The Inner Circle


How to ask CSPs whether they provide SAML with IDaaS providers and source IP address restriction using CAIQ?

  • 1.  How to ask CSPs whether they provide SAML with IDaaS providers and source IP address restriction using CAIQ?

    Posted Jan 22, 2023 01:00:00 AM
    I would like to recommend my client to use CAIQ or CAIQ-Lite as a questionnaire for CSPs.

    My client may want to confirm whether CSPs provide SAML with major IDaaS providers. However, I could not find such a question in CAIQ V3 and V4.

    In addition, they may want to confirm whether CSPs provide a function to restrict access based on source IP addresses. Also, I could not find such a question in CAIQ V3 and V4.

    Do you know of questions in CAIQ V3 or V4 that cover those questions I have? Should they create a customized questionnaire to add such questions to CAIQ or CAIQ-Lite?

    ------------------------------
    Masahiro Haneda CCSK
    Security Consultant
    NRI SecureTechnologies Ltd.
    Tokyo
    ------------------------------


  • 2.  RE: How to ask CSPs whether they provide SAML with IDaaS providers and source IP address restriction using CAIQ?

    Posted Jan 24, 2023 02:06:00 AM
    Edited by Lefteris Skoutaris Jan 24, 2023 02:09:10 AM
    Hi Masahiro,
    Thank you for posting.

    CCMv4 control specifications are formulated intentionally to be vendor and technology agnostic, and therefore they are not tailored to a specific CSP or cloud service use case. Likewise, the CAIQv4 questionnaire is derived from the CCM control specifications and follows the same high-level pattern. This is why there are no such low-level questions in the CAIQ that would point to a single implementation best practice.

    I would strongly recommend that you share the CAIQv4 questionnaire with the CSP and kindly request that a sufficient implementation description is provided (see columns E and F of CAIQv4), especially when it comes to the questions you are referring to that are relevant to the Identity and Access Management (IAM) and Infrastructure and Virtualization Security (IVS) domains of the CCM. The CSP should be able to describe their implementation-based approach (in the form of text or URLs) to inform you if/how SAML/SSO and IP filtering/firewalls are implemented.

    Please note that CAIQ-Lite is based on CCMv3.0.1, and it has been withdrawn and is no longer supported. The CCM WG is currently working on the development of a lightweight version of CCMv4, from which eventually a "CAIQv4-Lite" is to be derived. It should be expected somewhere in Q3-Q4 2023.

    In addition to the above, I would like to let you know that CSA has an established chapter in the APAC region and Japan.
    Please consider contacting my colleague Ekta Mishra ([email protected]) who can bring you in touch with the Japan chapter's leadership.

    Hope this helps.
    Happy to assist further should you have more questions.

    Best regards,


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: How to ask CSPs whether they provide SAML with IDaaS providers and source IP address restriction using CAIQ?

    Posted Jan 29, 2023 03:51:00 PM
    Hi Eleftherios. Thank you for replying.

    Your comments have made me understand CAIQ more clearly. If I have more questions, I will ask the chapter in Japan.

    Best regards,




    ------------------------------
    Masahiro Haneda CCSK, CCSP and CISSP
    Security Consultant
    NRI SecureTechnologies Ltd.
    Tokyo
    ------------------------------