Identity and Access Management on Sinetris's viewpoints

Frameworks

2025-03-17T10:39:53+00:00

2025-03-17T10:39:53+00:002025-03-17T10:39:53Zhttps://sinetris.info/topics/iam/grc/frameworks/#atom

Requirements and Regulations

GDPR: General Data Protection Regulation
BaFin: Bundesanstalt für Finanzdienstleistungsaufsicht

English translation: Federal Financial Supervisory Authority
MaRisk: Mindestanforderungen an das Risikomanagement

English translation: Minimum Requirements for Risk Management
BAIT: Bankaufsichtliche Anforderungen an die IT

English translation: Supervisory Requirements for IT in Financial Institutions
ISO/IEC 27001: Information security management systems - Requirements
ISO/IEC 24760: IT Security and Privacy - A framework for identity management
KRITIS: Kritische Infrastrukturen

English translation: Critical Infrastructures
MiCA: Markets in Crypto-Assets Regulation
DORA: Digital Operational Resilience Act

Good reads and presentations

BAIT: Clearer Guidelines as a Basis for More Effective Implementation

Compliance as Code

2025-03-17T10:45:42+00:00

2025-03-17T10:45:42+00:002025-03-17T10:45:42Zhttps://sinetris.info/topics/iam/grc/compliance-as-code/#atom

Standards

SCAP: Security Content Automation Protocol
OSCAL: Open Security Controls Assessment Language
BPMN: Business Process Model and Notation
DMN: Decision Model and Notation

Guidelines

ComplianceAsCode: The ComplianceAsCode project

Previously known as SCAP Security Guide (SSG)

Tools

OpenSCAP: open source security compliance toolkit

NIST certified for SCAP 1.2
Trestle: Manage compliance as code using NIST’s OSCAL standard
Open Policy Agent (OPA): Declarative Policies

Context-aware, Expressive, Fast, Portable
OPAL: Open Policy Administration Layer

Good reads and presentations

OSCAL Mini Workshop Series

Disaster Recovery

2025-03-17T10:53:28+00:00

2025-03-17T10:53:28+00:002025-03-17T10:53:28Zhttps://sinetris.info/topics/iam/grc/disaster-recovery/#atom

Have a Plan B for disaster recovery

During a disaster recovery you want to be fast to respect your RTO.

It is possible, for example, to restore the operation of a service using snapshots (both volumes and instances).

Restoring snapshots may fail for unforeseen reasons (e.g., you need to restore the service on a different cloud provider), so you should make sure that you can restore from scratch (ability to recreate the service, use database dump, etc.).

Accessibility

2025-03-17T10:43:09+00:00

2025-03-17T10:43:09+00:002025-03-17T10:43:09Zhttps://sinetris.info/topics/iam/grc/accessibility/#atom

Accessibility Directives and Guidelines

European Commission - Web Accessibility: Overview of the European Commission Web Accessibility Directive
- EN 301 549: Accessibility requirements for ICT products and services
WAI: W3C Web Accessibility Initiative
- WCAG: Web Content Accessibility Guidelines
- ARIA: Accessible Rich Internet Applications suite of web standards
- ACT: Accessibility Conformance Testing
- EARL: Evaluation and Report Language
- policies: Web Accessibility Laws & Policies

Access Management

2024-07-15T16:27:00+00:00

2024-07-15T16:27:00+00:002024-07-15T16:27:00Zhttps://sinetris.info/topics/iam/iga/access-management/#atom

Why you need access management

Some important points are:

It allows to properly document granted access history for auditing and security purposes
- Who had access to a specific system, what kind of access, why, at any point in time
- What did they access, when, and why (via integration with SIEM systems)
- When they are doing operations on a system, this allow to check if they are allowed
Monitor drifting between desired state and actual state and what caused it
Keeping track of users accesses allow to better refine them
- Did they had granted more access than needed for their work?
  
  Grant them access based on principle of least privilege

Advices

2023-07-16T18:20:00+00:00

2023-07-16T18:20:00+00:002023-07-16T18:20:00Zhttps://sinetris.info/topics/iam/iga/considerations/#atom

Assets and people

Ensure to have proper Orphan Account Monitoring (for example, people leaving the company) and delegation (for example, people in sick or parental leave) for people assigned to managing assets (Asset Owners, Application Administrators, Infrastructure Administrators, etc). Take into consideration that people might be out of office because in vacation, out sick, at a conference, etc.

Identity Lifecicle Management

2023-07-16T18:20:00+00:00

2023-07-16T18:20:00+00:002023-07-16T18:20:00Zhttps://sinetris.info/topics/iam/iga/identity-lifecicle-management/#atom

HR-Driven Identity Lifecycle

The HR department is the one that knows who is joining, who is leaving, who is moving to another job within the company, who is on vacation, sick leave, parental leave, etc. Their system should expose for each employee at least the name that should be used for them within the company (might be diﬀerent from their legal name, which is only required by HR to sign contracts), the start and end dates (if applicable) of the contract, department, role, line manager, and absences.

Identity Security

2023-07-16T18:20:00+00:00

2023-07-16T18:20:00+00:002023-07-16T18:20:00Zhttps://sinetris.info/topics/iam/iga/identity-security/#atom

Orphan Account Monitoring

It’s important to find missing identity associations or assets assigned to wrong identities (for example off-boarded employees).

Examples:

An account is associated to an asset but is not assigned to any identity
- All accounts should be associated with one (and only one ) identity.
- If the system allow only one account (for example only one admin), access to that account should happen trough a system that keep track of all actions (see PAM and Just-in-time credentials).
- If credentials to the account are shared it will be hard to know who performed an action.
Asset role (for example Owner or Admistrator) assigned to an Identity that left the company
Employee assigned to a line manager that transferred to a different department

Adaptive Authentication

Varying authentication methods based on runtime evaluation of risk factors.