The Inner Circle


CAIQ V4 - IAM-11.1 - clarification

  • 1.  CAIQ V4 - IAM-11.1 - clarification

    Posted Aug 11, 2021 08:34:00 AM
    Hello everyone,

    I am looking for some help with understanding question IAM-11.1 in the new CAIQ v4.

    The question is asking if a process or procedure exists for customers to participate in granting access to privileged access roles.

    1. I'm drafting an implementation description for a traditional SaaS company where customers manage their access through a team management functionality in the user interface.
    2. On the other hand, the company internally handles granting privileged access roles (e.g. to servers) with multiple controls (from granting and logging to monitoring). Understandably, customers are not involved in this process.

    When reading the implementation guidelines for this control, I'm more inclined to describe our internal controls for handling privileged access roles (point 2). But then I feel like I'm not answering the question itself, which is asking about customer participation. In a SaaS context, it is also confusing for me what process and procedure for customer participation is expected (is it point 1, user management in the SaaS service?).

    Many thanks!

    I'm copying below the exact wording of the question and implementation guidelines:

    Are processes and procedures for customers to participate, where applicable, in granting access for agreed, high risk as (defined by the organizational risk assessment) privileged access roles defined, implemented and evaluated?

    Implementation guidelines:
    Access to privileged user IDs should be restricted to least privileges and business need to know. Require documented approval by authorized approvers specifying required privileges. All actions taken by any individual with root or administrative privileges should be logged. Use of and changes to privileged accounts, including elevation of privileges should be monitored for suspicious activity such as logon failures or attempts to escalate permissions using a SIEM solution.

    Zuzana Kontrikova

  • 2.  RE: CAIQ V4 - IAM-11.1 - clarification

    Posted Aug 16, 2021 06:18:00 AM
    Hi Zuzana,

    The control's security objective is that any horizontal or vertical access escalation to customer high risk data must be controlled, with the customer involved by granting that access in a proactive way (customers need to be aware of such privileged access functions and have approved them a priori).

    The CCMv4 implementation guidelines provide assistance in that direction:

    • Access to privileged user IDs should be restricted to least privilege and business need to know.
    • Require documented approval by authorized parties specifying required privileges.
    • ...

    There is a Shared Security Responsibility aspect on this control that is distributed among the involved cloud parties, looking at it from all three SaaS, PaaS, IaaS perspectives. For instance, at the IaaS/PaaS level, customer data could be accessible at both physical and logical levels, hence the IaaS/PaaS provider is here responsible for enforcing this control, while the SaaS provider remains accountable to its customers that this is the case.

    When answering the CAIQ questions for IAM-11, and its SSRM field, implementation responsibility spans across all 3 cloud service models, and all involved parties have to be taken into account. Please also consult the CCMv4 controls applicability matrix, where 'typical' assignments of CCM controls' ownership per cloud model are provided.

    Hope this helps.

    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance

  • 3.  RE: CAIQ V4 - IAM-11.1 - clarification

    CSA Instructor
    Posted Aug 17, 2021 03:24:00 AM
    Would an example of this be a CRM system where certain people in certain roles have the capability to e.g.
    • edit master data
    • add/remove users and their privileges?
    In both cases, it feels like for the SaaS provider this leads to features to offer, which the customer can use in their controls.
    For the SaaS provider, this does not really look much like a control on their end.

    An example of such a feature is to provide the customer with a feed of privilege escalation attempts of their own users.

    Does this add to your perspective?

    Peter HJ van Eijk
    CCSK & CCAK trainer

  • 4.  RE: CAIQ V4 - IAM-11.1 - clarification

    Posted Aug 18, 2021 06:08:00 AM

    Thank you Lefteris, Peter. Your explanation helped!
    Zuzana Kontrikova