Level 2

Description:   

System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use authentication methods separate from those used by users of any other system resources. Separation of system and user functionality may also include isolating administrative interfaces on different domains and protecting them with additional access controls.



Priority: High

Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)

Category: Baseline Security Configurations


Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), AWS Virtual Private Cloud (VPC), AWS EC, Amazon RDS, Amazon WorkSpaces
  • AWS Identity and Access Management (IAM), AWS Cognito, AWS SSO
  • AWS Identity and Access Management (IAM), AWS WAF, AWS Shield, Amazon Route 


Services Associated with Azure: 

  • Azure Policy 
  • Azure Virtual Machines (VMs) 
  • Azure Key Vault 
  • Azure Active Directory (Azure AD) 


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Identity & Access Management (IAM)
  • Privileged Access Management (PAM) 


What needs to be answered:

Are there controls to ensure that administration privileges are not available to general users? Is user functionality separated from system management functionality? 

Checks for AWS 

  • Separation of User and System Management Functionality
    Description: This check ensures that user functionality is separated from system management functionality. This includes using different computers, different central processing units, different instances of operating systems, different network addresses, or virtualization techniques.
  • Separate Authentication for User and System Resources
    Description: This check verifies that separate authentication methods are used for users of system resources and those accessing web administrative interfaces. This helps maintain the separation between user and system management functionality.
  • Isolation of Administrative Interfaces
    Description: This check ensures that administrative interfaces are isolated on different domains and with additional access controls, thus maintaining the separation between system and user functionality.

Checks for Azure 

  • Separation of User and System Management Functionality
    Description: This policy check ensures that user functionality is separated from system management functionality. It includes using different computers, different central processing units, different instances of operating systems, different network addresses, or virtualization techniques to maintain the segregation.
  • Separate Authentication for User and System Resources
    Description: This policy check verifies that separate authentication methods are used for users of system resources and those accessing web administrative interfaces. It helps to ensure that users have different access privileges for normal resources and administrative interfaces, maintaining the separation between user and system management functionality.
  • Isolation of Administrative Interfaces
    Description: This policy check ensures that administrative interfaces are isolated on different domains and equipped with additional access controls. This setup maintains the separation between system and user functionality, preventing general users from accessing privileged administrative interfaces.


More Details:   

User functionality is separated from system management functionality.