@@ -811,7 +811,7 @@ If the source identity is a company internal directory, the content needs to be
These requirements apply to all network management systems, regardless of the product's use case and without variation for different tiers or risk.
-**[REQ-AUTH-0]:** The product shall support identity management through at least one of the following approaches: (a) integration of the NMS into an external state-of-the-art Identity Management System, (b) integration of an external Identity Management System into the NMS, or (c) a dedicated Identity Management module built into the NMS.
-**[REQ-AUTH-1]:** Product shall use multi-factor authentication to confirm the identity of a natural user.
-**[REQ-AUTH-1]:** Product shall use multi-factor authentication to confirm the identity of a natural user appropriate to the intended and reasonably foreseeable use.
-**[REQ-AUTH-2]:** Product shall limit a natural user's authorisation validity of a session via a configuarble setting that shall be initially limited to one by by factory default.
Depending on the product desing, the identity management referred in [REQ-AUTH-0] can be either part of the deliverable product, part of the deployment context as outside source or both, if redundancy is needed.
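Review bot: REQ-AUTH-2 states the session validity "shall be initially limited to one by by factory default", which leaves the unit of "one" undefined (one hour, one day, one login?) on top of the duplicated "by"; a requirement that cannot be tested without guessing the unit should spell it out, for example "limited to a maximum of one <unit> by factory default". The same line spells "configuarble" and the trailing context line spells "product desing". Separately, the new wording of REQ-AUTH-1 makes MFA conditional on what is "appropriate to the intended and reasonably foreseeable use" without saying who decides or documents that judgement; without a pointer to where the justification lives (the technical documentation, as REQ-AUTH-5 later does for the authorization model), a vendor can read it as permission to skip MFA. The hunk header's 7,7 count is consistent with the old REQ-AUTH-1 being replaced by the qualified one, so the two REQ-AUTH-1 lines appearing together here are the removed and added versions rather than a duplicate.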
@@ -833,20 +833,21 @@ The product can serve traffic that is not meant to be identified.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
In addition, the managed device can have a configuration port, management API, firmware update channel, or debugging access, which are classified as privileged.
-**[REQ-AUTH-3]:** RBAC design shall follow the best practices of the deployment context.
-**[REQ-AUTH-4]:** The RBAC design and application in the product shall be documented.
-**[REQ-AUTH-5]:** All privileged interfaces shall implement RBAC.
-**[REQ-AUTH-6]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
-**[REQ-AUTH-7]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
-**[REQ-AUTH-8]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-9]:** Audit events shall include the source of the identity.
-**[REQ-AUTH-3]:** When a user or system identity has been authenticated, the product shall apply authorization controls based on assigned roles or equivalent access-control attributes.
-**[REQ-AUTH-4]:** The authorization model shall enforce separation of privileges appropriate to the intended and reasonably foreseeable use of the product.
-**[REQ-AUTH-5]:** The technical documentation shall describe the authorization model implemented by the product.
-**[REQ-AUTH-6]:** The product shall implement and document authorization controls, like RBAC, suitable for privileged interfaces and sensitive operations.
-**[REQ-AUTH-7]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
-**[REQ-AUTH-8]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
-**[REQ-AUTH-9]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-10]:** Audit events shall include the source of the identity.
#### Machine users
-**[REQ-AUTH-10]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-11]:** The product shall support machine credential rotation.
-**[REQ-AUTH-12]:** The product shall implement passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-13]:** The served API desing shall support minimal access grants for the machine user if applicable.
-**[REQ-AUTH-11]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-12]:** The product shall support machine credential rotation.
-**[REQ-AUTH-13]:** The product shall implement passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-14]:** The served API desing shall support minimal access grants for the machine user if applicable.
<mark>TODO: define usage of machine credentials better, consider the cli over ssh controlled scenario</mark>
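Review bot: the renumbering in this hunk changes what existing identifiers mean rather than just adding requirements, so every cross-reference elsewhere in the document breaks silently: REQ-AUTH-10 goes from "Audit events shall include the source of the identity" to the ban on default machine credentials, and REQ-AUTH-5 through REQ-AUTH-9 each shift by one. The prose already references requirements by number (see "[REQ-AUTH-0]" in the first hunk), so either keep the old numbers stable and give the new "separation of privileges" requirement a fresh identifier at the end, or check every "[REQ-AUTH-n]" reference in the document as part of this change. Smaller points in the added lines: "desing" in REQ-AUTH-14 is carried over unchanged from the removed REQ-AUTH-13; "authorization" (REQ-AUTH-3, REQ-AUTH-4, REQ-AUTH-5, REQ-AUTH-6) and "authorisation" (REQ-AUTH-9) are mixed within the same hunk; and REQ-AUTH-13 reads as if the machine users are "certificates or tokens", so "passwordless authentication, such as certificates or tokens, for machine users" would be clearer. The `<mark>TODO</mark>` on the last context line is unchanged by this hunk but still ships in the rendered document.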