---+ IAM-08 Authentication Mechanisms
1. Overview
| Designation | Standard |
| IAM-08.01B | System components in the cloud service provider's area of responsibility that are used to provide the cloud service authenticate users of the cloud service provider's internal and external personnel as well as system components that are involved in the cloud service provider's automated authorisation processes. |
| IAM-08.02B | The cloud service provider enforces multi-factor authentication (MFA) for all access to the production environment. This requirement applies to both human users and automated processes, ensuring that only authorised entities can access systems and data in the production environment. %BR% Multi-factor authentication implies that different sources for identity verification are used. This applies both to human users and automated processes. Human users may use different factors such as a password and a hardware token. Multi-factor authentication for automated processes implies using independent sources for identity verification, such as cryptographic keys and a short-term token from another source. |
| IAM-08.03B | Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the policies and procedures for the use of cryptographic mechanisms (cf. CRY-01). |
| IAM-08.04B | The authentication requirements are derived from a risk assessment and documented, communicated and provided in an authentication policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. The authentication policy describes at least the following aspects: %BR% 1. The selection of appropriate mechanisms for every level of risk and each identity type; %BR% 2. The protection of credentials that the authentication mechanisms use, including the confidentiality of personal or shared authentication information and non-sharing of credentials; %BR% 3. The generation and distribution of credentials for any new identity; %BR% 4. The non-reuse of credentials; %BR% 5. Rules on the storage of credentials; %BR% 6. Rules for renewing credentials, including periodic renewals and renewals in case a credential is lost or compromised; and %BR% 7. Rules on the required strength of credentials, including trade-offs between entropy and ability to memorise where applicable, as well as mechanisms for communicating and enforcing these rules. |
| IAM-08.05B | The cloud service provider determines by means of a risk assessment (cf. OIS-07) the risk that the authentication mechanisms integrated into the system components under its responsibility that are used to provide the cloud service become outdated. Based on the results of the risk assessment, the cloud service provider implements appropriate measures for exchanging outdated authentication mechanisms or the system components into which they are integrated. |
| IAM-08.06B | Any authentication mechanism integrated into the system components used to provide the cloud service has a mechanism for disabling an identity after a predefined number of unsuccessful authentication attempts. |
| IAM-08.07B | The cloud service provider implements measures which require that users can only access non-personal identities assigned to multiple persons after they have already been authenticated with their identity assigned to a single person. |
| IAM-08.02AS | The cloud service provider enforces multi-factor authentication (MFA) for all access to any environment. This requirement applies to both human users and automated processes, ensuring that only authorised entities can access systems and data in all of the environments. %BR% These environments include production, development, test and staging environments. |
| IAM-08.03AS | Within an environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the policies and procedures for the use of cryptographic mechanisms (cf. CRY-01). %BR% These environments include production, development, test and staging environments. |
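The lockout rule in IAM-08.06B and the personal-before-shared rule in IAM-08.07B, as a small added Python example (not code from the C5 catalogue or from any provider): the identities, secrets, session ids and the lockout threshold are constructed values, and the MFA requirement of IAM-08.02B is left out for brevity.

```python
# Added example, not part of the C5 catalogue. Models IAM-08.06B (an identity is
# disabled after a predefined number of failed attempts) and IAM-08.07B (a shared,
# non-personal identity can only be assumed from a session that already holds an
# authenticated personal identity). All names, secrets and thresholds are constructed.
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 5  # the "predefined number" is a policy parameter (constructed value)


def _digest(secret: str) -> bytes:
    # Demo-only hashing so the example is self-contained; a real deployment
    # stores passwords with a slow, salted password hash instead.
    return hashlib.sha256(secret.encode()).digest()


class AuthGate:
    def __init__(self, personal: dict, shared: dict, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.personal = {u: _digest(s) for u, s in personal.items()}  # single-person identities
        self.shared = dict(shared)       # non-personal identity -> set of persons allowed to use it
        self.max_failed = max_failed
        self.failed = {u: 0 for u in personal}
        self.disabled: set = set()
        self.sessions: dict = {}         # session id -> authenticated personal identity

    def authenticate(self, user: str, secret: str, session: str) -> str:
        # Unknown and disabled identities get the same answer as a wrong secret,
        # so the response does not reveal which identities exist or are locked.
        if user not in self.personal or user in self.disabled:
            return "denied"
        if hmac.compare_digest(self.personal[user], _digest(secret)):
            self.failed[user] = 0        # a success resets the failure counter
            self.sessions[session] = user
            return "ok"
        self.failed[user] += 1
        if self.failed[user] >= self.max_failed:
            self.disabled.add(user)      # IAM-08.06B: disable after the threshold is reached
            return "disabled"
        return "denied"

    def assume_shared(self, session: str, shared_id: str) -> str:
        # IAM-08.07B: the shared identity is only reachable through a personal one.
        person = self.sessions.get(session)
        if person is None:
            return "denied: no authenticated personal identity"
        if person not in self.shared.get(shared_id, set()):
            return "denied: not assigned to this shared identity"
        return f"ok: {person} -> {shared_id}"
```

Once an identity is disabled it stays disabled until an administrator re-enables it; the example deliberately provides no automatic unlock, because that is a policy decision under IAM-08.04B.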
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |