Authentication Strengths Design

Management Summary

Standardise on Authentication Strengths to tie Conditional Access requirements to the desired authentication level (for example phishing-resistant).

Recommendation: IMPLEMENT AUTHENTICATION STRENGTHS
Risk without implementation: High
Risk score: 7/10
Implementation effort: 16h (technical: 8h)
Applies to: Azure AD, Conditional Access

Without this security measure, significant security risks can arise that lead to data compromise, compliance violations and reputational damage for the organisation. Authentication strengths let you define reusable authentication requirements and manage them centrally: instead of specifying in every CA policy separately which MFA methods are allowed, you create named authentication strengths (for example Phishing-resistant MFA) and reference them from CA. This reduces complexity, increases consistency and makes the control scalable.

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.SignIns

Implementation

This control implements security best practices via Azure Policy, ARM templates or Microsoft Intune to protect cloud resources and endpoints in line with current compliance frameworks. Create authentication strengths via Azure AD Conditional Access that group specific authentication methods. Examples: (1) Phishing-resistant: FIDO2/WHfB/CBA; (2) Strong MFA: Authenticator push/TOTP; (3) Basic: passwordless or any MFA. Tie strengths to sensitive resources via CA.

Prerequisites

  1. Azure AD P1/P2
  2. FIDO2/WHfB/CBA rolled out
  3. CA policies that support strengths

Implementation

Use the PowerShell script authentication-strengths.ps1 (function Invoke-Remediation) to deploy the strengths.

  1. Define strengths in Azure AD
  2. Update CA policies to use strengths instead of "require MFA"
  3. Test: access to the resource produces the correct prompt
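The following script is an added example, not the baseline's own authentication-strengths.ps1. It carries out the two deployment steps above with the Microsoft Graph SDK: it creates the three named strengths from the design (Phishing-resistant, Strong MFA, Basic) if they do not exist yet, and then rewrites every Conditional Access policy that still uses the built-in "mfa" grant control so that it requires a named strength instead. The allowedCombinations lists are my mapping of the design's method groups onto the Graph authenticationMethodModes values; the "Basic" list in particular is an interpretation of "passwordless or any MFA". The -TargetStrength parameter, the Set-NamedStrength helper and the choice of one strength for all rewritten policies are assumptions of this example; a real rollout picks the strength per policy based on the sensitivity of the resource.

```powershell
# Added example: define the design's authentication strengths and move CA policies
# from plain "require MFA" to a named strength. Assumes an Entra ID P1 tenant and the
# Microsoft.Graph.Identity.SignIns module.
#Requires -Modules Microsoft.Graph.Identity.SignIns
[CmdletBinding()]
param(
    # Dry run: report what would change without writing anything
    [switch]$WhatIf,
    # Strength that replaces the built-in "mfa" control (assumption: one strength for all policies)
    [string]$TargetStrength = 'Phishing-resistant MFA'
)

# Read scope for the audit, write scopes for creating strengths and updating CA policies
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Strength definitions from the design; allowedCombinations uses Graph authenticationMethodModes values
$definitions = @(
    @{ displayName = 'Phishing-resistant MFA'
       description = 'FIDO2, Windows Hello for Business or certificate-based MFA only'
       allowedCombinations = @('fido2', 'windowsHelloForBusiness', 'x509CertificateMultiFactor') },
    @{ displayName = 'Strong MFA'
       description = 'Password plus Authenticator push or TOTP'
       allowedCombinations = @('password,microsoftAuthenticatorPush', 'password,softwareOath') },
    @{ displayName = 'Basic'
       description = 'Any passwordless method or any MFA combination (interpretation of the design)'
       allowedCombinations = @('fido2', 'windowsHelloForBusiness', 'x509CertificateMultiFactor',
                               'deviceBasedPush', 'temporaryAccessPassOneTime',
                               'password,microsoftAuthenticatorPush', 'password,softwareOath',
                               'password,hardwareOath', 'password,sms', 'password,voice') }
)

function Set-NamedStrength {
    # Hypothetical helper: returns the existing strength with this display name or creates it
    param([hashtable]$Definition, [switch]$WhatIf)
    $existing = Get-MgPolicyAuthenticationStrengthPolicy -All |
        Where-Object { $_.DisplayName -eq $Definition.displayName }
    if ($existing) { return $existing }
    if ($WhatIf) {
        Write-Host "WhatIf: would create strength '$($Definition.displayName)'" -ForegroundColor Yellow
        return $null
    }
    New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $Definition
}

# Step 1: define the strengths (idempotent)
$strengths = @{}
foreach ($d in $definitions) {
    $s = Set-NamedStrength -Definition $d -WhatIf:$WhatIf
    if ($s) { $strengths[$d.displayName] = $s }
}

# Step 2: replace the built-in "mfa" grant control with the named strength
foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
    $controls = @($p.GrantControls.BuiltInControls)
    if ($controls -notcontains 'mfa') { continue }
    if ($p.GrantControls.AuthenticationStrength.Id) { continue }   # already bound to a strength
    Write-Host "CA policy '$($p.DisplayName)' still requires plain MFA"
    if ($WhatIf -or -not $strengths.ContainsKey($TargetStrength)) { continue }
    $grant = @{
        operator               = $p.GrantControls.Operator
        builtInControls        = @($controls | Where-Object { $_ -ne 'mfa' })
        authenticationStrength = @{ id = $strengths[$TargetStrength].Id }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -BodyParameter @{ grantControls = $grant }
    Write-Host "  -> now requires strength '$TargetStrength'" -ForegroundColor Green
}
```

Run it first with -WhatIf to get the list of policies that still rely on "require MFA" without touching the tenant; that list is also the backlog for step 2. Entra ID ships built-in strengths with similar names, so the helper matches on display name rather than creating duplicates. For step 3, keep the rewritten policies in report-only mode until the sign-in logs show users of the targeted resources satisfying the new strength.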

Monitoring

Use the PowerShell script authentication-strengths.ps1 (function Invoke-Monitoring) to check.

  1. Sign-in logs: method used
  2. Adoption of phishing-resistant methods
  3. Policy match statistics
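The script below is an added example, not part of the baseline's script, showing how the three monitoring points can be derived from Entra ID sign-in records: which authentication method each sign-in actually used, the share of sign-ins that satisfied a phishing-resistant method, and how often each CA policy matched (and with what result). It runs offline on a constructed set of sample sign-ins shaped like the objects Get-MgAuditLogSignIn returns; the commented-out call shows how to feed it live data (AuditLog.Read.All is required). The Get-AuthStrengthReport function and the $PhishingResistant list are assumptions of this example, and the method display strings should be checked against what your tenant's sign-in logs report.

```powershell
# Added example: monitoring report over sign-in records (constructed sample, not real log data).

# Methods the design counts as phishing-resistant (FIDO2, WHfB, CBA). Assumption: these are the
# authenticationMethod display strings found in signIn.authenticationDetails; verify per tenant.
$PhishingResistant = @('FIDO2 security key', 'Windows Hello for Business', 'X.509 Certificate')

function Get-AuthStrengthReport {
    # Hypothetical helper: summarises method usage, phishing-resistant share and CA policy results
    param([Parameter(Mandatory)][object[]]$SignIns)

    $methodCounts = @{}
    $policyStats  = @{}
    $total        = 0
    $resistant    = 0

    foreach ($s in $SignIns) {
        # Only successful non-password steps tell us which second factor satisfied the policy
        $methods = @($s.AuthenticationDetails |
            Where-Object { $_.Succeeded -and $_.AuthenticationMethod -ne 'Password' } |
            ForEach-Object { $_.AuthenticationMethod })
        if ($methods.Count -eq 0) { $methods = @('Password only') }
        foreach ($m in $methods) { $methodCounts[$m] = 1 + [int]$methodCounts[$m] }

        $total++
        if ($methods | Where-Object { $PhishingResistant -contains $_ }) { $resistant++ }

        # Policy match statistics: result per applied CA policy (success, failure, notApplied, ...)
        foreach ($ap in @($s.AppliedConditionalAccessPolicies)) {
            if (-not $policyStats.ContainsKey($ap.DisplayName)) { $policyStats[$ap.DisplayName] = @{} }
            $policyStats[$ap.DisplayName][$ap.Result] = 1 + [int]$policyStats[$ap.DisplayName][$ap.Result]
        }
    }

    [PSCustomObject]@{
        SignIns                = $total
        MethodCounts           = $methodCounts
        PhishingResistantShare = if ($total) { [math]::Round($resistant / $total, 2) } else { 0 }
        PolicyMatchStats       = $policyStats
    }
}

# Constructed sample sign-ins in the shape Get-MgAuditLogSignIn returns (not real log data)
$sample = @(
    [PSCustomObject]@{
        UserPrincipalName = 'alice@contoso.example'
        AuthenticationDetails = @(
            [PSCustomObject]@{ AuthenticationMethod = 'FIDO2 security key'; Succeeded = $true })
        AppliedConditionalAccessPolicies = @(
            [PSCustomObject]@{ DisplayName = 'CA-Admins-PhishingResistant'; Result = 'success' })
    },
    [PSCustomObject]@{
        UserPrincipalName = 'bob@contoso.example'
        AuthenticationDetails = @(
            [PSCustomObject]@{ AuthenticationMethod = 'Password'; Succeeded = $true },
            [PSCustomObject]@{ AuthenticationMethod = 'Mobile app notification'; Succeeded = $true })
        AppliedConditionalAccessPolicies = @(
            [PSCustomObject]@{ DisplayName = 'CA-All-StrongMFA'; Result = 'success' })
    },
    [PSCustomObject]@{
        UserPrincipalName = 'carol@contoso.example'
        AuthenticationDetails = @(
            [PSCustomObject]@{ AuthenticationMethod = 'Password'; Succeeded = $true },
            [PSCustomObject]@{ AuthenticationMethod = 'FIDO2 security key'; Succeeded = $false })
        AppliedConditionalAccessPolicies = @(
            [PSCustomObject]@{ DisplayName = 'CA-Admins-PhishingResistant'; Result = 'failure' })
    }
)

# Live data instead of the sample (sign-ins of the last 7 days):
# Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
# $since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $sample = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$report = Get-AuthStrengthReport -SignIns $sample
"Sign-ins analysed: $($report.SignIns)"
$report.MethodCounts
"Phishing-resistant share: $($report.PhishingResistantShare)"
foreach ($entry in $report.PolicyMatchStats.GetEnumerator()) {
    "$($entry.Key): " + (($entry.Value.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
}
```

On the constructed sample the report counts one FIDO2 sign-in, one Authenticator push sign-in and one password-only sign-in (carol's FIDO2 step failed, so only the password succeeded), a phishing-resistant share of 0.33, and for CA-Admins-PhishingResistant one success and one failure. Failures against a strength-bound policy are the signal to watch during the rollout: they mean the user reached a resource that now demands a method they have not yet registered.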

Compliance and Auditing

  1. BIO 09.04.01
  2. ISO 27001 A.5.17
  3. NIS2 art. 21

Remediation

Use the PowerShell script authentication-strengths.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

```powershell
<#
.SYNOPSIS
    Authentication Strengths Design
.DESCRIPTION
    Implementation for Authentication Strengths Design
.NOTES
    Filename:     authentication-strengths.ps1
    Author:       Nederlandse Baseline voor Veilige Cloud
    Version:      1.0
    Related JSON: content/design/identity/authentication-strengths.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Authentication Strengths Design"
$CISControl = "1.1.x"
$BIOControl = "9.04"

function Connect-RequiredServices {
    # Connect to Microsoft Graph with the least scopes the requested mode needs:
    # read-only for monitoring, write scopes only for remediation or revert
    $scopes = @('Policy.Read.All')
    if ($Remediation -or $Revert) {
        $scopes += 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess'
    }
    Connect-MgGraph -Scopes $scopes -NoWelcome
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "authentication-strengths"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total:         $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant:     $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        # Default mode: a single compliance check
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}
```

Risk Without Implementation

High: inconsistent CA implementations mean weak authentication methods may be allowed for critical resources. Policy sprawl, gaps in coverage. Authentication Strengths provide reusable, consistent requirements. The risk is medium: policy consistency.

Management Summary

Authentication Strengths: reusable authentication requirement definitions (Phishing-resistant, MFA, Passwordless) assigned to CA policies. Prevents policy sprawl and ensures consistency. Example: the "Phishing-resistant" strength allows FIDO2/WHfB only. Requires: Azure AD P1. Activation: Entra ID → Protection → Auth strengths → Define + Assign to CA. Free (included in P1). Implementation: 16 hours (define strengths + refactor CA policies). Scalable policy management; recommended for mature CA deployments.
Authentication Strengths: Reusable auth requirement definitions (Phishing-resistant, MFA, Passwordless) assigned to CA policies. Prevents policy sprawl, ensures consistency. Example: "Phishing-resistant" strength = FIDO2/WHfB only. Vereist: Azure AD P1. Activatie: Entra ID → Protection → Auth strengths → Define + Assign to CA. Gratis (P1 included). Implementatie: 16 uur (define strengths + refactor CA policies). Scalable policy management - recommended mature CA deployments.