ISO/IEC 27001 Control 5.15: Access control
Control
Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint's role-based access control mechanism, and especially its policy-driven RBAC, can be used as a solid framework for a topic-specific policy on access control.
Implementation Details
The policy-driven role-based access control mechanism (PD-RBAC) implemented by midPoint is an essential mechanism for establishing a comprehensive, dynamic and practical access control framework. Roles can be assigned to users automatically (based on rules), manually, or by using an access request process. There may be several types (archetypes) of roles, such as application roles, business roles and technical roles. They can be composed into an RBAC hierarchy, including (inducing) the privileges of lower-level roles in higher-level roles.

Roles determine entitlements, which are used to enforce access control rules at a fine level. The entitlement concept can be used to model system-specific privileges, groups or other access control means, which can be automatically controlled by midPoint. The role wizard can be used by owners of information to set up appropriate roles for controlling access to that information. The concept of application can be used to specify application-specific access control rules and policies. Roles, entitlements, applications and resources are the key concepts of the access control model, and together they form very powerful and flexible access control structures.

Organizational structures can be directly used for access control as well, including (inducing) the access required by an organizational unit directly in the organizational unit definition. Policy rules can be used to set up additional access control policies, as well as constraints on the access control model (such as exclusion or requirement constraints). The information classification mechanism can also contribute to access control by setting additional rules and parameters. For special cases requiring complex and flexible configurations, parametric roles and meta-roles can be used. The segregation of duties (SoD) mechanism, as well as other policy rules, can be an integral part of the access control policy, observing applicable legislation and contractual obligations.

SoD mechanisms provide the "segregation of access control functions" required by the control. The access request process with appropriate approvals can be used to grant access in a controlled manner, and the certification mechanism can be used to review that access. Generic synchronization can be used to automatically create application roles from resource entitlements (e.g. Active Directory groups). Alternatively, resource entitlements (e.g. groups) can be automatically created for application roles. Changes in the access control policy are recorded in the audit trail.
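The following is an added illustration, not taken from the midPoint documentation, of the RBAC hierarchy and SoD constraint described above: a business role that induces an application role (which in turn induces an account on a resource), together with an exclusion policy rule that prevents the business role from being held alongside a conflicting one. All OIDs and role names are constructed placeholders.

```xml
<!-- Added illustration, not from the midPoint documentation.
     All OIDs and names below are constructed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Application role: induces an account on the ERP resource.
         The group/entitlement association is omitted for brevity. -->
    <role oid="aaaaaaaa-0000-0000-0000-000000000001">
        <name>App Role: ERP Purchase Requester</name>
        <inducement>
            <construction>
                <resourceRef oid="bbbbbbbb-0000-0000-0000-000000000001" type="ResourceType"/>
                <kind>account</kind>
            </construction>
        </inducement>
    </role>

    <!-- Business role: one level up in the RBAC hierarchy. A user assigned
         this role is induced the application role above, and through it
         the ERP account. -->
    <role oid="aaaaaaaa-0000-0000-0000-000000000002">
        <name>Business Role: Purchasing Clerk</name>
        <inducement>
            <targetRef oid="aaaaaaaa-0000-0000-0000-000000000001" type="RoleType"/>
        </inducement>

        <!-- Segregation of duties: a policy rule placed in the role's own
             assignment is evaluated whenever the role is assigned to a user.
             The exclusion constraint is violated if that user also holds the
             "Purchase Approver" role (placeholder OID, defined elsewhere).
             <enforcement/> makes midPoint reject the conflicting assignment
             rather than merely recording the violation. -->
        <assignment>
            <policyRule>
                <name>SoD: purchasing clerk excludes purchase approver</name>
                <policyConstraints>
                    <exclusion>
                        <targetRef oid="aaaaaaaa-0000-0000-0000-000000000003" type="RoleType"/>
                    </exclusion>
                </policyConstraints>
                <policyActions>
                    <enforcement/>
                </policyActions>
            </policyRule>
        </assignment>
    </role>

</objects>
```

Importing the file and then assigning both the clerk and approver roles to one test user is the quickest way to confirm the exclusion is enforced; the rejected operation also appears in the audit trail.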
Implementation Notes
- This is an "umbrella" control, setting general access control requirements and referencing numerous other controls to fill in the details. Implementation details are provided in the descriptions of the referenced controls. See the list of related controls for more information.
- Access control rules can be applied both to human users and to non-human identities. Applying access control to non-human identities is essential for establishing a full-scale "zero trust" approach.
- The control description mentions "roles" and RBAC as a suggested access control mechanism. It also mentions elements of dynamic access control, which is represented in midPoint by the policy-driven RBAC concept.
- The control description asks for consistency between access rights and classification (controls 5.12, 5.13), which midPoint provides by employing policy rules in classifications.
- The role wizard, together with delegated administration capabilities, can be an essential tool for delegating the definition of role-based policies to business users. MidPoint's ability to pre-define policies (a.k.a. "applicable policies") can be used to pre-package policy elements for business people to attach to the roles they prepare.
- The simulation capability is a powerful tool for predicting the effect of changes in the access control policy, avoiding costly and dangerous disasters.
- Access request and certification functionality is primarily related to control 5.18 (Access rights).
Rationale
The main functionality of midPoint focuses on access control; this is the crucial problem domain that midPoint addresses. Without midPoint or an equivalent platform, it may be nearly impossible for organizations to comply with this control at scale. MidPoint can be the "one tool" needed to correctly manage the access control policy from one place, and it can provide proof regarding both the access control policy and the implemented reality.
Documentation
Version | Title | Description |
---|---|---|
4.9 | MidPoint Organizational Structure Introduction | Use of organizational structure as an access control mechanism. |
4.9 | Entitlements and Associations | Use of entitlements for access control. |
4.9 | MidPoint Role-Based Access Control Mechanism | Use of role-based access control (RBAC) as an access control mechanism. |
4.9 | Roles, Metaroles and Generic Synchronization | Use of meta-roles for access control. |
4.9 | Information Classification and Clearances | Setting up additional policies for access control, based on classifications. |
4.9 | Policy-Driven Role-Based Access Control | Policy-driven RBAC as an access control mechanism that is based on roles and includes dynamic policy elements. |
4.9 | Policy Rules | Use of policy rules to set up rules and constraints for the access control model. |
Development | MidPoint Organizational Structure Introduction | Use of organizational structure as an access control mechanism. |
Development | Entitlements and Associations | Use of entitlements for access control. |
Development | MidPoint Role-Based Access Control Mechanism | Use of role-based access control (RBAC) as an access control mechanism. |
Development | Roles, Metaroles and Generic Synchronization | Use of meta-roles for access control. |
Development | Information Classification and Clearances | Setting up additional policies for access control, based on classifications. |
Development | Policy-Driven Role-Based Access Control | Policy-driven RBAC as an access control mechanism that is based on roles and includes dynamic policy elements. |
Development | Policy Rules | Use of policy rules to set up rules and constraints for the access control model. |
4.8 | Policy-Driven Role-Based Access Control | Policy-driven RBAC as an access control mechanism that is based on roles and includes dynamic policy elements. |
Related Features
- Information classification (planned)
- Policy (concept) (planned)
Related Controls
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 5.2: Information security roles and responsibilities
- ISO/IEC 27001 8.27: Secure system architecture and engineering principles
- ISO/IEC 27001 8.31: Separation of development, test and production environments
- ISO/IEC 27001 8.34: Protection of information systems during audit testing