IAM-14: Strong Authentication

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set and incorporates the following items from the previous version: IAM-02: Credential Lifecycle / Provision Management, IAM-05: Segregation of Duties.

Control Statement

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

Implementation Guidance

All individual, non-console administrative access and remote access to the systems and applications should be secured using multi-factor authentication. Multi-factor authentication should contain a minimum of two of the three authentication methods:

  1. Something you know, such as a password or passphrase.
  2. Something you have, such as a token device, smart card or digital certificate*.
  3. Something you are, such as a biometric.

* Note: A digital certificate is a valid option for “something you have” as long as it is unique to a particular user.
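One way to check an account inventory against the two-of-three rule and the certificate note above. This is an added example, not part of the Cloud Controls Matrix or csf.tools; the record layout, field names, helper names and sample accounts are assumptions made for illustration, and scope is taken from the control statement (privileged users and sensitive data access).

```python
# Added illustration: field names and sample records are constructed assumptions.
from collections import Counter

# Authenticator types mapped to the three factor categories in the guidance.
FACTOR_CATEGORY = {
    "password": "know", "passphrase": "know",
    "token": "have", "smart_card": "have", "certificate": "have",
    "biometric": "are",
}

def factor_categories(account, cert_users):
    """Distinct factor categories the account can present."""
    cats = set()
    for f in account["factors"]:
        kind = f["type"]
        if kind not in FACTOR_CATEGORY:
            continue  # unknown authenticator types earn no credit
        if kind == "certificate" and cert_users[f["fingerprint"]] != 1:
            continue  # shared certificate is not unique to this user
        cats.add(FACTOR_CATEGORY[kind])
    return cats

def audit_mfa(accounts):
    """Return (user, categories) for in-scope accounts below two categories."""
    cert_users = Counter()  # fingerprint -> number of distinct users holding it
    for a in accounts:
        cert_users.update({f["fingerprint"] for f in a["factors"]
                           if f["type"] == "certificate"})
    findings = []
    for a in accounts:
        cats = factor_categories(a, cert_users)
        if (a["privileged"] or a["sensitive_data"]) and len(cats) < 2:
            findings.append((a["user"], sorted(cats)))
    return findings

def acct(user, privileged, sensitive, *factors):  # factors: (type, fingerprint)
    return {"user": user, "privileged": privileged, "sensitive_data": sensitive,
            "factors": [{"type": t, "fingerprint": fp} for t, fp in factors]}

SAMPLE = [  # constructed inventory; fingerprints are placeholders
    acct("alice", True, False, ("password", None), ("token", None)),
    acct("bob", True, False, ("password", None), ("passphrase", None)),
    acct("carol", False, True, ("password", None), ("certificate", "FP-SHARED")),
    acct("dave", True, False, ("certificate", "FP-SHARED"), ("biometric", None)),
    acct("erin", False, False, ("password", None)),
    acct("frank", True, False, ("password", None), ("certificate", "FP-FRANK")),
]

if __name__ == "__main__":
    print(audit_mfa(SAMPLE))
```

Two factors from the same category (bob's password plus passphrase) do not satisfy the rule, and a certificate held by more than one user earns no "something you have" credit for either holder.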

Auditing Guidance

  1. Determine if processes, procedures and technical measures for authenticating access to systems, applications and sensitive data are defined and maintained.
  2. Determine if processes, procedures and technical measures for authenticating access to systems, applications and sensitive data include organization-defined requirements for specific use cases of multifactor authentication, digital certificates and/or alternative security measures.
  3. Determine if processes, procedures and technical measures for authenticating access to systems, applications and sensitive data are implemented and consistently followed in practice.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.