The Principle of Least Privilege means users only have the right to access systems, applications, and data required to complete their job, nothing else. The number one cybersecurity threat vector is user accounts, following the principle reduces your risk. The Principle seams straight forward until implementation, it requires strong leadership and clear procedures. Things to consider during implementation:
- Data access: Organize data with classifications, type, and other meta information. (See Data Management Blog). Leverage File and Directory systems to organize data simplifying access rights. Grant access only to required data.
- System Access. Leverage user management configuration tools embedded inside most applications and SaaS (Software as a Service) solutions.
- Time of day/day of the week. Do users require 24×7 access, or can you limit access to standard shift? Time restricted access also decreases the threat vector.
- Remote access. Do users require remote access? If so, consider limiting by devices type and location-based access. Practice geofencing, a set of boundaries limiting access to systems. For example, users can only access the system from the US, thus reducing the threat vector of worldwide access. Exceptions can be made if a company asset needs to travel outside
- Multi Factor Authentication (MFA). Implement on as many systems as possible. It should be a foundational requirement for restricted, confidential, or private data and associated solutions.
- Strong Passwords. Consider passwords of 10+ characters with a combination of uppercase, lowercase, numbers, and symbols. Avoid dictionary or common words.
- Establish normal and elevated/administrative access user accounts. Normal accounts are used for standard daily activities. Elevated/administrative access accounts are only used when completed system administrative tasks. All elevated/administrative accounts must be MFA enables with complex passwords. Use just-in-time activation for elevated/administrative account tracking the need/approval for administrative rights and only allow access during the permission time.
How to get started with a strategic user and access management plan:
- Inventory all systems and data storage. Refer to your Business Impact Analysis (BIA) to identify systems and criticality.
- Roles and responsibilities. Create roles that group employees with similar access rights. Add roles to solutions and users to the roles. It is easier to manage roles than individual users. Work with HR and business units to establish what role-based access requirements. Document each user, user group, permission level, and system/data allocation.
- Validation. You can either create and implement all at once or implement over time. We recommend implementing one user group at a time. This minimizes user impact while allowing the organization to learn and adjust data management and implementation plans.
- Regulations and standards. Ensure your user management plan aligns with current regulations or other adopted standards. For example, HIPAA (Health Insurance Portability and Accountability Act) limits access to patient data. Most EMRs (electronic medical record) systems have integrated user access management aligned with HIPAA requirements.
- Use a user access management SaaS. You can track users through complex spreadsheets or through an Identity Access Management (IAM) solution. IAM features, complexity, and price vary by product and business requirements. Most IAMs offer more than just user management, many include user provisioning, single sign on, self-service password reset, and password management. Correctly deployed, new users are almost instantly provisioned and removed from the system upon termination.
Conduct periodic reviews. User, roles, and system provisioning should be periodically reviewed validating user allocations and system changes. IAM systems provide user or solution/system level reports supporting regulatory review requirements.
Correct User Management simplifies user on/ off-boarding activities, helps align with regulatory requirements, decreases risks, while decreasing your threat vector profile.
Do not do it alone. Connect with us to help you.