Identity and access management
This section describes Itron's policy for establishing an access control, identification, and authentication standard for the Itron Azure environment and the outcomes it hosts; for establishing best practices for user account management and for identification and authentication into Itron information assets; and for remote access. This policy applies to all staff, contractors, and third-party owners, operators, and users who access or use the Itron Azure environment and the outcomes it hosts. This policy applies to all Itron Azure environment assets, including all software, applications, services, data, and infrastructure.
The infrastructure team, developer teams, and users of the Itron Azure environment are responsible for ensuring they adhere to procedures and controls that demonstrate compliance with this policy. Teams are responsible for assigning the resources necessary to achieve compliance. Itron management commits to actively supporting the teams in complying with this policy by ensuring that the policy is reviewed and approved, responsibilities are defined, and resources and budget are available. Any in-scope Itron employee found to have violated this policy may be subject to disciplinary action. The severity of the incident shall govern the severity of the action taken (from a verbal warning up to termination).
For more information about Itron's Microsoft Entra ID integration, see the AAD Integration Help.
Policy
Itron adheres to formal, documented access control, identification, and authentication procedures for the Itron Azure environment that facilitate the implementation of the access control, identification, and authentication policy and associated access control, identification, and authentication controls. The access control, identification, and authentication procedures document addresses scope, roles, responsibilities and the access control, identification and authentication processes and procedures necessary to ensure the protection of the privacy, security, and confidentiality of Itron Azure environment assets and data, and the prevention of unauthorized access to the Itron Azure environment and the outcomes it supports. This policy is based on the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Rev 4 Access Control (AC) and Identification and Authentication (IA) control family guidelines.
Account management
Itron implements account management for the Itron Azure environment to:
- Identify the account types required (for example, individual, group, system, or guest).
- Assign Access Managers for accounts.
- Establish conditions for group/role membership.
- Identify authorized users of Itron Azure environment assets and specify their access privileges and group/role memberships.
- Require appropriate approvals for requests to create accounts.
- Create, activate, modify, disable, and remove accounts.
- Monitor the use of accounts.
- Notify Access Managers when access needs change or when accounts are no longer needed due to role changes or termination.
- Disable accounts of terminated or transferred users.
- Disable temporary or emergency accounts after use.
- Authorize access to Itron Azure environment assets and/or group/role membership based on a valid access authorization and intended system usage.
Accounts are reviewed at least annually for compliance with account management requirements.
Access enforcement
All routes of access to the Itron Azure environment enforce approved authorizations, in accordance with the access control, identification, and authentication policy, for all users and all actions.
Information flow enforcement
The Itron Azure environment enforces approved authorizations for controlling the flow of information within the Itron Azure environment and between interconnected systems.
Separation of duties
Itron separates the duties of individuals accessing the Itron Azure environment to reduce the risk of malevolent activity without collusion, by separating sensitive or privileged duties and activities from regular activities, across multiple individuals, roles, or accounts. The separation of duties of individuals is documented. The implementation of Itron Azure environment access authorizations supports the separation of duties.
Least privilege
Itron employs the principle of least privilege, allowing users or processes only the authorized accesses which are necessary to accomplish their assigned tasks. Itron restricts the use, authorization, and availability of utility programs that can override system and application controls.
Unsuccessful sign-in attempts
All routes of access to the Itron Azure environment enforce a limit on consecutive invalid sign-in attempts by a user during an organization-defined time period. When the maximum number of attempts is surpassed, either the account is locked until released by an administrator, or the next sign-in prompt is delayed for an organization-defined time period.
Session lock and termination
Further access to the Itron Azure environment is prevented by initiating a session lock after an organization-defined period of inactivity. The session lock is retained until the user re-establishes access using the established identification and authentication procedures. The Itron Azure environment automatically terminates a user session when the user signs out.
Permitted actions without identification or authentication
No actions are allowed on the Itron Azure environment without identification and authentication.
Remote access
Itron documents allowed methods of remote access to the Itron Azure environment. Itron establishes usage restrictions and implementation guidance for each allowed method of remote access to the Itron Azure environment. Itron authorizes remote access to the Itron Azure environment before allowing such connections. Itron monitors for unauthorized remote access to the Itron Azure environment.
Access control for mobile devices
Itron establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for controlling access from mobile devices to the Itron Azure environment. Itron authorizes the connection of mobile devices to the Itron Azure environment. Itron monitors for unauthorized connection of mobile devices to the Itron Azure environment. Itron Security maintains a mobile device policy.
Data mining protection
The Itron Azure environment is connected to Itron Security's security information and event management (SIEM) system to adequately detect and protect against data mining.
Identification and authentication (organizational users)
All organizational users of the Itron Azure environment (or processes acting on behalf of organizational users) are uniquely identified and authenticated.
Device identification and authentication
All system devices (meters, routers, and concentrators) connecting to the Itron Azure environment are uniquely identified and authenticated prior to the establishment of a network connection.
Identifier management
Itron manages Itron Azure environment identifiers by:
- Receiving authorization from designated organizational officials to assign an individual, group, role, or device identifier.
- Selecting an identifier that uniquely identifies an individual, group, role, or device.
- Assigning the identifier to the intended individual, group, role, or device.
- Preventing reuse of the identifier whilst it is assigned to an active individual, group, role, or device.
Authenticator management
Itron manages Itron Azure environment authenticators by:
- Verifying the identity of the individual, group, role, or device receiving the authenticator prior to providing the new secret authentication information.
- Providing temporary, secure, and unique authentication information upon initial user registration.
- Requiring users to change passwords on the first sign-in.
- Ensuring authenticators have sufficient strength for their intended use and are secure.
- Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators.
- Requiring individuals to use safeguards to protect authenticators from unauthorized use (for example, not keeping a record of authenticators, and changing authenticators after any indication of possible compromise).
- Establishing multi-factor authentication for privileged accounts.
- Establishing replay-resistant mechanisms for privileged accounts.
Authenticator feedback
Authenticators (for example, passwords or API keys) are obscured during the authentication process to protect the information from possible exploitation or use by unauthorized individuals.
Identification and authentication (non-organizational users)
All non-organizational users (customers) of the Itron Azure environment (or processes acting on behalf of non-organizational users) are uniquely identified and authenticated.