IAM-07.03AC
1. Overview

If the performed access is supervised, the cloud service provider ensures that:

1. The mechanisms used to perform the supervised access allow the supervising personnel to authorise or deny individual actions of the supervisee and to ask for explanations in real time;
2. Any access rights that are granted as part of the supervised access are revoked at the end of the operation;
3. All operations that are performed as part of the supervised access are logged as administration actions;
4. The supervisee and the device used to perform the supervised access are authenticated by the supervision solution;
5. The operations that the supervisee proposes and the actions of the supervising personnel are logged by the supervision solution, including operations that were denied; and
6. Information flows towards the device of the supervisee are prevented by the supervision solution.

Access to cloud service customer data also entails disclosure of data as part of investigation requests according to INQ-03. These are to be communicated to cloud service customers as far as this is not legally forbidden.

The criterion aims at minimising the cloud service provider's capability to access cloud service customer data. How far this capability can be minimised is often a question of the size of the collusion circle, i.e. the number of people who would have to act together to misuse the access. For example, if the four-eyes principle is applied to the access and the access is logged, then three people make up the collusion circle. In order to build trust in such access statements, the cloud service provider should describe in the system description the measures taken to enlarge the collusion circle. The cloud service provider should make details about how the supervised access is performed accessible to cloud service customers.
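The six properties above, modelled as a small supervision-session state machine whose audit log can be inspected afterwards. This is an added illustrative example, not text or code from the scheme; the supervisee, supervisor, device enrolment table and sample operations are all constructed.

```python
# Added illustrative model of a supervised-access session with the six IAM-07.03AC
# properties. Example code, not from the scheme; all names and data are constructed.
from dataclasses import dataclass
ENROLLED_DEVICES = {"alice": {"laptop-0042"}}  # constructed enrolment (property 4)
@dataclass
class AuditRecord:
    actor: str     # supervisee, supervisor or the supervision solution itself
    event: str     # proposed / approved / denied / executed / granted / revoked
    subject: str   # the operation or access right concerned
    category: str = "administration"  # property 3: logged as administration actions

class SupervisedSession:
    def __init__(self, supervisee: str, device: str, supervisor: str, decide):
        # Property 4: the solution authenticates supervisee and device together.
        if device not in ENROLLED_DEVICES.get(supervisee, set()):
            raise PermissionError(f"{supervisee!r} on {device!r} is not authenticated")
        self.supervisee, self.supervisor, self.decide = supervisee, supervisor, decide
        self.granted, self.log, self.open = set(), [], True

    def grant(self, right: str) -> None:
        self.granted.add(right)
        self.log.append(AuditRecord(self.supervisor, "granted", right))

    def propose(self, operation: str) -> str:
        # Property 1: the supervisor decides each operation in real time. Property 5: both
        # proposal and decision are logged, denied ones included. Property 6: only the
        # decision word is returned to the supervisee's device, never data.
        if not self.open:
            raise RuntimeError("session is closed; its rights have been revoked")
        self.log.append(AuditRecord(self.supervisee, "proposed", operation))
        decision = "approved" if self.decide(operation) else "denied"
        self.log.append(AuditRecord(self.supervisor, decision, operation))
        if decision == "approved":
            self.log.append(AuditRecord(self.supervisee, "executed", operation))
        return decision

    def close(self) -> None:
        # Property 2: every right granted for the session is revoked when it ends.
        for right in sorted(self.granted):
            self.log.append(AuditRecord("supervision-solution", "revoked", right))
        self.granted.clear()
        self.open = False

def run_sample_session() -> SupervisedSession:
    s = SupervisedSession("alice", "laptop-0042", "bob", lambda op: "export" not in op)
    s.grant("tenant-db:read")
    s.propose("restart tenant-db replica")   # approved and executed
    s.propose("export tenant-db to laptop")  # denied, but still logged
    s.close()
    return s
```

The `decide` callable stands in for the supervisor's real-time decision; in a real solution it would block on an interactive prompt rather than evaluate a rule.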
1.1 References
1.2 Identified Requirements
2. Identified Requirements
3. Related Regulations