Compliance Design Notes

Archetypes

Underassigned: Pre-defined mark for "understaffed", "staff shortage" or "vacancies", such as no manager for project, less than two members of critical team, etc. Can be used in pre-configured dashboard. (ISO 27001 5.2, 5.8, 8.6) ✓

Understaffed security: Pre-defined mark for staff shortage in security-related role or organization. Can be used in pre-configured dashboard. As opposed to regular Underassigned mark, this can be used in dashboards with higher severity, as security-related shortage is likely to pose high risk. (ISO 27001 5.2) ✓ (TODO: document)

Information security classification to mark all roles, apps and services that are related to information security. For roles and orgs there will be default minAssignee policy rule for Understaffed security mark. For orgs, we will need an "understaffing" rule for manager as well. Maybe we can add rule for additional approval of role assignment by the security office? At least document such scenario in docs. (ISO 27001 5.2)

Compliance dashboard ✓ (TODO: document)

Compliance reports

Pre-defined applicable policies:

minAssignee policy rule for owner in Business role archetype?

Default policy rule for roles checking whether role/app has an owner. TODO: which mark to use? Understaffed does not seem appropriate. Maybe Neglacted or Unowned?

Environment (devel/test/prod) demarcation for ServiceType (mostly applications). "displaying appropriate environment identification labels in menus to reduce the risk of error" [ISO27001 8.31]

Review database permissions. Can we make audit trail insert-only? (ISO27001 5.28)

Pre-define certification (campaigns and micro) for privileged access rights.

Object mark "suspicious", can be used to mark objects for later investigation. (ISO27001 5.27, 5.28, 5.29)

Create Teams top-level org and archetype? Pre-configure Cybersecurity team, as a target for some default rule. E.g. "Approval by security team" applicable policy, policy rule in Privileged classification (at least in example)?

Relations for read, write, admin. For fine-grain access control.

Extend application/asset schema. It should include: (ISO 27001 5.9,8.8)

Classification for Emergency access? Similar to privileged access.

Classify security-relevant roles "Information security responsibility" ✓

Marks

Password management

(!!!) Error messages and overall presentation of policy rule violations. Current error message looks like:

Classification Improvements (ISO 27001 5.13, 5.8, 8.2)

Policy rules

Marks

GUI

midScribe documentation (ISO27001 5.31)

Negative assignment ("exception from rule") (ISO27001 6.4)

Approval improvements

Notifications

Acceptable use (ISO 27001 5.10, 8.2)

Certifications

Lifecycle state model

Making sure that certain requirements are fulfilled before assignment is assigned or activated. (ISO 27001 5.12, 5.13, 5.14, 5.20)

Make sure we can read and use last login from the resources (e.g. report unused accounts/users)

Make sure we can read number of failed login attempts from the resources (CZ NIS 2)

Sync mechanism or mapping that is summarizing (adding up) values from projections, e.g. total number of failed login attempts across all accounts.

Application inventory / assets

Shared accounts (ISO 27001 5.16 (b))

Risk model

Support for passkeys and other non-password credentials? (ISO 27001 5.17) (ISO 24760)

Step-up authentication and/or re-authentication in midPoint GUI. E.g. allow user to access end-user GUI with just a password. Require second factor (or re-entry of password) when entering administration zone. Clear indication in the GUI that we have administration privileges now. (ISO27001 8.2, 8.5)

"Comparative" mappings: mappings that can detect and report that a value was changed on resource. They do not necessarily change the value. This can be used for preparing midPoint deployment, assessing the changes that midPoint would do (note: this can be partially provided by similations). It may be used to detect and report policy violations (on ongoing basis). It may be used to detect local changes by system administrator. (ISO 27001 8.9)

Risk control related to external identities (social login) (ISO 27001 5.16, 5.19, 5.17)

Alerting: ability to send alerts (high-priority notifications) to users, and also to other systems (SIEM, threat detection): a.k.a. "risk signals" - use Shared Signals? Extend notification for user alerting? (ISO 27001 8.5)

Improve instructions on initial password delivery and self-service password reset

Flexible auth: limit connection times, e.g. allow login only during work hours.

