This document outlines recommended security best practices for deploying and operating BillRun in production environments.
These guidelines apply to both standalone and enterprise deployments, with additional considerations for Enterprise Edition features.
Security is a shared responsibility between BillRun and the deploying organization. Proper configuration, access control, and operational discipline are essential to maintaining a secure system.
For production and regulated environments, it is strongly recommended to use external authentication providers (SSO) such as OpenID Connect.
Benefits include:
- Centralized identity management.
- Enforced organizational password policies.
- MFA enforcement outside of BillRun.
- Reduced credential exposure.
When external authentication is enabled:
- BillRun does not store user passwords.
- Authentication relies on signed, time-bound tokens.
- User access is governed by mapped roles and permissions.
If local authentication is required:
- Enforce strong password policies.
- Disable or remove unused local accounts.
- Restrict local authentication to trusted networks.
- Avoid using local authentication for privileged users in production.
Authorization and Role Management
- Assign users the minimum permissions required to perform their role.
- Avoid granting administrative access unless strictly necessary.
- Separate operational roles (billing, CRM, finance, support).
For external authentication:
- Explicitly validate role claims received from the Identity Provider.
- Avoid implicit or default role assignment.
- Regularly audit role mappings against organizational policy.
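The token checks listed above (signed, time-bound tokens) and the explicit role-claim validation under external authentication, as an added illustration that is not BillRun's own code. It assumes a hypothetical IdP issuer, a client audience, a group-to-role table and an HS256 shared key purely so it runs offline; a real OIDC deployment verifies the provider's asymmetric signature with its published keys, and everything else (pinned algorithm, issuer/audience/expiry checks, no default role) carries over unchanged.

```python
import base64, hashlib, hmac, json

# Constructed values for this example, not BillRun's real configuration:
# the expected issuer/audience of a hypothetical IdP and an explicit mapping
# from IdP group claims to BillRun roles. Groups not listed map to nothing.
EXPECTED_ISS = "https://idp.example.com"
EXPECTED_AUD = "billrun-portal"
ROLE_MAP = {"billing-ops": "billing", "finance-team": "finance"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP: mints an HS256 JWT so the example runs offline
    (a real provider signs asymmetrically and publishes its public keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes, now: float) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; ValueError on failure."""
    header, payload, sig = token.split(".")  # wrong part count raises ValueError
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must never choose how it is verified
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))  # parsed only after the signature checks out
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):  # time-bound: a missing exp is treated as expired
        raise ValueError("expired or missing exp")
    return claims

def map_roles(claims: dict) -> set:
    """Explicit mapping only: unmapped groups are dropped; no mapped group means no access."""
    roles = {ROLE_MAP[g] for g in claims.get("groups", []) if g in ROLE_MAP}
    if not roles:
        raise PermissionError("no mapped role")
    return roles

def authorize(token: str, key: bytes, now: float):
    # Returns (roles, None) on success, or (set(), reason) when access is denied.
    try:
        return map_roles(verify_token(token, key, now)), None
    except (ValueError, PermissionError) as err:
        return set(), str(err)
```

The denial reasons are what the authentication log should record per failed attempt; note that an unknown group never falls through to a default role.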
Network and Transport Security
- Enforce HTTPS for all BillRun endpoints.
- Use TLS certificates issued by a trusted CA.
- Disable weak TLS versions and ciphers.
- Restrict access to BillRun services using firewalls or security groups.
- Expose only required ports to the public internet.
- Isolate database and internal services from public access.
Secrets and Configuration Management
- Never commit secrets (client secrets, database credentials, API keys) to source control.
- Store secrets using secure mechanisms (environment variables, secret managers, vaults).
- Restrict access to configuration files at the OS level.
- Periodically rotate:
  - OIDC client secrets.
  - Database credentials.
  - Service-to-service tokens.
- Immediately rotate credentials after suspected compromise.
Auditability and Traceability
Authentication and Access Logs
- Enable logging for authentication events.
- Track successful and failed login attempts.
- Retain logs according to compliance requirements.
- Log configuration changes affecting authentication and authorization.
- Maintain traceability for:
  - Role changes.
  - Permission updates.
  - Provider configuration changes.
Deployment and Infrastructure Security
- Maintain strict separation between:
  - Development
  - Staging / Pre-Production
  - Production
- Never reuse credentials across environments.
Patch and Update Management
- Keep BillRun and all dependencies up to date.
- Apply security patches promptly.
- Regularly review third-party component advisories.
Backup and Recovery
- Perform regular backups of:
  - Configuration
  - Databases
  - Critical metadata
- Encrypt backups at rest.
- Periodically test restore procedures.
- Ensure backup access is tightly controlled.
These best practices support alignment with common compliance frameworks, including:
- SOC 2
- ISO 27001
- Internal security audits
Final compliance responsibility remains with the deploying organization and its policies.