Example IAM controls

The primary focus of this book is on IT general controls that can be applied to IaaS and PaaS service models. In most cases, these controls will also be relevant to SaaS service models; however, the breadth and depth of fully assessing controls for SaaS are not covered in this book. As mentioned in Chapter 2, Effective Techniques for Preparing to Audit Enterprise Cloud Environments, there are several frameworks that can be used as guidelines for a list of controls and test procedures when defining the scope of your audit. Here, we’ll highlight a few example controls from the Center for Internet Security (CIS) and the Cloud Security Alliance (CSA) that are relevant to assessing IAM features within enterprise cloud environments.

CIS control benchmarks

As mentioned in Chapter 2, Effective Techniques for Preparing to Audit Enterprise Cloud Environments, the CIS benchmarks not only provide a list of general IT controls (not cloud-specific) but also map them to other common security and regulatory control frameworks, as well as offer vendor-specific control frameworks. Here, we’ll note a few of the applicable general controls as mentioned in CIS. Please note this is not an exhaustive list of applicable controls but is an example reference only. Determination of all applicable controls will need to be based on system architecture and integration, business risk management goals, and enterprise operational procedures:

  • CIS Control 4 Sub-Control 4.7—Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other preconfigured vendor accounts.
  • CIS Control 5 Sub-Control 5.1—Establish and Maintain an Inventory of Accounts: Establish and maintain an inventory of all accounts managed in the enterprise.
  • CIS Control 5 Sub-Control 5.2—Use Unique Passwords: Use unique passwords for all enterprise assets. Best-practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
  • CIS Control 5 Sub-Control 5.3—Disable Dormant Accounts: Delete or disable any dormant accounts after a period of 45 days of inactivity.
  • CIS Control 6 Sub-Control 6.5—Require MFA for Administrative Access: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
  • CIS Control 6 Sub-Control 6.8—Define and Maintain Role-Based Access Control: Define and maintain role-based access control (RBAC) by determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties.
  • CIS Control 13 Sub-Control 13.5—Manage Access Control for Remote Assets: Manage access control for assets remotely connecting to enterprise resources.
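As an added example that is not part of the book, the following script shows how an auditor might test an exported account inventory against the thresholds stated in sub-controls 4.7, 5.2, 5.3 and 6.5. The inventory, its field names and the audit date are constructed assumptions, not any provider's export format.

```python
from datetime import date

# Thresholds taken from the CIS sub-controls listed above
DORMANT_DAYS = 45                                            # CIS 5.3
MIN_PW_LEN_WITH_MFA = 8                                      # CIS 5.2
MIN_PW_LEN_WITHOUT_MFA = 14                                  # CIS 5.2
DEFAULT_ACCOUNT_NAMES = {"root", "administrator", "admin"}   # CIS 4.7 examples

# Constructed sample inventory; field names are assumptions, not a real export schema.
ACCOUNTS = [
    {"name": "root",       "admin": True,  "mfa": True,  "enabled": True,  "last_activity": "2024-02-20", "min_pw_len": 14},
    {"name": "alice",      "admin": True,  "mfa": False, "enabled": True,  "last_activity": "2024-02-28", "min_pw_len": 14},
    {"name": "bob",        "admin": False, "mfa": False, "enabled": True,  "last_activity": "2023-12-01", "min_pw_len": 10},
    {"name": "svc-backup", "admin": False, "mfa": True,  "enabled": True,  "last_activity": "2024-02-27", "min_pw_len": 8},
    {"name": "carol",      "admin": False, "mfa": True,  "enabled": False, "last_activity": "2023-11-15", "min_pw_len": 12},
]

def findings_for(account, today):
    """Return the CIS sub-control exceptions for one account as of `today`."""
    if not account["enabled"]:
        return []                     # a disabled account already satisfies 5.3
    findings = []
    if account["name"].lower() in DEFAULT_ACCOUNT_NAMES:
        findings.append("4.7 default account is active; confirm it is managed")
    required = MIN_PW_LEN_WITH_MFA if account["mfa"] else MIN_PW_LEN_WITHOUT_MFA
    if account["min_pw_len"] < required:
        findings.append(f"5.2 password policy allows {account['min_pw_len']} chars, needs {required}")
    idle = (today - date.fromisoformat(account["last_activity"])).days
    if idle > DORMANT_DAYS:
        findings.append(f"5.3 dormant for {idle} days")
    if account["admin"] and not account["mfa"]:
        findings.append("6.5 administrative access without MFA")
    return findings

def audit(accounts, today):
    """Map each account name to its findings, omitting accounts with none."""
    report = {}
    for account in accounts:
        items = findings_for(account, today)
        if items:
            report[account["name"]] = items
    return report

def run_sample():
    """Audit the constructed inventory as of an assumed audit date."""
    return audit(ACCOUNTS, date(2024, 3, 1))

if __name__ == "__main__":
    for name, items in run_sample().items():
        print(name)
        for item in items:
            print("  -", item)
```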

To find a comprehensive list of CIS benchmark controls, go to https://www.cisecurity.org/benchmark.

Now that we’ve taken a look at some example controls from CIS that could be applicable to both on-premises and cloud environments, let’s take a look at controls from the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).

CCM

Within the CSA CCM v4.0 framework, controls that would be relevant to the technical assessment of IAM functions mentioned in the remaining sections would primarily fall under the control domain of IAM; however, there are also applicable controls under other control domains. Examples of CCM controls an IT auditor should reference for IAM include those found in the following list:

  • Control ID IAM-03—Identity Inventory: Manage, store, and review information on system identities and level of access
  • Control ID IAM-05—Least Privilege: Employ the least-privilege principle when implementing information system access
  • Control ID IAM-08—User Access Review: Review and revalidate user access for least privilege and separation of duties (SoD) with a frequency that is commensurate with organizational risk tolerance
  • Control ID IAM-14—Strong Authentication: Define, implement, and evaluate processes, procedures, and technical measures for authenticating access to systems, applications, and data assets, including MFA for at least privileged user and sensitive data access
  • Control ID IAM-15—Passwords Management: Define, implement, and evaluate processes, procedures, and technical measures for the secure management of passwords
  • Control ID LOG-11—Transaction/Activity Logging: Log and monitor key life-cycle management events to enable auditing and reporting on the usage of cryptographic keys
  • Control ID STA-07—Supply Chain Inventory: Develop and maintain an inventory of all supply chain relationships

You can access more on the CCM matrix from CSA at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/. Please note that the matrix is periodically updated, so be sure you are accessing the latest version.

Now that we’ve taken a look at some example IT general controls from common frameworks that would apply to IaaS and PaaS enterprise cloud environments, let’s take a look at some of the options where these controls may be configured or reviewed. In general, each of the cloud providers has a dedicated administrative area for configuring IAM controls. To understand more about where key configurable cloud IAM options exist, let’s review some of the administration settings for each of the cloud providers in more detail.