Resource wizard improvements to warn about incomplete and insecure resource configurations. E.g. weak password for admin account, not using TLS, etc. We probably need support for that in the connector? The connector may do more, such as check if directory is world-readable, whether admin account is used directly, check whether administrator passwords were changed (are not factory-default), etc. (ISO 27001 8.9)

requestable should not be a flag, it should be a classification. If we do that, we can set up a policy for it, e.g. each requestable role must have an approver. We might be able to do that with a global policy rule for now.

Addition to focusType in inducement: focusArchetype to limit application of inducement to certain archetypes, e.g. applications.

Initial configuration wizard, executed at first login of administrator after installation.

Mark reference to compliance frameworks (e.g. ISO or NIS2) in midPoint objects (e.g. reports). Could be used by GUI to display "This is part of NIS2 compliance". Also mark references to legislation/regulations in custom objects (e.g. classification levels). Use for searching, demonstrating which mechanisms are used for compliance. (ISO27001 5.31)

Mark reference to business processes or capabilities ("business reference"?). This could be used to list all configurations that relate to a particular process, e.g. when that process is reviewed or audited. Can the "business process" be modeled as service, using assignments as references? How does it relate to midScribe? (ISO27001 5.31)

Compliance checklist: dashboard-like page, that checks for presence of configuration for individual compliance frameworks. (ISO27001 5.31) E.g. it can check for:

Self-certification. User has to certify its own assignments. User has to confirm that he still needs the privilege. Maybe as a "zero" stage of regular certification?

Emergency mode (see Incident response in notes below). (ISO27001 5.24, 5.29)

Temporary retention of privileges: temporarily keep user privileges (assignments) after organizational change. E.g. temporarily keep assignment to old organizational unit, to make sure all inducements are applied. Motivation: a person may still need to help with his old responsibilities after re-org. (ISO27001 6.5)

Per-role notification: we want to send notification to selected group of users when this role is assigned/unassigned. E.g. we want to notify all partners that we have new salesperson. Even more importantly, we want to notify partners when a salesperson leaves. (ISO27001 6.5)

Device management

Break-glass privileges: allow selected users to gain privileges by "breaking glass", an action in GUI initiated by the user. After "breaking glass", emergency privileges are assigned to the user for a limited duration. The "break glass" operation is recorded in the audit trail, metadata, and alarm is raised → priority notifications are issued to relevant "overseers" (e.g. security team). We usually do not want any complicated authentication for the "break glass" operation, we want to it be simple, easy to operate under stress or in panic (availability takes priority over confidentiality/consistency).

On-demand privileges (just-in-time privileges): allow selected users to gain privileges by "activating" them in midPoint GUI. Activation of the privileges may require additional authentication of the user, e.g. use of additional authentication factor. Activation of the privileges assigns the privileges to user for a limited period of time.

Track login and logout times, to determine duration of access. Can be used to estimate effort spent in systems. E.g. to detect under-maintained operating systems and apps.

Analyze/record usage frequency for accounts? E.g. used every day, once per week, once per year …​

Detect account usage anomalies by watching last login time. E.g. log-on at night.

Analyze history/frequency of failed login attempts, to detect password-based attacks. Look at all failed login timestamps together, e.g. to detect password spraying attacks.

Analyze password change history/frequency - can we determine anything interesting from that?

Risk management

Certification hint: show that the assignment is giving an account that was not used for a long time. Could show usage frequency as well.

