Identity management should be considered an essential part of any business’s cybersecurity policy. No, it’s not the process of deleting your old college party photos from Facebook (although that’s not a bad idea). Instead, it’s a way to manage who has access to what information and when.
Misuse of credentials—either intentionally or unintentionally—is a prime vector for security issues. It would certainly be a lot easier to just give every employee access to all of your systems and files but having this sort of “open door policy” exposes your organization to serious risk. The Ponemon Institute’s Cost of Insider Threats report show that privilege misuse is an increasing cause of data breaches and costs organizations an average of $8.76 million.
To help prevent this, it’s important that any identity management policy a business uses should incorporate the concept of least privilege. This means exactly what it sounds like: every user should be given the least amount of privileges to applications and systems necessary to complete their work. And managing access privileges is not a one-time thing. If a user only needs access to certain information for a short period of time, you want to ensure to restrict that access once they no longer need it.
Low-Hanging Fruit
Along with employing a least-privilege policy, there are a few more simple steps every business should take when developing identity management practices:
- Make sure that only those who need it have administrator privileges. On top of this, those with administrative privileges should have a separate account to access systems and software which does not require privilege, such as email or, yes, Facebook.
- Require users with a greater risk-level to use multi-factor authentication (MFA). This includes those with administrative privileges and users who log-in remotely.
- Remove credentials for anyone who no longer needs access, such as ex-employees and short-term contractors and vendors.
- Require users to create long, complex and unique passwords. There is no need to reset passwords unless they’re forgotten or you suspect they’ve been compromised. Check out NIST’s password guidelines for more information on this.
Next Steps
While using various technologies throughout an organization streamlines activity, it also creates a more complex user environment, which poses its own security risks. To help mitigate these risks, there are a number of additional steps you can take, such as utilizing Single Sign–On (SSO) and Identity Management Systems.
Single Sign-On allows employees to use one set of credentials to access multiple applications. This may seem counter intuitive but limiting the number of credentials can actually improve security. Often, when users are required to keep multiple passwords, the overall strength of each password goes down, making it easier for credentials to be compromised. Focusing instead on maintain one strong password will help keep your systems more security.
Lastly, there are identity and access management systems which can help automate this process. Along with managing user access, these systems can monitor user activity and enforce organizational policy on data use and sharing across the board.