ENISA Indispensable baseline security requirements for the procurement of secure ICT products and services
Work in progress!
ENISA Indispensable baseline security requirements for the procurement of secure ICT products and services is a practical, technology-neutral document with clear, simple and sector-agnostic minimum indispensable requirements for secure ICT products and services. Any ICT product or service that fails to comply with one or more of the minimum security requirements should be considered insecure, and therefore should not be purchased or put into operation on the European digital single market. The document focuses on a few indispensable conditions, commonly agreed among experts and based on standards and best practices.
The ENISA baseline requirements are based on generally accepted principles for secure software development, such as secure by design, secure by default and least privilege.
MidPoint Compliance
MidPoint is fully compliant with the ENISA indispensable baseline security requirements for the procurement of secure ICT products and services. The following sections explain this compliance and describe the specific mechanisms.
Security by Design
MidPoint is a leading identity governance and administration (IGA) platform. As such, midPoint is a foundation stone of cybersecurity practice in almost every organization, and it therefore underpins the cybersecurity mechanisms of other applications, systems and services.
Naturally, midPoint itself has been designed with security in mind from the very beginning. The midPoint architecture divides the system into subsystems and components with clearly defined responsibilities, and this architecture is reflected in the midPoint source code.
The following features demonstrate adherence to the security by design principle:
- Flexible authentication mechanism can be used to set up complex authentication schemes for access to midPoint, including multi-factor authentication. Its primary purpose, however, is to set up authentication schemes for special situations, such as registration and password reset scenarios.
- Authorization mechanism can be used to control access to data and functionality at a very fine-grained level, using authorization statements that are naturally integrated with the role-based access control (RBAC) framework. The authorization framework also supports delegated administration scenarios, allowing implementation of the least privilege principle.
- Role-based access control (RBAC) framework is deeply integrated into the very fabric of midPoint code and data structures; it has formed the foundation of midPoint code from the very beginning. RBAC and its principles support many midPoint functionalities, including advanced features.
- Policy rules can be used to enforce high-level governance policies over midPoint data and over lower-level policies (such as RBAC), for example policies for segregation of duties or information classification.
- Expression profiles can be used to limit the flexibility of expression languages, restricting them to secure operations.
- Auditing mechanisms record all operations in midPoint, including all actions of midPoint administrators and all configuration changes. Audit trail data are stored in an open, structured and documented format, available for integration with other systems (such as a SIEM). Historical and provenance information is also recorded in metadata.
While midPoint is a comprehensive and very flexible platform, individual features can be activated or deactivated using the authorization mechanism, reducing the functionality to the necessary minimum.
MidPoint does not contain any malware, spyware, hidden functionality, undocumented backdoors or any other unapproved or unwanted functionality such as unauthorized data forwarding.
Least Privilege
The least privilege principle is at the very core of midPoint, both internally, as an application, and externally, as an identity governance and administration (IGA) platform.
The authorization mechanism can be used to control access to data and functionality at a very fine-grained level, which allows users to be granted access to only the minimal set of data and functionality they need. Authorization statements are naturally integrated with the role-based access control (RBAC) framework, allowing the design of roles that precisely match the responsibilities of every user. The authorization framework, together with RBAC, supports delegated administration scenarios. Dynamic, policy-based RBAC automatically assigns and unassigns roles based on the user's organizational assignment, attributes, responsibilities and other characteristics, automatically reducing user privileges when they are no longer needed.
The access certification mechanism can be used to systematically review user privileges, reducing them as necessary.
The midPoint administration user interface can be used to manage user accounts, as well as roles and privileges. The same functionality is also provided by the RESTful application programming interface (API), and it includes management of technical and service accounts. MidPoint provides password management features with support for password policies.
Strong Authentication
The flexible authentication mechanism can be used to set up complex authentication schemes for access to midPoint, including multi-factor authentication. As the name suggests, authentication schemes can be flexibly adjusted for various scenarios to fit the specific needs of each individual organization.
The privileges of every individual user, including service accounts, can be controlled using the authorization mechanism. As long as service accounts are not explicitly authorized to access the user interface, they are not allowed interactive log-on.
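The two points above, fine-grained authorizations in the Least Privilege section and service accounts without user-interface access in this section, illustrated with two midPoint roles in one import file. This is an added example, not configuration from the page or from the midPoint project. The role names, the OIDs and the restricted item list are constructed; the `authorization-model-3#read` and `#modify` actions with `object`/`type` and `item` selectors follow the documented midPoint authorization schema, while the `authorization-ui-3#usersAll` and `authorization-rest-3#all` action URIs are given as I recall them from midPoint documentation and should be verified against the deployed version.

```xml
<!-- Added example: two least-privilege roles. All names and OIDs are constructed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Role 1: a helpdesk operator who may see only a handful of user properties
         and reset nothing else. Because the authorization lists explicit items,
         everything not listed (credentials, assignments, extension data) stays invisible. -->
    <role oid="11111111-2222-3333-4444-555555555511">
        <name>Helpdesk Operator</name>
        <authorization>
            <name>read-basic-user-data</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
            <object>
                <type>UserType</type>
            </object>
            <item>name</item>
            <item>fullName</item>
            <item>emailAddress</item>
            <item>activation/administrativeStatus</item>
        </authorization>
        <authorization>
            <name>enable-disable-users</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
            <object>
                <type>UserType</type>
            </object>
            <!-- Modification is limited to one item: the operator can enable or disable
                 an account but cannot change anything else, including passwords. -->
            <item>activation/administrativeStatus</item>
        </authorization>
        <!-- Interactive access: without a GUI authorization the operator could not log
             in to the administration user interface at all (URI as recalled; verify). -->
        <authorization>
            <name>gui-users</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
        </authorization>
    </role>

    <!-- Role 2: a service account used by an external system over REST.
         It has data authorizations and a REST authorization, but deliberately
         no authorization-ui-3 action, so interactive log-on is not permitted. -->
    <role oid="11111111-2222-3333-4444-555555555512">
        <name>HR Feed Service</name>
        <authorization>
            <name>rest-access</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all</action>
        </authorization>
        <authorization>
            <name>read-user-identifiers</name>
            <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
            <object>
                <type>UserType</type>
            </object>
            <item>name</item>
            <item>employeeNumber</item>
        </authorization>
    </role>

</objects>
```

Assigning the second role to a technical user gives that user exactly the REST operations and the two user properties it needs; the absence of any `authorization-ui-3` action is what keeps the account out of the interactive user interface, which matches the behaviour described above.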
Asset Protection
The authorization mechanism is used to control access to data stored in the midPoint repository at a very fine-grained level. Authorizations are enforced independently at several levels, bound to the midPoint architecture and component structure.
Passwords are stored in midPoint only in hashed or encrypted form. A unique cryptographic key is generated for every deployment at the first start of the system and stored in a local Java keystore. Standard cryptographic libraries and algorithms of the Java platform are used for cryptographic operations.
Supply Chain Security
MidPoint is distributed from the Evolveum web site, protected by the standard HTTPS mechanism, which provides transfer protection as well as assurance of origin.
MidPoint distribution files are signed using the standard Java platform method (JAR signing). The authenticity of the files is checked at system start.
Moreover, the complete source code of midPoint is publicly available, published on a reputable platform (GitHub), which allows independent checks of the code as well as of the build artifacts.
Documentation Transparency
Complete documentation of midPoint is publicly accessible on docs.evolveum.com, the Evolveum documentation site. This includes installation documentation, reference documentation, architectural documentation, developer documentation and even a publicly accessible book about the use of midPoint.
The documentation is updated for each release of midPoint. The source code of the midPoint documentation is available too, providing access to the full documentation change history.
Moreover, the complete source code of midPoint is publicly available under an open source license, allowing unlimited access to knowledge about the internal workings of midPoint.
Quality Management
The security of midPoint code is regularly monitored, including monitoring of security vulnerabilities in midPoint dependencies (libraries and components used by midPoint). This process is partially automated. Regular upgrades and updates of dependencies are a native part of the midPoint development process. MidPoint has a well-established development and support mechanism, including a public roadmap and a predictable release schedule with matching support programs. Security advisories are published whenever a security issue is discovered, and a new maintenance version of midPoint is released when necessary.
A dedicated security guide is publicly available, describing the security properties of midPoint. MidPoint has been the subject of several penetration tests and security scans, the results of which were incorporated into midPoint development. MidPoint was part of the European Union Free and Open Source Software Auditing (EU-FOSSA2) project.
Service Continuity
MidPoint has a well-established development and support mechanism, including a public roadmap and a predictable release schedule with matching support programs. The support lifetime of each release is clearly stated. Maintenance versions are released as necessary, especially in reaction to security issues. Fixes for security issues are prioritized and are immediately made available to all midPoint users regardless of their support program. Responsible disclosure practices are documented in the midPoint security guide.
EU Jurisdiction
MidPoint is developed entirely in the European Union. MidPoint development, distribution, support and all related activities are fully governed by EU law.
Data Usage Restriction
MidPoint is an on-premise software product. All data stored in midPoint remain within the system unless midPoint is explicitly configured by the operator to do otherwise. MidPoint does not collect or forward any data, except through channels explicitly configured by the operator.
Applicability
This description applies to midPoint 4.9 and later versions.