Identity and Access Management

You only want people to have keys to your house if you trust them. The same goes for your systems. In cyber security we call this identity and access management and it’s all about making sure that the right people have access to the right things at the right time.

Matt White, CEO XaaS Ltd

In a bit more detail:

At a high level, identity and access management is the creation, maintenance and deletion of identities to ensure that the right people have access to the right things at the right time. It matters to your business because knowing who has access to what is a fundamental principle of most data protection laws, and getting it right requires business skills, not just technical expertise.

Here are 4 quick wins to start you on your cyber-health journey to improve identity and access management; each is covered in more detail below:

Use a password manager

Keep admin accounts separate to normal accounts

Review who has access to systems (principle of least privilege)

Ensure accounts are closed when users leave your company

Use a password manager

User accounts are the keys into the information that your company needs to function, so making sure these are protected is important. For most businesses, losing access to systems such as email, financial data or intellectual property can be problematic.

If your business shares user accounts, such as logins to bank accounts or other services, making these passwords hard to crack is paramount. By using a password manager, you can set long, complex passwords that are hard for attackers to break, and your users only have to remember one password.

Some simple steps you can take to protect your user accounts are:

Keep admin accounts separate to normal accounts

Administration (admin) accounts are user accounts that have the highest level of access to systems within your business. In the wrong hands, a normal user account can damage data within your systems, whereas an admin account can destroy entire systems.

Some simple steps you can take to protect your admin accounts are:

Review who has access to systems (principle of least privilege)

Most systems give you the ability to choose what level of access a user has to them. In its most basic form, this can be ‘read-only’, ‘edit’ or ‘full control’.

Making sure that your users have the right level of access to your systems means that mistakes are less likely (e.g., accidentally deleting a file), and if a user account falls into the wrong hands, the amount of information the attacker can reach is reduced.

Some simple steps you can take to review access to systems are:

Ensure accounts are closed when users leave your company

One of the most common ways that a business is hacked is via user accounts belonging to ex-employees who have left the company but whose accounts were never closed.
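As an added illustration of the two review points above (least privilege, and closing accounts when people leave), here is a small access-review script. It is example code written for this page, not a tool from XaaS Ltd. It assumes a constructed export of user accounts with the ‘read-only’ / ‘edit’ / ‘full control’ levels described earlier, a constructed HR leavers list, an assumed naming convention of ‘name-admin’ for separate admin accounts, and an assumed per-role ceiling on the access a normal account needs.

```python
# Constructed sample data for this example (not taken from the page):
# an export of user accounts from one business system, with the access
# level each has ('read-only', 'edit' or 'full control') and whether it
# is a separate admin account.
ACCOUNTS = [
    {"user": "alice",       "role": "finance", "access": "edit",         "admin": False},
    {"user": "alice-admin", "role": "finance", "access": "full control", "admin": True},
    {"user": "bob",         "role": "sales",   "access": "full control", "admin": False},
    {"user": "carol",       "role": "sales",   "access": "read-only",    "admin": False},
    {"user": "erin",        "role": "it",      "access": "full control", "admin": True},
]

# Constructed HR leavers list: user name -> last working day (ISO date string,
# so plain string comparison orders dates correctly).
LEAVERS = {"carol": "2024-03-01", "erin": "2024-12-31"}

# Assumed per-role ceiling: the highest access a normal (non-admin)
# account in that role needs for day-to-day work. Unknown roles default
# to 'read-only' so that anything unexpected gets reviewed.
ROLE_MAX_ACCESS = {"finance": "edit", "sales": "edit", "it": "edit"}

# Ordering of access levels so they can be compared.
ACCESS_RANK = {"read-only": 0, "edit": 1, "full control": 2}


def owner_of(account_name):
    """Map a separate admin account back to the person who holds it.
    Assumes the (hypothetical) convention '<name>-admin' for admin accounts."""
    return account_name.removesuffix("-admin")


def review_access(accounts, leavers, role_max_access, today):
    """Return a list of (account, finding) pairs for a review run on `today`.

    Findings:
      'leaver'        - the account owner's last day is on or before today,
                        so the account should be closed.
      'excess-access' - a normal account holds more access than its role needs.
    Admin accounts are exempt from the excess-access check (they are expected
    to hold full control) but are still flagged when their owner has left.
    """
    findings = []
    for acct in accounts:
        left_on = leavers.get(owner_of(acct["user"]))
        if left_on is not None and left_on <= today:
            findings.append((acct["user"], "leaver"))
            continue  # closing the account supersedes any access finding
        if acct["admin"]:
            continue
        allowed = role_max_access.get(acct["role"], "read-only")
        if ACCESS_RANK[acct["access"]] > ACCESS_RANK[allowed]:
            findings.append((acct["user"], "excess-access"))
    return findings


if __name__ == "__main__":
    for account, finding in review_access(ACCOUNTS, LEAVERS, ROLE_MAX_ACCESS, "2024-06-01"):
        print(f"{account}: {finding}")
```

Run as of 1 June 2024 the script flags bob (a sales account holding full control) and carol (left in March, account still open); erin is not flagged until her leaving date has passed, which is why the review should be run regularly rather than once.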

Some simple steps you can take to combat this: