Authentication and access control
Questions 40 to 45 — use a strong approach for identity management — see if the provider audits user accounts and has access controls and passwords for authentication that meet your security needs.
Questions 40 to 45 — authentication and access control
Table 1 lists who is responsible for answering each question. There are multiple questions that both your government organisation and the service provider need to answer.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- Does the government organisation have a strategy for identity management that supports adopting and using public cloud services?
  - If yes — does the public cloud service support the government organisation’s strategy for identity management?
- Is there an effective internal process that ensures that identities are managed throughout their life cycles?
- Is there an effective audit process that is actioned at regular intervals to make sure that user accounts are appropriately managed and protected?
- Have the controls required to manage the risks associated with the ubiquitous access — that is, from any location and using different devices — provided by public cloud been identified?
  - Does the public cloud service meet those control requirements?
- Are all passwords, especially those of system or service administrators, encrypted and in accordance with the complexity requirements in the New Zealand Information Security Manual (NZISM)?
- Is a higher level of assurance required that the party asserting an identity is the authorised user of the account when authenticating to the service?
  - Example — is multi-factor authentication necessary?
Entity | Questions to answer
---|---
Government organisation | 40, 41, 42, 43, 43a, 44, 45
Service provider | 40a, 41, 42, 43, 44, 45
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Independent assurance reports — NZISM
Context and help for questions 40 to 45
The following guidance gives you context and help for answering questions about authentication and access control.
How public cloud affects identity and access management
As the number of public cloud services your organisation is using increases, so too does the administrative overhead for identity management.
Example of needing to create many usernames and passwords
Your government organisation adopts multiple public cloud services.
Without a strong approach to identity management, each of those public cloud services could require the user to create another username and password.
Have an approach to identity and access management
Make sure your government organisation has an approach to identity and access management that:
- supports your organisation’s adoption and use of public cloud services
- takes into account security controls and risks.
Broad network access
The broad network access characteristic of public cloud services creates more need for government organisations to have strong management practices for identity life cycles.
Users can typically access the information held in a public cloud service from any location. This can present a significant risk as employees or contractors may still be able to access the service after they have stopped being employed by your organisation.
Essential characteristics of cloud services
Manage the life cycle of identities
Government organisations should maintain a strong process for managing the life cycle of identities that makes sure that:
- permissions are approved at the right level within your organisation
- role-based access control is detailed enough to properly control permissions
- users are only granted the permissions they need to perform their duties
- users do not accumulate permissions when they change roles within your organisation
- user accounts are removed in a timely manner when someone’s employment ends.
Audit user accounts regularly
Government organisations should regularly audit user accounts for the permissions granted to them.
Remove:
- accounts that are no longer needed
- permissions that users do not need to perform their duties.
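As an added illustration of the life cycle and audit checks above (example code, not from this guidance or any provider's tooling): a review that compares a constructed export of accounts from a cloud service against a constructed HR roster and role-to-permission matrix, and flags leavers who are still active, permissions beyond a user's current role, accounts with no matching person, and dormant accounts. The role names, permission strings and sample dates are assumptions.

```python
from datetime import date

# Constructed sample data (assumption): a role-to-permission matrix, an HR
# roster and an export of accounts from the public cloud service.
ROLE_PERMISSIONS = {
    "analyst": {"crm.read", "reports.view"},
    "manager": {"crm.read", "reports.view", "reports.export"},
    "admin": {"crm.read", "crm.write", "users.manage"},
}
HR_ROSTER = {  # user -> (current role, employment end date or None)
    "alice": ("manager", None),
    "bob": ("analyst", None),  # moved from manager to analyst
    "carol": ("analyst", date(2024, 3, 31)),  # employment has ended
}
CLOUD_ACCOUNTS = [  # (user, permissions held in the service, last login)
    ("alice", {"crm.read", "reports.view", "reports.export"}, date(2024, 5, 2)),
    ("bob", {"crm.read", "reports.view", "reports.export"}, date(2024, 4, 28)),
    ("carol", {"crm.read", "reports.view"}, date(2024, 4, 10)),
    ("dave", {"crm.read"}, date(2023, 9, 1)),  # nobody by this name in HR
]
REVIEW_DATE = date(2024, 6, 1)


def review_accounts(accounts, roster, role_permissions, today, dormant_days=90):
    """Return findings as (user, finding, detail) tuples for an access review."""
    findings = []
    for user, held, last_login in accounts:
        entry = roster.get(user)
        if entry is None:
            findings.append((user, "no-roster-entry", "no matching person in HR"))
        else:
            role, end_date = entry
            if end_date is not None and end_date < today:
                findings.append((user, "leaver-still-active",
                                 f"employment ended {end_date.isoformat()}"))
            # Permissions beyond the current role: accumulated on a role change
            # or granted outside the approval process.
            excess = held - role_permissions[role]
            if excess:
                findings.append((user, "excess-permissions", ", ".join(sorted(excess))))
        if (today - last_login).days > dormant_days:
            findings.append((user, "dormant-account",
                             f"no login for more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_accounts(
            CLOUD_ACCOUNTS, HR_ROSTER, ROLE_PERMISSIONS, REVIEW_DATE):
        print(f"{user:6} {finding:22} {detail}")
```

Each finding maps to one of the list items above: leavers and dormant accounts are removal candidates, and excess permissions show where role-based access control has not kept up with role changes.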
Security controls for bring-your-own-device
Users can also access the information held in a public cloud service from many different devices — sometimes called bring-your-own-device (BYOD). Government organisations must carefully consider the security risks and controls needed to protect their information in BYOD situations.
Example setting restrictions for BYOD situations
Your government organisation adopts a SaaS-based service for customer relationship management (CRM).
For security controls, you may determine that you need to restrict access to specific features and functionality — such as downloading customer records or saving reports. You can apply these restrictions when users access the CRM service:
- from offsite
- from a device that is not owned and managed by your organisation.
Passwords for authentication
Government organisations need to see whether:
- passwords are a sufficient level of assurance that the person authenticating to the service is the owner of the user account, or
- they need stronger authentication — for example, multi-factor authentication.
Access controls and passwords — NZISM