Making multiple keys to your home and handing them out to all of your friends is a sure way to get burgled. It's not malicious intent on the part of the keyholders; it's the odds that someone who has one will do something careless and give up access. In a previous article, we went into detail on why you should lock down privileged accounts. Now let's go through four checks you should be doing on your systems to maintain their integrity.
Step 1: Authenticate
Wrote the poet Eminem, "I am whoever you say I am." In security, we need to make sure that is actually the truth. For the last three decades, this has come down to being assigned a username and choosing a password. That works up until the point when the password hasn't been changed in years and has been reused across a variety of systems, at which point one breach anywhere hands an attacker access everywhere.
Ultimately, we need to balance the need for verification against ease of use for the everyday users and the expense to the business.
You often hear stories of people in businesses who were faced with controls, put in for their own safety, and who, for ease of use, found a workaround that put the business or the individual at risk. Propping open a secure door because remembering the code was too hard. Cycling through a handful of predictable passwords because the random ones are hard to remember.
If you create a Byzantine system that keeps things absolutely secure for your business but burdensome for your employees, it’s not going to work.
Step 2: Review Authorisation
In the same way that not everyone should have keys to everything, not everyone in your business should, or needs to, have access to all of your systems. Too often, users are given blanket access by default; it should be the other way round, with baseline access as the default and extra features granted only to those whose role requires them.
Setting up a few standard categories (roles), rather than a bespoke set of permissions per person, will help you keep people sorted and give you a better handle on permissions as business needs evolve.
Step 3: Access Control
In a similar way to authorisation, you need to close off certain areas to limit liability and damage in case an account is compromised. Limiting access in this way also gives you information on user habits: a valid account reaching for something outside its role is an early-warning signal that someone is acting in a way that deviates from the norm. Which brings us to:
Step 4: Audits
Deviations are a signal that something is wrong. Unexpected events, such as repeated failed logins or requests for access outside a user's role, should be logged automatically and notifications sent to the relevant personnel. Automating shut-downs, such as locking an account after a run of failures, relieves an administrator of the burden of real-time monitoring and leaves you a record to answer questions in a later investigation.
Your policies need to be clear and your permissions exact to keep your network secure.