
Cloud Identity and Access Management — federation, vulnerability testing, monitoring

Primary statement

Cloud IAM is the synthesis of ISO 27001 A.5.23 (cloud services management), CSA TVM-03 (cloud penetration testing), CSA LOG-04 (cloud-specific detections), CSA LOG-01 (cloud logging coverage) and ISO 27017 CLD.9.5.1 (tenant isolation). In the cloud there is no network edge to defend: identity is the perimeter, and the IAM policy set is the firewall rule set.

Audit-fatigue payoff

A unified cloud IAM architecture — federation + MFA + privileged access + cloud-specific monitoring + tenant isolation — satisfies cloud IAM requirements across all 6 contributing frameworks.

Strictness matrix

Scope: acquisition, use, management, and exit from cloud services. Lifecycle scope — not just operations.
  Ceiling source: iso27001:A.5.23
  Rationale: ISO 27001 A.5.23 lifecycle scope is the broadest cloud services scope.

Threshold: cloud penetration testing at least annually by a qualified third party, and after any significant architectural change. Annual binary cadence.
  Ceiling source: csa_ccm:CSA.TVM-03
  Rationale: CSA TVM-03 annual cloud pen test is the audit-defensible threshold.

Method: cloud IAM federation + MFA + privileged access + cloud-specific detection rules (credential compromise, resource hijacking, lateral movement) + cloud logging coverage (LOG-01: control plane + data plane + network) + tenant isolation (ISO 27017 CLD.9.5.1) + annual cloud pen test.
  Ceiling source: csa_ccm:CSA.LOG-04
  Rationale: CSA LOG-04 cloud-specific detections + LOG-01 logging coverage are uniquely strict.

Frequency: cloud pen test annual + on architectural change. Cloud detection rule tuning: continuous. IAM review: quarterly per cl-access-rights.
  Ceiling source: csa_ccm:CSA.TVM-03
  Rationale: Annual cloud pen test is the audit-defensible cadence.

Evidence: cloud IAM federation + cloud pen test reports + cloud-specific detection rule inventory + cloud logging configuration + tenant isolation evidence + sample detection alerts traced to response.
  Ceiling source: csa_ccm:CSA.LOG-04
  Rationale: CSA LOG-04 evidence with cloud-specific detections is the audit anchor.
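The three cloud-specific detection classes named in the Method row (credential compromise, resource hijacking, lateral movement) are easiest to evaluate in an audit when each is a concrete rule run over real control-plane events. The following is an added example, not code from this page or from any framework: three rules evaluated over constructed CloudTrail-style records. The field names follow the AWS CloudTrail record layout (eventName, userIdentity, sourceIPAddress, awsRegion, requestParameters); every baseline set and threshold (known egress IPs, baseline regions, trusted account pairs, the RunInstances count) is an assumption chosen for illustration and would be derived from historical logs and the asset inventory in practice.

```python
"""Cloud-specific detection rules over constructed CloudTrail-style events (added example)."""
from collections import defaultdict

# --- Assumed baselines (in practice derived from historical logs / asset inventory) ---
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}          # corporate / CI egress (assumed)
BASELINE_REGIONS = {"eu-west-1"}                              # regions the account normally uses (assumed)
TRUSTED_ACCOUNT_PAIRS = {("111111111111", "222222222222")}   # approved (caller, target) trusts (assumed)
RUNINSTANCES_COUNT_THRESHOLD = 8                              # assumed; tune per environment

# --- Constructed sample events (not real telemetry); minimal subset of CloudTrail fields ---
EVENTS = [
    # Normal CI activity from a known egress IP.
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accountId": "111111111111",
                      "accessKeyId": "AKIAEXAMPLECI000001"}},
    # Same long-lived key reused minutes later from an unknown IP, starting with recon.
    {"eventTime": "2024-05-01T09:07:00Z", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accountId": "111111111111",
                      "accessKeyId": "AKIAEXAMPLECI000001"}},
    # Burst of GPU instances in a region the account never uses (cryptomining pattern).
    {"eventTime": "2024-05-01T09:09:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accountId": "111111111111",
                      "accessKeyId": "AKIAEXAMPLECI000001"},
     "requestParameters": {"instanceType": "p3.8xlarge",
                           "instancesSet": {"items": [{"minCount": 10, "maxCount": 10}]}}},
    # Cross-account AssumeRole into an account with no approved trust.
    {"eventTime": "2024-05-01T09:12:00Z", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accountId": "111111111111",
                      "accessKeyId": "AKIAEXAMPLECI000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/OrgAdmin"}},
    # Approved cross-account hop by a federated session: must not fire.
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "AssumeRole", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deployer/session"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Deployer"}},
]


def principal(ev):
    """Best available identifier for the acting principal."""
    ui = ev["userIdentity"]
    return ui.get("accessKeyId") or ui.get("arn") or ui.get("userName", "unknown")


def detect_credential_compromise(events):
    """Rule 1: a long-lived IAM user key active from a known egress IP AND from an IP outside it.
    Long-lived keys should not appear from two vantage points; the foreign IP is the evidence."""
    ips_by_key = defaultdict(set)
    for ev in events:
        ui = ev["userIdentity"]
        if ui.get("type") == "IAMUser" and "accessKeyId" in ui:
            ips_by_key[ui["accessKeyId"]].add(ev["sourceIPAddress"])
    findings = []
    for key, ips in ips_by_key.items():
        foreign = ips - KNOWN_EGRESS_IPS
        if foreign and ips & KNOWN_EGRESS_IPS:
            findings.append({"rule": "credential_compromise", "principal": key, "evidence": sorted(foreign)})
    return findings


def detect_resource_hijacking(events):
    """Rule 2: RunInstances in a non-baseline region or above the instance-count threshold."""
    findings = []
    for ev in events:
        if ev["eventName"] != "RunInstances":
            continue
        params = ev.get("requestParameters", {})
        count = sum(i.get("maxCount", 1) for i in params.get("instancesSet", {}).get("items", []))
        reasons = []
        if ev["awsRegion"] not in BASELINE_REGIONS:
            reasons.append(f"non-baseline region {ev['awsRegion']}")
        if count >= RUNINSTANCES_COUNT_THRESHOLD:
            reasons.append(f"{count} x {params.get('instanceType', '?')}")
        if reasons:
            findings.append({"rule": "resource_hijacking", "principal": principal(ev), "evidence": reasons})
    return findings


def detect_lateral_movement(events):
    """Rule 3: AssumeRole whose target account differs from the caller's and is not an approved trust."""
    findings = []
    for ev in events:
        if ev["eventName"] != "AssumeRole":
            continue
        role_arn = ev.get("requestParameters", {}).get("roleArn", "")
        parts = role_arn.split(":")                      # arn:partition:service:region:account:resource
        target = parts[4] if len(parts) > 5 else ""
        caller = ev["userIdentity"].get("accountId", "")
        if target and target != caller and (caller, target) not in TRUSTED_ACCOUNT_PAIRS:
            findings.append({"rule": "lateral_movement", "principal": principal(ev), "evidence": [role_arn]})
    return findings


def run_rules(events):
    """Evaluate all three rules; returns the findings list an auditor would trace to a response."""
    return detect_credential_compromise(events) + detect_resource_hijacking(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"{f['rule']:22} {f['principal']:50} {f['evidence']}")
```

Against the constructed events the run yields exactly one finding per rule, and the approved Deployer hop stays silent; that pairing (a firing case and a non-firing case per rule) is the kind of sample alert the Evidence row asks to see traced through to response.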

Auditor test pattern

Step 1: Inspect cloud IAM federation.
Step 2: Inspect the annual cloud pen test report.
Step 3: Verify cloud-specific detection rules (credential compromise, resource hijacking).
Step 4: Verify cloud logging coverage (control plane + data plane + network).
Step 5: Verify tenant isolation.

Common findings

(1) Cloud pen test annual but generic, not cloud-specific.
(2) Cloud-specific detections absent.
(3) Logging covers some planes but not network flows.
(4) Tenant isolation accepted on CSP attestation without verification.
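Finding (3) is usually a per-region, per-VPC gap rather than a global one: a multi-region trail exists, data events are enabled in the primary region, and flow logs were never turned on for a VPC created later in another region. The following added example (not code from this page) checks control, data and network plane coverage over a constructed inventory; the plane-to-source mapping and the inventory shape are assumptions, and in practice the inventory would be built from the provider's trail, data-event selector and flow-log descriptions.

```python
"""Logging-coverage check across control, data and network planes (added example)."""

# Assumed mapping: which telemetry source satisfies the control and data planes.
# The network plane is evaluated per VPC (every VPC must have flow logs).
PLANE_SOURCES = {
    "control": {"cloudtrail_management"},
    "data": {"s3_data_events", "lambda_data_events"},
}

# Constructed inventory: account -> region -> enabled sources and per-VPC flow-log state.
INVENTORY = {
    "111111111111": {
        "eu-west-1": {"sources": {"cloudtrail_management", "s3_data_events", "vpc_flow_logs"},
                      "vpcs": {"vpc-0a": True, "vpc-0b": True}},
        "us-east-1": {"sources": {"cloudtrail_management", "s3_data_events"},
                      "vpcs": {"vpc-0c": False}},           # flow logs never enabled here
    },
    "222222222222": {
        "eu-west-1": {"sources": {"cloudtrail_management"},   # control plane only
                      "vpcs": {"vpc-1a": True}},
        "us-west-2": {"sources": set(), "vpcs": {}},          # region in use, nothing logged
    },
}


def coverage_gaps(inventory):
    """Return (account, region, plane, detail) tuples for every plane not fully covered."""
    gaps = []
    for account, regions in inventory.items():
        for region, cfg in regions.items():
            for plane, required in PLANE_SOURCES.items():
                if not cfg["sources"] & required:
                    gaps.append((account, region, plane, sorted(required)))
            missing_vpcs = sorted(v for v, enabled in cfg["vpcs"].items() if not enabled)
            if missing_vpcs:
                gaps.append((account, region, "network", missing_vpcs))
    return gaps


def planes_with_gaps(inventory):
    """Set of planes that have at least one gap anywhere; empty means full coverage."""
    return {plane for _, _, plane, _ in coverage_gaps(inventory)}


if __name__ == "__main__":
    for account, region, plane, detail in coverage_gaps(INVENTORY):
        print(f"{account} {region:15} {plane:8} missing: {detail}")
```

Run over the constructed inventory this reports one network gap (vpc-0c), one data-plane gap in the second account's primary region, and a region with no logging at all; an auditor applying Step 4 would want this table, not a single "CloudTrail is enabled" statement.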