Skip to main content

Authentication and access control

Questions 40 to 45 — use a strong approach for identity management — see if the provider audits user accounts and has access controls and passwords for authentication that meet your security needs.

Questions 40 to 45 — authentication and access control

Table 1 lists who is responsible for answering each question. There are multiple questions that both your government organisation and the service provider need to answer.

Context and help for questions 40 to 45

Record your answers to these questions in either:

Questions to answer

  1. Does the government organisation have a strategy for identity management that supports adopting and using public cloud services?
    1. If yes — does the public cloud service support the government organisation’s strategy for identity management?
  2. Is there an effective internal process that ensures that identities are managed throughout their life cycles?
  3. Is there an effective audit process that is actioned at regular intervals to make sure that user accounts are appropriately managed and protected?
  4. Have the controls required to manage the risks associated with the ubiquitous access — that is, from any location and using different devices — provided by public cloud been identified?
    1. Does the public cloud service meet those control requirements?
  5. Are all passwords encrypted, especially system or service administrators, in accordance with the complexity requirements in the New Zealand Information Security Manual (NZISM)?
  6. Is there a higher level of assurance required that the party asserting an identity is the authorised user of the account when authenticating to the service?
    • Example — is multi-factor authentication necessary?

Table 1: Who answers each question

Entity Questions to answer
Government organisation 40, 41, 42, 43, 43a, 44, 45
Service provider 40a, 41, 42, 43, 44, 45

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — NZISM

Context and help for questions 40 to 45

The following guidance gives you context and help for answering questions about authentication and access control.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at

How public cloud affects identity and access management

As the number of public cloud services your organisation is using increases, so too does the administrative overhead for identity management.

Example of needing to create many usernames and passwords

Your government organisation adopts multiple public cloud services.

Without a strong approach to identity management, each of those public cloud services could require the user to create another username and password.

Have an approach to identity and access management

Make sure your government organisation has an approach to identity and access management that:

  • supports your organisation’s adoption and use of public cloud services
  • takes into account security controls and risks.

Identification management

Broad network access

The broad network access characteristic of public cloud services creates more need for government organisations to have strong management practices for identity life cycles.

Users can typically access the information held in a public cloud service from any location. This can present a significant risk as employees or contractors may still be able to access the service after they have stopped being employed by your organisation.

Essential characteristics of cloud services

Manage the life cycle of identities

Government organisations should maintain a strong process for managing the life cycle of identities that makes sure that:

  • permissions are approved at the right level within your organisation
  • role-based access control is detailed enough to properly control permissions
  • users are only granted the permissions they need to perform their duties
  • users do not accumulate permissions when they change roles within your organisation
  • user accounts are removed in a timely manner when someone’s employment ends.

Audit user accounts regularly

Government organisations should regularly audit user accounts for the permissions granted to them.


  • accounts that are no longer needed
  • permissions that are not needed for performing their duties.

Security controls for bring-your-own-device

Users can also access the information held in a public cloud service from many different devices — sometimes called bring-your-own-device (BYOD). Government organisations must carefully consider the security risks and controls needed to protect their information in BYOD situations.

Example setting restrictions for BYOD situations

Your government organisation adopts a SaaS-based service for customer relationship management (CRM).

For security controls, you may determine that you need to restrict access to specific features and functionality — such as downloading customer records or saving reports. You can restrict these for when users access the CRM service:

  • when they’re working offsite
  • using a device that is not owned and managed by your organisation.

Passwords for authentication

Government organisations need to see whether:

  • passwords are a sufficient level of assurance that the person authenticating to the service is the owner of the user account, or
  • they need stronger authentication — for example, multi-factor authentication.

Access controls and passwords — NZISM

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated