In this blog, the Grant McGregor team explain how to get it right.
We've shared an earlier version of this blog before, but we think this topic is worth repeating because it is an essential step in IT security. Security begins with knowing what or who you're trying to protect: data, people, devices.
So why is managing user accounts properly so important? In so many cases, old user accounts are still in place for employees who left the organisation over a year ago. Badly managed user accounts also include permissions that were set up poorly or in a hurry, and no audit trail of requests, changes, additions or deletions. All of this adds up to security chaos.
User Account Management describes the ability for administrators to manage (to create, remove, update and maintain) user access to various IT resources. These include networks, systems, applications, devices, cloud services and so on.
User accounts reside in some form of directory which is an electronic representation of your organisation’s people and structure. The management of user accounts is a core aspect of any system and is a cornerstone of essential IT security for all organisations.
We’ve discussed in previous blogs how, when we’ve taken on the IT management for a new customer, a quick look at Active Directory has revealed active user accounts for people who left the company months – or even years – ago.
Obviously, this creates a risk to the organisation.
Perhaps you’re exposed to a disgruntled employee who has left the business but, still being able to access the business systems, decides to wreak some revenge? Or perhaps it’s someone who has moved on to pastures new but just fancies helping themselves to your data? Or maybe it’s a hacker who has found some old user account details for sale on the dark web and has struck the jackpot with an older user account that hasn’t been updated or had a password change since the employee left your business?
These types of scenarios illustrate just why staying on top of user account management is so essential. So why isn’t everyone doing it?
The truth is that it can be a time-consuming and tricky task if you don’t put the right processes and procedures in place.
Good user account management requires your HR people to pass staff changes to IT as soon as they happen, so that IT has good visibility of joiners, movers and leavers.
This means that managing user accounts is, at least partly, dependent on HR.
Whether you link up via manual processes or automatically via your IT systems, HR must inform IT promptly of all new starters, all role and access changes, and all leavers.
If all this information resides in your HR system, then creating an automated report or directly integrating HR data with your Active Directory or other user account management solution is the easiest way to ensure prompt action.
A proactive IT partner will help you manage this process or integration and can even advise on which is going to be the most appropriate approach for your organisation.
We also recommend that you implement some kind of monitoring solution to check that accounts are still active and still relevant. This way, if there are any changes that your HR system isn’t tracking, you can ensure that your IT permissions and user account management still reflect them.
Furthermore, you’ll want to ensure that your IT partner retains management information in logs that can be audited or produced as evidence of good user account management if necessary.
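As an added example (not Grant McGregor's code, and not part of the original post), the PowerShell script below does the three things described above against Active Directory: it reconciles an HR export with AD to catch leavers HR has reported but IT has not actioned, it checks for enabled accounts that nobody has logged into for 90 days (changes HR may not be tracking), and it appends every finding to an audit log so that the review is evidenced. It assumes the RSAT ActiveDirectory module is installed, that HR exports a CSV with EmployeeID and Status columns, that AD accounts carry the same identifier in the employeeID attribute, and the file paths and OU shown; all of those names are assumptions.

```powershell
# Added example (not the original page's or Grant McGregor's code).
# Reconciles an HR export against Active Directory, reports leavers and
# stale enabled accounts, optionally disables them, and writes an audit log.
# Assumptions: RSAT ActiveDirectory module; HR CSV with EmployeeID and Status
# columns; AD accounts carry the same value in employeeID; paths and OU below.
Import-Module ActiveDirectory

$HrExport   = 'C:\HR\current-staff.csv'        # assumed path to the HR export
$AuditLog   = 'C:\IT\account-review-log.csv'   # assumed path to the audit log
$SearchBase = 'OU=Staff,DC=example,DC=local'   # assumed OU holding human users
$StaleDays  = 90
$DisableNow = $false   # set to $true to disable flagged accounts on this run

# Lookup of the EmployeeIDs HR currently regards as active.
$activeIds = @{}
Import-Csv $HrExport |
    Where-Object { $_.Status -eq 'Active' } |
    ForEach-Object { $activeIds[$_.EmployeeID] = $true }

$cutoff   = (Get-Date).AddDays(-$StaleDays)
$findings = New-Object System.Collections.Generic.List[object]

# Only enabled accounts are an exposure; service/RPA accounts live elsewhere
# (or are excluded by naming convention) so they do not trip the HR check.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
           -Properties employeeID, LastLogonDate, whenCreated |
ForEach-Object {
    $reason = $null
    if ([string]::IsNullOrEmpty($_.employeeID)) {
        $reason = 'No EmployeeID: cannot be matched to HR'
    } elseif (-not $activeIds.ContainsKey($_.employeeID)) {
        $reason = 'Not an active employee in HR export (leaver?)'
    } elseif (($null -eq $_.LastLogonDate) -and ($_.whenCreated -lt $cutoff)) {
        $reason = "Never logged on; created before $($cutoff.ToShortDateString())"
    } elseif (($null -ne $_.LastLogonDate) -and ($_.LastLogonDate -lt $cutoff)) {
        $reason = "No logon since $($_.LastLogonDate.ToShortDateString())"
    }
    if ($reason) {
        $findings.Add([pscustomobject]@{
            Timestamp      = (Get-Date).ToString('s')
            SamAccountName = $_.SamAccountName
            EmployeeID     = $_.employeeID
            LastLogonDate  = $_.LastLogonDate
            Reason         = $reason
            ActionTaken    = 'Reported'
            ReviewedBy     = $env:USERNAME
        })
    }
}

if ($DisableNow) {
    foreach ($f in $findings) {
        # Disable rather than delete: the SID, mailbox and audit trail survive,
        # and the account can be restored if HR's data turns out to be wrong.
        Disable-ADAccount -Identity $f.SamAccountName
        Set-ADUser -Identity $f.SamAccountName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by account review: $($f.Reason)"
        $f.ActionTaken = 'Disabled'
    }
}

# Append this run's findings to the audit log and show the reviewer a summary.
$findings | Export-Csv -Path $AuditLog -NoTypeInformation -Append
$findings | Format-Table SamAccountName, LastLogonDate, Reason, ActionTaken -AutoSize
```

Two caveats when using something like this. LastLogonDate is derived from the lastLogonTimestamp attribute, which replicates lazily and can be up to about 14 days behind the true last logon, so treat it as a trigger for review rather than proof that an account is unused. And disabling an on-premises account does not by itself release cloud licences or revoke sessions in SaaS applications; those need their own leaver steps, which is why the HR feed, not the stale-account check, should be the primary trigger.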
It might feel like it is easier just to request users are deleted off the system in an ad-hoc phone call, but how do you then ensure the action has been taken? How do you evidence your good practice in the event of a data breach?
Taking the time to implement automated or well-documented processes will pay off.
Not only is this best practice in terms of data hygiene and essential in IT security, it can also save you money over the long term. Just think about the number of systems and applications that a typical user has access to in the course of their working life. How much money could you be wasting on licences and subscription fees for users that left your organisation months ago?
User account management shouldn’t just extend to your human users either. Robotic process automation (RPA) has confused the picture considerably – with robots requiring access to systems and user licences to carry out the automated actions they have been designed to do. When RPA software applications are retired, or the processes around them change, your user accounts and privileges also need to be reviewed again to ensure that you aren’t leaving your systems unnecessarily exposed or that you are paying for licences that aren’t being used.
Managing user accounts effectively goes hand in hand with the principle of least privilege. This is a security approach that denies access rights unless they are absolutely necessary as part of the individual’s day-to-day work.
You can find out more about the principle of least privilege in our recent blog.
Essentially, the more you lock down, the more you can reduce your potential attack surface – in the same way that if you delete inactive users you are reducing your potential attack surface.
If you’re interested in improving your own user account management, we recommend that you put the following in place:
• an effective joiners, movers and leavers policy
• an agreed process for working with HR
• automated processes wherever possible
• monitoring of user accounts and permissions
• logs of all changes and updates
• regular licence and subscription reviews
The Grant McGregor team are, as always, on hand to answer any questions you may have on this topic. Please reach out to our team on 0808 164 4142.
Or download our 12 step security checklist here: