Commit b9df7c11 authored by Santeri Toikka

Added clarity on IdP outside of the deployment context

parent 26edd9d0
+11 −7
@@ -794,7 +794,8 @@ These requirements are generally binding, and there is no low-medium-high tierin


The identity management is an essential piece in the larger puzzle of cybersecurity. A secure product is required to confirm the identity and authority of all users performing an action. If the system fails to identify such actions and authority, or fails to track who executed commands, the system can easily fall into a state of chaos.
The identity management is an essential piece in the larger puzzle of cybersecurity. A secure product is required to confirm the identity and authority of all users performing an action. If the system fails to identify such actions and authority, or fails to track who executed commands, the system can easily fall into a state of chaos.


An identity management system provides for the authentication of each user. It provides the assurance of that an entity has authorization and has provided the correct information to the product to perform a specific action.<a href="#_ref_i.12">[i.12]</a> Only a well maintianed trusted source list can provide functional authentication.
An identity management system provides for the authentication of each user. It provides the assurance of that an entity has authorization and has provided the correct information to the product to perform a specific action.[\[i.12\]](#_ref_i.12)
Only a well maintianed trusted source list can provide functional authentication.


If the source authentication is a company internal directory, the content needs to be up to date and reflect the status of persons granted current access.
If the source authentication is a company internal directory, the content needs to be up to date and reflect the status of persons granted current access.


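Review bot: the spelling error in the sentence that was split onto its own line survives the move: `Only a well maintianed trusted source list can provide functional authentication.` should read `maintained`, and the sentence before it, `It provides the assurance of that an entity has authorization`, should drop `of`. Since the line is being touched anyway, say what the "trusted source list" is (the identity source the product authenticates against, such as the company internal directory the next paragraph refers to); as written the term is not defined anywhere in the section and a reader cannot tell what has to be maintained.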
@@ -804,12 +805,16 @@ These requirements apply to all network management systems, regardless of the pr
- **[REQ-AUTH-1]:** Product shall use multi-factor authentication to confirm the identity of a natural user.
- **[REQ-AUTH-1]:** Product shall use multi-factor authentication to confirm the identity of a natural user.
- **[REQ-AUTH-2]:** Product shall limit a natural user's authorisation validity of a session via a configuarble setting that shall be initially limited to one by by factory default.
- **[REQ-AUTH-2]:** Product shall limit a natural user's authorisation validity of a session via a configuarble setting that shall be initially limited to one by by factory default.


Depending on the product desing, the identity management referred in [REQ-AUTH-0] can be either part of the deliverable product, part of the deployment context as outside source or both, if redundancy is needed.
For forencis needs, is important to include the source of the identity into the authoritative event monitoring data.


**NOTE REQ-AUTH-0: Should clarify that an identity management system can be part of product or part of system
Integration to 3rd. party identiy management systems is preferred due to high likelihood of other integrations that invalidates the users credentials faster, when changes are made due to credential misuse or person leaving the company for example.
**NOTE Authoring may be required here address default issue per comment 166**
If the same system is used to grant the user access roles, for example through group memebership, the implementation needs to be reviewed in the deployment context if it meets the target security requirements.


When the identity of a user is established, the system grants the user access rights based on the users' role.The system can have multiple distinct roles, each are tailored to the users' perceived needs.
When the identity of a user is established, the system grants the user access rights based on the users' role.
There are many possible roles, with examples such as: monitoring data reader, interconnectivity administrator, or administrator. If the product's deployment context calls for an all-powerful superuser, this can be accomplished either with a single role with numerous responsibiltiies or by aggregating many available roles to that single user.
The system can have multiple distinct roles, each are tailored to the users' perceived needs.
There are many possible roles, with examples such as: monitoring data reader, interconnectivity administrator, or administrator.
If the product's deployment context calls for an all-powerful superuser, this can be accomplished either with a single role with numerous responsibiltiies or by aggregating many available roles to that single user.
In many systems identity information includes a group assignment matched to a role inside the system.
In many systems identity information includes a group assignment matched to a role inside the system.


Role Based Access Control design and depth is outside of the scope of this standard, but the product must use some form of RBAC.
Role Based Access Control design and depth is outside of the scope of this standard, but the product must use some form of RBAC.
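Review bot: removing `**NOTE Authoring may be required here address default issue per comment 166**` drops the reminder without resolving it, because REQ-AUTH-2 still reads `shall be initially limited to one by by factory default` with a doubled `by` and no unit (one hour, one day, one session?); either fix the requirement in this commit or keep the note. The new paragraph also needs a pass for spelling: `desing`, `For forencis needs, is important` (should be `For forensics needs, it is important`), `identiy`, `memebership`, and `configuarble`/`responsibiltiies` in the lines it sits next to. Two content points on the new text: the `both, if redundancy is needed` case should state that any local accounts kept alongside the external identity source remain subject to REQ-AUTH-1, otherwise the fallback becomes a non-MFA path into the product; and `high likelihood of other integrations that invalidates the users credentials faster` is hard to parse, suggest `because a third-party identity management system is typically integrated with other systems as well, so revoking a user there (credential misuse, a person leaving the company) takes effect everywhere at once`.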
@@ -824,11 +829,10 @@ In addition, the managed device can have a configuration port, management API, f
- **[REQ-AUTH-5]:** All privileged interfaces shall implement RBAC.
- **[REQ-AUTH-5]:** All privileged interfaces shall implement RBAC.
- **[REQ-AUTH-6]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
- **[REQ-AUTH-6]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
- **[REQ-AUTH-7]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
- **[REQ-AUTH-7]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
- **[REQ-AUTH-8]:** Audit events shall include the source of the identity if multiple sources are used.


<mark>TODO: define usage of machine credentials better, consider the cli over ssh controlled scenario</mark>
<mark>TODO: define usage of machine credentials better, consider the cli over ssh controlled scenario</mark>


<mark>TODO: evaluate if a large enterprise needs to have 3rd. party IdP as an integrateable option</mark>

### 5.2.7 Remote Data Processing Systems
### 5.2.7 Remote Data Processing Systems


<mark>AMS: August and Daniel are working on this. Skip for now.</mark>
<mark>AMS: August and Daniel are working on this. Skip for now.</mark>
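Review bot: REQ-AUTH-8 is conditioned on `if multiple sources are used`, which makes it untestable at product level and leaves audit records ambiguous when a second identity source is added after deployment; given the forensics sentence introduced in the previous hunk, require the source of the identity in audit events unconditionally (`Audit events shall include the source of the identity.`). Dropping the TODO about a third-party IdP as an integratable option is consistent with the new sentence stating that such integration is preferred, but the remaining TODO on machine credentials is now the only open item covering the `services, or integrated components` named in REQ-AUTH-6, so consider pointing it at the new identity-source paragraph so both are resolved together.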