Security Think Tank: Password management tops list of access control issues

In the modern business environment, what are the most common access control mistakes and how best are these corrected?

The IT security function has a significant number of people and systems to support in access control – not only employees, but often partners, suppliers and customers too. These systems are rarely only internal; increasingly they are cloud-based as well.

Password management must come top of the list as a leading access control mistake. Individuals find they have too many passwords to manage and frequently use the same password (or a small set of passwords) for multiple systems.

These passwords are rarely, if ever, changed, and are often easy to guess or crack. Password manager apps are readily available and individuals should take a look at these at their earliest opportunity.

In a corporate environment, enterprises will force users to change their passwords on a regular basis to a previously unused password. However, this can still result in easy-to-guess passwords.

Single or reduced sign-on (SSO/RSO) is another option when combined with two-factor authentication (2FA). 2FA is where a user knows something – such as their user ID and password – and has something – such as a one-time passcode generator – to confirm they are the valid user for that sign-in.

Users should only be given access to systems that they need to access, and at a level appropriate for their role. The Information Security Forum (ISF) Standard of Good Practice advocates that access privileges are approved by a sufficiently senior business representative.

Role-based access control is essential when operating in the cloud, and organisations typically deploy 2FA on access points here.

Employee management is an easy area to make mistakes. As soon as an employee leaves the organisation, access should be revoked across all systems. But delays can occur, and a disgruntled former employee is not someone you want inside your network.

Again, the ISF’s Standard of Good Practice advocates the deployment of a process for terminating access privileges and also reviewing access control arrangements regularly.
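The two controls just described (terminating leavers' access promptly and reviewing access arrangements regularly) can be checked mechanically by reconciling the HR record against account exports from each system. The following is an added illustration, not code from the article or from the ISF; the HR records, the system names and the account lists are constructed sample data, and the grace period is a hypothetical parameter.

```python
from datetime import date

# Constructed sample data: HR leaver dates and the current HR head-count.
HR_LEAVERS = {
    "jsmith": date(2024, 3, 1),
    "apatel": date(2024, 3, 10),
}
HR_ACTIVE = {"bjones"}

# Constructed sample data: active account names exported from three systems
# (an internal directory, a cloud SaaS application and the VPN concentrator).
ACTIVE_ACCOUNTS = {
    "ad": {"jsmith", "apatel", "bjones"},
    "saas-crm": {"jsmith", "bjones", "cwong"},
    "vpn": {"apatel", "cwong"},
}


def overdue_revocations(leavers, accounts, today, grace_days=0):
    """Leavers whose access is still active past the grace period.

    Returns {(system, user): days_overdue}. grace_days is a hypothetical
    service level for deprovisioning; 0 means access must be gone on the
    leaving date itself.
    """
    findings = {}
    for system, users in accounts.items():
        for user in users:
            if user in leavers:
                overdue = (today - leavers[user]).days - grace_days
                if overdue >= 0:
                    findings[(system, user)] = overdue
    return findings


def orphan_accounts(hr_active, leavers, accounts):
    """Accounts that match no current or former employee in HR.

    These are the accounts a periodic access review should question: shared
    or service accounts that nobody owns, or joiners missing from HR.
    Returns {(system, user)}.
    """
    known = set(hr_active) | set(leavers)
    return {
        (system, user)
        for system, users in accounts.items()
        for user in users
        if user not in known
    }


def run_review(today, grace_days=0):
    """Run both checks over the constructed data and return the findings."""
    return {
        "revoke": overdue_revocations(HR_LEAVERS, ACTIVE_ACCOUNTS, today, grace_days),
        "orphans": orphan_accounts(HR_ACTIVE, HR_LEAVERS, ACTIVE_ACCOUNTS),
    }


if __name__ == "__main__":
    report = run_review(date(2024, 3, 15))
    for (system, user), days in sorted(report["revoke"].items()):
        print(f"REVOKE  {system:9s} {user:8s} {days} day(s) past leaving date")
    for system, user in sorted(report["orphans"]):
        print(f"REVIEW  {system:9s} {user:8s} no matching HR record")
```

In practice the two input dictionaries would be fed from the HR system and from each platform's account export; the value of the check lies in running it against every system the organisation operates, cloud services included, rather than only the central directory.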

Maxine Holt is principal analyst at the Information Security Forum (ISF).