Who is allowed to do what?
Compromised user credentials are among the most popular attack vectors for cybercriminals, who use hacked identities to gain access to corporate systems and data – sometimes operating quietly behind the scenes for long periods of time, sometimes creating more spectacular chaos by holding all or parts of an organization ransom.
To avoid handing over control of your organization to the wrong people, it’s crucial to manage your users’ identities and access.
Things to consider
Automation and connectivity are great, but…
Today, most organizations base their operations on a large number of technologies that are all automated and interconnected – to each other, and to the outside world.
Connectivity is great – it gives organizations and their users huge flexibility and endless potential to adapt and learn. Automation is also great – it’s a powerful tool that saves resources and can ensure alignment across people, platforms and systems.
But automation and connectivity to the outside world also make the organization more vulnerable if the wrong person gains access.
To stop hackers and disgruntled parties from doing too much harm once they are in your systems, identity management – controlling which user accounts can do what – is critical to get right.
Who really needs access to those files?
Identity management is all about privileges: Who has privileges to access and do what?
It is about mapping what can happen to your organization if someone gains access to any user account and tries to extend that access and privilege laterally or vertically.
Does the marketing manager need access to the CFO’s calendar or OneDrive files? Does his secretary? To all of them? Really?
What are your processes for external contractors – what access privileges do they have?
Are you reviewing access on an ongoing basis?
Do you shut down access and accounts when people leave the company, or change jobs? If user privilege is tied to user identity, rather than role, what are the consequences when people change roles within the organization?