How to "regularly review" service accounts? How to "verify configuration settings, evaluate password strengths and assess activities performed"? Can we use certifications? We should detect unused accounts. (ISO 27001 8.9)

Recording results of deletion, i.e. proof that information was deleted - in metadata? "recording the results of deletion as evidence". We cannot use audit, as audit has limited lifetime, and the deleted information is stored there. We want proof/record that something was deleted without revealing its value. (ISO 27001 5.34, 8.10)

Support for data masking: anonymisation/pseudonymization. E.g. export of data to test/devel environment where names and personal numbers are "masked", replaced with fake values. The idea is that developers/testers may test on data with real volume and structure (e.g. group memberships), without revealing user personal data. Maybe have "masking personas" that contain fake data, so the fake names can be consistent across testing systems? NOTE: This may be much harder than it seems. (ISO 27001 8.11, 8.31, 8.33)

Data leakage detection: detect that someone else than midPoint stored sensitive data in user profiles. E.g. look for identifiers (SSN, national ID) or data (date of birth, age, gender) in user profiles. (ISO 27001 8.12)

Mark data items (schema) that contain sensitive information. Maybe store sensitivity of information in the metadata as well. This could be used by policy rules, e.g. to prevent mapping from leaking sensitive data to low-classification application. This could be used by erasure process of lifecycle, to automatically erase all sensitive information when user gets to archived state. (ISO 27001 5.12, 5.13, 8.12)

Restore of target system data from midPoint cache: use cached information to restore data of a broken target system after a failure. (ISO 27001 8.13)

Explore use of Shared Signals for alerting and integration. (ISO 27001 8.16)

Which passwords of service accounts do we need to change when an admin leaves? Which passwords he created or had access to? (ISO27001 8.20, 8.21)

Conditional roles for SoD: some assignments/inducements can be deactivated (using condition) when a conflicting role is assigned. (ISO27001 5.3)

Application inventory and physical world: Physical server should have the highest classification among all the applications/assets that run on it. How can we model this in midPoint (ISO 27001 5.9)

Certification: show history (audit trail) since the last certification

Reference IAM architecture, how midPoint fits in, how it should be used. (ISO 27001 8.27)

How applications should be integrated with midPoint (or other IGA platform), manual for application developers. APIs, use of connectors, etc. (ISO 27001 8.26, 8.27, 8.28, 8.29)

Application roles must have inducement to application. Do we have this documented? Is it documented well? Emphasized enough?

Audit: appropriate settings for audit log retention. Safe storage of audit trail, ensure non-tampering. Also: safe archival of audit trail. (ISO27001 5.28)

Log collection: use log server to centrally collect the logs (ISO27001 5.28)

Conduct controlled (manually initiated) full synchronization of all systems after an incident. Purpose: make sure there are no extra accounts or privileges, either created by an attacker, or leftovers from incident response. (ISO27001 5.24, 5.27, 5.28, 5.29)

Mark privileged access (ISO27001 8.2)

Avoid use of shared accounts (root) at all costs (ISO27001 5.16, 5.17, 8.2)

Use of entitlements for granting privileged access (e.g. ability to sudo) instead of giving access to privileged accounts (root). (ISO27001 8.2)

Certify all requested and manually assigned access. Combine micro-cert and campaigns. Set up micro-cert for privileged access on org change (can this be a default config?). (ISO27001 8.2)

Use personas for administrators, set a stronger password policy for admin personas. Use special intent and naming convention for admin accounts. (ISO27001 8.2)

Use password sync, make the password same on all resources - contrary to (ISO 27001 5.17 (D)). Explain why this makes sense intra-organization. Use admin personas to have different password for administration tasks.

Approve addition of privileged access (inducement) to active role. Approval by "Security team?"

Dedicated directories (LDAP/AD) for privileged users, e.g. to use for UNIX/SSH auth, RDP, VPN, etc. Requiring stronger passwords and MFA. Limiting access to directory by non-privileged users (less information for attacker).

User inducements in business roles and (especially) orgs to build up policy. Do not use autoassignments.

