01_Protect-user-accounts-and-identities.md

Protect user accounts and identities

(Back)

Objective

Protect user accounts and identities.

Applicable Service Models

Infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS)

Mandatory Requirements

Activity	Validation
Implement strong multi-factor authentication (MFA) for all user accounts. Use phishing resistant MFA where and when available. Note: User accounts and identities include: root or global administrator (as it has enhanced or the highest level of privilege over the control plane and addresses all aspects of access control). Other Administrative user accounts. Refer to Section 4 of the Directive on Service and Digital Appendix G: Standard on Enterprise Information Technology Service Common Configurations Account Management Configuration Requirements Regular user accounts	Confirm that MFA is implemented according to GC guidance through screenshots, compliance reports, or compliance checks enabled through a reporting tool for all user accounts. Confirm that digital policies are in place to ensure that MFA configurations are enforced. Confirm and report the count of registered root or global administrators (you should have at least two and no more than five).
Configure alerting to ensure the prompt detection of a potential compromise, in accordance with the GC Event Logging Guidance.	Confirm whether monitoring and auditing is implemented for all user accounts. Confirm that alerts to the authorized personnel have been implemented to flag misuse or suspicious activities for all user accounts.
Use separate dedicated accounts for highly privileged roles (for example, domain administrators, global administrators, and root and any domain administrator equivalent access) when administering cloud services to minimize the potential damage.	Provide evidence that there are dedicated user accounts for administration (for example, privileged access).

Additional Considerations

None

References

• Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) 2017-01, subsection 6.2.3
• Cyber Centre’s top 10 IT security actions, number 3
• Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain (accessible only on the Government of Canada network)
• Government of Canada Multi-Factor Authentication (MFA) Considerations and Strategy for GC Enterprise IT Services
• Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations
• Account Management Configuration Requirements
• Event Logging Guidance
• Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.6

Related security controls from ITSG-33

AC-2, AC-2(11), AC-3, AC-5, AC-6, AC-6(5), AC-6(10), AC-19, AC-20(3), IA-2, IA-2(1), IA-2(2), IA-2(3), IA-2(11), IA-5(8), SI-4, SI-4(5), SA-4(12), CM-5