What I tell my CCSK classes is that for SaaS, the entitlement matrices are the interface between operational risk and the application.
For example, in an invoicing process, a risk analysis has identified the possibility of an employee committing fraud. That is operational risk. To control that, we would implement a four-eyes principle or something like that. That translates into entitlements for the 2 pairs of eyes involved.
It would still be a matrix, as that is the general model.
For IaaS and PaaS you would have a similar approach, i.e. it would be an operational risk if developers could modify something in production without going through the CI/CD pipeline.
------------------------------
Peter HJ van Eijk
Cloudtrainer
------------------------------
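The two cases in the reply above (a four-eyes control on invoice approval, and production changes restricted to the pipeline identity) expressed as a small entitlement matrix, as an added example that is not part of the original thread. All roles, users, resources and the `REQUIRED_APPROVALS` threshold are constructed sample values; the matrix is a plain dictionary of role to (resource, action) pairs, and the separation-of-duties checks sit on top of it.

```python
"""Toy entitlement matrix with a four-eyes (two distinct approvers) rule.

Constructed example: roles, users and resources are invented for illustration.
"""
from dataclasses import dataclass, field

# Entitlement matrix: role -> set of (resource, action) the role may perform.
# Note that "developer" has no ("prod_env", "deploy"); only the pipeline does.
ENTITLEMENTS = {
    "invoice_clerk":    {("invoice", "create"), ("invoice", "read")},
    "invoice_approver": {("invoice", "read"),   ("invoice", "approve")},
    "developer":        {("prod_env", "read"),  ("staging_env", "deploy")},
    "cicd_pipeline":    {("prod_env", "deploy")},
}

# Role assignments (constructed sample users).
USER_ROLES = {
    "alice":      {"invoice_clerk"},
    "bob":        {"invoice_approver"},
    "carol":      {"invoice_approver"},
    "dave":       {"developer"},
    "deploy-bot": {"cicd_pipeline"},
}

# Number of distinct approvers the four-eyes rule requires (assumed value).
REQUIRED_APPROVALS = 2


def is_entitled(user: str, resource: str, action: str) -> bool:
    """Plain matrix lookup: does any of the user's roles grant (resource, action)?"""
    return any(
        (resource, action) in ENTITLEMENTS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


def who_can(resource: str, action: str) -> set:
    """Enumerate every user holding an entitlement; this is what an access
    review checks, e.g. that no developer can deploy to production."""
    return {u for u in USER_ROLES if is_entitled(u, resource, action)}


@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    approvals: list = field(default_factory=list)

    def is_released(self) -> bool:
        return len(set(self.approvals)) >= REQUIRED_APPROVALS


def create_invoice(user: str, invoice_id: str) -> Invoice:
    if not is_entitled(user, "invoice", "create"):
        raise PermissionError(f"{user} may not create invoices")
    return Invoice(invoice_id, created_by=user)


def approve_invoice(user: str, invoice: Invoice) -> bool:
    """Record one approval; returns True once the invoice is fully released.

    The entitlement alone is not enough: the four-eyes rule also forbids the
    creator approving their own invoice and the same person approving twice.
    """
    if not is_entitled(user, "invoice", "approve"):
        raise PermissionError(f"{user} may not approve invoices")
    if user == invoice.created_by:
        raise PermissionError("creator cannot approve their own invoice")
    if user in invoice.approvals:
        raise PermissionError(f"{user} has already approved {invoice.invoice_id}")
    invoice.approvals.append(user)
    return invoice.is_released()


if __name__ == "__main__":
    inv = create_invoice("alice", "INV-0001")
    print("after bob:", approve_invoice("bob", inv))      # False: one pair of eyes
    print("after carol:", approve_invoice("carol", inv))  # True: two distinct approvers
    print("can deploy to prod:", who_can("prod_env", "deploy"))  # {'deploy-bot'}
```

The point of `who_can` is that a matrix is reviewable: an auditor asks "who holds approve on invoices?" or "who can deploy to production?" and gets a list to compare against the risk analysis, whereas the four-eyes rule itself has to be enforced in application logic, because a matrix cell cannot say "two different people".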
Original Message:
Sent: Feb 20, 2020 02:50:28 PM
From: Kaela Knoblich
Subject: How do you manage access controls?
What is the best way to internally manage who has authorization to certain resources or functions? In Domain four it talks about internal controls based on the entitlement matrix, but I am curious if there are other ways to manage people and the authorization levels they have.
------------------------------
Kaela K.
------------------------------