, and compliance risks. Dynatrace protects that local user accounts with enterprise-grade security measures, enabling you to focus on innovation without worrying about account takeovers or compliance gaps.

The critical role of user account protection in enterprise security

Most enterprises rely on federated identity providers (IdPs), such as Azure AD or Okta, for user authentication and authorization. Utilizing federated identities is also the most common method for securely accessing Dynatrace. However, hybrid setups that combine federated identities with local Dynatrace accounts are frequently employed in specific scenarios, including:

• External collaborators: Contractors, partners, or users from other organizations who need temporary access.
• Short-lived access: Project-based or engagement-specific accounts that don't justify full IdP integration.
• Administrative or super-user accounts: Critical roles that require guaranteed access, independent of SAML federation, for operational continuity.

These local accounts can be vulnerable to attacks if not properly secured. Dynatrace addresses these risks with robust security measures tailored to protect local user identities.

How Dynatrace safeguards local user accounts

Dynatrace User Account Protection (UAP) is a critical pillar in safeguarding your most valuable asset, your data. While our fine-grained authorization framework ensures that every user only accesses the data they're entitled to, UAP complements this by securing the identities behind those permissions. Together, these measures form a unified approach to data protection and compliance: robust access policies prevent unauthorized visibility, and strong account security prevents unauthorized entry. By combining fine-grained access controls with user account protection, Dynatrace delivers a secure, compliant, and trustworthy observability experience.

^{Figure 2. Account protection comparison: local users vs. federated users}

Dynatrace offers a comprehensive suite of features to safeguard local user accounts stored in the Dynatrace Identity Provider (IdP):

Password policy

Strong password policies are crucial for minimizing the risk of unauthorized access and safeguarding sensitive data. To prevent brute-force attacks, every password must meet strict requirements: it should be a minimum of 12 characters and can be up to 120 characters in length. Additionally, passwords must contain a mix of character types, including at least one uppercase letter, one lowercase letter, one numeral, and one special character.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) significantly reduces the risk of account compromise, safeguarding both individual accounts and the overall environment. Dynatrace provides multiple MFA features to enhance protection. Users can enable login MFA with time-based one-time passwords, which are configured through their preferred authenticator app and required as a second factor during login. For environment access, administrators can enforce MFA to ensure only verified users can access critical resources.

This environment protection can be achieved through an MFA-authenticated session or step-up authentication, where a one-time password is sent to the user via email as an additional verification step. These measures provide a robust defense against unauthorized access.

User account takeover prevention

Dynatrace continuously monitors and prevents suspicious login attempts. These proactive measures make it harder for attackers to exploit accounts, providing early warnings to users:

• Login throttling: Limits repeated failed login attempts; users can retry after a short timeout (typically 3-5 minutes).
• reCAPTCHA integration: Adds human verification for email and password entry, making automated brute-force attacks costly and difficult.
• Suspicious login notifications: Users receive email notifications if unusual authentication activity is detected.

Best practices to secure your Dynatrace user accounts

To provide robust security for user accounts, enterprises should adopt a combination of proactive measures and continuous monitoring.

Key best practices:

• Apply environment MFA: Protect critical information by enforcing multi-factor authentication at the environment level.
• Encourage MFA for non-federated users: Ensure that non-federated users turn on MFA with TOTP for an additional layer of security.
• Restrict access to the account management portal: Limit access to federated users only, as improper group mapping can introduce risks.
• Monitor user activity and token usage: Regularly track user activity and the use of tokens to detect anomalies or inactive accounts.

Implementing these practices will enhance your overall account security and mitigate potential risks.

Protect your user accounts

Dynatrace provides real, enterprise-grade protection for local user accounts, enabling you to stay ahead of modern security threats. For more details on how to set it up properly, please go to our user and group management documentation.