Level 2


Description:

This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.


Priority: High 


Domain: IDENTIFICATION AND AUTHENTICATION (IA) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM) 


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure Active Directory B2C
  • Azure Active Directory Domain Services
  • Azure AD Privileged Identity Management
  • Azure Multi-Factor Authentication
  • Azure Conditional Access
  • Azure Information Protection
  • Azure Identity Protection
  • Azure Key Vault
  • Azure Security Center


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 


What needs to be answered:

Does the company specify a minimum degree of password complexity, including minimum requirements for each character type? Does the company require that a minimum number of characters be changed when new passwords are created?

 

Checks for AWS

  • Enforce Password Complexity and Change
    Description: This check ensures that organizations enforce minimum password complexity and require the change of characters when new passwords are created. Password complexity refers to the requirements for the composition of passwords, such as the use of a combination of uppercase and lowercase letters, numbers, and special characters. Requiring the change of characters means that a certain number of characters must be changed when creating a new password, compared to the previous password. These measures help strengthen password security and mitigate the risk of unauthorized access through brute force attacks. Organizations should establish password complexity policies and define the minimum complexity requirements and password change frequency based on industry best practices and security guidelines.
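    Added example (not part of the original control text or any vendor tool): a small Python script that evaluates an IAM account password policy against a complexity baseline and counts changed character positions between an old and a new password, the rule defined in the Description above. The policy keys are the real ones returned by IAM GetAccountPasswordPolicy; the sample policy values and the baseline thresholds are constructed assumptions. IAM has no native "changed characters" setting (PasswordReusePrevention is the closest built-in control), so that rule is assumed to be enforced at password-change time by the organization's own flow.

```python
"""Evaluate an AWS IAM account password policy and the changed-character rule."""

# Assumed baseline (not IAM defaults): 14 characters, all four character
# classes required, and the last 24 passwords remembered.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,
}

# Constructed sample in the shape of GetAccountPasswordPolicy["PasswordPolicy"].
SAMPLE_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}


def evaluate_policy(policy, baseline=BASELINE):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    for key, required in baseline.items():
        actual = policy.get(key)
        if isinstance(required, bool):
            if not actual:
                findings.append(f"{key} is not enabled")
        elif actual is None or actual < required:
            findings.append(f"{key}={actual} is below the required {required}")
    return findings


def changed_positions(old, new):
    """Count positions that differ between old and new passwords.

    Positions are compared against the current (old) password; characters
    added or removed at the end each count as one changed position, so
    appending a single character to an old password counts as one change."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(new) - len(old))


def meets_change_rule(old, new, minimum_changed=4):
    """True when at least `minimum_changed` positions differ (threshold is an assumption)."""
    return changed_positions(old, new) >= minimum_changed


def fetch_live_policy():
    """Fetch the real account policy with boto3 (needs credentials; raises
    NoSuchEntityException when no account policy has been set)."""
    import boto3  # imported lazily so the offline example runs without it
    return boto3.client("iam").get_account_password_policy()["PasswordPolicy"]


if __name__ == "__main__":
    for finding in evaluate_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
    print("changed positions:", changed_positions("Winter2023!", "Winter2024!"))
```

Swap `SAMPLE_POLICY` for `fetch_live_policy()` to assess a real account; the findings list is the evidence a reviewer can attach alongside the configuration screenshot.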
     


Checks for Azure

  • Enforce Password Complexity
    Description: This check ensures that organizations enforce minimum password complexity requirements for user accounts in Azure. Password complexity requirements typically include rules such as a minimum length, the use of uppercase and lowercase letters, numbers, and special characters. By enforcing password complexity, organizations can enhance the security of user accounts and mitigate the risk of unauthorized access through brute force attacks.
  • Enforce Password Change
    Description: This check verifies that organizations require users to change their passwords periodically in Azure. Requiring password changes at regular intervals helps prevent the prolonged use of the same password, reducing the risk of unauthorized access due to compromised or guessed passwords. Organizations should establish password change policies and define the frequency at which users need to change their passwords based on security requirements and industry best practices.


More Details: Comprehensive password policies are in place via the company cybersecurity handbook and employee training.