6-5 Identity Management

A means of integrating identity management in the cloud with the cloud’s Identity Management solution is required. The user must be authenticated before access to cloud applications is provided. Cloud-based applications must be integrated into an identity management framework so that user identities in the cloud are not managed separately. The following items apply:

  1. Single Sign-On (SSO). Upon authentication through the cloud consumer’s identity management solution, users must be able to access all cloud services without further authentication.
  2. Strong Authentication. CPs must provide strong authentication using two-factor authentication techniques to support sensitive and critical applications.
  3. User Provisioning. CPs must deliver standards-based APIs to allow the provisioning of users, either individually or in bulk. As the number of cloud services to which the Postal Service subscribes increases, the time spent on user maintenance will rapidly increase unless interfaces that allow user management to be automated are available.
  4. Background Checks. Individuals employed by the CP with physical or logical access to sensitive or sensitive-enhanced data must be properly vetted and screened periodically (at least every 5 years) to ensure trustworthiness.
  5. Access Policy Management. A standard policy management interface must be implemented under Postal Service control to permit the creation, deletion, and maintenance of access policies from a standardized management tool.