We’re not saying trust no-one, but that’s exactly what we’re saying. Paranoia aside, when it comes to data security, a zero-trust culture is where it’s at. ‘Zero trust’ operates on the principle of “Never trust. Always verify,” which is IT-speak for “make sure users are who they say they are.” So get your teeth ‘round five identity and access management best practices that’ll secure your network, data, and files wherever they find themselves.
You’re Not a Castle Anymore
Traditional protections like firewalls throw a ring of protection around your IT ecosystem, but when that ecosystem goes feral – for instance, through remote working – you’ll need another way to protect data. A zero-trust environment protects data where the data is – and your data could be on your own office servers, in a public cloud, or in your Head of Logistics’ kids’ den. Identity and access management control focuses on verifying the user rather than the ecosystem.
P.S.: You still need firewalls.
Why You Need Decent Identity Management and Access Control
There are so many risks of not having decent identity management and access control that we can’t even. But here are some for starters:
| Risk | Why You Should Be Scared |
| --- | --- |
| Identity Theft | Cyber-baddies assume the identities of legitimate, non-baddy people in order to do bad things. |
| Insider Threats | Resentful ex-employees access corporate data to steal, create havoc, or whatever else they feel like doing. |
| Data Breaches | Bad people use brute force attacks and other means to get their hands on your access credentials. Bye-bye, intellectual property! |
| Compliance Violations | Losing your compliance accreditation could cost you clients, e.g., through HIPAA. Ouch. |
| Credential-Stuffing Fun | Bad people with access to usernames and passwords for one platform use them to attempt to infiltrate other platforms. You’re stuffed. |
Identity and Access Management Are Not The Same
Identity management and access management are not the same, but they are related.
Identity management verifies that a person is actually who they say they are.
Access management manages what systems, networks, or data a person – legitimate or not – can access (or not).
5 Identity and Access Management Best Practices To Have Fun With
1. Multi-Factor Authentication (MFA)
Multi-factor authentication is an identity management best practice that forces someone to prove, in two or more ways, that they’re a legitimate user. Typically, MFA requires someone to validate their identity using:
- Something they know, e.g., a passcode, username, or password
- Something they have, e.g., a smartphone for a one-time code
- Something they are, e.g., a biometric such as voice recognition or a fingerprint for touch access
Requiring multiple methods for proof of identity cuts the risk of cybercriminals being able to hack your people’s accounts.
MFA is even more useful when it’s centrally integrated into your systems through the cloud services you use or as part of a federated identity management system.
2. Role-Based Access Control (RBAC)
This cheeky little best practice is based on everybody’s favorite principle – that of least privilege. Start by mapping access privileges to specific roles and responsibilities. Your RBAC configuration then assigns the access and permission levels you’ve decided on to your legitimate users based on their roles. For instance, Ismail, your HR junior, gets access to the payroll admin files but won’t have the authority level to access performance management data on the same system. His pal Moira, over in Logistics, won’t have access to any of it because it’s not her role.
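The Ismail and Moira scenario as a deny-by-default policy check, plus the two questions an access review asks of it. This is an added example, not from the original post; the role names, resource names and the `hr_manager` and `shipping` entries are assumptions made up for illustration.

```python
# Constructed policy modelled on the scenario above. Role and resource
# names are assumptions for illustration, not from any real product.
ROLE_PERMISSIONS = {
    "hr_junior": {("payroll_admin", "read"), ("payroll_admin", "write")},
    "hr_manager": {("payroll_admin", "read"), ("payroll_admin", "write"),
                   ("performance_mgmt", "read"), ("performance_mgmt", "write")},
    "logistics": {("shipping", "read"), ("shipping", "write")},
}
USER_ROLES = {"ismail": {"hr_junior"}, "moira": {"logistics"}}

def effective_permissions(user, user_roles=USER_ROLES):
    """Union of the grants from every role the user holds.
    Unknown users and unknown roles contribute nothing."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(user, resource, action, user_roles=USER_ROLES):
    """Deny by default: access needs an explicit (resource, action) grant."""
    return (resource, action) in effective_permissions(user, user_roles)

def who_can(resource, action, user_roles=USER_ROLES):
    """Access review: every user who currently holds this permission."""
    return sorted(u for u in user_roles
                  if is_allowed(u, resource, action, user_roles))

def excess_grants(user, needed, user_roles=USER_ROLES):
    """Least-privilege check: permissions held beyond what the job needs."""
    return effective_permissions(user, user_roles) - needed
```

`excess_grants` is the check that catches role creep, for example a temporary extra role that was never taken away again.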
3. Cloud Single Sign On (SSO)
Allied to MFA is cloud SSO, which is a magical protection against poor password management as well as a high-five for your people who’d much prefer to access all their cloud accounts with one single password (or MFA) than try to remember five hundred child-or-pet-based ones. And because cloud SSO centralizes your people’s identities, it makes it easy for IT leads to manage access privileges and accounts.
4. Mobile Device Management (MDM)
Yup, you didn’t think you’d get so far into a blog without us mentioning MDM, but it really is the Thing of Awesome in the world of data security. MDM makes it easy to configure your entire device fleet for access control. For instance, remote lock or data wipe bars any device that’s lost, stolen, or misplaced from connecting to your corporate stuff.
5. Secure and Timely Offboarding
Leaving ex-hires’ corporate accounts open and active is a welcome mat to abuse. It’s not just the disgruntled ex-hire you need to worry about: any account left hanging around is vulnerable to cyber attacks from anywhere. One of your many offboarding best practices is to promptly deactivate and close those accounts. Hey, here’s an idea: jot it down on your offboarding checklist now!
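One way to check that the offboarding step actually happened, as an added example that is not from the original post: compare HR's list of leavers against an export of accounts and flag anything still enabled, or used, after the exit date. The record layout, user names and dates are constructed sample data.

```python
from datetime import date, datetime

# Constructed sample data: HR exit dates and an account export.
LEAVERS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 4, 15)}
ACCOUNTS = [
    {"system": "email", "user": "jdoe", "enabled": False,
     "last_login": "2024-02-28T17:02:00"},
    {"system": "vpn", "user": "jdoe", "enabled": True,
     "last_login": "2024-03-09T23:41:00"},
    {"system": "crm", "user": "asmith", "enabled": True,
     "last_login": "2024-04-12T09:15:00"},
    {"system": "wiki", "user": "asmith", "enabled": True, "last_login": None},
    {"system": "email", "user": "mlee", "enabled": True,
     "last_login": "2024-05-02T08:00:00"},
]

def offboarding_findings(leavers, accounts, today):
    """Return accounts of departed staff that are still open or were used
    after the exit date, most urgent first."""
    findings = []
    for acct in accounts:
        exit_date = leavers.get(acct["user"])
        if exit_date is None or exit_date >= today:
            continue  # current staff, or has not left yet
        last = acct["last_login"]
        used_after = (last is not None
                      and datetime.fromisoformat(last).date() > exit_date)
        if used_after:
            issue = "used_after_exit"  # investigate even if since disabled
        elif acct["enabled"]:
            issue = "still_enabled"
        else:
            continue  # closed and never touched after exit
        findings.append({"system": acct["system"], "user": acct["user"],
                         "issue": issue,
                         "days_since_exit": (today - exit_date).days})
    # Post-exit logins first, then the accounts that have been open longest.
    findings.sort(key=lambda f: (f["issue"] != "used_after_exit",
                                 -f["days_since_exit"]))
    return findings
```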
Feel Like Stopping The Baddies Getting All Up In Your Business?
Good for you! We’re in that kind of mood, too. These identity and access management best practices are the biggies, but there are other methodologies to add to the pot, too. Getting it all together doesn’t need to be that special kind of nightmare that leaves you sweating vinegar, and we’ll show you how to do it if you’ll let us. Give us a call, because we’d love you to tell us about your business. And then we’ll tell you at least four tiny things you can do today to keep the baddies out and data in.
Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!