Identity and Access Management

Posted 24 January, 2022 at 13:44

Author Kevin Hawkins on behalf of H2 Cyber Risk Advisory Services Ltd


Those of you who have managed to plough your way through some of my earlier stuff, will know that I am very big on user awareness training for staff at all levels, believing as I do, that it is arguably one of the biggest wins that an SME can gain, to protect themselves against cybercrime.  There is however a very close second, and that is identity and access management.

There is mounting evidence that the message is getting through that, although passwords are very important, they most certainly aren’t the panacea that many think they are.  We can see many organisations moving to 2 factor authentication as a norm now.  A charity I volunteer for has recently done just that and not before time, considering the amount of personal data they are holding.  But is that enough?

Compromised credentials are very high on the list of cybercrime related incidents that we see and have to deal with.  Protecting these identities can be a very technical issue and advice and guidance will be needed to ensure that you are adequately covered.  However it needn’t be overly expensive, neither need it be overly complicated.  In fact, I’m a great believer in that the simplest solution is often the best solution.  I’m an adherent of the KISS principle – Keep It Simple Stupid.

Questions to ask yourself include:

  1. Are your user accounts configured with the minimum level of privilege they need to do their job?
  2. If an employee needs additional privilege to carry out a one off job, how do you ensure that once it’s completed, the privilege is revoked?
  3. What is a privileged account?  Typically it’s someone who needs additional privileges as part of their daily tasks, such as adding/removing users, auditing actions, access to more secure areas of the network (finance, management data etc), etc etc.  Are you limiting by policy the roles within your organisation that need privileged accounts, and are you specifying explicitly what those privileges are, by role?
  4. Are your privileged accounts subject to greater levels of auditing and scrutiny?
  5. Do you have a joiners and leavers process to manage active accounts?
  6. Do you have a movers process ie employees that change roles and require different levels of access to carry out their new role, either adding or removing privilege?

Another issue that you may need to consider is any accounts that exist on your network that may be used by third party suppliers.  Many companies use ‘just in time’ supply management which can require third parties to have access to their network.  Another example is people like me who, when carrying out things like vulnerability assessments, may be given privileges to scan the network.  Is that revoked at the end of the scan?  And of course, there is the IT company you may have under contract who actively have access to your network to carry out maintenance and might actually also have a contract for controlling user privilege.  Or perhaps the company you have under contract maintaining your alarms and security cameras which you didn’t know were actually using your network to connect to each other and their control room.

What about logging?  What is logging?  Every system has a set of logs which can be switched on or off.  I often come across networks where logging has been switched off or never activated because its consider to be an overhead you can live without.  Well, I disagree with that, quite vehemently.  Logging helps you to determine what normal looks like.  For example user profiles carry out certain functions within their role.  If a user is stepping outside of that profile, you need to find out why.  Is it a user who is doing something they simply didn’t realise they shouldn’t, or is it something more serious?  Is it an identity that has been created or hi-jacked by a cybercriminal who has managed to gain access?  Examination of these logs will help you understand that.  There is of course software on the market that will be of great help with this.

And of course, what do you do if you are suspicious of an activity or action by a user?

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

 

To learn more about the services we provide please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or email

T: 0845 5443742

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure

What our customers say about us

 

“We asked H2 to examine our Cyber Security and Data Protection posture, including policies, processes and technical configuration and controls. We found their Cyber Maturity Assessment to be very comprehensive in discovering the threats and vulnerabilities to our systems and describing them in terms of business risk.  The policies and processes developed were again, comprehensive and all encompassing, and designed to fit in with the style and presentation of our other policies and handbook.”

Teresa McGuire, Administration Manager, PAVEMAC

More from H2 Cyber Risk Advisory Services Ltd

The New Normal
Article

The New Normal

17 May 2022
BREAKING NEWS - H2 WIDENS ITS E-LEARNING ACADEMY TO ENCOMPASS DATA PROTECTION
Video

BREAKING NEWS - H2 WIDENS ITS E-LEARNING ACADEMY TO ENCOMPASS DATA...

02 May 2022
Consequences of a Cyber-Attack
Article

Consequences of a Cyber-Attack

28 April 2022
The Cost of Getting Data Protection Wrong
Article

The Cost of Getting Data Protection Wrong

20 April 2022
Card image cap
user

H2 Cyber Risk Advisory Services Ltd

SME

Profile Feed
Established in 2016, H2 Cyber Risk Advisory Services is a specialist cyber security and data protection company that focuses on providing innovative and robust security solutions to the UK SME sector. Its founders, Kevin Hawkins and Bob Hay, are amongst the best qualified and most experienced...

56

Press Releases