VNF Security Requirements

VNF Requirements Jira


IAM Update for Frankfurt

Identity Lifecycle Management

...

NO CHANGE - Requirement: R-46908
The VNF MUST, if not integrated with the Operator’s Identity and Access Management system, comply with “password complexity” policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password.
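
The six construction rules of R-46908 as a checker, added here as an illustration and not taken from the requirements document or any ONAP code. The function names, the default minimum length of 12, the run length of 3 for "repeating or sequential", and the set of command-significant characters are assumptions, since the requirement leaves them to the environment.

```python
import string

# Assumptions (not fixed by R-46908): a run of 3 counts as "repeating or
# sequential", and these shell-significant characters are barred by rule 5.
COMMAND_CHARS = set("`$|;&<>\\\"'")
RUN = 3

def _classes(pw):
    """Count how many of the four character types appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])

def _has_run(pw, n=RUN):
    """True if pw holds n identical, ascending or descending characters in a row."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        deltas = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + n - 1)}
        if deltas in ({0}, {1}, {-1}):
            return True
    return False

def _shares_sequence(new, old, n=3):
    """True if any n consecutive characters of new also occur in old."""
    new_l, old_l = new.lower(), old.lower()
    return any(new_l[i:i + n] in old_l for i in range(len(new_l) - n + 1))

def check_password(pw, user_id, previous=None, min_length=12, common=()):
    """Return the R-46908 rule numbers that pw violates (empty list = compliant)."""
    failed = []
    if len(pw) < min_length:
        failed.append(1)
    if _classes(pw) < 3:
        failed.append(2)
    if pw.lower() == user_id.lower() or pw.lower() in {c.lower() for c in common}:
        failed.append(3)
    if _has_run(pw):
        failed.append(4)
    if any(c in COMMAND_CHARS for c in pw):
        failed.append(5)
    if previous and _shares_sequence(pw, previous):
        failed.append(6)
    return failed
```

Returning the failed rule numbers rather than a boolean lets the caller tell the user which construction rule to fix at password-change time.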

CHANGE - Requirement: R-814377 (VNFRQTS-837)
The VNF MUST have the capability of allowing the Operator to create, manage, and automatically provision user accounts using an Operator approved identity lifecycle management tool using a standard protocol, e.g., NETCONF API.

...

REMOVE - Requirement: R-71787 (VNFRQTS-841)
Each architectural layer of the VNF (e.g., operating system, network, application) MUST support access restriction independently of all other layers so that Segregation of Duties can be implemented.

...

The VNF MUST, if not integrated with the Operator’s Identity and Access Management system, support the ability to lock out the userID after a configurable number of consecutive unsuccessful authentication attempts using the same userID. The locking mechanism must be reversible by an administrator and should be reversible after a configurable time period.

CHANGE - Requirement: R-78010 (VNFRQTS-838)
The VNF MUST integrate with standard identity and access management protocols such as LDAP, TACACS+, Windows Integrated Authentication (Kerberos), SAML federation, or OAuth 2.0.

...

The VNF MUST support LDAP in order to integrate with an external identity and access management system. It MAY support other identity and access management protocols.

REMOVE - Requirement: R-85419 (VNFRQTS-839)
The VNF SHOULD support OAuth 2.0 authorization using an external Authorization Server.

...

The VNF MUST NOT identify the reason for a failed authentication, only that the authentication failed.

CHANGE - Requirement: R-479386 (VNFRQTS-840)
The VNF MUST NOT display “Welcome” notices or messages that could be misinterpreted as extending an invitation to unauthorized users.

...