1. Overview

IAM-06 Privileged Access Rights

Designation | Standard
IAM-06.01B Privileged access rights for internal and external personnel as well as technical users of the cloud service provider are assigned and changed in accordance with the policy for managing identities and access rights (cf. IAM-01) or a separate specific policy.

Privileged access rights in the sense of the IAM-06 criteria are those that enable personnel of the cloud service provider to perform any of the following activities:

1. Read or write access to the cloud service customers' data processed, stored or transmitted in the cloud service, unless such data is encrypted or the encryption can be deactivated for access by the cloud service provider; and
2. Changes to the operational and/or security configuration of the system components in the production environment, in particular the starting, stopping, deleting or deactivating of system components, if this can affect the confidentiality, integrity or availability of the cloud service customers' data (also indirectly, e.g. by deactivating the logging and monitoring of security-relevant events).

IAM-06.02B Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ('need-to-know-principle').

IAM-06.03B Anonymous technical users are only accessed through authentication with a personalised identity.

IAM-06.04B Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases.

IAM-06.05B The logged information is automatically monitored for defined events that may indicate misuse.

IAM-06.06B When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action.

Responsible personnel for events that may indicate misuse can be e.g. the personnel of the cloud service provider's security operations centre.

Misused privileged access rights can be treated e.g. as a security incident, cf. SIM-01.

IAM-06.07B In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04.

IAM-06.08B For containers and images, activities of users with privileged access are logged according to OPS-10.

IAM-06.09B Access to the cloud service provider's administration interfaces requires the use of multi-factor authentication.

IAM-06.01AC The cloud service provider maintains an inventory of the identities with privileged access rights under its responsibility. This inventory is kept up-to-date.

IAM-06.02AC The cloud service provider maintains a list of the personnel responsible for an identity assigned to a non-human entity within the cloud service provider's scope of responsibility. This list is reviewed every six months and in case of significant changes to the cloud service.

If a review is caused by significant changes to the cloud service, only the parts of the list that are affected by the change need to be included in the review.

IAM-06.03AC For privileged users, phishing-resistant multi-factor authentication such as FIDO2 security keys or comparable mechanisms using public key cryptography and domain binding is implemented.

IAM-06.04AC Privileged access rights are enforced through a privileged access management (PAM) solution with support for 'just-in-time' elevation and 'just-enough' access.
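
The criteria above state what a privileged-access control has to achieve but not how the pieces fit together. The following Python model is an added example, not text or code from the C5 catalogue or from any PAM product: it shows personalised, time-limited, task-scoped just-in-time grants (IAM-06.02B, IAM-06.03B, IAM-06.04AC), an audit trail of every privileged action (IAM-06.04B), automated monitoring of that trail for the defined events the criterion itself names, i.e. access to customer data and deactivation of logging or monitoring (IAM-06.05B), notification of responsible personnel (IAM-06.06B), and an inventory of identities currently holding privileged rights (IAM-06.01AC). The identity names, scopes, the two-hour elevation cap and the timestamps are constructed sample values, not values from the page.

```python
"""Minimal privileged-access broker model (added example, not from C5 or any product)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

MAX_ELEVATION = timedelta(hours=2)            # assumed policy value, not from the page
DEMO_START = datetime(2024, 1, 1, 9, 0)       # constructed timestamp for the demo
# Defined events the monitor alerts on (IAM-06.05B); both follow from the criterion's
# own definition of privileged activity (customer data access, disabling logging/monitoring).
DEFINED_EVENTS = {"customer_data_read", "customer_data_write",
                  "logging_disabled", "monitoring_disabled"}


@dataclass
class Grant:
    identity: str        # personalised identity, never a shared or anonymous account
    scope: str           # the single system or task the grant is needed for ('just-enough')
    start: datetime
    end: datetime        # 'just-in-time': the grant expires on its own
    justification: str   # e.g. a change or incident ticket reference


@dataclass
class AuditEntry:
    at: datetime
    identity: str
    scope: str
    action: str
    allowed: bool


@dataclass
class PrivilegedAccessBroker:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def request_elevation(self, identity, scope, duration, justification, now):
        """Just-in-time elevation: personalised, scoped, capped in duration (IAM-06.02B/04AC)."""
        if identity.startswith("svc-") or identity in ("root", "admin"):
            raise PermissionError("elevation requires a personalised identity (IAM-06.03B)")
        if not justification:
            raise PermissionError("elevation requires a documented reason")
        grant = Grant(identity, scope, now, now + min(duration, MAX_ELEVATION), justification)
        self.grants.append(grant)
        return grant

    def active_grant(self, identity, scope, now):
        """Return the grant that currently covers this identity and scope, if any."""
        return next((g for g in self.grants
                     if g.identity == identity and g.scope == scope
                     and g.start <= now < g.end), None)

    def perform(self, identity, scope, action, now):
        """Authorise a privileged action against the current grants and log it (IAM-06.04B)."""
        allowed = self.active_grant(identity, scope, now) is not None
        self.audit_log.append(AuditEntry(now, identity, scope, action, allowed))
        return allowed

    def inventory(self, now):
        """Identities that hold privileged rights right now (IAM-06.01AC)."""
        return sorted({g.identity for g in self.grants if g.start <= now < g.end})


def monitor(audit_log, notify: Callable[[str], None]):
    """Scan the trail for defined events and inform responsible personnel (IAM-06.05B/06B)."""
    alerts = []
    for e in audit_log:
        reason = None
        if not e.allowed:
            reason = "privileged action attempted without an active grant"
        elif e.action in DEFINED_EVENTS:
            reason = f"defined event '{e.action}' by privileged user"
        if reason:
            msg = f"{e.at.isoformat()} {e.identity} {e.scope} {e.action}: {reason}"
            alerts.append(msg)
            notify(msg)          # e.g. a ticket or page to the SOC; here a plain callback
    return alerts


def demo():
    """Constructed scenario: one valid grant, one expired use, one user without a grant."""
    t0 = DEMO_START
    broker = PrivilegedAccessBroker()
    # alice asks for 8 hours; the policy cap reduces the grant to 2 hours
    broker.request_elevation("alice", "db-prod", timedelta(hours=8), "CHG-1234", t0)
    results = [
        broker.perform("alice", "db-prod", "restart_service", t0 + timedelta(minutes=10)),
        broker.perform("alice", "db-prod", "customer_data_read", t0 + timedelta(minutes=20)),
        broker.perform("alice", "db-prod", "restart_service", t0 + timedelta(hours=3)),   # expired
        broker.perform("bob", "db-prod", "logging_disabled", t0 + timedelta(minutes=30)),  # no grant
    ]
    notified = []
    alerts = monitor(broker.audit_log, notified.append)
    return {"results": results, "alerts": alerts, "notified": len(notified),
            "inventory_now": broker.inventory(t0 + timedelta(minutes=5)),
            "inventory_later": broker.inventory(t0 + timedelta(hours=3))}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

The point of the model is that the same audit trail feeds both the monitor and the inventory: an action is never evaluated against a standing role but against a grant that names a person, a scope and an expiry, and the denied attempts (expired grant, no grant) become detection signals rather than silent failures.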

1.1 References

1.2 Identified Requirements

1.3 Related Regulations

2. Identified Requirements

Requirements
Source | Requirement

3. Related Regulations

Regulations
Source | Regulation