Principle of Standards-Based Solutions: Add a guiding principle to your framework stating that you prioritize solutions that adhere to relevant industry standards.
Control Objective Language: When defining control objectives related to identity and access management (IAM), phrase them in terms of standards rather than specific products.
Example (Bad - Vendor-Specific): “Use Azure Active Directory for user authentication and authorization.”
Example (Good - Standards-Based): “Implement an identity and access management system that supports federated identity using SAML 2.0 or OpenID Connect.”
Implementation Guidance: In the “Implementation Guidance” section, list the relevant standards and then provide examples of tools that support those standards.
Monitoring and Auditing: In the “Monitoring and Auditing” section, specify that compliance with the relevant standards should be regularly audited.
Here’s how you could address OAuth, Azure Entra, Google IAM, AWS IAM, and Okta in a standards-based way within your framework:
Control Objective: “Implement a secure and standardized authentication and authorization system for all cloud and on-premises resources.”
Related Policies: Information Security Policy, Access Control Policy, Data Privacy Policy
OAuth 2.0: (IETF RFC 6749) - An authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. This is the core standard for modern delegated authorization.
OpenID Connect (OIDC) 1.0: An identity layer on top of OAuth 2.0. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user. OIDC is built on OAuth 2.0 and adds the identity piece.
SAML 2.0: (Security Assertion Markup Language) - An XML-based standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is often used in enterprise single sign-on (SSO) scenarios.
SCIM 2.0: (System for Cross-domain Identity Management) - An open standard for automating the exchange of user identity information between identity domains, or IT systems. SCIM simplifies user provisioning and de-provisioning.
FIDO2: (Fast IDentity Online) - A set of open authentication standards that enable passwordless authentication using security keys and biometrics.
“Choose an identity provider (IdP) and service providers (SPs) that support OAuth 2.0 and OpenID Connect for modern application authorization and authentication.”
“For enterprise single sign-on (SSO) scenarios, consider using SAML 2.0.”
“Use SCIM for automated user provisioning and de-provisioning.”
“Implement multi-factor authentication (MFA) that conforms to NIST 800-63B guidelines.”
“Consider FIDO2 for passwordless authentication.”
Identity Providers (IdPs): Azure Entra, Google Identity Platform, AWS IAM Identity Center (successor to AWS SSO), Okta, Ping Identity, Auth0, Keycloak (open source).
Libraries and SDKs: Numerous open-source libraries and SDKs are available for implementing OAuth 2.0 and OIDC in various programming languages.
“Regularly audit IdP and SP configurations to ensure they comply with OAuth 2.0, OIDC, and SAML 2.0 standards.”
“Monitor authentication and authorization logs for suspicious activity.”
“Verify that MFA is enforced for all users, especially privileged accounts.”
Control Objective: “Implement a robust IAM system that enforces the principle of least privilege and provides centralized management of identities and access across all environments.”
Related Policies: Information Security Policy, Access Control Policy
NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations (provides a comprehensive catalog of security controls).
ISO/IEC 27001: Information security management systems — Requirements.
CIS Controls: Center for Internet Security Controls (a prioritized set of security best practices).
“Use Role-Based Access Control (RBAC) to grant permissions based on job roles.”
“Implement a strong password policy that meets NIST 800-63B guidelines.”
“Regularly review and remove unnecessary user accounts and permissions.”
“Implement privileged access management (PAM) controls for sensitive accounts.”
“Use a centralized identity provider to manage user identities and access across multiple cloud providers and on-premises systems.”
“Use Just-In-Time (JIT) access where possible.”
Cloud-Native IAM Services: Azure Entra, Google Cloud IAM, AWS IAM.
Third-Party IAM Solutions: Okta, Ping Identity, CyberArk, SailPoint.
“Monitor failed login attempts, and review changes to minimize risk.”
“Regularly review user access rights and permissions.”
“Audit IAM system configurations to ensure compliance with policies and standards.”
“Monitor for unauthorized access attempts and privilege escalation.”
(C) API Security
Control Objective: Secure APIs using industry-standard protocols.
Relevant Standards:
OAuth 2.0: Use for API authorization
OpenID Connect (OIDC): Use for API authentication
JWT (JSON Web Token): (IETF RFC 7519) A compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used as access tokens in OAuth 2.0 flows.
Mutual TLS (mTLS): Use mutual TLS for client authentication, providing an extra layer of security beyond standard TLS.
By structuring your framework in this way, you provide clear, actionable guidance that is aligned with industry best practices and adaptable to different technology choices. This makes your framework much more valuable and enduring.