ISO/IEC 27001 Control 8.9: Configuration management

Control

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint is an essential component for security configuration management.

Implementation Details

MidPoint contains user information that is continually synchronized and kept up to date, and it provisions this information to applications. Moreover, midPoint can detect unauthorized changes in application user and access databases, such as orphaned or unexpected accounts. MidPoint can detect accounts that are not linked to any physical person, application or service; these are likely misconfigurations or configuration leftovers, and they pose unnecessary risk. Such accounts can be handled automatically using synchronization reactions in a detective or reactive fashion, e.g. by reporting them or by automatically disabling them. Account re-activation can be detected and corrected, for example re-activation of accounts belonging to former employees. Similarly, midPoint can detect unused accounts. These mechanisms are especially useful when dealing with non-human identities, such as technical and service accounts used by applications and services.

MidPoint can use mappings to correct inconsistent data in user profiles, such as fraudulent changes to user titles, work positions, descriptions and similar user profile data. Authorizations can be used inside midPoint to make sure access control policies are changed only by authorized users. Role-based access control (RBAC) can be used to manage roles and responsibilities for configuration management, as suggested by the control. MidPoint can be used to report on and minimize privileged access in applications. Application inventory functionality can store application ownership and responsibility information, making sure that every application has an active owner. This information can be used in processes, e.g. approval of access by the application owner. All changes to access control policies, user data, synchronization configurations and actions are recorded in the midPoint audit trail.

Implementation Notes

  • While the activity of regular user accounts is usually monitored by an access management (AM) system, monitoring of service account usage may need a different approach. Service accounts may not use AM mechanisms, as they may use certificate-based or public-key-based authentication. Direct access by service accounts with hardcoded passwords is unfortunately still quite common as well. Therefore, an AM system may not be able to capture service account access patterns, as the access may circumvent AM systems entirely. Last login timestamps may be the only practical clue to service account activity, and these can be processed and analyzed by midPoint.
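The detection logic described in the implementation details and the note above (orphaned accounts, re-enabled accounts of former owners, and unused accounts judged only by last-login timestamps), as an added illustration in Python. This is not midPoint code; the account records, the 90-day dormancy threshold and the report/disable policy are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample records (not midPoint data): what a reconciliation pass
# would see for each account in an application, plus the linked owner's status.
@dataclass
class Account:
    name: str
    owner: Optional[str]        # linked person, application or service; None = orphaned
    owner_active: bool          # False once the owner has left or been retired
    enabled: bool
    last_login: Optional[datetime]
    kind: str                   # "user" or "service"

# Assumed policy per finding: "report" is the detective reaction, "disable" the reactive one.
REACTIONS = {"orphaned": "disable", "reactivated": "disable", "unused": "report"}

def classify(acct: Account, now: datetime, dormant_after=timedelta(days=90)) -> list:
    """Return the configuration problems found for one account (empty list if none)."""
    findings = []
    if acct.owner is None:
        findings.append("orphaned")      # not linked to any person, app or service
    elif acct.enabled and not acct.owner_active:
        findings.append("reactivated")   # live account whose owner is gone
    # Service accounts often bypass the AM system, so last login is the only usage clue.
    if acct.enabled and (acct.last_login is None or now - acct.last_login > dormant_after):
        findings.append("unused")
    return findings

def plan(accounts: list, now: datetime) -> dict:
    """Map each problematic account to the sorted set of actions the policy selects."""
    actions = {}
    for acct in accounts:
        taken = sorted({REACTIONS[f] for f in classify(acct, now)})
        if taken:
            actions[acct.name] = taken
    return actions

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed
    Account("alice", "alice", True, True, NOW - timedelta(days=2), "user"),
    Account("bob", "bob", False, True, NOW - timedelta(days=10), "user"),         # former employee, re-enabled
    Account("svc-backup", "backup-app", True, True, NOW - timedelta(days=200), "service"),
    Account("tmp-migrate", None, False, True, None, "service"),                   # leftover, no owner
]

if __name__ == "__main__":
    for name, acts in plan(SAMPLE, NOW).items():
        print(name, acts)
```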

Rationale

User database and access control policies are essential parts of security configuration. As the primary purpose of midPoint is management of identities, user databases and access control policies, it is an essential component for cybersecurity-related configuration management. Moreover, midPoint has numerous detection, management and reporting capabilities that significantly contribute to configuration management.
