
Security Think Tank: How to keep on top of access control

In the modern business environment, what are the most common access control mistakes and how can these best be corrected?

Access control is becoming increasingly complex as workers become more mobile and access data on a multitude of devices. Managing identity and access is difficult and time-consuming, but there are three key areas where we can improve.

1. Joiners, movers and leavers process

One of the most common issues is that businesses often struggle to manage and fully implement a standardised, comprehensive process for joiners, movers and leavers. This can be increasingly challenging as more systems, devices and services are added to the network because they each require their own login credentials and authentication methods, such as passwords, biometrics and two-factor authentication.

This is exacerbated as more businesses move to cloud services: the purchasing organisation may request its own access, but user provisioning and administration may be performed by the cloud service provider, the purchaser, or both.

An additional dimension – and one that is often forgotten – is customer access to corporate resources and associated management. Organisations must be able to revoke access quickly, but at the same time retain information about the accounts for legal or regulatory purposes.

Companies cannot rely on an ad-hoc system of assigning access control when and where it is required. They need to have in place defined guidelines for joiners, movers and leavers that cover internal, supplier and consumer access.

2. Not managing user rights

User rights must be managed as individuals move around an organisation and use more devices to access information. Typically, their accounts start to gain access to more systems and information which is never revoked.

As a result, individuals can see much more than was intended and, should their account be compromised, provide an attacker with greater access than might be realised. These types of account, where rights have accrued over time, are the ones hackers really want to compromise when trying to infiltrate a system.

This accrual of rights can be due to simple negligence or not having the correct practices in place to ensure supervision. Account access must be checked on a rolling basis, and companies should look at role-based access control.
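The joiners, movers and leavers checks from section 1 and the accrued-rights review from section 2 are the same reconciliation problem: compare what the HR roster says a person should have (their role, under role-based access control) with what their account actually holds. The script below is an added example, not part of the original article or any (ISC)2 tooling; the roster, the role-to-entitlement matrix and the account list are constructed sample data, and the entitlement names are placeholders.

```python
"""Rolling access review: reconcile an HR roster against provisioned accounts.

Added example (constructed data). Flags four classes of finding:
  leaver_active   - a leaver whose account is still enabled
  excess_right    - an entitlement the person's current role does not grant
                    (the accrued rights of a mover)
  missing_right   - an entitlement the current role requires but is absent
  orphan_account  - an enabled account with no roster entry at all
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Role-based access control matrix (constructed): role -> entitlements it grants
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "finance-manager": {"erp:read", "erp:approve", "reporting:read"},
    "developer": {"git:write", "ci:run"},
    "sre": {"git:write", "ci:run", "prod:ssh"},
}


@dataclass
class Person:
    user_id: str
    role: str
    status: str                       # "active" or "left"
    end_date: Optional[date] = None   # set for leavers


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    user_id: str
    kind: str
    detail: str


def reconcile(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Compare roster (HR truth) with accounts (IAM truth) and return findings."""
    findings: List[Finding] = []
    by_user = {a.user_id: a for a in accounts}

    for p in roster:
        acct = by_user.get(p.user_id)
        has_left = p.status == "left" or (p.end_date is not None and p.end_date <= today)
        if has_left:
            if acct is not None and acct.enabled:
                findings.append(Finding(p.user_id, "leaver_active",
                                        "account still enabled after leaving"))
            continue
        if acct is None:
            continue  # joiner not yet provisioned: a service gap, not an access finding
        expected = ROLE_ENTITLEMENTS.get(p.role, set())
        for ent in sorted(acct.entitlements - expected):        # accrued rights
            findings.append(Finding(p.user_id, "excess_right",
                                    f"{ent} not granted by role {p.role}"))
        for ent in sorted(expected - acct.entitlements):        # incomplete mover
            findings.append(Finding(p.user_id, "missing_right",
                                    f"{ent} required by role {p.role}"))

    known = {p.user_id for p in roster}
    for a in accounts:
        if a.enabled and a.user_id not in known:
            findings.append(Finding(a.user_id, "orphan_account",
                                    "enabled account with no roster entry"))
    return findings


def run_review() -> List[Finding]:
    """Run the review over constructed sample data."""
    roster = [
        Person("alice", "finance-analyst", "active"),
        Person("bob", "finance-manager", "active"),     # moved from developer
        Person("carol", "sre", "left", end_date=date(2024, 2, 29)),
        Person("dave", "developer", "active"),
    ]
    accounts = [
        Account("alice", True, {"erp:read", "reporting:read"}),
        Account("bob", True, {"erp:read", "erp:approve", "reporting:read",
                              "git:write", "ci:run"}),  # old developer rights kept
        Account("carol", True, {"git:write", "ci:run", "prod:ssh"}),
        Account("dave", True, {"git:write"}),
        Account("svc-legacy", True, {"erp:read"}),      # nobody owns this one
    ]
    return reconcile(roster, accounts, today=date(2024, 3, 15))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:15} {f.user_id:12} {f.detail}")
```

Running it against the sample data reports bob's leftover developer rights, carol's still-enabled account, dave's missing CI entitlement and the unowned service account. In practice the roster comes from the HR system and the account list from a directory or IAM export; the point is that the review is driven by role, not by whoever happened to approve the last request.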

3. Not managing ‘super user’ accounts

Super user accounts are the ‘crown jewels’ of identity and access. A significant number of organisations do not carry out simple security steps, such as changing account names from ‘administrator’ to less visible or guessable terms, nor do they track these accounts’ activity adequately.

Moving to one-time passwords for all actions may be excessive, but requiring two-factor authentication or similar mechanisms will help to protect these accounts and provide a way to track activity. The number of super user accounts across the organisation should be minimised, and monitoring their activity should be a priority.
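The three super-user controls above (avoid guessable default account names, require a second factor, keep the number of privileged accounts small and watch what they do) can be checked mechanically from an account inventory and an authentication log. The script below is an added example, not the article's own or any vendor's code; the inventory, the log lines and the log format are constructed, and the 30-day dormancy threshold is an assumption.

```python
"""Privileged-account hygiene review over a constructed inventory and audit log.

Added example (constructed data). For every account marked privileged it reports:
  default_name - the account still uses a well-known administrator name
  no_mfa       - no second factor is enforced
  dormant      - no logon or privileged action in the audit log within DORMANT_AFTER
It also returns the super-user count and each privileged account's event trail.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}   # assumption: names to avoid
DORMANT_AFTER = timedelta(days=30)                          # assumption: review window

# Constructed inventory: name, whether privileged, whether MFA is enforced
INVENTORY = [
    {"name": "administrator",   "privileged": True,  "mfa": False},
    {"name": "ops-break-glass", "privileged": True,  "mfa": True},
    {"name": "jsmith-adm",      "privileged": True,  "mfa": True},
    {"name": "jsmith",          "privileged": False, "mfa": True},
    {"name": "old-dba",         "privileged": True,  "mfa": False},
]

# Constructed audit log in a simple "<timestamp> <EVENT> user=<name> ..." format
AUDIT_LOG = """\
2024-03-01T08:02:11Z LOGON user=administrator src=10.0.0.5
2024-03-02T09:15:40Z LOGON user=jsmith src=10.0.1.20
2024-03-10T22:47:03Z LOGON user=jsmith-adm src=10.0.1.20
2024-03-11T03:12:55Z SUDO user=jsmith-adm cmd=/usr/sbin/useradd
2024-03-14T10:00:00Z LOGON user=ops-break-glass src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+)")


def parse_log(text: str):
    """Return (last_seen_per_user, events_per_user) from the audit log."""
    last_seen: Dict[str, datetime] = {}
    events: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not match the format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = m["user"]
        last_seen[user] = max(last_seen.get(user, ts), ts)
        events.setdefault(user, []).append((ts, m["event"]))
    return last_seen, events


def review(inventory, log_text: str, now: datetime) -> dict:
    """Check every privileged account against the three hygiene rules."""
    last_seen, events = parse_log(log_text)
    privileged = [a for a in inventory if a["privileged"]]
    findings: List[Tuple[str, str]] = []
    for acct in privileged:
        name = acct["name"]
        if name.lower() in DEFAULT_ADMIN_NAMES:
            findings.append((name, "default_name"))
        if not acct["mfa"]:
            findings.append((name, "no_mfa"))
        seen = last_seen.get(name)
        if seen is None or now - seen > DORMANT_AFTER:
            findings.append((name, "dormant"))
    return {
        "super_user_count": len(privileged),
        "findings": findings,
        # the per-account trail is what "tracking these accounts' activity" needs
        "privileged_events": {a["name"]: events.get(a["name"], []) for a in privileged},
    }


def run_review() -> dict:
    """Run the review over the constructed data as of a fixed date."""
    return review(INVENTORY, AUDIT_LOG, now=datetime(2024, 3, 15))


if __name__ == "__main__":
    result = run_review()
    print("super user accounts:", result["super_user_count"])
    for name, kind in result["findings"]:
        print(f"{kind:13} {name}")
```

On the sample data the default-named account without MFA and the dormant `old-dba` account are the two that need action, and four privileged accounts is the number to try to reduce. A dormant privileged account is worth a finding of its own: it is exactly the kind of account whose compromise nobody would notice from activity alone.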

It is clear that as security management evolves and new technology such as cloud computing becomes more prominent, every security professional will need to adapt. Access control is a key area that requires greater attention, and the three tips above should be kept at the forefront of security training to ensure data is accessible only by the right individuals.

Adrian Davis is managing director for Europe at (ISC)2.
