A favorite target for cyberattacks, poorly protected user accounts are the easiest way into an information system (IS).
Today's CIOs and CISOs know that the biggest challenge is the user. This human factor is very difficult to anticipate and manage.
Authorization or privilege management can be applied iteratively, or by following a series of steps and carrying out an extensive project. Fortunately, there are solutions that automate much of the work.
I've given you an ideal process for implementing privilege management, but rest assured that a fairly simple project is already effective. There are, however, a number of essential points you must respect when managing privileges: a single user repository, a review of authorizations and the alignment of rights with each person's position.
Some sectors are more closely monitored than others, and are therefore obliged to implement privilege management. Banks, for example, are obliged to have a process for controlling a person's authorizations. This must be regularly re-evaluated, and identities must be traceable. Privilege management acts as a safety valve: requests are validated by people outside the supervised business line and, above all, no one authorizes themselves.
But first of all, if you'd like to know what the CNIL has to say about authorization management, click here.
Managing authorizations involves asking these questions:
- Who are my users (internal and external)?
- What applications do they have?
- What rights do they have?
- Are these rights justified?
- Are these rights still relevant today?
This can be summed up as: 'who has what, and why?'
1. A single user repository
Having a directory of internal and external individuals is essential. To build this single user repository, IT needs to work closely with HR. Some tools automate the repository by synchronizing the HRIS with the AD (Active Directory).
If you do it yourself, make sure you haven't forgotten anyone, and don't confuse employees with users. The file must be correctly created and up to date 😉
⚠️ Don't just do it once, pat yourself on the back and move on. Unfortunately, this repository needs to be kept up to date.
2. Segment users
Once your repository has been designed, it's time to segment your users. To design these typologies, rely on the knowledge of managers to better define your groups. IT will also have a say in the timing of certain access or application requests. RBAC (role-based access control) is the most widely used way of doing this segmentation.
Keep a close eye on external users, as they can easily fall through the cracks. Not having a contractual relationship with the company, they will be less likely to know the rules, and may not have the same awareness of cybersecurity risks.
3. Principle of least privilege
Following on from the previous point, managers will need to define application requirements for each user group, and control access rights. The principle of least privilege is to give employees the minimum set of rights and accesses, so that rights do not spread beyond what the job requires and access monitoring stays simple. This point is covered in greater detail in the article on authorization management. To reduce security risks, users are given only what is strictly necessary.
4. Define who validates rights and access
A strict rule must be applied: no one can assign rights and accesses to themselves. Self-authorization is strictly forbidden, so a hierarchical superior must be designated to validate each request. Segregation of duties means that a single user cannot hold every right over one task: creation, validation and supervision.
It's not IT's job to validate everything - managers are perfectly capable of doing that. On the other hand, managers must define, in partnership with IT, which requests can be approved directly and which must be examined more closely.
5. Tracking mobility
Beware of mobility in general: arrival processes are well in place, but there's a lack of clarity when it comes to internal mobility. When it comes to departures, things are just as chaotic, with IT having difficulty in obtaining real-time information on departures.
Controlling the user lifecycle is a crucial aspect of authorization management. If you apply only a few of these points, make it this one.
As employees evolve within a company, they rarely stay in the same position, unless the structure is small. Whenever such a move happens, make sure the user's rights are realigned with the new position.
6. Set up a formal, auditable authorization process
An authorization process must be in place and known to everyone, so that it is actually applied. It must not be too restrictive, as it will obviously be circumvented if it is.
For example, a new arrival must be integrated into one of the pre-defined groups, a change of position must be accompanied by a change of group, or new rights or applications must be discussed between managers and IT. You'll find the right process for your employees and your company.
This process must be clear so that it can be audited and questioned if necessary.
7. Prioritize
Not all applications require the same level of attention and intensity. That's why you need to segment resources according to their degree of sensitivity to the company's security. This work is long and tedious, but necessary.
We can also apply this rule to the various business lines within the company, by carrying out a risk analysis to manage sensitive information.
When it comes to privilege management, there's a tendency to want to do everything perfectly and in its entirety. This is a mistake; it's better to start by monitoring the most sensitive applications and groups. It's possible to readjust later and deploy gradually by defining other groups.
Of course, if you can, define all your groups at once - it'll be easier anyway. But if you can't, take the most sensitive users and set up authorization management for this 'test' group.
8. Traceability
Privilege management also means knowing who has what.
Depending on how you run your strategy, you can find this information easily if you're using an IAM (identity and access management) solution, or from an Excel file if you maintain one by hand.
Whatever the case, you need to know all the authorizations a person holds, whether to carry out audits, to ensure security within your company or to facilitate exchanges with it.
Privilege traceability starts with a unique identifier attached to each user.
You may also need to keep track of a user's various connections, and thus trace their accesses. This will enable you to control access management.
9. Control and challenge
An authorization management plan is not set in stone; it needs to be questioned and evolve over time. The company's resources evolve, as do its users, and the external context also plays a fundamental role, as we saw with the health crisis.
As we saw in point 7, groups can evolve, so don't hesitate to review your strategy regularly. Businesses evolve too, so you need to adapt.
Unfortunately, this management also implies control and sanctions in the event of non-compliance with the company's established rules. Controls must be put in place upstream to validate or reassess authorizations, and downstream to monitor access.
A malicious user must be sanctioned; otherwise the company's security is put at risk.
On the other hand, control must be commensurate with the risk involved. There's no point putting a lot of pressure on a user with limited access and rights.
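The checks described in points 1, 3, 4, 5 and 9 (a single repository with unique identifiers, rights aligned with a user's group, no self-authorization, leavers losing access, and a regular review) can be run as a simple reconciliation of the HR repository against an access export. The following script is an added example, not code from the article; the groups, rights, identifiers and export format are constructed for the illustration.

```python
# Added example: an authorization review that reconciles a constructed HR
# repository with a constructed access export and reports the findings a
# reviewer would want to see ("who has what, and why").

# Role model (RBAC): each group lists the rights it justifies. Constructed.
ROLE_RIGHTS = {
    "accounting": {"erp:read", "erp:post"},
    "sales": {"crm:read", "crm:write"},
    "it-admin": {"ad:admin", "erp:read", "crm:read"},
}

# Single user repository (HRIS-derived): one unique identifier per person,
# with the group assigned by the manager and whether the person is still here.
HR_REPOSITORY = {
    "u001": {"name": "Alice", "group": "accounting", "active": True},
    "u002": {"name": "Bob", "group": "sales", "active": True},
    "u003": {"name": "Carol", "group": "it-admin", "active": True},
    "u004": {"name": "Dan", "group": "sales", "active": False},  # has left
}

# Access export (e.g. from AD or the applications): who holds which right
# and which identifier validated the request. Constructed sample data.
ACCESS_EXPORT = [
    {"user": "u001", "right": "erp:read", "approved_by": "u010"},
    {"user": "u001", "right": "erp:post", "approved_by": "u010"},
    {"user": "u002", "right": "crm:write", "approved_by": "u002"},  # self-approved
    {"user": "u002", "right": "erp:post", "approved_by": "u010"},   # not in role
    {"user": "u004", "right": "crm:read", "approved_by": "u010"},   # leaver
    {"user": "u099", "right": "ad:admin", "approved_by": "u010"},   # unknown id
]


def review_access(repository, export, role_rights):
    """Return (user, right, finding) tuples; an empty list means all aligned."""
    findings = []
    for entry in export:
        uid, right, approver = entry["user"], entry["right"], entry["approved_by"]
        person = repository.get(uid)
        if person is None:  # traceability: every right must map to a known identity
            findings.append((uid, right, "unknown identifier: not in user repository"))
            continue
        if not person["active"]:  # departure not propagated to access
            findings.append((uid, right, "leaver still holds access"))
        if approver == uid:  # segregation of duties: no self-authorization
            findings.append((uid, right, "self-authorization"))
        if right not in role_rights.get(person["group"], set()):  # rights alignment
            findings.append((uid, right, f"not justified by group '{person['group']}'"))
    return findings


if __name__ == "__main__":
    for uid, right, finding in review_access(HR_REPOSITORY, ACCESS_EXPORT, ROLE_RIGHTS):
        print(f"{uid} {right}: {finding}")
```

Each finding is a question for the manager and IT to answer during the review, and a right that survives the review unjustified is exactly the kind of overflow point 3 warns against.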
10. Raising awareness and convincing
For the plan to work, it has to be accepted by everyone. If IT imposes, managers will resist. Managers and users are a human variable, i.e. unpredictable.
Training, awareness-raising and reminders must be part of the daily routine when managing authorizations.
IT, management and HR are also essential to the success of the project. The single user repository must be created in partnership with HR. In addition to validating and financing the project, management must be convinced of the need to ensure corporate security and save time in user management.
Well-managed privilege management creates a calmer relationship between IT and managers. Information flows better, and everyone benefits. IT is aware of arrivals and departures, as well as users' needs, and can therefore manage its information system better. Managers find it easier to communicate their needs, and obtain the right access for their staff.
A few tips to help you manage your business:
These 10 points are an ideal way to achieve privilege management, but make your process flexible, otherwise you'll soon give up.
Attention ⚠️: we're not calling the whole organization into question, we're reorganizing it.
Define a monitoring process for your applications. It will take time to integrate all your applications into your management tool. As soon as a new application is set up in your company, apply the authorization processes, so you won't have to come back to it a second time.
In short, access traceability + authorization control = successful management.