Strong Authentication from Cloud Controls Matrix framework

SAMMY works best on screens 1024px wide or larger.

Audit and Assurance
Application and Interface Security
Business Continuity Management and Operational Resilience
Change Management Policy and Procedures
People
Datacenter Security
Data Security and Privacy Lifecycle Management
Governance, Risk and Compliance
Human Resources
Identity and Access Management
Interoperability and Portability
Infrastructure and Virtualization Security
Logging and Monitoring
Security Incident Management, E-Discovery, and Cloud Forensics
Supply Chain Management, Transparency, and Accountability
Threat and Vulnerability Management
Universal Endpoint Management

Strong Authentication

IAM-14: Are processes, procedures, and technical measures for authenticating access to systems, application, and data assets including multifactor authentication for a least-privileged user and sensitive data access defined, implemented, and evaluated?

All individual, non-console administrative access and remote access to the systems and applications should be secured using multi-factor authentication. Multi-factor authentication should contain a minimum of two of the three authentication methods:
a. Something you know, such as a password or passphrase.
b. Something you have, such as a token device or smart card or digital certification*.
c. Something you are, such as a biometric.

Note: a digital certificate is a valid option for “something you have” as long as it is unique for a particular user)

Description

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

Strong Authentication

IAM-14: Are digital certificates or alternatives that achieve an equivalent security level for system identities adopted?

Note: a digital certificate is a valid option for “something you have” as long as it is unique for a particular user)