CC-in-the-Cloud / General

Common Criteria in the Cloud Technical Community
https://cc-in-the-cloud.github.io/

Australian Scheme Feedback: (p9) Responsibilities #170

Open jgb1128 opened 3 days ago

jgb1128 commented 3 days ago

"...the TOE administrator (customer) is assumed to be tasked with safeguarding their applications, data, and configurations within the cloud environment. They actively manage security controls, such as authentication mechanisms, encryption protocols, and network access policies, to protect their assets and mitigate potential risks."

The CSP needs to make suitable authentication mechanisms, encryption protocols, etc. available for the customer to use. For example, if the CSP’s SaaS offering (e.g. web-based email) doesn’t support multifactor authentication for the customer’s userbase to log in, the customer can’t easily remedy that.

bharveyTX commented 2 days ago

This is a consideration for PP authors as the types of authentication mechanisms and cryptographic support are technology-type dependent. We will try to highlight this in our guidance for PP authors.