CYBERINFO

Control 5.17: Authentication Information


Summary

The allocation and management of authentication information should be controlled by a formal management process. This ensures that the secrets used to verify identities (passwords, tokens, keys) are handled securely throughout their lifecycle to prevent unauthorized access.


Applicability

In-Scope: Mandatory for protecting the integrity of the login process. It is essential for enforcing strong security standards and preventing credential-based attacks, which are the most common entry points for breaches.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Password Policy: Use Entra ID Password Policies to enforce complexity and prevent the use of easily guessed or previously breached passwords.

  • Modern Authentication: Transition to Passwordless Authentication (e.g., Microsoft Authenticator, FIDO2) to reduce the reliance on traditional passwords.

  • Management: Implement Self-Service Password Reset (SSPR) to provide a secure, automated way for users to manage their secrets without helpdesk intervention.
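The three measures above are configured in the Entra ID portal, but an auditor will also want evidence of what each user has actually registered. The script below is an added example written for this page; it is not code from CYBERINFO or from Microsoft. It uses the Microsoft Graph PowerShell SDK to list every enabled user's registered authentication methods, flags accounts that still rely on a password alone, and writes the result to a CSV that can go straight into the evidence file. It assumes the Microsoft.Graph module is installed and that the signed-in account has been granted the User.Read.All and UserAuthenticationMethod.Read.All permissions; the output file name and the choice of which method types count as "strong" are this example's own.

```powershell
# Added example (not from the CYBERINFO page or from Microsoft): report each enabled
# user's registered Entra ID authentication methods via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed; signed-in account holds the
# User.Read.All and UserAuthenticationMethod.Read.All permissions.

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Method types treated as "strong" in this report (MFA-capable, not phone/email).
$strongTypes = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'
)

# Subset that supports passwordless sign-in, reported separately for the
# "Modern Authentication" transition metric.
$passwordlessTypes = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$passwordType = '#microsoft.graph.passwordAuthenticationMethod'

$report = foreach ($user in Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName) {
    # Each method object carries its concrete type in the @odata.type property.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    # Anything other than the password method counts as an additional factor.
    $nonPassword = @($types | Where-Object { $_ -ne $passwordType })

    [pscustomobject]@{
        UserPrincipalName   = $user.UserPrincipalName
        RegisteredMethods   = ($types -replace '#microsoft\.graph\.', '') -join ';'
        HasStrongMethod     = [bool]($types | Where-Object { $strongTypes -contains $_ })
        PasswordlessCapable = [bool]($types | Where-Object { $passwordlessTypes -contains $_ })
        PasswordOnly        = ($types.Count -gt 0) -and ($nonPassword.Count -eq 0)
    }
}

# CSV for the evidence file (file name is this example's own choice).
$report | Export-Csv -Path .\auth-methods-evidence.csv -NoTypeInformation

# Quick on-screen view of the accounts that need attention first.
$report | Where-Object PasswordOnly | Format-Table UserPrincipalName, RegisteredMethods

Disconnect-MgGraph
```

Phone and email methods are deliberately left out of the strong set because they are the easiest to intercept; if the organization's authentication policy accepts them as a second factor, add their @odata.type values to `$strongTypes` so the report matches the documented policy rather than contradicting it.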


Evidence Checklist

  • Authentication Policy: Documented rules for password complexity, rotation (if applicable), and the use of MFA.

  • System Configurations: Screenshots of Entra ID settings showing the enforcement of secure authentication methods.

  • User Guidance: Evidence that users have been instructed on how to protect their authentication information.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization ensure that default or temporary passwords are changed immediately upon the first login?

  • What is the process for revoking or changing authentication information when a compromise is suspected?

  • Can you demonstrate how you enforce strong authentication for all users accessing sensitive data?

  • How are secrets (like API keys or service principal certificates) managed and rotated within the Microsoft environment?