Access control is becoming increasingly complex as workers become more mobile and access data on a multitude of devices. Managing identity and access is difficult and time-consuming, but there are three key areas where we can improve.
1. Joiners, movers and leavers process
One of the most common issues is that businesses often struggle to manage and fully implement a standardised, comprehensive process for joiners, movers and leavers. This can be increasingly challenging as more systems, devices and services are added to the network because they each require their own login credentials and authentication methods, such as passwords, biometrics and two-factor authentication.
This is exacerbated as more businesses opt for cloud services. The purchasing organisation may want its own direct access, but user access and administration may be performed by the cloud service provider, the purchaser, or both, so responsibility for each step of the process must be clearly assigned.
An additional dimension – and one that is often forgotten – is customer access to corporate resources and associated management. Organisations must be able to revoke access quickly, but at the same time retain information about the accounts for legal or regulatory purposes.
Companies cannot rely on an ad-hoc system of assigning access control when and where it is required. They need to have in place defined guidelines for joiners, movers and leavers that cover internal, supplier and consumer access.
2. Not managing user rights
User rights must be managed as individuals move around an organisation and use more devices to access information. Typically, their accounts start to gain access to more systems and information which is never revoked.
As a result, individuals can see much more than was intended and, should their account be compromised, provide an attacker with greater access than might be realised. These types of account, where rights have accrued over time, are the ones hackers really want to compromise when trying to infiltrate a system.
This accrual of rights can be due to simple negligence or not having the correct practices in place to ensure supervision. Account access must be checked on a rolling basis, and companies should look at role-based access control.
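One way to automate the rolling check this section recommends, as an added example that is not from the article: given a role-to-entitlement baseline and a list of accounts (all constructed here), flag rights that exceed the holder's current role (the accrual problem above), leavers whose accounts are still active (the first section's problem), and any super user rights (the third). The role names, entitlement names and baseline are assumptions.

```python
# Added example, not from the article: a minimal entitlement review over
# constructed sample data. Role baseline and entitlement names are assumptions.
from dataclasses import dataclass, field

# Constructed role baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "helpdesk": {"ticketing", "ad-password-reset"},
    "finance": {"erp", "payroll"},
    "developer": {"git", "ci", "staging-db"},
}
# Constructed set of rights that count as 'super user' and always warrant a finding.
SUPER_USER_RIGHTS = {"domain-admin", "root"}


@dataclass
class Account:
    user: str
    role: str                 # current role, or "leaver" once offboarded
    active: bool              # whether the account can still log in
    entitlements: set
    role_history: list = field(default_factory=list)  # previous roles (movers)


def review(accounts):
    """Return {user: [findings]} for accounts that need attention."""
    findings = {}
    for a in accounts:
        issues = []
        if a.role == "leaver" and a.active:
            issues.append("leaver still active")
        baseline = ROLE_BASELINE.get(a.role, set())
        # Rights not justified by the current role were most likely carried
        # over from an earlier role and never revoked.
        accrued = a.entitlements - baseline - SUPER_USER_RIGHTS
        if accrued:
            issues.append("accrued: " + ",".join(sorted(accrued)))
        privileged = a.entitlements & SUPER_USER_RIGHTS
        if privileged:
            issues.append("super user: " + ",".join(sorted(privileged)))
        if issues:
            findings[a.user] = issues
    return findings


def sample_accounts():
    """Constructed sample: a mover, a clean account, a leaver and an admin."""
    return [
        Account("alice", "finance", True, {"erp", "payroll", "ticketing", "ad-password-reset"}, ["helpdesk"]),
        Account("bob", "developer", True, {"git", "ci", "staging-db"}),
        Account("carol", "leaver", True, {"git"}, ["developer"]),
        Account("dave", "developer", True, {"git", "ci", "staging-db", "domain-admin"}),
    ]


if __name__ == "__main__":
    for user, issues in review(sample_accounts()).items():
        print(user, "->", "; ".join(issues))
```

Run against a real directory export, the same logic maps onto the rolling review and the role-based baseline this section calls for.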
3. Not managing ‘super user’ accounts
Super user accounts are the ‘crown jewels’ of identity and access. A significant number of organisations do not carry out simple security steps, such as changing account names from ‘administrator’ to less visible or guessable terms, nor do they track these accounts’ activity adequately.
Moving to one-time passwords for all actions may be excessive, but requiring two-factor authentication or similar mechanisms will help to protect these accounts and provide a way to track activity. The number of super user accounts across the organisation should be minimised, and monitoring their activity should be a priority.
It is clear that as security management evolves and new technology such as cloud computing becomes more prominent, every security professional will need to adapt. Access control is a key area that requires greater attention, and the three tips above should be kept at the forefront of security training to ensure data is accessible only by the right individuals.