ISMS Compliance
CyFun Basic | Protect

PR.AC-1: Identity and credential management

Identities and credentials are issued, managed, verified, revoked, and audited for authorised devices, users, and processes

PROTECT | PR.AC-1 | Key Measure

Requirement

Identities and credentials for authorised devices and users shall be managed.

Guidance

A password policy is a set of rules designed to enhance ICT/OT security by encouraging organisations to:

  • Change all default passwords
  • Ensure that no-one works with administrator privileges when performing daily tasks
  • Keep a limited and up-to-date list of system administrator accounts
  • Enforce password rules, e.g. passwords must meet a state-of-the-art minimum length with a combination of character types, and be changed periodically or whenever there is any suspicion of compromise
  • Use only individual accounts and never share passwords
  • Immediately disable unused accounts
  • Manage rights and privileges through user groups

Our Implementation

All users are assigned unique identities via individual accounts across all platforms. Google Workspace serves as the primary identity provider, with Google SSO enforced on 20 of the 27 tracked systems. MFA is enforced at the Google account level, so every SSO-integrated service inherits it. Default passwords are changed on all systems, and no shared credentials are used. API-key-only services (OpenRouter, Mistral, Qdrant, Exa.ai) are limited to backend service accounts with restricted scope.

For the NextSDS product, customer authentication uses Supabase Auth with UUID-based identities and passwordless magic links for account setup. No hardcoded credentials exist in application code.
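The "no hardcoded credentials in application code" statement above is the kind of claim an auditor will ask to see checked rather than asserted. The scanner below is an added example of such a check; it is not the project's own tooling and nothing on this page describes how the claim is verified. It combines three rules commonly used by secret scanners: known secret shapes (the AWS key, PEM block and JWT regexes are generic assumptions, not key formats of any service named on this page), string literals assigned to credential-looking variable names, and a Shannon-entropy fallback for long literals. The sample source, placeholder markers, threshold and dummy values (including the JWT, which is made up) are all constructed for this example.

```python
"""Scan source text for hardcoded credentials.

Added example for checking the "no hardcoded credentials in application
code" claim; it is not the page's or the project's own tooling. The secret
patterns, placeholder markers, entropy threshold and sample source below are
assumptions constructed for this example.
"""
import math
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Rule (a): well-known secret shapes (generic patterns, an assumption).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}

# Rule (b): a string literal assigned to a credential-looking name.
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Za-z0-9_]*(?:key|secret|token|passw(?:or)?d|credential)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]",
    re.IGNORECASE,
)

# Rule (c): any long string literal with high Shannon entropy.
LITERAL = re.compile(r"['\"]([^'\"]{20,})['\"]")
ENTROPY_THRESHOLD = 3.8  # bits per character; an assumed cut-off

# Values that are obviously dummies or templated in at deploy time.
PLACEHOLDER_MARKERS = ("changeme", "example", "xxxx", "<", "${", "your_", "todo")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """True if the literal looks like a dummy rather than a live secret."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule) findings, one entry per rule that fired."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        hits = [name for name, pat in PATTERNS.items() if pat.search(line)]
        m = ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group("value")):
            hits.append("credential_assignment")
        if not hits:
            # Entropy is a noisy heuristic, so only use it when nothing else fired.
            for lit in LITERAL.finditer(line):
                if shannon_entropy(lit.group(1)) >= ENTROPY_THRESHOLD:
                    hits.append("high_entropy_literal")
                    break
        findings.extend((lineno, rule) for rule in hits)
    return findings


# Constructed sample source; every value is a dummy made up for this example.
SAMPLE_SOURCE = """\
import os
OPENROUTER_API_KEY = os.environ["OPENROUTER_API_KEY"]
QDRANT_API_KEY = "CHANGEME"
aws_key = "AKIAIOSFODNN7EXAMPLE"
db_password = "correct horse battery staple"
SUPABASE_SERVICE_ROLE_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.Y2HgjxmDqLAyF7dD3f5eN4KXQ1w8wJtLq0Bz9sT6vU8"
headers = {"Authorization": "Bearer 9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a"}
"""


def scan_sample() -> List[Tuple[int, str]]:
    """Run the scanner over the constructed sample."""
    return scan_lines(SAMPLE_SOURCE.splitlines())


if __name__ == "__main__":
    for lineno, rule in scan_sample():
        print(f"line {lineno}: {rule}")
```

Two points worth noting from the sample: the environment-variable lookup on line 2 and the obvious placeholder on line 3 produce no findings, while the passphrase on line 5 is caught only by the name-based rule, since a dictionary passphrase has too little entropy for rule (c). Running a check like this in CI, alongside a dedicated tool such as gitleaks or trufflehog, is what turns the sentence above into evidence.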

Gaps / Planned improvements:

  • 6 services flagged as "MFA needs review" — API-key-only and legacy email/password accounts (NEX-344)
  • SSO migration pending for legacy personal/email accounts (NEX-344)
  • No separate admin accounts — all team members use personal accounts with admin privileges (NEX-346)

Evidence

Partially Implemented | L2 — Repeatable

Cross-references

Framework          Control
ISO 27001:2022     A.5.16 — Identity management; A.5.17 — Authentication information
NIST CSF           PR.AC-1
CIS Controls v8    5.2, 5.4
