Principle 4 - Assured Identity
Detail
Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals.
Services should support enterprise-wide accountability and the highest achievable levels of non-repudiation by making use of existing assured unique user, device or process identities wherever they are available and may be considered suitably trustworthy, including the consumption of any associated managed access permissions which are appropriate.
Decision Evaluation Criteria:
- Has the service identified what level of assured identity is required for user access?
- Has the service identified what level of assured identity is required for administration and operations access?
- Has the service identified what level of assured identity is required for system processes?
- Are staff trained and aware of their responsibilities not to share credentials?
- Do the architectural design documentation and decisions that determine or describe user, device or process identities in the context of the service provided include analysis and rationale demonstrating that those identities:
  - are trustworthy
  - are as unique as possible in the context of the whole enterprise
  - may be authenticated to a level which is commensurate with the accountability and non-repudiation needs of the service
  - can be reliably associated with access permissions which will effectively support any access control decisions
  - do not needlessly duplicate assured identities or access permissions available via existing providers (even if reliably linked)
Basis
- NIST 32 - Authenticate users & processes to ensure appropriate access control decisions both within and across domains
- NIST 33 - Use unique identities to ensure accountability
- GDS CSP 10 - Identity and Authentication
- OWASP 2 - Detail authentication verification requirements
- OWASP 4 - Detail access control verification requirements