Deliver "welcome" message for new users, including information about policies and acceptable use. Deliver especially to external e-mail addresses (suppliers, contractors). (ISO 27001 5.10, 5.19)

Deliver "acceptable use" statement to user when account is created on a system (notifications). (ISO 27001 5.10)

Special approval of role by security officer (5.2)

Enforce owner for each asset (application) (5.2)

Report security roles and their assignments (5.2)

Use of personas for administrators. Use special intent and naming convention for admin accounts. (Add to "Managing privileged access" example?) (ISO27001 8.2)

Management of service accounts for applications, link them to applications, use application inventory. Quickly disable the accounts on incident/malware to isolate the application. Supports "zero trust" concept. (ISO27001 8.7)

Classifications based on TLP protocol (ISO27001 5.12, 5.13)

SANS classification scheme (ISO27001 5.12, 5.13)

Concrete and complete examples on password management, including initial password delivery and self-service password reset (ISO27001 5.17)

Personas or separate accounts for testing (ISO27001 8.4)

Prohibit direct access of suppliers to sensitive systems. Suppliers do not have managed devices, we have to assume they are not secure. We do not want to grant them VPN access. We will only allow SSH/RDP access. Use classification/clearances for this (in reverse), e.g. do not allow VPN access for anyone who is allowed to use non-managed device (which is in fact SoD).

All policies (ISO 27001 5.1)

All policy violations (ISO 27001 5.1)

All special cases (approved exceptions from policy rules) (ISO 27001 5.1?, 5.2)

Report security roles and their assignments (5.2)

Report all security roles that are not properly staffed (5.2) ✓

SoD policies: all roles with SoD exclusions. All SoD policy rules. Nice to have: all roles that are subject to SoD policy rules (even indirectly). (ISO 27001 5.3)

SoD violations (ISO 27001 5.3)

SoD exceptions (approved violations) (ISO 27001 5.3)

Suspicious objects (mark) (ISO27001 5.27, 5.28, 5.29) ✓

Roles without owners. ✓ Application roles without owners. Business roles without owners. Etc. (ISO 27001 5.2)

Applications without owners. (ISO 27001 5.2, 5.9, 8.8) ✓

Applications without classification. (ISO 27001 5.9, 5.12, 5.13, 5.14)

Requestable roles without approvers. (ISO 27001 5.2, 5.15, 5.18)

Active projects without managers (ISO 27001 5.8)

Staff shortage (dashboard): projects and teams with vacancies at important positions. (ISO 27001 5.2, 5.8, 8.6)

Understaffed security positions: use Understaffed security mark.

Neglected roles and apps (roles/apps without owner).

Orphaned accounts (ISO 27001 5.16)

Identities with privileged access

Number of active users (dashboard only?) (ISO 27001 5.16)

Number of archived users (dashboard only?) (ISO 27001 5.16)

Dormant users / sleepers (users without any privileges) (ISO 27001 5.16)

Temporarily inactive users (exclude archived users) (ISO 27001 5.16)

"Standing privilege" - manual assignments, including access request (ISO 27001 5.15, 5.18)

Privilege assignments to review - manual assignments that were not certified recently (ISO 27001 5.18)

Suspicious objects (ISO27001 5.27, 5.28, 5.29)

Manual data overrides (fixed HR errors)

Users without organizational assignments (no org, no project, …​)

Number of all accounts (all resources) (ISO 27001 5.32)

Number of active accounts (all resources) (ISO 27001 5.32)

Number of active accounts per resource (e.g. for license management) (ISO 27001 5.32)

Unused accounts. Accounts not used for X months. (ISO 27001 5.32, 8.9)

Unused accounts per application. Number/percentage of unused accounts per application. Average usage frequency per application (e.g. users accessing the app once per week on overage) (ISO 27001 5.32, 8.9)

Accounts that were never used (never logged in).

Organizational units without managers

Number of job titles

Top job titles

Number of locations

Largest locations by number of users

Users with large number of failed logins

Number of roles by type (ISO 27001 5.1, 5.15, 5.18)

Access included in roles (%) (ISO 27001 5.1, 5.15, 5.18)

Identities with access from roles (%) (ISO 27001 5.1, 5.15, 5.18)

Unused roles (roles without active assignment) (ISO 27001 5.1, 5.15, 5.18)

Idea: some role hierarchy metric? How many roles are included in other roles?

