Protect Access to Mission Critical Assets
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the importance of implementing strong identity and access management.
- Describe the core security principles to manage privileged user access.
Implement Strong Identity and Access Management
As leaders, it’s important to identify your organization’s mission-critical assets, as well as who has access to them and what threats those users might pose. Once you have considered all internal and external users, you should ensure your IT systems protect how those users access the organization’s most critical assets. Just as physical access controls manage who enters your organization and limit access to sensitive areas, strong identity and access management systems control access to your organization’s most critical technology assets.
Not all user access is created equal. It’s a good idea to implement the principle of least-privileged access, meaning that users are granted access only to the resources they need to do their jobs. For instance, a project engineer does not need access to an organization’s financial data. Building a strong identity and access management system begins with having a single trustworthy reference of all users and their roles within an organization. It is essential to have processes and automated systems in place to ensure appropriate access rights, including termination of access upon an employee’s departure or at the end of a project or engagement.
Manage Privileged User Access
A privileged account allows a user to perform administrative functions that an unprivileged user would not need to perform, such as changing configurations on network devices. Robust privileged-user access management requires a layered access mechanism for a privileged user to gain access to a mission-critical system. Each layer should be fortified with a different multi-factor authentication (MFA) mechanism based on the sensitivity of the information.
For example, an administrator logs in to a separate software platform using a username, a password, and an authentication token sent to her mobile phone. She then checks out an administrative password to perform a function such as exporting data from a sensitive database. This provides a higher level of security than a username and password alone. Gartner provides information on various tools available to manage privileged accounts.
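The two-layer flow described above, as an added illustration that is not part of this unit and does not model any particular vendor’s product: the administrator first authenticates to the privileged-access platform with a password plus a one-time code, and only with a fresh second factor may she check out an administrative credential, for a stated purpose and a limited time. Every step lands in an audit trail, and the credential is rotated at check-in. The user name, account name and secrets are constructed; the platform class, its method names and the SHA-256 stand-in for a real password hash are assumptions for the example.

```python
"""Privileged-credential checkout with layered MFA (added example, not Trailhead code)."""
import hashlib
import hmac
import secrets
import time


def password_hash(password):
    # Stand-in only: a real deployment uses a slow, salted KDF (e.g. Argon2), not bare SHA-256
    return hashlib.sha256(password.encode()).hexdigest()


class PrivilegedAccessPlatform:
    """Constructed model of the separate platform an administrator logs in to
    before checking out an administrative credential. Not a real product's API."""

    MFA_MAX_AGE = 300     # seconds a completed second factor stays fresh
    CHECKOUT_TTL = 900    # seconds an administrative credential may stay checked out

    def __init__(self, users, admin_accounts, clock=time.time):
        self.users = users                      # user -> password hash
        self.admin_accounts = {name: {"secret": secret, "holder": None, "expires": 0.0}
                               for name, secret in admin_accounts.items()}
        self.clock = clock                      # injectable so tests can move time forward
        self.audit = []                         # every step lands here for alerting and audit
        self.pending_otp = {}                   # user -> code "sent to the phone"
        self.mfa_verified_at = {}               # user -> time of last successful second factor

    def _log(self, event, **fields):
        self.audit.append({"t": self.clock(), "event": event, **fields})

    # Layer 1: username + password, then a one-time code delivered out of band
    def login(self, user, password):
        if user not in self.users or not hmac.compare_digest(password_hash(password), self.users[user]):
            self._log("login_failed", user=user)
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        self._log("otp_issued", user=user)
        return code   # in a real deployment this goes to the phone and is never returned to the caller

    def verify_otp(self, user, code):
        expected = self.pending_otp.pop(user, None)   # single use: a wrong guess burns the code
        if expected is None or not hmac.compare_digest(expected, code):
            self._log("otp_failed", user=user)
            return False
        self.mfa_verified_at[user] = self.clock()
        self._log("mfa_verified", user=user)
        return True

    # Layer 2: check out an administrative credential, gated on a fresh second factor
    def checkout(self, user, account, purpose):
        now = self.clock()
        if now - self.mfa_verified_at.get(user, float("-inf")) > self.MFA_MAX_AGE:
            self._log("checkout_denied", user=user, account=account, reason="mfa_stale")
            return None
        acct = self.admin_accounts.get(account)
        if acct is None or not purpose.strip():     # the purpose is what the auditor reads later
            self._log("checkout_denied", user=user, account=account, reason="bad_request")
            return None
        if acct["holder"] is not None and acct["expires"] > now:
            self._log("checkout_denied", user=user, account=account, reason="already_checked_out")
            return None
        acct["holder"], acct["expires"] = user, now + self.CHECKOUT_TTL
        self._log("checkout", user=user, account=account, purpose=purpose)
        return acct["secret"]

    def checkin(self, user, account):
        acct = self.admin_accounts.get(account)
        if acct is None or acct["holder"] != user:
            self._log("checkin_denied", user=user, account=account)
            return False
        acct["secret"] = secrets.token_urlsafe(24)   # rotate so the value the admin saw is dead
        acct["holder"], acct["expires"] = None, 0.0
        self._log("checkin", user=user, account=account)
        return True


def make_platform(clock=time.time):
    """Constructed demo tenant: one administrator and one administrative account."""
    return PrivilegedAccessPlatform(
        users={"admin_jane": password_hash("correct horse")},
        admin_accounts={"hr_db_admin": "initial-secret"},
        clock=clock)


if __name__ == "__main__":
    pap = make_platform()
    code = pap.login("admin_jane", "correct horse")
    pap.verify_otp("admin_jane", code)
    pap.checkout("admin_jane", "hr_db_admin", "export payroll report for audit")
    pap.checkin("admin_jane", "hr_db_admin")
    for event in pap.audit:
        print(event)
```

The audit list is the piece the next section calls mandatory: each denial carries a reason, so an alert rule can fire on repeated `checkout_denied` or `otp_failed` events for one user, and each successful `checkout` carries the purpose the reviewer will later compare against what the account actually did.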
Lastly, comprehensive alert and audit mechanisms should be a mandatory requirement of every identity and access management system. Additionally, reviewing privileges at regular intervals ensures that users do not retain access to resources they no longer need to do their jobs, whether because a project has ended, because they have changed roles, or because they have left the company. These steps are just as important as provisioning access, and they are often neglected.
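The periodic review described here, together with the least-privilege and single-source-of-truth practices from the previous section, as an added example that is not part of this unit: the script reconciles the grants observed on systems against one authoritative directory of users, roles and engagement dates, and emits an audit line for every grant that should be revoked. The users, roles, entitlements and dates are constructed, and the record layout is an assumption for the example rather than any particular directory product's schema.

```python
"""Access review against a single source of truth (added example, not Trailhead code)."""
from dataclasses import dataclass
from datetime import date

# Constructed source-of-truth records: user -> role, employment status, end of engagement
DIRECTORY = {
    "alice": {"role": "project_engineer", "active": True,  "project_end": date(2025, 12, 31)},
    "bob":   {"role": "finance_analyst",  "active": True,  "project_end": None},
    "carol": {"role": "project_engineer", "active": False, "project_end": None},              # left the company
    "dave":  {"role": "contractor",       "active": True,  "project_end": date(2024, 6, 30)},  # engagement ended
}

# Least privilege: each role maps to exactly the entitlements its job needs
ROLE_ENTITLEMENTS = {
    "project_engineer": {"source_repo:read", "source_repo:write", "build_server:deploy"},
    "finance_analyst":  {"finance_db:read"},
    "contractor":       {"source_repo:read"},
}

# Grants observed on the actual systems (constructed): (user, entitlement)
OBSERVED_GRANTS = [
    ("alice", "source_repo:read"),
    ("alice", "source_repo:write"),
    ("alice", "finance_db:read"),      # an engineer holding financial data access
    ("bob",   "finance_db:read"),
    ("carol", "source_repo:write"),    # departed user whose grant was never removed
    ("dave",  "source_repo:read"),     # contract ended but access lingers
    ("erin",  "build_server:deploy"),  # account with no record in the source of truth
]

REVIEW_DATE = date(2025, 3, 1)   # constructed "today" for the review run


@dataclass
class Finding:
    user: str
    entitlement: str
    reason: str


def review_access(directory, role_entitlements, grants, today):
    """Return a Finding for every grant that should be revoked, in observed order.

    Checks run from most to least severe: an account nobody vouches for, a
    departed user, an ended engagement, and finally a grant outside the role.
    """
    findings = []
    for user, entitlement in grants:
        record = directory.get(user)
        if record is None:
            findings.append(Finding(user, entitlement, "unknown_account"))
        elif not record["active"]:
            findings.append(Finding(user, entitlement, "user_departed"))
        elif record["project_end"] is not None and record["project_end"] < today:
            findings.append(Finding(user, entitlement, "project_ended"))
        elif entitlement not in role_entitlements.get(record["role"], set()):
            findings.append(Finding(user, entitlement, "exceeds_role"))
    return findings


def audit_events(findings, today):
    """Render findings as one audit-log line each, ready for the alerting pipeline."""
    return [
        f"{today.isoformat()} ACCESS_REVIEW revoke user={f.user} "
        f"entitlement={f.entitlement} reason={f.reason}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in audit_events(review_access(DIRECTORY, ROLE_ENTITLEMENTS, OBSERVED_GRANTS, REVIEW_DATE), REVIEW_DATE):
        print(line)
```

Run on the constructed data, the review leaves Alice's repository access and Bob's finance access alone and flags four grants: Alice's finance access (outside her role), Carol's (departed), Dave's (engagement ended) and Erin's (no directory record). In practice the directory feed comes from the HR or identity system and the grant list from each target system's export, and the audit lines feed both a revocation ticket and an alert when the count jumps between runs.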
Sum It Up
Building strong identity and access management practices is key to protecting your organization’s mission-critical assets. In this unit, you’ve learned how to identify who has access to your network and associated data assets, the importance of implementing strong authentication technologies, how to apply the concept of least privilege, and how to manage privileged users. Next, let’s turn to protecting against one of the most common threats that users face every day: phishing.
Resources
- Trailhead: Protect Network Assets and Users
- External Site: CIS Control 14: Controlled Access Based on the Need to Know
- External Site: U.S. Department of Homeland Security: Protect the Organization’s Critical Assets