CAF - B2.a Identity verification, authentication and authorisation

This article provides additional information on how you can meet the requirement for the CAF control B2.a, Identity verification, authentication and authorisation.

Identity Verification

A rigorous identity verification process should be followed to ensure that only individually authenticated and authorised users can access systems that support managed services.

  • Before staff are granted access, identity should be verified through:

    • confirmation of identity documents

    • background screening

    • employment validation

  • Accounts should only be created once identity validation is complete and approved.

  • Client users should also undergo a formal identity verification process, agreed with the client, before access is granted.

Authentication and Access Provisioning

  • Access to internal and client systems should be provisioned through a central identity provider such as:

    • Microsoft Entra ID (Azure AD)

    • Okta

    • JumpCloud

  • All users must receive unique, individual accounts; shared accounts are prohibited.

  • Least privilege should be enforced so that users only receive the access required for their job role.

  • Strong (multi-factor) authentication should be mandatory for all systems, using solutions such as:

    • Microsoft Authenticator

    • Duo Security

    • Okta Verify

  • Privileged tasks should only be carried out from secure, trusted devices (e.g. Privileged Access Workstations (PAWs) or locked-down admin environments) managed via:

    • Microsoft Intune

    • VMware Workspace ONE

    • Datto RMM

    • NinjaOne

Device Trust and Access Controls

  • Logical access should be restricted to trusted, compliant devices using tools such as:

    • Intune

    • Jamf

    • Kandji

    • Cisco Meraki

    • SentinelOne

    • CrowdStrike

  • Default passwords, keys and tokens should be changed before deployment.

  • Password requirements, rotation policies and protection mechanisms should be enforced in line with the organisation’s Password Policy.

  • Where supported, certificate-based or PKI authentication should be implemented, and key and certificate lifecycles should be managed to ensure authenticity, integrity and timely renewal or revocation.

Ongoing Access Reviews

  • User access, system roles and device permissions should be reviewed at least every six months, and automatically when staff:

    • join

    • leave

    • move roles

  • Unnecessary access should be removed promptly.

  • Any anomalies should be investigated.

Maintaining Strong Authentication Policies

Authentication methods, MFA requirements, conditional access rules and device trust policies should be routinely updated to reflect:

  • current best practice

  • new security guidance

  • emerging threats

  • operational changes

Ensuring Secure Access to Critical Systems

This structured approach ensures that access to critical systems remains:

  • tightly controlled

  • strongly authenticated

  • aligned with cyber security best practice

  • effective for organisations delivering managed services