IA-09-727 Service Identification and Authentication

Identification and Authentication
February 13, 2018

Each service process operating on an Agency-owned information resource shall be assigned a unique access identifier (user name) and authenticator (password or hardware token) under which all processes belonging to that service will be run. Any output from the service shall be cryptographically signed (TLS server certificate, code signing certificate, etc.) whenever possible. All public-facing web services shall operate over HTTPS with valid certificates owned/managed by the Agency.

Information systems are not able to determine, in a dynamic manner, whether external providers and associated services are authentic.
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
Information or code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.
No statewide control