Cyber Month: Thursday Thoughts with Thijs: account management
It’s already the third week of this cybersecurity month… Time flies when you’re having fun! That means it is also time for my third musing.
During Cyber Month, we reflect on information security in its broadest sense. Throughout the month, several meetings, fairs and conferences have been organised by organisations and experts alike to discuss myriad topics – the list is endless considering how fast the industry (and threat landscape) moves and changes! One event I recently attended is the ONE Conference. What immediately struck me when signing up was the registration: I had to pre-register on the website and show my driving licence or passport for identification when entering. Here, an account serves as a gatekeeper: only with my details (identification) did they let me pass.
But what about these accounts? Every organisation has accounts for different purposes, but not every organisation is aware of the types of accounts and what access and rights they have – and remember, a little awareness can go a long way in cyber security. So, that’s what I would like to focus on today: the use and management of accounts within organisations.
Account management may not be a trendy topic, but performing good account management can be vital from an organisation’s perspective. Think, for example, about employees joining or leaving, or a job change within an organisation. Here, it is important to consider who can or cannot log in (anymore) and whether they are (still) assigned the right permissions.
Think about it like this: if an employee starts as a project manager within an organisation and later changes role and becomes part of the sales team, the rights and permissions they had within project management no longer apply in their new role, something which is often forgotten about or overlooked. Thus, it is possible that this person now has too many rights as a salesperson, which can lead to a variety of consequences, such as access to specific customer data that the employee shouldn’t have access to. A solid account management process, with periodic checks on the execution of this process, is therefore of great importance within an organisation.
The requirements of an account are also essential. Firstly, the account name should have a logical structure, e.g. ‘firstname.lastname’. More general, non-personal accounts such as email@example.com are also a possibility, usually created so that an entire department can access them. To keep on top of information security with such accounts, it is important to keep a read-only, or non-editable, register that notes who has access to which account and who manages it. Periodic checking and continuous monitoring are crucial with general accounts.
A common challenge within account management is accounts for externals and suppliers. Occasionally, a supplier may require an account within your organisation, about which (I hope!) you would have clear agreements. Sometimes the employees’ Multi-factor Authentication (MFA) is extended to the externals or suppliers, or personal accounts are created for externals, like ‘firstname.lastname@example.org’. Whatever you decide to do, be sure to include these accounts in the process of periodic checking and continuous monitoring.
Hopefully that was insightful for you! These are the main points I want you to consider…
- Ensure a well thought-out, standardised process regarding incoming/outgoing employees and position changes of employees;
- Implement monitoring for abnormal behaviour on all accounts;
- Periodically review the various accounts and their assigned rights;
  As in the example I mentioned earlier: does the sales team member who started as a project manager now have the appropriate level of permissions?
- Make a list of (additional) requirements for accounts with external use:
  - Enforce MFA by default;
  - Make these accounts part of the control process and assign an owner.
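
One way to automate the periodic review from the checklist above, as an added example (not part of the original post and not Resillion's tooling): it checks a small account register for leavers whose account is still enabled, rights left over after a role change, shared or external accounts without an owner, and external accounts without MFA. The role baselines, field names and register entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed role baselines (constructed): the rights each role may hold.
ROLE_BASELINE = {
    "project_manager": {"projects:edit", "customer-data:read"},
    "sales": {"crm:edit", "quotes:edit"},
}

@dataclass
class Account:
    name: str
    kind: str                     # "personal", "shared" or "external"
    role: Optional[str] = None
    rights: set = field(default_factory=set)
    owner: Optional[str] = None
    mfa: bool = False
    holder_active: bool = True    # holder still employed / contract still running
    enabled: bool = True

def review(acct):
    """Return the review findings for a single account."""
    findings = []
    if acct.enabled and not acct.holder_active:
        findings.append("holder has left but account is still enabled")
    if acct.role is not None:
        # Rights kept from a previous role show up as excess over the baseline.
        excess = acct.rights - ROLE_BASELINE.get(acct.role, set())
        if excess:
            findings.append(f"rights beyond {acct.role} baseline: {sorted(excess)}")
    if acct.kind in ("shared", "external") and not acct.owner:
        findings.append("no owner assigned")
    if acct.kind == "external" and not acct.mfa:
        findings.append("MFA not enforced")
    return findings

# Constructed register entries; all names are placeholders.
REGISTER = [
    Account("mover.example", "personal", role="sales", mfa=True,
            rights={"crm:edit", "quotes:edit", "customer-data:read"}),
    Account("leaver.example", "personal", role="sales", mfa=True,
            rights={"crm:edit"}, holder_active=False),
    Account("department-mailbox", "shared", rights={"mail:read"}, mfa=True),
    Account("supplier.example", "external", owner="it-manager",
            rights={"tickets:edit"}, mfa=False),
    Account("clean.example", "personal", role="sales", rights={"crm:edit"}, mfa=True),
]

def run_review(register=REGISTER):
    # Map account name -> findings, keeping only accounts that have findings.
    return {a.name: f for a in register if (f := review(a))}
```

Calling `run_review()` on a real export would replace `REGISTER` with data from the HR system and the identity provider; the checks themselves stay the same.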
Of course, there are other aspects to streamline your account management. If you would like to discuss them or if you, as an organisation, need help in properly implementing, controlling or monitoring accounts, Resillion is happy to assist you. Contact us for more information.
Until the next Thursday Thought!