Hi Zuzana,
the control's security objective is that any horizontal or vertical access escalation to customer high-risk data must be controlled and must have the customer involved by granting that access in a proactive way (customers need to be aware of such privileged access functions and have them approved a priori).
The CCMv4 implementation guidelines provide assistance in that direction:
- Access to privileged user IDs should be restricted to least privilege and business need to know.
- Require documented approval by authorized parties specifying required privileges.
- ...
There is a Shared Security Responsibility aspect to this control that is distributed among the involved cloud parties, looking at it from all three SaaS, PaaS and IaaS perspectives. For instance, at the IaaS/PaaS level, customer data could be accessible at both the physical and logical levels, hence the IaaS/PaaS provider is here responsible for enforcing this control, while the SaaS provider remains accountable to its customers that this is the case.
When answering the CAIQ questions for IAM-11, and its SSRM field, implementation responsibility spans across all three cloud service models, and all involved parties have to be taken into account. Please also consult the CCMv4 controls applicability matrix, where 'typical' assignments of CCM controls' ownership per cloud model are provided.
Hope this helps.
Lefteris
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------
Original Message:
Sent: Aug 11, 2021 02:00:35 AM
From: Zuzana Kontrikova
Subject: CAIQ V4 - IAM-11.1 - clarification
Hello everyone,
I'm looking for some help with understanding the question IAM-11.1 in the new CAIQ v4.
The question is asking if a process or procedure exists for customers to participate in granting access to privileged access roles.
- I'm drafting an implementation description for a traditional SaaS company where customers are managing their access through a team management functionality in the user interface.
- On the other hand, the company internally is handling the granting of privileged access roles (e.g. to servers) with multiple controls (from granting and logging to monitoring). Understandably, customers are not involved in this process.
When reading the implementation guidelines for this control, I'm more inclined to describe our internal controls for handling privileged access roles (point 2). But then I feel like I'm not answering the question itself, which is asking about customer participation. In a SaaS context, it is also confusing for me what process and procedure for customer participation is expected (is it point 1, user management in the SaaS service?).
Many thanks!
Zuzana
***********************************************************************************************
I'm copying below the exact wording of the question and implementation guidelines:
Question:
Are processes and procedures for customers to participate, where applicable, in granting access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles defined, implemented and evaluated?
Implementation guidelines:
Access to privileged user IDs should be restricted to least privilege and business need to know. Require documented approval by authorized approvers specifying required privileges. All actions taken by any individual with root or administrative privileges should be logged. Use of and changes to privileged accounts, including elevation of privileges, should be monitored for suspicious activity such as logon failures or attempts to escalate permissions, using a SIEM solution.
------------------------------
Zuzana Kontrikova
------------------------------
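The following is an added illustration, not CSA/CCM text and not any vendor's implementation, of how the two halves of this thread fit together in code: the reply's point that the customer must approve high-risk privileged access a priori, and the implementation guidelines quoted in the original message (documented approval specifying the required privileges, least privilege, logging of every privileged action, and monitoring for logon failures or escalation attempts). The approver role name `customer-security-lead`, the engineer names, the privilege strings, the event action names and the "3 events in 10 minutes" monitoring threshold are all constructed assumptions for the example; a real deployment would feed the audit events into its SIEM rather than into the in-memory list used here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Approval:
    """Documented customer approval: who approved, exactly which privileges, until when."""
    approver: str
    privileges: FrozenSet[str]
    expires: datetime


@dataclass(frozen=True)
class AuditEvent:
    """One audit record; in practice this would be shipped to the SIEM."""
    ts: datetime
    actor: str
    action: str          # constructed action names, e.g. "escalation_attempt"
    detail: str = ""


class PrivilegedAccessBroker:
    """Grants provider-staff access to customer high-risk data only against a prior customer approval."""

    def __init__(self, customer_approvers: Set[str]) -> None:
        self.customer_approvers = set(customer_approvers)   # authorized customer-side parties (assumed)
        self.approvals: Dict[str, Approval] = {}            # engineer -> current approval
        self.audit: List[AuditEvent] = []

    def _log(self, ts: datetime, actor: str, action: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(ts, actor, action, detail))

    def record_approval(self, now: datetime, engineer: str, approver: str,
                        privileges: Set[str], ttl: timedelta) -> bool:
        """Customer participation: only an authorized customer approver may grant, and must name the privileges."""
        if approver not in self.customer_approvers:
            self._log(now, approver, "approval_rejected", "not an authorized customer approver")
            return False
        if not privileges:
            self._log(now, approver, "approval_rejected", "approval must specify required privileges")
            return False
        self.approvals[engineer] = Approval(approver, frozenset(privileges), now + ttl)
        self._log(now, approver, "approval_recorded", f"{engineer}: {sorted(privileges)}")
        return True

    def request_access(self, now: datetime, engineer: str, requested: Set[str]) -> bool:
        """Least privilege: the request must fit inside a valid, unexpired customer approval."""
        approval = self.approvals.get(engineer)
        if approval is None or now > approval.expires:
            self._log(now, engineer, "escalation_attempt", "no valid customer approval on file")
            return False
        excess = set(requested) - approval.privileges
        if excess:
            self._log(now, engineer, "escalation_attempt", f"beyond approved scope: {sorted(excess)}")
            return False
        self._log(now, engineer, "privileged_access",
                  f"granted {sorted(requested)}, approved by {approval.approver}")
        return True


SUSPICIOUS_ACTIONS = {"logon_failure", "escalation_attempt"}


def flag_suspicious(events: List[AuditEvent], window: timedelta = timedelta(minutes=10),
                    threshold: int = 3) -> Set[str]:
    """Toy SIEM rule: flag any actor with `threshold` suspicious events inside a sliding `window`."""
    flagged: Set[str] = set()
    recent: Dict[str, List[datetime]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action not in SUSPICIOUS_ACTIONS:
            continue
        times = recent.setdefault(e.actor, [])
        times.append(e.ts)
        while times and e.ts - times[0] > window:   # drop events that fell out of the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(e.actor)
    return flagged


def demo() -> dict:
    """Constructed scenario exercising approval, least privilege, expiry and monitoring."""
    t0 = datetime(2021, 8, 11, 9, 0, 0)
    broker = PrivilegedAccessBroker(customer_approvers={"customer-security-lead"})
    four_hours = timedelta(hours=4)
    results = {
        # provider staff cannot approve their own colleagues' access to customer data
        "provider_self_approval": broker.record_approval(t0, "eng-alice", "eng-bob", {"db:read"}, four_hours),
        "customer_approval": broker.record_approval(t0, "eng-alice", "customer-security-lead", {"db:read"}, four_hours),
        "in_scope_access": broker.request_access(t0 + timedelta(minutes=5), "eng-alice", {"db:read"}),
        "over_privileged_request": broker.request_access(t0 + timedelta(minutes=6), "eng-alice", {"db:read", "db:write"}),
        "expired_request": broker.request_access(t0 + timedelta(hours=5), "eng-alice", {"db:read"}),
    }
    # constructed bastion logon failures from another account, as a SIEM would receive them
    for i in range(3):
        broker.audit.append(AuditEvent(t0 + timedelta(minutes=i), "eng-mallory", "logon_failure", "ssh bastion"))
    results["flagged"] = flag_suspicious(broker.audit)
    results["privileged_actions_logged"] = sum(1 for e in broker.audit if e.action == "privileged_access")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The split of responsibilities mirrors the reply: `record_approval` is the customer's side of the control (they see and pre-approve which privileges provider staff may hold over their data), while `request_access`, the audit list and `flag_suspicious` are the provider's internal controls that the original poster already has. Alice's two rejected requests are ten minutes and five hours apart, so they do not trip the threshold; only the burst of logon failures does.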