Manage Access
Objective
Establish access control policies and procedures for management of all accounts.
Applicable Service Models
IaaS, PaaS, SaaS
Mandatory Requirements
Activity | Validation |
---|---|
<ul><li>Implement a mechanism to enforce access authorizations for all user accounts, based on criteria in the Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations, and in section 3 of the Account Management Configuration Requirements.</li></ul> | <ul><li>Demonstrate that access configurations and policies are implemented for the different classes of users (non-privileged and privileged).</li><li>Confirm that the access authorization mechanisms have been implemented to: <ul> <li>Uniquely identify and authenticate users to the cloud service</li> <li>Validate that the least-privilege role is assigned</li> <li>Validate that role-based access is implemented</li> <li>Terminate role assignment upon job change or termination</li> <li>Perform periodic reviews of role assignment (at least yearly)</li> <li>Disable default and dormant accounts</li> <li>Avoid the use of generic user accounts</li> </ul></li><li>Verify that a review of role assignment for root or global administrator accounts is performed at least every 12 months.</li></ul> |
<ul><li>Leverage role-based access and configure it for least privilege. This can include built-in roles or custom roles that have been established with only the minimum privileges required to perform the job function.</li></ul> | <ul><li>Demonstrate that built-in roles on cloud platforms are configured for least privilege. Custom roles can be used, but a rationale should be documented and approved.</li></ul> |
<ul><li>Change default passwords in accordance with the GC Password Guidance.</li></ul> | <ul><li>Confirm that the default passwords have been changed for all the built-in accounts for the cloud service.</li></ul> |
<ul><li>Configure the default password policy in accordance with GC Password Guidance.</li></ul> | <ul><li>Demonstrate that password policy for the cloud platform has been configured according to the Password Guidance by:<ul><li>requiring passwords that are at least 12 characters long without a maximum length limit</li><li>countering online guessing or brute force of passwords using throttling, account lockout policies, monitoring and multi-factor authentication</li><li>protecting against offline attacks using effective hashing, salting and keyed hashing.</li></ul></li></ul> |
<ul><li>Implement password protection mechanisms to protect against password brute-force attacks.</li></ul> | <ul><li>Confirm that mechanisms to protect against password brute-force attacks, such as throttling, account lockout policies, monitoring and risk-based authentication, have been implemented.</li></ul> |
<ul><li>Establish a guest user access policy and procedures that minimize the number of guest users and that manage the life cycle of such accounts so that such accounts are terminated when they are no longer needed.</li><li>Note: a guest is someone who is not an employee, student or member of your organization (a guest does not have an existing account with the organization’s cloud tenant).</li></ul> | <ul><li>Confirm that only required guest user accounts are enabled (according to the business requirements of the service)</li><li>Provide a list of non-organizational users with elevated privileges.</li><li>Verify that reviews of guest access are performed periodically.</li></ul> |
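The password-policy and brute-force rows above name three controls: a 12-character minimum with no maximum length, storage that uses salting and keyed hashing against offline attacks, and throttling or lockout against online guessing. The following is an added illustration of those controls in Python, not code from the guardrail or from any GC platform; the lockout threshold, lockout duration, PBKDF2 iteration count and pepper value are assumptions chosen for the example.

```python
"""Added example: the password controls described in the Manage Access
guardrail (12-char minimum, salted + keyed hashing, account throttling)."""
import hashlib
import hmac
import os

MIN_LEN = 12             # guardrail: at least 12 characters, no maximum length
MAX_FAILURES = 5         # lockout threshold (assumption, not from the guardrail)
LOCKOUT_SECS = 900       # lockout duration in seconds (assumption)
ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor (assumption)
PEPPER = b"constructed-server-side-secret"  # constructed; keep in a secret store


def password_meets_policy(pw: str) -> bool:
    """Length is the only rule the guardrail states; no upper bound is applied."""
    return len(pw) >= MIN_LEN


def hash_password(pw: str, salt=None):
    """Salted PBKDF2, then keyed with an HMAC pepper: a leaked table of
    (salt, digest) pairs alone is not enough to mount an offline attack."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return salt, hmac.new(PEPPER, dk, "sha256").digest()


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


class Throttle:
    """Per-account failure counter; refuses attempts while locked out."""
    def __init__(self):
        self.failures = {}  # account -> (failure_count, time_of_last_failure)

    def allowed(self, account: str, now: float) -> bool:
        count, last = self.failures.get(account, (0, 0.0))
        if count >= MAX_FAILURES and now - last < LOCKOUT_SECS:
            return False
        if count >= MAX_FAILURES:      # lockout has expired: reset the counter
            self.failures.pop(account, None)
        return True

    def record(self, account: str, ok: bool, now: float) -> None:
        if ok:
            self.failures.pop(account, None)
        else:
            count, _ = self.failures.get(account, (0, 0.0))
            self.failures[account] = (count + 1, now)


def login(store: dict, throttle: Throttle, account: str, pw: str, now: float) -> str:
    """Returns 'locked', 'denied' or 'ok'; store maps account -> (salt, digest)."""
    if not throttle.allowed(account, now):
        return "locked"
    salt, stored = store[account]
    ok = verify_password(pw, salt, stored)
    throttle.record(account, ok, now)
    return "ok" if ok else "denied"
```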
Additional Considerations
Activity | Validation |
---|---|
<ul><li>Document a process for managing accounts, access privileges, and access credentials for organizational users and non-organizational users (if required), based on criteria listed in the Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations, and in section 3 of the Account Management Configuration Requirements. This process should be approved by the chief security officer (or their delegate) and by the designated official for cyber security.</li></ul> | <ul><li>Confirm that the access control procedure for management of administrative accounts has been documented for the cloud service. The access control procedure:<ul><li>should include provision for any guest accounts and custom accounts</li><li>must refer to the emergency break glass procedure</li></ul></li></ul> |
<ul><li>Enforce just-in-time access for privileged user accounts to provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary or misused access permissions.</li></ul> | <ul><li>Confirm just-in-time access for all privileged user accounts to provide time-based and approval-based role activation.</li></ul> |
<ul><li>Enforce attribute-based access control to restrict access based on a combination of signals, such as authentication factors, devices issued and managed by the GC, device compliance, sign-in and user risk, and location.</li></ul> | <ul><li>Provide evidence that attribute-based access control mechanisms are in place to restrict access based on attributes or signals, such as authentication factors, devices issued and managed by the GC, device compliance, sign-in and user risk, and location.</li></ul> |
<ul><li>Leverage tools, such as privileged access management systems, to enforce access control to privileged functions by configuring roles that require approval for activation.</li><li>Choose one or more users or groups as delegated approvers.</li></ul> | <ul><li>Provide evidence that every role activation for privileged user accounts requires approval, and that privilege elevation is temporary (time-bound).</li></ul> |
References
- Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice, (SPIN) 2017-01, subsection 6.2.3
- Cyber Centre’s top 10 IT security actions, number 3
- User Authentication Guidance for Information Technology Systems (ITSP.30.031 v3)
- Guidance on Cloud Authentication for the Government of Canada (accessible only on the Government of Canada network)
- Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain (accessible only on the Government of Canada network)
- Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations
- Account Management Configuration Requirements
- Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.6
- Password Guidance
Related security controls from ITSG-33
AC‑2, AC‑2(1), AC‑2(7), AC‑3, AC‑3(7), AC‑4, AC‑5, AC‑6, AC‑6(5), IA‑2, IA‑2(1), IA‑2(8), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6)