10 points for successful entitlement management

Published: 06/2022
Entitlement management happens either by choice or out of necessity: twice a year we check which users are present, which software they have and whether their rights are correctly applied, or we decide to tackle an internal scourge head-on: the vagueness that surrounds the user and causes security breaches. Entitlement management answers one question: who has what, and why. Let's look at it in 10 points.

Summary

User accounts, a favorite target in cyberattacks, are the best entry point into the IS when poorly protected.

Today, CIOs and CISOs know that the biggest challenge is the user. This human factor is very difficult to anticipate and manage. 

Entitlement management or privilege management can be applied iteratively or by following the steps below and carrying out a large project. Fortunately, there are solutions that automate much of the work.

I'm giving you an ideal process for managing entitlements, but rest assured that even a fairly simple project is already effective. However, there are essential points that make up privilege management, such as a single repository, a review of entitlements, or the alignment of rights that you will need to respect.

Some sectors are more closely monitored than others and have an obligation to manage privileges. The banking sector, for example, is obliged to have a process for controlling a person's entitlements. This must be regularly re-evaluated, and identities must be traced. This management acts as a safety valve with validation instances external to the monitored businesses and, above all, no self-authorization.

But first of all, if you want to know what the CNIL says about permissions management, see its guidance on the subject.

Entitlement management involves asking these questions:

  • Who are my users (internal and external)?
  • What applications do they have?
  • What rights do they have?
  • Are these rights justified?
  • Are these rights still up to date?

All of which can be summarized as: who has what, and why.

1. A single user repository 

Having a directory of internal and external individuals is essential. To create this unique user repository, IT needs to work with HR to create this file. Some tools automate this repository by synchronizing the HRIS with the AD.

If you do it yourself, make sure you haven't forgotten anyone and don't confuse employees and users. The file must be correctly created and up to date 😉

⚠️ Don't just do it once, pat yourself on the back and move on. Unfortunately, this repository needs to be kept up to date.

Single user repository

2. Segment users

Once your repository is designed, you need to segment users. To design these typologies, rely on the knowledge of managers to better define your groups. IT will also have its say in moderating certain access or application requests. RBAC (role-based access control) segmentation, where rights are attached to roles rather than to individuals, is the most widely used approach.

Maintain increased monitoring of external users, as they can easily slip through the cracks. Lacking a contractual relationship with the company, they will be less likely to know the rules and may not have the same awareness of cybersecurity risks. 

3. Principle of least privilege

This point follows on from the previous one: with the managers, define the application requirements of each group of users and control the corresponding access rights. The principle of least privilege means giving employees the minimum rights and access they need, in order to avoid any overreach and to make access monitoring easier. This point was discussed in more detail in the article on entitlement management. To reduce security risks, the user receives only what is strictly necessary.

4. Define who validates rights and access

A strict rule must be applied: no one can assign rights and access to themselves. Self-authorization is formally prohibited, so a hierarchical superior must be designated to validate each request. Separation of duties also means that a single user must not accumulate all the rights on the same task: creation, validation and supervision.

IT is not meant to validate everything; managers are entirely capable of doing so. However, managers and IT must define together what a manager can accept on their own and what must be studied jointly with IT.

Rights and access validation for entitlement management

5. Track mobility

Pay attention to mobility in general: arrival processes are usually well established, but internal mobility is often handled ambiguously. Departures are just as chaotic; IT struggles to get real-time information about them.

Mastering the user lifecycle is a crucial point in entitlement management. If you were to implement only a few, take this one.

An employee evolves within a company and, unless the structure is small, rarely stays in the same position. Whenever such a move happens, make sure the user's rights are realigned with the new position: the rights of the old position should go, and those of the new one should come.
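Points 1 and 5 both come down to comparing the HR repository (the source of truth) with what actually exists in the directory. The following Python script is an added example, not code from the original article or from any product it mentions: it reconciles a constructed HR export with constructed directory accounts and lists the joiners, movers, leavers and orphan accounts that need action. The `grp-<department>` group naming, the record layouts and all the sample people are assumptions made for the example.

```python
"""HR-to-directory reconciliation for the user lifecycle (joiner / mover / leaver).
Added example with constructed sample data; the records below are not from any
real HRIS or Active Directory, and the 'grp-<department>' naming is an assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrPerson:
    employee_id: str
    name: str
    department: str           # decides which directory group the person belongs in
    end_date: Optional[date]  # None while the contract is still running


@dataclass(frozen=True)
class DirectoryAccount:
    login: str
    employee_id: Optional[str]  # None for accounts created by hand, with no HR link
    enabled: bool
    groups: FrozenSet[str]


def expected_group(person: HrPerson) -> str:
    # Assumption: one directory group per department, named grp-<department>
    return f"grp-{person.department.lower()}"


def reconcile(hr: List[HrPerson], directory: List[DirectoryAccount],
              today: date) -> Dict[str, List[str]]:
    """Compare the HR export (source of truth) with the directory and list the actions."""
    findings: Dict[str, List[str]] = {"joiner": [], "mover": [], "leaver": [], "orphan": []}
    known_ids = {p.employee_id for p in hr}
    active_ids = {p.employee_id for p in hr if p.end_date is None or p.end_date > today}
    by_employee = {a.employee_id: a for a in directory if a.employee_id}

    for person in hr:
        account = by_employee.get(person.employee_id)
        if person.employee_id not in active_ids:
            # Leaver: HR says the contract ended, but the account is still enabled
            if account is not None and account.enabled:
                findings["leaver"].append(account.login)
            continue
        if account is None:
            # Joiner: present in HR, no account yet
            findings["joiner"].append(person.employee_id)
            continue
        # Mover: the department group no longer matches the HR department
        dept_groups = {g for g in account.groups if g.startswith("grp-")}
        want = expected_group(person)
        if dept_groups != {want}:
            findings["mover"].append(
                f"{account.login}: has {sorted(dept_groups)}, expected ['{want}']")

    for account in directory:
        # Orphan: enabled account with no (or an unknown) HR record behind it
        if account.enabled and account.employee_id not in known_ids:
            findings["orphan"].append(account.login)
    return findings


# Constructed sample data
SAMPLE_HR = [
    HrPerson("E1", "Alice", "Finance", None),
    HrPerson("E2", "Bob", "Sales", date(2022, 5, 31)),   # left last month
    HrPerson("E3", "Carol", "Legal", None),              # moved from Finance to Legal
    HrPerson("E4", "Dave", "IT", None),                  # starting, no account yet
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", "E1", True, frozenset({"grp-finance"})),
    DirectoryAccount("bob", "E2", True, frozenset({"grp-sales"})),
    DirectoryAccount("carol", "E3", True, frozenset({"grp-finance", "app-erp"})),
    DirectoryAccount("svc-backup", None, True, frozenset()),         # hand-made, no HR link
    DirectoryAccount("eve", "E9", True, frozenset({"grp-sales"})),  # HR has no E9
]


def run_sample() -> Dict[str, List[str]]:
    return reconcile(SAMPLE_HR, SAMPLE_DIRECTORY, date(2022, 6, 15))


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind:7s} {items}")
```

Run against the sample, the script reports Dave as a joiner, Carol as a mover still carrying her old Finance group, Bob as a leaver whose account is still enabled, and two orphan accounts (a hand-made service account and a login whose employee number HR does not know). Running this kind of comparison on every HR export is what keeps the single repository of point 1 from going stale.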

6. Implement an authorization process: formalized and auditable

An entitlement process must be put in place and known to all so that it can be applied. It should not be too restrictive, because, of course, in this case, it will be bypassed.

For example, a new arrival must imperatively be integrated into one of the pre-defined groups, any change of position must be accompanied by a change of group, or new assignments of rights or applications must be discussed between managers and IT. You will find the process that suits your employees and your company.

This process must be clear so that it can be audited and questioned if necessary.
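Points 3, 4 and 6 describe one workflow: a request for a role, validated by the subject's manager (never by the subject), refused when it would concentrate creation, validation and supervision on one person, and written to an audit trail in every case. The Python below is an added example of that workflow, not the process of the original article or of any IAM product; the roles, the separation-of-duties pairs, the users and the requests are all constructed for the example.

```python
"""Formal access-request workflow: manager approval only, no self-authorization,
separation-of-duties check and an append-only audit trail.
Added example with constructed roles, users and requests; it is not the workflow
of any particular IAM product."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumption: roles map to entitlements; the three steps of the invoice process
# (create / validate / supervise) must never be held by one person (point 4)
ROLES: Dict[str, Set[str]] = {
    "accounts-payable": {"invoice:create"},
    "ap-approver": {"invoice:validate"},
    "finance-auditor": {"invoice:supervise"},
    "sales": {"crm:read", "crm:write"},
}
SOD_CONFLICTS = [
    {"invoice:create", "invoice:validate"},
    {"invoice:create", "invoice:supervise"},
    {"invoice:validate", "invoice:supervise"},
]


@dataclass
class User:
    login: str
    manager: Optional[str]          # hierarchical superior who validates requests
    roles: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AccessRequest:
    requester: str      # who filed it (often the manager, on behalf of the subject)
    subject: str        # who would receive the role
    role: str
    approver: str
    justification: str  # the 'why' that an audit will ask for


def effective_entitlements(user: User) -> Set[str]:
    ents: Set[str] = set()
    for role in user.roles:
        ents |= ROLES.get(role, set())
    return ents


def sod_violations(entitlements: Set[str]) -> List[Set[str]]:
    return [pair for pair in SOD_CONFLICTS if pair <= entitlements]


def process_request(req: AccessRequest, users: Dict[str, User],
                    audit: List[dict]) -> bool:
    """Apply the rules, record the decision in the audit trail, return True if granted."""
    def record(decision: str, reason: str) -> bool:
        audit.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "requester": req.requester, "subject": req.subject, "role": req.role,
            "approver": req.approver, "justification": req.justification,
            "decision": decision, "reason": reason,
        })
        return decision == "approved"

    subject = users.get(req.subject)
    if subject is None:
        return record("rejected", "unknown subject")
    if req.approver == req.subject:
        return record("rejected", "self-authorization is forbidden")
    if req.approver != subject.manager:
        return record("rejected", "approver is not the subject's manager")
    if req.role not in ROLES:
        return record("rejected", "unknown role")
    conflicts = sod_violations(effective_entitlements(subject) | ROLES[req.role])
    if conflicts:
        return record("rejected", f"separation-of-duties conflict: {sorted(conflicts[0])}")
    subject.roles.add(req.role)
    return record("approved", "validated by manager, no conflict")


def run_sample() -> List[dict]:
    # Constructed sample: alice already creates invoices, mia is her manager
    users = {"alice": User("alice", manager="mia", roles={"accounts-payable"}),
             "mia": User("mia", manager=None)}
    audit: List[dict] = []
    for req in [
        AccessRequest("alice", "alice", "ap-approver", "alice", "I need to approve my own invoices"),
        AccessRequest("mia", "alice", "ap-approver", "mia", "cover for the AP approver on leave"),
        AccessRequest("mia", "alice", "sales", "bob", "CRM access"),
        AccessRequest("mia", "alice", "sales", "mia", "needs the CRM for supplier follow-up"),
    ]:
        process_request(req, users, audit)
    return audit


if __name__ == "__main__":
    for entry in run_sample():
        print(entry["subject"], entry["role"], entry["decision"], "-", entry["reason"])
```

Of the four sample requests only the last is granted: the first is self-authorization, the second would let the same person create and validate invoices, the third names an approver who is not the subject's manager. Every one of them, granted or refused, ends up in the audit list with its justification and approver, which is what makes the process auditable and questionable after the fact.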

7. Prioritization 

Prioritize important information

The same level of attention should not be given to all applications. Therefore, resources should be segmented according to their degree of sensitivity to the company's security. This work is lengthy and tedious but necessary.

This rule can also be applied to the various professions within the company by conducting a risk analysis to manage sensitive information.

When embarking on privilege management, there is a tendency to want to do everything perfectly and comprehensively. This is a mistake; it is preferable to monitor the most sensitive applications and groups first. It is possible to readjust later and deploy gradually by defining other groups. 

Of course, if you can, define all of your groups at once; it will be easier anyway. But if you can't manage to do it, take the most sensitive users and set up entitlement management on this 'test' group. 

8. Traceability

Privilege management also means knowing who has what. 

Depending on how you manage your strategy, you can easily know this information if you use an IAM (identity and access management) solution or an Excel file if you work with it.

In any case, you need to know all of a person's entitlements to carry out audits, to ensure security within your company, or to facilitate exchanges with them.

Privilege traceability rests on one thing: a unique identifier for each user, to which all of that person's rights are linked.

You may also need to track a user's different connections and therefore trace their accesses. This will allow you to control the proper management of accesses.

9. Control and questioning

An entitlement management plan is not fixed; it must be questioned and evolve over time. The company's resources evolve, and so do the users; the external context also plays a fundamental role, as we have seen with the health crisis.

As we saw in point 7, groups can evolve, so don't hesitate to review your strategy regularly. Businesses also evolve, so you have to adapt.

Unfortunately, this management also implies control and sanctions in case of non-compliance with the rules established in the company. Control must be put in place upstream to validate or re-evaluate authorizations and downstream to monitor access.

A malicious user must be sanctioned to avoid jeopardizing the company's security.

However, the control must be in line with the risk incurred. There is no point in putting a lot of pressure on a user with little access and few rights.
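Points 7, 8 and 9 fit together: a "who has what" report keyed by each person's unique identifier, and a review schedule in which control effort follows the sensitivity of the application rather than being spread evenly. The Python below is an added example that is not part of the original article; the sensitivity tiers, the review periods, the applications and the inventory are all constructed assumptions.

```python
"""'Who has what' report and risk-weighted entitlement review (points 7, 8 and 9).
Added example with a constructed entitlement inventory; the sensitivity tiers and
review periods are assumptions, not figures from the article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumption: the more sensitive the application, the shorter the review cycle,
# so control effort follows the risk (point 9) and sensitive apps come first (point 7)
REVIEW_PERIOD_DAYS = {"high": 90, "medium": 180, "low": 365}
APP_SENSITIVITY = {"payroll": "high", "erp": "high", "crm": "medium", "wiki": "low"}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Entitlement:
    user_id: str        # the unique identifier linked to the person (point 8)
    app: str
    right: str
    granted_by: str     # the approver, so every right has a traceable origin
    last_reviewed: date


def sensitivity(app: str) -> str:
    # An application nobody has classified yet is treated as sensitive until someone does
    return APP_SENSITIVITY.get(app, "high")


def who_has_what(inventory: List[Entitlement]) -> Dict[str, List[str]]:
    """Point 8: every entitlement of a person, keyed by their unique identifier."""
    report: Dict[str, List[str]] = defaultdict(list)
    for e in inventory:
        report[e.user_id].append(f"{e.app}:{e.right}")
    return {uid: sorted(rights) for uid, rights in report.items()}


def overdue_reviews(inventory: List[Entitlement], today: date) -> List[str]:
    """Entitlements whose review is overdue, most sensitive and most overdue first."""
    overdue = []
    for e in inventory:
        tier = sensitivity(e.app)
        due = e.last_reviewed + timedelta(days=REVIEW_PERIOD_DAYS[tier])
        if due <= today:
            overdue.append((tier, (today - due).days, e))
    overdue.sort(key=lambda item: (TIER_RANK[item[0]], -item[1], item[2].user_id))
    return [f"{e.user_id} {e.app}:{e.right} ({tier}, {late}d overdue)"
            for tier, late, e in overdue]


# Constructed sample inventory
SAMPLE_INVENTORY = [
    Entitlement("u-001", "payroll", "admin", "mia", date(2022, 1, 10)),
    Entitlement("u-001", "wiki", "edit", "mia", date(2021, 3, 1)),
    Entitlement("u-002", "erp", "post", "paul", date(2022, 5, 1)),
    Entitlement("u-002", "crm", "write", "paul", date(2021, 11, 1)),
    Entitlement("u-003", "hrportal", "view", "paul", date(2022, 2, 1)),  # never classified
]


def run_sample() -> List[str]:
    return overdue_reviews(SAMPLE_INVENTORY, date(2022, 6, 15))


if __name__ == "__main__":
    for uid, rights in who_has_what(SAMPLE_INVENTORY).items():
        print(uid, rights)
    for line in run_sample():
        print(line)
```

On the sample inventory the review queue puts the payroll admin right first, then the unclassified HR portal (treated as sensitive until someone classifies it), then the CRM right, and only last the wiki right, even though the wiki right has been unreviewed the longest. That ordering is the point: the low-risk entitlement waits, the sensitive ones do not.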

10. Awareness and Persuasion

For the established plan to work, it must be accepted by everyone. If IT imposes it, managers will resist. Managers and users are a human variable, that is to say, unpredictable.

Training, awareness and reminders should be a daily part of entitlement management.

It is also important to look at the IT department, management and HR, which are essential elements in the success of the project. The single user repository must be created in partnership with HR. Management validates and finances this project, and must also be convinced of the need for the company's security and the time savings in user management.

Well-managed privilege management fosters a more harmonious relationship between IT and managers. Information flows better, and everyone benefits. IT is aware of arrivals and departures as well as user needs and can therefore better manage its IT. Managers find it easier to communicate their needs and obtain the correct access for their employees.


Some tips to facilitate your management:

These 10 points are ideal for privilege management; bring flexibility to your process, otherwise you will quickly give up.

Warning ⚠️: we are not questioning the entire organization, we are reorganizing. 

Define a monitoring process for your applications. It will take time to integrate all of your existing applications into your management tool, so as soon as a new application is put in place in your company, apply the authorization process to it from day one; that way you will not have to come back to it a second time.

In summary, access traceability + authorization control = successful management.