Page 1065 - Cloud computing: From paradigm to operation

Security


Implementation guidance for cloud services

Cloud service customer:
(no additional implementation guidance)

Cloud service provider:
The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions.

Other information for cloud services

The cloud service provider should support third-party identity and access management technologies for its cloud services and the associated administration interfaces. These technologies can enable easier integration and easier user identity administration between the cloud service customer's systems and the cloud service, and can ease the use of multiple cloud services, supporting such capabilities as single sign-on.

9.2.3   Management of privileged access rights

Control 9.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.

Implementation guidance for cloud services

Cloud service customer:
The cloud service customer should use sufficient authentication techniques (e.g., multi-factor authentication) for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service according to the identified risks.

Cloud service provider:
The cloud service provider should provide sufficient authentication techniques for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risks. For example, the cloud service provider can provide multi-factor authentication capabilities or enable the use of third-party multi-factor authentication mechanisms.

9.2.4   Management of secret authentication information of users

Control 9.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.

Implementation guidance for cloud services

Cloud service customer:
The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements.

Cloud service provider:
The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication.

Other information for cloud services

The cloud service customer should control the management of secret authentication information by using its own or third-party identity and access management technologies.

9.2.5   Review of user access rights

Control 9.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.

9.2.6   Removal or adjustment of access rights

Control 9.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
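A cloud service customer can turn the guidance of 9.2.3 (multi-factor authentication for administrators), 9.2.5 (periodic review of access rights) and 9.2.6 (removal of access rights no longer needed) into a repeatable check over its own user export. The script below is an added example, not text from ISO/IEC 27017 or from any provider; the CSV layout, the group name "admins", and the 90-day thresholds are assumptions, and the sample rows are constructed.

```python
"""Audit a constructed cloud user export against ISO/IEC 27017 9.2.3, 9.2.5 and 9.2.6.
Example code; the CSV layout and thresholds are assumptions, not from the standard."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export: one row per cloud service user of the customer.
SAMPLE_EXPORT = """user,groups,mfa_active,console_last_login,access_rights_last_reviewed
alice,admins;devops,true,2024-05-01T09:12:00Z,2024-04-15T00:00:00Z
bob,admins,false,2024-04-28T17:40:00Z,2024-04-15T00:00:00Z
carol,devops,false,2024-05-02T08:00:00Z,2024-01-10T00:00:00Z
dave,admins,true,2023-11-20T10:00:00Z,2023-11-01T00:00:00Z
"""

PRIVILEGED_GROUPS = {"admins"}          # assumed groups granting administrative capabilities
REVIEW_INTERVAL = timedelta(days=90)    # assumed review cadence for access rights (9.2.5)
INACTIVITY_LIMIT = timedelta(days=90)   # assumed threshold for unused privileged access (9.2.6)
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


def _parse_ts(value):
    """Parse the export's UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_access(export_text, now):
    """Return a sorted list of (user, finding) tuples for the supplied export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        privileged = bool(set(row["groups"].split(";")) & PRIVILEGED_GROUPS)
        # 9.2.3: administrators authenticate to administrative capabilities with MFA.
        if privileged and row["mfa_active"].strip().lower() != "true":
            findings.append((user, "privileged account without MFA"))
        # 9.2.5: access rights are reviewed at regular intervals.
        if now - _parse_ts(row["access_rights_last_reviewed"]) > REVIEW_INTERVAL:
            findings.append((user, "access rights review overdue"))
        # 9.2.6: privileged access that is no longer used is a removal candidate.
        if privileged and now - _parse_ts(row["console_last_login"]) > INACTIVITY_LIMIT:
            findings.append((user, "privileged account inactive; review for removal"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_access(SAMPLE_EXPORT, AS_OF):
        print(f"{user}: {finding}")
```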


