Level 1


Description:

Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities.


Priority: High


Domain: IDENTIFICATION AND AUTHENTICATION (IA)


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • Amazon Virtual Private Cloud (VPC)
  • AWS Systems Manager
  • AWS CloudTrail


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure Identity Protection
  • Azure Active Directory Identity Protection
  • Azure Active Directory B2C
  • Azure Active Directory Domain Services
  • Azure Multi-Factor Authentication (MFA)
  • Azure AD Privileged Identity Management (PIM)
  • Azure Key Vault
  • Azure Information Protection
  • Azure Security Center


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of AD settings, or other IAM interface


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC)


What needs to be answered:

Does the system use company-assigned accounts so that each individual's access is uniquely identifiable? If service accounts are necessary, are they created by central management and assigned through that central account process? Are company and service accounts managed centrally and deleted automatically when an individual leaves the company?


Checks for AWS

  • Identify System Users, Processes, and Devices
    Description: This check ensures that organizations have mechanisms in place to identify and distinguish system users, processes acting on behalf of users, and devices within their systems. Common identifiers such as user names, Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers are used to uniquely identify and track the activities of system users and devices. While shared system accounts may not have individual identifiers, organizations may require unique identification for individuals within group accounts or for detailed accountability. This requirement also includes identifying individual identifiers that are not necessarily associated with system accounts. Organizational devices are also identified, either by type, specific device, or a combination of both.
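The AWS check above is satisfied in practice by being able to trace every logged action back to one user, process or device identifier. The following Python is an added example written for this page, not code from AWS or from the control's authors: it attributes CloudTrail-style records to a principal and the device identifiers (source IP, user agent) seen with it, and flags actors that defeat individual accountability. The events are constructed samples in the shape of CloudTrail records; the heuristic that an assumed-role session named after an EC2 instance id is a device, and the field names of the summary, are assumptions of this example.

```python
"""Attribute CloudTrail-style events to a unique user, process or device identifier."""

# Constructed sample events shaped like CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/bob@example.com"}},
    {"eventName": "RunInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userAgent": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
    {"eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventName": "PutObject", "sourceIPAddress": "10.0.1.25",
     "userAgent": "aws-sdk-go/1.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc123def456"}},
]


def principal_of(event):
    """Return (kind, identifier) for the actor behind one event.

    kind is one of: user, process, device, shared, unknown.
    """
    ident = event["userIdentity"]
    kind = ident.get("type")
    if kind == "IAMUser":
        return ("user", ident["userName"])
    if kind == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -- the session name says
        # who or what assumed the role, so it is the individual identifier.
        role, session = ident["arn"].rsplit("/", 2)[-2:]
        # Assumption of this example: a session named after an EC2 instance id
        # (i-...) means instance-profile credentials, i.e. a device, not a person.
        actor_kind = "device" if session.startswith("i-") else "user"
        return (actor_kind, f"{role}/{session}")
    if kind == "AWSService":
        return ("process", ident["invokedBy"])
    if kind == "Root":
        # The root user is a shared credential: no individual can be held to it.
        return ("shared", "root")
    return ("unknown", kind or "?")


def attribute(events):
    """Group events by actor, recording the device identifiers seen with each."""
    summary = {}
    for event in events:
        kind, actor = principal_of(event)
        rec = summary.setdefault(actor, {"kind": kind, "source_ips": set(),
                                         "user_agents": set(), "events": []})
        rec["source_ips"].add(event["sourceIPAddress"])
        rec["user_agents"].add(event["userAgent"])
        rec["events"].append(event["eventName"])
    return summary


def findings(events):
    """Return actors that cannot be tied to one individual, process or device."""
    return sorted(actor for actor, rec in attribute(events).items()
                  if rec["kind"] in ("shared", "unknown"))


if __name__ == "__main__":
    for actor, rec in attribute(SAMPLE_EVENTS).items():
        print(f"{rec['kind']:8} {actor:40} ips={sorted(rec['source_ips'])} "
              f"events={rec['events']}")
    print("accountability findings:", findings(SAMPLE_EVENTS))
```

Running it lists alice, the DeployRole session for bob, the EC2 service principal, root and the AppRole instance session as five distinct actors, and reports root as the one finding, since activity under the root user cannot be attributed to a named individual.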


Checks for Azure

  • Enforce Multi-Factor Authentication (MFA) for User Accounts
    Description: This check ensures that multi-factor authentication (MFA) is enforced for user accounts in Azure. MFA adds an extra layer of security by requiring users to provide additional verification factors, such as a mobile app code or biometric authentication, in addition to their password.
  • Implement Role-Based Access Control (RBAC)
    Description: This check verifies that organizations have implemented role-based access control (RBAC) in Azure. RBAC allows organizations to assign specific roles and permissions to users, ensuring that individuals have the appropriate level of access based on their assigned responsibilities.
  • Regularly Review and Remove Unused User Accounts
    Description: This check emphasizes the need to regularly review and remove unused user accounts in Azure. When users leave the company or no longer require access, their user accounts should be deactivated or deleted promptly to minimize the risk of unauthorized access.
  • Enable Azure Active Directory (Azure AD) Identity Protection
    Description: This check ensures that Azure AD Identity Protection is enabled in Azure. Azure AD Identity Protection provides advanced security features, including risk-based conditional access policies and detection of suspicious user activities, to help protect against identity-related threats.
  • Centrally Manage and Monitor Service Accounts
    Description: This check highlights the importance of centrally managing and monitoring service accounts in Azure. Service accounts, which are used by applications and services to access resources, should be created, assigned, and monitored centrally to ensure proper access control and accountability.
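The "What needs to be answered" questions and the Azure checks on unused accounts and centrally managed service accounts amount to one audit over the account inventory. The Python below is an added example for this page, not code from Microsoft or from the control's authors: it runs that audit over a constructed inventory and reports, per account, why it fails. The record fields (owner, managed_centrally, last_sign_in), the leaver list and the 90-day staleness threshold are assumptions of this example, not an Azure AD export format or a prescribed value.

```python
"""Audit an account inventory for unique, centrally managed, still-needed accounts."""
from datetime import date, timedelta

# Constructed inventory; the field names are assumptions of this example.
ACCOUNTS = [
    {"name": "alice@example.com", "type": "user", "owner": "alice", "enabled": True,
     "last_sign_in": "2024-05-20", "managed_centrally": True},
    {"name": "helpdesk-shared", "type": "user", "owner": None, "enabled": True,
     "last_sign_in": "2024-05-21", "managed_centrally": True},
    {"name": "bob@example.com", "type": "user", "owner": "bob", "enabled": True,
     "last_sign_in": "2024-01-03", "managed_centrally": True},
    {"name": "svc-backup", "type": "service", "owner": "carol", "enabled": True,
     "last_sign_in": "2024-05-22", "managed_centrally": False},
    {"name": "svc-etl", "type": "service", "owner": "dave", "enabled": True,
     "last_sign_in": "2024-05-22", "managed_centrally": True},
]
TERMINATED = {"bob"}             # constructed HR leaver list
REVIEW_DATE = date(2024, 5, 23)  # constructed "today" for the review
STALE_DAYS = 90                  # threshold chosen for this example


def audit_account(acct, today=REVIEW_DATE, terminated=TERMINATED, stale_days=STALE_DAYS):
    """Return the list of reasons this account fails the control (empty if it passes)."""
    reasons = []
    # Unique identification: a user account must belong to exactly one individual.
    if acct["type"] == "user" and not acct["owner"]:
        reasons.append("no individual owner (shared account)")
    # Service accounts must be created and assigned by central management too.
    if not acct["managed_centrally"]:
        reasons.append("not created/managed by central IAM")
    # Leavers: an enabled account whose owner has left is an orphan.
    if acct["enabled"] and acct["owner"] in terminated:
        reasons.append("owner has left but account still enabled")
    # Unused accounts: no sign-in within the staleness window.
    last_sign_in = date.fromisoformat(acct["last_sign_in"])
    if acct["enabled"] and today - last_sign_in > timedelta(days=stale_days):
        reasons.append(f"no sign-in for more than {stale_days} days")
    return reasons


def audit(accounts, today=REVIEW_DATE, terminated=TERMINATED, stale_days=STALE_DAYS):
    """Map each failing account name to its reasons; passing accounts are omitted."""
    results = {}
    for acct in accounts:
        reasons = audit_account(acct, today, terminated, stale_days)
        if reasons:
            results[acct["name"]] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in audit(ACCOUNTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample data the shared helpdesk account fails for having no individual owner, bob's account fails twice (owner has left, no sign-in for over 90 days), and svc-backup fails because it was created outside central IAM; alice and svc-etl pass. The same structure applies to a real export once the fields are mapped to the directory's own attributes.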


More Details: All users have company-issued accounts with unique identification. All accounts are managed by IT administration.