I am having a hard time understanding exactly what complementary user entity controls are and how to identify them. I was wondering if someone could shed some light on this for me.
@travis_fahlgren - Complementary User Entity Controls (CUEC) are all controls within the service organization's processes that rely on the user entity for implementation and function.
For example, let's take AWS and Tugboat Logic. Tugboat Logic is the User Entity and AWS is the Service Organization. Tugboat Logic ensures that its employees with privileged access to AWS have their accounts provisioned and de-provisioned in a timely manner. We make sure that we enable disk encryption, etc. For AWS to fulfill its security control objectives, the end users of their systems need to do their part. Those are the CUECs.
In a way, CUECs are a way to clarify who is responsible for what.
Hope that helps!