Top five access control mistakes
Access control has always been a hot topic in IT security conversations. With the growing reliance on cloud-based and mobile technologies, the challenges of access control and the need for access management tools (you can try this one) has increased.
Yet, access management isn’t something any organization can afford to treat lightly. The modern enterprise’s heavy dependence on technology means poor access control can facilitate fraud, damage reputation and paralyze operations. The following are the most common access control mistakes and how you can avoid making them.
1. Banking on Third Parties
Some companies place unquestioning trust in their vendors. This stems from an inability to see vendors as entities primarily driven by profit. There are suppliers who’ll have no qualms about lying if that’s what it will take for them to win a tender. The client company ignores the basic principles of due diligence and proceeds to hand over system credentials that give the vendor direct access to their servers and networks.
A good example of how catastrophic this can be is the major security breach that hit US retailer Target. A third party HVAC company with access to Target’s network was infiltrated by hackers who successfully gained access to customer data.
IT and Security heads should reject any suggestion to grant vendors access to the corporate network. In the rare event that such access must be granted, it should be strictly limited to the vendor’s function and automatically revoked once it’s no longer needed.
2. Granting Excessive Privileges
Access control can be an exhausting and time-consuming process especially for medium to large organizations with thousands of employees. For system administrators, the urge to take shortcuts can be difficult to resist. Shortcuts though can be far costlier in the long run compared to any short term convenience they may provide.
Treat every user account as one that may potentially be used for malicious purposes. Ergo, apply the principle of least privilege—users should be granted the minimum rights they require to perform their function. Each account must be securely provisioned and only given access to information on a need to know basis.
3. Continued Access for Employees Who’ve Left
When an employee leaves, their system access should be revoked without delay. In fact, in more sensitive industries such as banking, the departing employee’s system account is disabled a day or two before their official last day.
There’s no justifiable reason to keep the user accounts of people who’ve left active. It’s counterintuitive to the very purpose of assigning unique credentials to users. If these abandoned accounts are used for malicious purposes, who do you blame? The employee no longer works for you so you can’t fire or otherwise discipline them for it. They are outside your realm of control.
There should be clear (and preferably automated) channels of relaying information from HR to administrators so system credentials are disabled immediately but no more than 24 hours later. In addition, regularly review systems to identify any accounts that haven’t been in use for more than a month. Liaise with HR to confirm whether these accounts are still required.
4. Emailing Passwords
There was a time when sending new users their credentials via email was conventional practice. A surprising number of organizations and websites still rely on this method of communicating passwords. This violates one of the fundamental rules of good password management—passwords must never be written down. Ideally, passwords should only exist in the user’s head.
Emailing passwords isn’t too different from writing access credentials on a post-it note and sticking it on your computer screen. If you have to send a user their username and password, separate the two. If you email the username, send the password via SMS. In addition, the user must be forced to change this password the first time they use it.
5. Shared Credentials
It’s not a coincidence that the word ‘accountability’ is derived from ‘account. A user account is a means of holding individuals accountable for their system activity. They can be held responsible for wrongdoing or a failure to follow due process.
Once a system account is used by two or more people, there’s no longer clear accountability. Audit trails become meaningless because there’s no certainty as to who initiated an action. Never share credentials. If need be, create multiple accounts with identical rights for each individual that needs one.
By steering clear of these mistakes, you will ensure your organization is in a better position to protect its systems from attack, abuse and unauthorized use.