This article is part eight in a twelve-part series on information security fundamentals for small and medium-sized businesses.
Access management is one of the more complex areas of information security management. Users and passwords, systems and applications, servers and workstations, wired and wireless networks, physical locations and Internet-facing systems… access management covers all of these elements and more.
If you’ve been following this series, you’re keenly aware of the importance of information security policies. Until you document your security expectations in policy, you can’t realistically expect your employees to meet those expectations. Multiple policies are critical to access management, including:
- User Access Control – Who can access what? How is access granted and removed?
- Password Management – What are your password requirements?
- Network Access Control – What are the rules for granting systems access to the network?
- Remote Access – What are the rules for remotely connecting to the internal network?
- Mobile Computing – What are the rules for accessing company data via mobile devices?
- Clean Workspace – What company information can users have on their desks and walls?
Whether you capture your expectations in one policy or in many, you need to ensure that you cover each one of these topics.
In general, the best preventative access management control you can implement is the principle of least privilege. Simply stated, users should only have access to systems and applications that they need to access in order to get their work done. Business owners stray from this requirement at their own peril.
Unnecessary access often results when a user transfers from one department to another, or when a new hire’s access is modeled after someone in your organization who already has more access than he or she needs. You can curb this through a detailed onboarding procedure, as well as through quarterly user access rights reviews.
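The two failure modes above, transfer leftovers and access cloned from an over-privileged colleague, are exactly what a quarterly user access rights review is meant to catch. The following is an added example, not code from the article: it compares each user's entitlements against a role baseline and reports anything the current role does not justify. The departments, entitlement names, users and baseline are all constructed for illustration.

```python
"""Quarterly user access rights review that flags entitlements a user's current
role does not justify. This is an added example, not code from the article; the
departments, entitlement names, users and baseline are all constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed baseline: the entitlements each department needs to do its work.
# In practice this comes from your User Access Control policy and role definitions.
ROLE_ENTITLEMENTS = {
    "finance": {"erp-ledger", "file-share-finance", "email"},
    "sales": {"crm", "file-share-sales", "email"},
    "it": {"admin-console", "file-share-it", "email"},
}


@dataclass
class User:
    name: str
    department: str
    entitlements: set[str]
    previous_department: str | None = None  # set when the user transferred


def review_user(user: User) -> list[str]:
    """Return the user's entitlements that the current role does not need."""
    needed = ROLE_ENTITLEMENTS.get(user.department, set())
    return sorted(user.entitlements - needed)


def access_review(users: list[User]) -> dict[str, dict[str, list[str]]]:
    """Run the review over all users.

    Returns {name: {"excess": [...], "carried_over": [...]}} for every user with
    excess access; "carried_over" lists the excess that matches the user's former
    department, i.e. the transfer leftover the article warns about."""
    findings = {}
    for user in users:
        excess = review_user(user)
        if not excess:
            continue
        carried_over = []
        if user.previous_department:
            old_needed = ROLE_ENTITLEMENTS.get(user.previous_department, set())
            carried_over = sorted(set(excess) & old_needed)
        findings[user.name] = {"excess": excess, "carried_over": carried_over}
    return findings


# Constructed sample: alice moved from finance to sales and kept her finance access;
# bob's account was modelled on an IT user and inherited the admin console.
SAMPLE_USERS = [
    User("alice", "sales",
         {"crm", "file-share-sales", "email", "erp-ledger", "file-share-finance"},
         previous_department="finance"),
    User("bob", "sales", {"crm", "file-share-sales", "email", "admin-console"}),
    User("carol", "it", {"admin-console", "file-share-it", "email"}),
]

if __name__ == "__main__":
    for name, finding in access_review(SAMPLE_USERS).items():
        print(f"{name}: remove {finding['excess']} "
              f"(left over from previous role: {finding['carried_over']})")
```

Feeding the script an export from your directory or application admin consoles turns the review from a manual checklist into a repeatable report; the "carried_over" field tells you which removals are transfer leftovers versus cloned-account mistakes, which points back at the onboarding procedure that needs fixing.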
At the system level, this principle of least privilege is sometimes referred to as the one function per server rule. Database, file, web, and mail servers should all have their own real estate, whether physical or virtual. If you require a server to perform too many functions, the end result may be an insecure configuration that exposes everything on the server to unauthorized access.
One way to hamstring the principle of least privilege is through the use of shared accounts. Permitting an office administrator to have the owner’s password (just in case) and permitting IT administrators to use a shared account for system administration are two quick ways to invite misuse. Prohibiting shared accounts and requiring strong passwords are excellent countermeasures, particularly for accounts with access to sensitive systems and applications.
On that note, passwords for all systems and applications need to adhere to your Password Management Policy. Requiring complex passwords that change every few months is a sound security practice, although I’m personally a fan of passphrases. A passphrase (like TheWolverineswillfallonNovember24!) is much easier to remember than kAspuG58H3, and it is much harder for an attacker to crack.
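A policy that welcomes passphrases has to accept them on length rather than on character-class rules alone. The following added example (not from the article) shows one way to write that check, with a rough brute-force keyspace estimate for the two strings quoted above; the thresholds are constructed assumptions to adjust to your own Password Management Policy.

```python
"""Password Management Policy check that accepts either a complex password or a
long passphrase. Added example, not from the article; the thresholds are
constructed assumptions to adjust to your own policy."""
from __future__ import annotations
import math
import string

MIN_COMPLEX_LEN = 10     # shorter strings need 3 of 4 character classes (assumption)
MIN_PASSPHRASE_LEN = 20  # passphrases this long are accepted on length alone (assumption)
MIN_BITS = 50            # minimum brute-force keyspace, in bits (assumption)

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    return sum(1 for chars in CHARACTER_CLASSES.values() if set(password) & chars)


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings an attacker must try when brute-forcing
    every string of this length over the character classes actually used.

    Caveat: this overstates a dictionary-word passphrase, whose words are far
    more guessable than random characters, which is why the policy below also
    insists on a minimum passphrase length instead of trusting this number."""
    alphabet = sum(len(chars) for chars in CHARACTER_CLASSES.values() if set(password) & chars)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_policy(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password or passphrase."""
    if len(password) >= MIN_PASSPHRASE_LEN:
        return True, "accepted as passphrase"
    if (len(password) >= MIN_COMPLEX_LEN
            and classes_used(password) >= 3
            and keyspace_bits(password) >= MIN_BITS):
        return True, "accepted as complex password"
    return False, "too short, or fewer than three character classes"


if __name__ == "__main__":
    for candidate in ("TheWolverineswillfallonNovember24!", "kAspuG58H3", "password1"):
        ok, reason = check_policy(candidate)
        print(f"{candidate!r}: {keyspace_bits(candidate):.0f} bits, {reason}")
```

The keyspace number is only a ceiling: an attacker who guesses words rather than characters needs far fewer attempts against a passphrase than the figure suggests, so length, not the bit count, is what the passphrase branch enforces.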
These access management controls apply to systems and network devices as well. That’s why you need to segregate your networks. Your wireless network shouldn’t have access to your entire wired network, especially if you grant wireless access to non-employees. If you have credit card data on your network, the PCI standard specifically prohibits using payment card applications over wireless.
Most organizations are likely to have a minimum of four networks:
- Employee wired
- Employee wireless
- Guest wireless
- DMZ (for Internet-facing systems)
Some organizations may also have a Virtual Private Network, which allows employees to connect to internal systems from a remote location. If you grant remote access rights to your employees, you should absolutely require multi-factor authentication for those connections. Multi-factor authentication includes a combination of something you know, something you have, and/or something you are (biometrics). These other factors can include certificates, one-time passwords, and even phone calls or text messages to the user’s smartphone.
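The one-time passwords mentioned above are usually the standardised HOTP/TOTP codes that authenticator apps generate. The following added example (not from the article) shows both the generation and the server-side verification, including the two details that matter for a VPN gateway: a small clock-skew window and rejection of a code that has already been accepted. The secret is the RFC 6238 test vector; the step and window sizes are assumptions.

```python
"""One-time passwords as a second factor: HOTP (RFC 4226) and TOTP (RFC 6238)
generation plus server-side verification with a small clock-skew window and
replay protection. Added example, not from the article; SECRET is the RFC 6238
test secret and the window/step values are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real deployment
# generates a random secret per user and stores it as carefully as a password hash.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a zero-padded decimal code (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based variant: the counter is the number of whole steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used: int | None = None,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns (ok, counter).

    Accepts the current step and up to `window` steps either side to tolerate
    clock drift, compares in constant time, and refuses any step at or before
    `last_used` so a code that was already accepted cannot be replayed."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print(totp(SECRET, 59, digits=8))
    ok, used = verify_totp(SECRET, totp(SECRET, 59), 59)
    print(ok, used, verify_totp(SECRET, totp(SECRET, 59), 59, last_used=used))
```

The gateway stores the counter returned on success as `last_used` for that user; without that step a code sniffed from a phishing page stays valid for the whole window, and with it the same code is refused the second time even if the clock has not moved on.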
Finally, network access control is another preventative control that business owners should investigate. Although NAC may be considered a dirty word by some IT professionals, the technology is getting better. A well-implemented NAC solution should be able to detect when an unmanaged device connects to your network and then quarantine that device, prohibiting it from accessing any network resources until your IT administrator authorizes it.
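The four-network layout described earlier and the NAC quarantine behaviour above fit together: NAC decides which network a device lands on, and a segregation matrix decides which flows between networks are permitted. The following added example (not from the article) models both and audits a set of firewall rules against the matrix. The network names, allowed-flow table, device inventory and sample rules are constructed for illustration.

```python
"""Network segregation matrix plus a NAC placement decision. Added example, not
from the article; the network names, allowed-flow table, device inventory and
sample rules are constructed to illustrate the controls described above."""
from __future__ import annotations

# Constructed allow-list of (source network, destination, service). Any flow not
# listed is denied, which is what segregation means in practice. Note that guest
# wireless reaches only the Internet and quarantine reaches only the NAC portal.
ALLOWED_FLOWS = {
    ("employee-wired", "employee-wired", "any"),
    ("employee-wired", "dmz", "https"),
    ("employee-wireless", "dmz", "https"),
    ("employee-wireless", "employee-wired", "file-share"),
    ("employee-wired", "internet", "https"),
    ("employee-wireless", "internet", "https"),
    ("guest-wireless", "internet", "https"),
    ("quarantine", "nac-portal", "https"),
}


def is_allowed(src: str, dst: str, service: str) -> bool:
    """True if the segregation matrix permits this flow ("any" covers every service)."""
    return (src, dst, service) in ALLOWED_FLOWS or (src, dst, "any") in ALLOWED_FLOWS


def audit_firewall_rules(rules: list[dict]) -> list[dict]:
    """Return the allow rules that open a flow the matrix does not permit. A rule
    broader than the matrix (e.g. service "any" where only https is allowed) is
    reported too, because is_allowed() only accepts "any" when the matrix grants it."""
    return [r for r in rules
            if r["action"] == "allow" and not is_allowed(r["src"], r["dst"], r["service"])]


# Constructed inventory of managed devices, keyed by MAC address.
MANAGED_DEVICES = {
    "aa:bb:cc:00:00:01": {"owner": "alice"},
    "aa:bb:cc:00:00:02": {"owner": "bob"},
}


def nac_assign(mac: str, port_type: str, admin_authorized: frozenset[str] = frozenset()) -> str:
    """Decide where a connecting device lands.

    port_type is "wired", "wireless-employee" or "wireless-guest" (constructed
    names). Managed or administrator-authorised devices go to the employee
    network for their medium; anything unknown on the guest SSID gets guest
    wireless, and anything unknown elsewhere is quarantined until an
    administrator authorises it."""
    if mac in MANAGED_DEVICES or mac in admin_authorized:
        return "employee-wired" if port_type == "wired" else "employee-wireless"
    if port_type == "wireless-guest":
        return "guest-wireless"
    return "quarantine"


# Constructed firewall rules to audit; the second one lets guests into the wired LAN.
SAMPLE_RULES = [
    {"src": "employee-wireless", "dst": "employee-wired", "service": "file-share", "action": "allow"},
    {"src": "guest-wireless", "dst": "employee-wired", "service": "any", "action": "allow"},
    {"src": "guest-wireless", "dst": "internet", "service": "https", "action": "allow"},
    {"src": "quarantine", "dst": "dmz", "service": "https", "action": "deny"},
]

if __name__ == "__main__":
    for rule in audit_firewall_rules(SAMPLE_RULES):
        print("violates segregation:", rule)
    print(nac_assign("aa:bb:cc:00:00:01", "wired"), nac_assign("de:ad:be:ef:00:00", "wired"))
```

Writing the matrix down first, then checking the firewall against it, is what keeps "segregate your networks" from drifting into a pile of one-off allow rules; the quarantine row shows that a quarantined device can reach the NAC portal and nothing else until it is added to the inventory.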
To recap, every business owner should do the following:
- Document relevant access management policies
- Adhere to the principle of least privilege
- Perform quarterly user access rights reviews
- Implement the “one function per server” rule
- Prohibit shared user accounts
- Require strong, rotating passwords (or passphrases)
- Segregate networks
- Require multi-factor authentication for remote access
- Implement network access control
In the next article, we’ll tackle Information Security Systems Management.