Identity and Access Management
You only want people to have keys to your house if you trust them. The same goes for your systems. In cyber security we call this identity and access management and it’s all about making sure that the right people have access to the right things at the right time.
In a bit more detail:
At a high level, identity and access management is the creation, maintenance and deletion of identities to ensure that the right people have access to the right things at the right time. It’s important to your business as knowing who has access to what is a fundamental principle for most data protection laws and requires business skills not just technical expertise.
Here are 4 quick wins to start you on your cyber-health journey to improve in identity and access management; each is described in more detail below:
Use a password manager
User accounts are the keys into the information that your company needs to function, so making sure these are protected is important. For most businesses, losing access to systems such as email, financial data or intellectual property can be problematic.
If your business shares user accounts, such as logins to bank accounts or other services, making these passwords hard to crack is paramount. By using a password manager, you can set long complex passwords that are hard for hackers to break and your users only have to remember one password.
Some simple steps you can take to protect your user accounts are:
- Use an established password manager that provides strong security to encourage your users to set complex passwords (as they won't need to remember them)
- Make sure your users set a strong password to access their password manager as it should be the only one they need to remember
- Where needed, use a distributed password manager that allows passwords to be synced across devices and passwords for system accounts to be shared between authorised users (so no-one ever needs to write them down)
Keep admin accounts separate to normal accounts
Administration (Admin) accounts are user accounts that have the highest level of access to systems within your business. In the wrong hands, ordinary user accounts can damage data within your systems; admin accounts can destroy entire systems.
Some simple steps you can take to protect your admin accounts are:
- Always use a separate ‘admin’ user account to carry out administrative tasks
- Don’t use accounts with admin privileges to carry out day to day tasks
- Only give admin access to the people who actually need it
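The separation described above can be checked rather than just asked for. The following is an added example, not part of the original guidance: it takes a constructed account list (each account has an owner and a type) and a constructed sign-in log (each entry records what the session was used for) and flags two things, admin accounts used for routine work such as email or web browsing, and people whose only account is an admin account, so they have no choice but to do day-to-day work with it. The account names, activity labels and field names are all assumptions made for the example; a real audit log will expose this information under its own names.

```python
"""Check that admin accounts are kept separate from day-to-day accounts.

Constructed example data. Every account has an owner and a type
('admin' or 'standard'); every sign-in record says what the session
was used for. Field names and activity labels are assumptions made
for this example, not the output of any particular product.
"""
from collections import defaultdict

# Activities that belong to routine work and should never be done
# from an admin account.
DAY_TO_DAY = {"email", "web_browsing", "documents"}

# Constructed account inventory: account name -> owner and type.
ACCOUNTS = {
    "alice":     {"owner": "alice", "type": "standard"},
    "alice-adm": {"owner": "alice", "type": "admin"},
    "bob":       {"owner": "bob",   "type": "standard"},
    "bob-adm":   {"owner": "bob",   "type": "admin"},
    "carol":     {"owner": "carol", "type": "admin"},  # no standard account
}

# Constructed sign-in log: (account, what the session was used for).
SIGNIN_LOG = [
    ("alice",     "email"),
    ("alice-adm", "server_config"),
    ("bob-adm",   "email"),           # admin account used for email
    ("bob-adm",   "web_browsing"),    # ... and for browsing
    ("bob",       "documents"),
    ("carol",     "email"),           # carol's only account is admin
    ("carol",     "user_management"),
]


def find_admin_misuse(accounts, log):
    """Map each admin account to the sorted routine activities it was used for.

    Only admin accounts that appear in the log doing day-to-day work
    are returned, so an empty dict means the rule is being followed.
    """
    misuse = defaultdict(set)
    for account, activity in log:
        info = accounts.get(account)
        if info is not None and info["type"] == "admin" and activity in DAY_TO_DAY:
            misuse[account].add(activity)
    return {account: sorted(acts) for account, acts in misuse.items()}


def admins_without_standard_account(accounts):
    """List owners who hold an admin account but no standard account.

    These people cannot follow the 'separate admin account' rule until
    they are given an ordinary account for routine work.
    """
    owners_by_type = defaultdict(set)
    for info in accounts.values():
        owners_by_type[info["type"]].add(info["owner"])
    return sorted(owners_by_type["admin"] - owners_by_type["standard"])


if __name__ == "__main__":
    for account, activities in find_admin_misuse(ACCOUNTS, SIGNIN_LOG).items():
        print(f"admin account {account!r} used for routine work: {', '.join(activities)}")
    for owner in admins_without_standard_account(ACCOUNTS):
        print(f"{owner!r} has an admin account but no standard account")
```

Running the script against the constructed data reports `bob-adm` (used for email and web browsing) and `carol` on both counts, which is exactly the pair of problems the three steps above are meant to prevent.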
Review who has access to systems (principle of least privilege)
Most systems give you the ability to choose what level of access a user can have to them. In its most basic form, this can be ‘read-only’, ‘edit’ or ‘full control’.
Making sure that your users have the right level of access to your systems means that mistakes are less likely (e.g., accidentally deleting a file) and, if a user account falls into the wrong hands, the amount of information the attacker has access to is reduced.
Some simple steps you can take to review access to systems are:
- Understand what each user in your business does and what level of access they actually need
- Set up users with access to systems according to their business role
- Review this access on a regular basis to make sure users only have the access they require to do their job
Ensure accounts are closed when users leave your company
One of the most common ways that a business is hacked is via user accounts belonging to former employees.
Some simple steps you can take to combat this:
- Keep a record of what systems a user has access to (this can be recorded as part of your asset register)
- Have a basic process to follow for when users leave, which includes closing down or disabling accounts
- Make sure you include any cloud or external systems as these can be easily forgotten
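The access review in the previous section and the leaver check in this one both start from the same record: a register of who has what level of access to which system. The following is an added example, not part of the original guidance, that runs both checks over a constructed register. It compares each active user's access against what their business role needs and reports anything above that, and it lists every account still in the register for someone who has left or who is unknown to the staff list, cloud systems included. The roles, systems, access levels and names are all assumptions made for the example.

```python
"""Access review against business roles, plus a leaver check.

All data below is constructed for this example. The register is the
kind of record the guidance suggests keeping in the asset register:
one row per (user, system, access level), covering cloud systems too.
"""

# Ordering of access levels so 'more than needed' can be compared.
LEVEL = {"none": 0, "read-only": 1, "edit": 2, "full control": 3}

# What each business role needs (constructed). A system not listed
# for a role is treated as 'none'.
ROLE_ACCESS = {
    "finance": {"accounting": "edit", "email": "edit", "fileshare": "read-only"},
    "sales":   {"crm": "edit", "email": "edit", "fileshare": "read-only"},
}

# Staff list from HR (constructed): role and whether still employed.
STAFF = {
    "alice": {"role": "finance", "active": True},
    "bob":   {"role": "sales",   "active": True},
    "dave":  {"role": "sales",   "active": False},   # left the company
}

# Access register (constructed): (user, system, level granted).
ACCESS_REGISTER = [
    ("alice", "accounting",    "edit"),
    ("alice", "fileshare",     "full control"),  # role only needs read-only
    ("alice", "email",         "edit"),
    ("bob",   "crm",           "edit"),
    ("bob",   "email",         "edit"),
    ("bob",   "accounting",    "read-only"),     # not part of the sales role
    ("dave",  "crm",           "edit"),          # leaver still has access
    ("dave",  "cloud-storage", "read-only"),     # cloud system, easily missed
    ("erin",  "fileshare",     "edit"),          # not on the staff list at all
]


def over_privileged(register, staff, role_access):
    """Return (user, system, granted, needed) for active users with more
    access than their role requires, sorted for stable reporting."""
    findings = []
    for user, system, granted in register:
        person = staff.get(user)
        if person is None or not person["active"]:
            continue  # leavers and unknown users are handled separately
        needed = role_access.get(person["role"], {}).get(system, "none")
        if LEVEL[granted] > LEVEL[needed]:
            findings.append((user, system, granted, needed))
    return sorted(findings)


def leaver_accounts(register, staff):
    """Return (user, system) for every access entry belonging to someone
    who has left or who is not on the staff list; these should be
    disabled or removed."""
    stale = []
    for user, system, _granted in register:
        person = staff.get(user)
        if person is None or not person["active"]:
            stale.append((user, system))
    return sorted(stale)


if __name__ == "__main__":
    for user, system, granted, needed in over_privileged(ACCESS_REGISTER, STAFF, ROLE_ACCESS):
        print(f"{user} has '{granted}' on {system} but the role needs '{needed}'")
    for user, system in leaver_accounts(ACCESS_REGISTER, STAFF):
        print(f"{user} still has access to {system}: disable or remove")
```

Running the script on the constructed data reports alice's full control on the fileshare and bob's access to accounting as excess, and lists dave's two remaining accounts (including the cloud storage one) and erin's unexplained fileshare access as accounts to close. Keeping the register in this shape is what makes a regular review and a leaver process quick to run.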