SC-11 - Trusted Path

Control requirements

SC-11 - 0

The information system establishes a trusted communications path between the user and the following security functions of the system: [IBM Assignment: ISV-defined security functions to include at a minimum, information system authentication and re-authentication].

Additional IBM Cloud for Financial Services specifications

• This control is required for ISVs.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Connecting application provider to the management VPC
• Consumer connectivity to workload VPC
• Creating and connecting the management and workload VPCs

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

• Check whether App ID email dispatchers are using HTTPS only
• Check whether Cloud Object Storage is accessible only through HTTPS
• Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
• Check whether App ID webhooks are using HTTPS only
• Check whether account has at least one VPN or Direct Link configured
• Check whether App ID redirect URIs are using HTTPS only
• Check whether Cloud Internet Services (CIS) has TLS mode set to End-to-End CA signed
• Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
• Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP

NIST supplemental guidance

Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept.