Understanding and implementing the 14 Cloud Security Principles – Part 9: secure user management
In our latest blog post covering the 14 Cloud Security Principles and the National Cyber Security Centre’s (NCSC) guidance on how to configure, deploy and use cloud services securely, it’s time to look at principle number 9: secure user management.
What is secure user management?
Secure user management refers to the organising and managing of the various the interfaces and procedures that form a key element of the security barrier around your cloud services. They are there to prevent unauthorised access and alteration of your company’s resources, applications and data.
In order to maintain a secure service, any user you want to allow ‘secure user management’ privileges to will need to be fully authenticated before they are able to carry out management activities, report faults or request any changes you, or they as instructed, may wish to make to the service.
This may be done via a web portal or phone or email and it is imperative that your service provider ensures any management request is performed over a secure and authenticated channel. If not, imposters may be able to execute privileged actions and challenge the security of the service itself and business data.
In relation to secure user management there are two goals to achieve. “You should be confident that:
- you are aware of all of the mechanisms by which the service provider would accept management support requests from you (telephone, web portal, email etc.)
- only authorised individuals from your organisation can use those mechanisms to affect your use of the service”
At the same time, you must also be aware that many cloud services are managed via web applications or APIs. Users must be adequately separated within such management interfaces as one user may be able to affect the service or even modify the data of another. Limiting permissions of individual users to just those who are absolutely necessary can help to limit any potential damage from malicious users or compromised devices and this can be achieved by implementing role-based access.
When looking at limiting permissions and role-based access, there are three goals to reach. “You should:
- have confidence that other users cannot access, modify or otherwise affect your service management
- manage the risks of privileged access using a system such as the ‘principle of least privilege’
- understand how management interfaces are protected and what functionality they expose”
If you have any specific queries concerning secure user management or any of the other Cloud Security Principles we have discussed in previous posts, feel free to contact us – we’ll be more than happy to help.
Next up: Identity and authentication