Is it possible to block the access to selected devices?
Is there a two-factor authentication mechanism in connection with clients to the system?
Is there any Identity and access management is in use by the system?
Does the product includes user management mechanisim?
Does the product implement user/password policy?
What type of authentication do you use for your web services?