Maksim Kabakou - Fotolia
It is becoming more difficult to manage access to corporate IT resources as businesses become more mobile and reliant on cloud-based services. Here are the top five access control mistakes and guidelines on how to avoid them:
1. Trusting third parties
Top of the list is the unwavering faith that companies seem to place in third-party suppliers, who in some cases have lied through their teeth to win that latest tender at the best possible price.
Companies rarely seem to apply any common sense or due diligence when handing over credentials or allowing third parties direct access to their networks, and this can have severe consequences. Think Target, the US retailer that suffered a major security breach via a third-party air-conditioning maintenance company that was connected to its network.
But also think about offshored support companies, where all of a sudden you have a few thousand new friends on your network, completely outside of UK legal jurisdiction.
My advice is not to get into this position in the first place. CISOs should kick back hard on any suggestion that third parties should get credentials and network access, and ensure due diligence is carried out well before granting access to any third party, including big-name suppliers.
Remember: if something goes wrong in an outsourcing arrangement, it will still be your fault. You are fully accountable for any failings in the supply chain. Treat the supply chain as you would your own employees.
2. Allowing too much access
Getting access control right can be a laborious task – but don’t take shortcuts. Each and every user should be securely provisioned, assigned privileges according to their role or function, and given information on a need-to-know basis.
This includes system administrators. The job title kind of gives away what they do – they are here to administer systems. They are not here to look at every piece of information on your network and browse through your payroll system.
Read more about how to fix common access control mistakes
Surfing around your network is one thing, but bear in mind that if their machines become compromised or infected with malware, then guess what? The malware can see all the information on your network too, and will quite happily drop Cryptolocker onto your payroll server and earn a few bitcoins for its master.
My advice: if you are in any doubt as to who can access what, carry out an access control audit. It might take a short while, but it’s the only way to work out who has access to what. In parallel, look at defining role-based access control. Individuals should not have a custom set of permissions just based on who they are; they should inherit a pre-defined role.
3. I thought Bob still worked here
If someone leaves, disable their user account. Period. There is no excuse for accounts to exist on access control systems for people who no longer need to use them. If these accounts are used maliciously, it’s no longer Bob’s fault – he doesn’t work for you any more.
Work with your HR department on this one. Make sure there are clear channels to ensure that once people leave, their credentials are disabled – same day. You should also put a mop-up process in place that looks for any accounts that have been inactive for more than 30 days. Then raise these accounts with HR and establish whether they are still needed.
4. Emailing credentials
When was the last time someone sent you your username and password by email? For me, it was last week. Some online service or another evidently felt that was a good idea. Yet we see this in the corporate world, too.
A password should never be written down. It’s a word that must exist in someone’s head only, otherwise the whole authentication model falls apart. Emailing credentials is about as good as writing them down on Post-It notes and slapping them on your monitor. Don’t do it.
My advice: while it’s OK to email a username, use another channel for the password – text message, Skype, Facebook message, whatever. As long as it’s not in the same channel. Ensure your systems mandate a password change the first time this password is used (because remember, you’ve “written” it down in a text message).
5. Shared user accounts
The word “account” appears in “accountability” for a reason. It’s a means to hold someone accountable for their actions. It means a named individual can be held to account for doing something wrong, or not following process.
As soon as you share accounts, or passwords to accounts, you no longer have any accountability. Users can do what they want, and get away scot free. Your audit trails get broken because you can no longer tell which individual did something.
My advice: don’t do it. One exception might be a generic Administrator or Root account, because there is no way to disable this. The password should be written down, put in an envelope, stored in a fireproof safe and protected with dual controls, so two people are needed to open the safe. If the envelope is ever opened, this means you should change the password that is within it.
I hope this is all basic, common stuff that you are all doing already, and hope this article helps to reiterate the importance of access control. As with any other security control, it can degrade, people get lazy and human error slips into the equation, so make sure systems are subject to regular audit to help your company stay on top of the game.
Tim Holman is CEO at 2-sec security consultancy.........................................................................................................