Small and Medium Organizations: Implement Access Control and Authorization
Modern computing devices often make it possible to grant individual users specific permissions. This ability to tightly control who can do what is beneficial within the context of IT security. However, your organization may find it challenging to provide and manage user access to network devices and applications. User access levels can vary greatly across your information systems and assets, and managing these varied levels of access can be time-consuming and costly.
How can my organization implement access control and authorization?
Just about all computing devices require the use of accounts (i.e. a username) so that users can access various functions and perform tasks. To ensure clear accountability, your organization should provide each user with a unique individual account. Avoid using shared accounts.
Administrator accounts have elevated privileges. Cyber threat actors can exploit these accounts for malicious purposes. Your organization should apply the principle of least privilege by assigning users the minimum level of access required to perform their tasks.
Your organization should prevent administrator accounts from being used for the activities of a regular user (e.g. browsing the Internet, checking emails, running applications that do not require elevated privileges). There is no reason to use an administrator account for such activities when a user account is enough.
Employees come and go, and so should their accounts. Implement a process and tools to manage the lifecycle of user accounts so that accounts are only active when they need to be.
Organizations should strongly consider implementing centralized authorization systems, such as Lightweight Directory Access Protocol (LDAP) or Active Directory.
Recommendations for your organization:
- Assign a unique account to each user
- Provide user accounts with the least privilege needed to perform required functions
- Restrict administrator accounts to administrative activities only
- Consider implementing a centralized authorization system