Cyber-attacks have become rampant due to increased connectivity and proliferation of devices across consumers at large. Everyday there are reports about cyber-attacks on organizations. Security breaches can’t happen unless someone get access they shouldn’t have. Access is totally within the organization’s control(or should be), and, while there’s no list to guarantee you will never be victim of a breach, there are some simple best practices to make you a harder target, and minimize the damage if someone does get in.
It starts with authentication and authorization. Identity and access management 101 explains that access is the combination of authentication (providing you who are who claim you are) and authorization (limiting what you can do based on who you are). Too often, access is executed haphazardly, taking a path of least resistance approach that secures things appropriately as long as it’s not too difficult. It’s well worth the investment. However, to establish rights correctly, ensuring that every user has access to everything they need to do their job, and nothing else. Here are some tips to make this elusive goal more achievable:
- Treat data security as a single issue, not several separate issues. The knee-jerk reaction to regulations and security it. The result is a distinct approach that’s neither efficient bot consistently secure. A better approach is to unify the things that control access (policy, identity, authentication, provisioning, role, etc.) and get it right once. If a single role definition includes all the appropriate access rights for a group of employees, the risk of someone going rogue, or someone doing something bad with stolen credentials, goes way down. If they can’t get it, how can they abuse it?
- Put the right people in control. The vast majority of access controls are set up by people with know how to manage the system, rather than those with most at stake. It usually is at the front line of implementing access controls, because they have the rights, tools and knowledge necessary to set up access for individuals and groups. But, it typically lacks the context to know what access individuals should have. That’s the property of line of business personnel. Find a way to put the line-of-business in control of access rights and as much of the management process as possible.
- Don’t forget about your administrators. Finally, the “super user” credentials associated with every system area the crown jewels of access. Someone logging in with these shared, anonymous, and all powerful sets of rights, can do anything and everything they want, from planting malware to stealing data. Technologies exist that remove the shared nature and anonymity of administrative credentials, and audit all activities performed with them. This one practice alone could prevent the majority of high profile breaches permeating the news. Just because you trust your employees doesn’t mean you shouldn’t implement access control on them – all of them.
