Secure Endpoints

Objective

Implement increased levels of protection for management interfaces.

Applicable Service Models

  • IaaS, PaaS, SaaS

Mandatory Requirements Validation

  • Implement access restrictions to ensure the use of GC issued and managed devices that are patched and managed, in accordance with GC Endpoint Management Configuration Requirements.
  • Confirm that administrative access to cloud environments is from approved and trusted locations and GC issued and managed devices that enforce the GC endpoint management configuration requirements.
  • Demonstrate access configurations and policies are implemented for devices.

Additional Considerations

  • All administrative tasks should be undertaken on dedicated administrative workstations. (Note: A dedicated administrative workstation is a secured physical (thick or thin) client workstation used to perform specific and sensitive administrative tasks or tasks requiring privileged access. This device must have no Internet access, and services such as email and web browsing must be disabled and prohibited.)
  • Confirm if dedicated administrative workstations are utilized to conduct all administrative activities.

References

  1. SPIN 2017-01, subsection 6.2.3
  2. CSE Top 10 #2
  3. Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
  4. Refer to the Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations - Endpoint Management Configuration Requirements
  5. Refer to ITSP.50.104 Guidance on defence in depth for cloud-based services, subsection 4.9

Related security controls: AC-3, AC-3(7), AC-4, AC-5, AC-6, AC-6(5), AC-6(10), AC-19, AC-20(3), IA-2, IA-2(1), IA-2(11), IA-4, IA-5, IA-5(1), SI-4, AU-6, AU-12