All accounts created/deleted on resource (ISO 27001 5.10, 5.16, 5.18)

Roles assigned/unsassigned, automatically/manually (ISO 27001 5.10, 5.16, 5.18)

Password changes

Access requests

Authentications (to midPoint)

REST service access

Provisioning operations

Service (application) accounts with passwords that were not changed in a looong time (e.g. 5 years)

High-risk roles

High-risk users

Application that were not used recently.

Vastly over-provisioned applications. Applications that are used only by a small fraction of users that have access to them.

"License management" as formal feature? (ISO 27001 5.11, 5.32)

Should we pre-configure top-level org "Suppliers", to allow creating of supplier organization entries? (ISO 27001 5.19)

Running an action for all users of an application, e.g. notifying them about an incident, forcing them to change passwords.

We really should recommend to always use midPoint with SSO/AM, and MFA, which avoids lots of password problems.

Incident response

ISO 27001 is often referencing "assets", which in our parlance refers to application. This makes the policies quite application-centric, rather than role-centric. E.g. approval by application owners, rather than role owner.

Methodology: Locations as orgs. Strongly recommend use of org-based locations (possibly hierarchical), can be used to directly assign policies using inducements.

What is "assset", definition of "asset"

TLP protocol (ENISA-baseline)

Store classification in audit log in a searchable way (ISO27001 5.12, 5.13, 5.14)

Information Classification and Clearances

Compliance (old page, needs update)

Document project management idea

Document application inventory idea

Link features to IGA capabilities

ISO27001 controls: show "Implementation plan" section (when we are ready)

Link ISO27001 controls to IGA capabilities?

Show ISO27001 control category, type (e.g. #preventive), concepts and other attributes? Is it legal? (copyright)

Highlight ISO27001 controls that are closely related to IGA (capability==#Identity_and_access_management?)

Secure coding practices (ISO 27001 8.28)

Security testing practices (ISO 27001 8.29)

How to make "SoD policy" report? TODO: We need more specific use-cases (look for roles with policies? look for users influenced by policies?)

How to determine classification of a role from classifications of sub-roles and applications? Similar mechanism should be used to determine risk levels.

Licence management as a feature? (ISO 27001 5.11) What do we need to do? License archetype?

Certification for classifications: replacing assignment of classification, instead of removing it?

Can we query for active assignments? We want direct assignments, therefore roleMembershipRef will not work. Can assignment effectiveStatus help? TODO: Need more specific use cases.

Can we make sure we have active user as owner/manager? E.g. whan owner/manager is org unit, we want at lest one active user in the org unit.

Reports and archetypes: Are archetypes good method to sort reports? E.g. "privileged users" report is a compliance report, yet it is also a dashboard report and collection report. Later: 4.10 (Advanced analytics).

Better support for MFA - integration with SSO/AM. How are we going to approach it? Examples with selected SSO/AM systems? How we can do adaptive auth? How we can do authentication step-up? (ISO 27001 5.8: "the level of confidence or assurance required towards the claimed identity of entities in order toderive the authentication requirements") (ISO 27001 5.8, 8.5)

Check that we display previous login time and number of previous failed logins after login procedure is completed (ISO27001 8.5 "considering")

Find a good term for "lazy" users, users that were not using system for a long time. Maybe "dormant"?

Idea: Can we determine app/account usage frequency/intensity from watching changes in last login value?

Counts: number of accounts per user, number of application per user, number of assignment/roles per user. How to search them? (give me all users with more than 10 accounts) How to sort lists? Do we need to store them?

How to deal with existing policy violations?

Can midPoint detect that disabled orphaned account was re-enabled? Can we react? Can we report it?

Certification "manual mode": Do not make any automatic changes (e.g. revoke), do all changes manually. Only report where the situation need to be remedied. Remediation is manual. Can we do this in 4.9? (ISO 27001 5.9)

New abstract role subtype "Policy"? midPoint 4.9

Should we mark Superuser role as privileged by default? It is privileged, technically. However, may it somehow deform the reports? YES!