Does your company handle large amounts of data at all times?
Do different users, ranging from employees to customers, need permanent or periodic access to that data?
Then you have to set up and perform a regular User Access Management Audit.
User Access Management (UAM) — also known as Identity and Access Management (IAM) — is a protocol made to ensure users connected to one network have the correct access to necessary resources within it.
It incorporates the processes of granting, revoking, and overviewing access to tools and information to said users in compliance with company policy and the law.
A simple goal of UAM can be defined as:
- Everyone has or can easily request access to what they need
- Nobody has access to what they don’t need
UAM Audits are important for the safety of not just your business but your employees and customers as well.
Performing them regularly minimizes the risk of potential threats to your data security.
Regulating access management is a necessary prevention method against cyber-attacks.
1) Create a company-wide UAM policy
The first step to securing company information access is creating an official policy document.
It should go without saying that said policy has to comply with government regulations in your country.
Once that’s done, choose a way to collect everyone’s “signature”.
If you prefer the pen-and-paper approach, make sure you scan the documents after.
Having a clear-cut policy in place will help you:
- Easily map out which users need access to what
- Identify possible security flaws in company information access (IA)
- Make sure employees (or customers) are properly informed
- Protect your company legally and support enforcement action if it ever becomes necessary
2) Separate responsibilities between managers
Once the policy is in place, it’s important to assign a chain of responsibilities to corresponding managers.
Depending on the company size, you may want to split responsibilities to specific people for additional security.
This is known as the Segregation of Duties (SoD) principle.
For example, the manager of one sector should not have the access privileges of another sector, and vice versa, unless they go through a proper request procedure.
Some access requests may go in a direct line from the employee to IT.
However, it will most likely be the manager’s job to request access in the name of an employee or pre-approve (sign) it before it lands in the IT inbox.
It’s not the job of the IT managers to know each employee’s authority level and make sure no policy is broken.
They should have clear information that if said manager approves the request, it’s valid.
How you set this procedure up will depend on the number of employees you have and the sensitivity of the information you carry.
3) Only keep the basic access
When granting network privileges to an employee, you must start small.
It’s much easier and safer to gradually increase than decrease their access.
Access to resources that aren’t necessary for a regular employee workday should only be granted per approved request.
Ideally, it should also be revoked as soon as the usage period is over unless an official request for an extension is approved.
Do not leave it to the employee to inform you that they’re done with said info; this is the easiest way to forget.
Similarly, never give full access to information or software an employee will likely use, but does not need immediately.
In the best-case scenario, it will be a small inconvenience to reset everything.
In worst-case scenarios, it can result in an unintentional security breach, information leak, etc.
4) Manage unused accounts
It should go without saying that accounts that are no longer in use should be permanently deleted.
While most of this is handled when an employee leaves the company or changes positions, a manual checkup should be performed periodically, just in case.
Bimonthly is a common recommendation, but you may want to consider even closer checkups depending on the employee turnover rate and any company restructuring that might be going on.
You’ll likely have a couple of bot/test accounts lying around waiting to be used, as well.
Stick to the same policy for them as for all users:
- If the account is in use, keep it on minimal privileges
- If it’s not in common use, remove all access or delete it completely
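The rules in steps 3 and 4 (and the manager sign-off from step 2) can be checked mechanically against an export of your accounts. The script below is an added example written for this article, not AppsCo One’s own tooling; the account records, the 60-day inactivity threshold, the baseline privilege names and the field layout are all constructed assumptions standing in for data you would pull from your identity provider and HR system.

```python
"""Added example: a minimal access-review script for audit steps 2 to 4.

Illustrative code written for this article, not AppsCo One's tooling.
The sample accounts, the 60-day inactivity threshold and the privilege
names are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Privileges every active account is expected to hold; anything beyond these
# must be backed by an approved, time-boxed grant (assumed baseline).
BASELINE_PRIVILEGES = {"email", "intranet"}

# Accounts unused for this long are flagged for review (assumed threshold).
INACTIVITY_THRESHOLD = timedelta(days=60)


@dataclass
class Grant:
    privilege: str
    approved_by: Optional[str]      # manager who signed the request, or None
    expires: Optional[date]         # None means permanent


@dataclass
class Account:
    username: str
    kind: str                       # "employee", "service" or "test"
    employed: bool                  # False once HR marks the person as departed
    last_login: Optional[date]      # None means the account has never signed in
    grants: List[Grant] = field(default_factory=list)


def review_account(acct: Account, today: date) -> List[str]:
    """Return one finding per policy violation for a single account."""
    findings = []

    # Step 4: departed users must have no account at all.
    if acct.kind == "employee" and not acct.employed:
        findings.append(f"{acct.username}: departed employee still has an account")

    # Step 4: dormant accounts are removed or stripped of access.
    if acct.last_login is None or today - acct.last_login > INACTIVITY_THRESHOLD:
        findings.append(f"{acct.username}: inactive for more than {INACTIVITY_THRESHOLD.days} days")

    for g in acct.grants:
        if g.privilege in BASELINE_PRIVILEGES:
            continue
        # Step 2/3: elevated access needs a manager-approved request.
        if g.approved_by is None:
            findings.append(f"{acct.username}: '{g.privilege}' granted without manager approval")
        # Step 3: temporary access is revoked when the usage period ends.
        if g.expires is not None and g.expires < today:
            findings.append(f"{acct.username}: '{g.privilege}' expired on {g.expires.isoformat()} but is still active")
        # Step 4: bot/test accounts stay on minimal privileges.
        if acct.kind in ("service", "test") and g.expires is None:
            findings.append(f"{acct.username}: {acct.kind} account holds permanent '{g.privilege}' access")

    return findings


def run_review(accounts: List[Account], today: date) -> List[str]:
    """Review every account; findings are returned in input order."""
    findings = []
    for acct in accounts:
        findings.extend(review_account(acct, today))
    return findings


# Constructed sample inventory standing in for an IdP/HR export.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, date(2024, 5, 30),
            [Grant("email", "bob", None),
             Grant("finance-db", "bob", date(2024, 5, 15))]),   # expired temporary grant
    Account("carol", "employee", False, date(2024, 2, 1),
            [Grant("email", "bob", None)]),                      # departed and dormant
    Account("dave", "employee", True, date(2024, 5, 31),
            [Grant("hr-records", None, None)]),                  # no manager approval
    Account("ci-bot", "service", True, date(2024, 5, 31),
            [Grant("deploy", "erin", None)]),                    # permanent elevated access
    Account("frank", "employee", True, date(2024, 5, 31),
            [Grant("email", "bob", None)]),                      # compliant
]

if __name__ == "__main__":
    for line in run_review(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(line)
```

Run against the sample inventory, the review reports five findings: alice’s expired finance grant, carol’s account twice (departed and dormant), dave’s unapproved HR access and the permanent deploy privilege on the service account; frank passes. The point of encoding the policy this way is that the expiry date and approver are recorded with the grant itself, so revocation no longer depends on the employee remembering to report back.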
5) Do not give out actual login credentials to common apps
For software meant to be used full-time, employees will be assigned or have to create their personal accounts with unique credentials.
However, when it comes to shared applications, never give out the actual login credentials to users.
This could lead to leakage or misuse, intentional or not.
A much safer option for quick app sharing is using a password encryption tool, like the one found in AppsCo One.
It will allow you to safely share login access without the need to disclose credentials.
6) Document any changes
Any change in the laws or regulations that apply to you requires your immediate attention and adaptation.
Any change that might open a loophole or undermine the company policy must be addressed and documented immediately.
These can range from management restructuring to a change of company software or newly created job positions.
While hackers in movies tend to use super-computers to disable network protection, in real life, it tends to be a lot simpler.
Taking over a user account with one too many network privileges and abusing it to gain deeper access is a common form of data breach.
This is why performing regular User Access Management Audits and keeping access privileges to a minimum is important.
In data breach scenarios, it makes sure the intruders can’t get away with too much before they’re identified and dealt with.
Also, it makes it easy to narrow down where the attack came from.
The best method of managing user access is a secure administrative tool.
AppsCo One provides a user-friendly access management platform.
Equipped with a completely customizable interface, it allows you to implement your company policy within the app.
Users with AppsCo One access do not have to perform additional logins to apps and services you’ve already granted access to.
The AppsCo One IT Dashboard has everything your network administrators will need:
- Manage all employee apps from one place
- Grant or revoke user privileges in a few clicks
- Create custom groups for easier group access management
- Quickly disapprove unauthorized logins
- Add two-factor authentication (2FA)
- Single Sign-On (SSO) for quick access
- Share login access without revealing credentials
- Easily onboard and offboard employees