Today is a typical January day, cold, wet and miserable.  I really didn’t feel like getting out of bed but hey, not a lot of choice until I become a multi-millionaire and pay someone to get out of bed for me – I wish.  I’m starting the day with a large coffee from Costa to try and kick-start my creative juices and get this blog written. And no, I’m not writing it in Costa, it’s a takeaway.  I’ve written several pieces on the dangers of insecure coffee shop Wi-Fi.

Those of you who have managed to plough your way through some of my earlier stuff will know that I am very big on user awareness training for staff at all levels, believing as I do that it is arguably one of the quickest wins an SME can make to protect itself against cybercrime.  There is, however, a very close second, and that is identity and access management.

Before I get into that, let’s talk a bit about Zero Trust.  You might have heard the term but what exactly does it mean?  Zero Trust architecture is a security concept that emphasises the importance of continuous verification and strict access controls within a network environment. It operates on the principle of “trust no one” and assumes that no user or device should be inherently trusted, even if they are within the network perimeter. Instead, Zero Trust focuses on authenticating and authorising every access attempt, regardless of its source or location.

In a Zero Trust architecture, access controls are implemented based on various factors, such as user identity, device health, location, and other contextual information. This approach helps prevent lateral movement within a network, reduces the impact of potential breaches, and improves overall security posture.

Zero Trust architectures typically employ technologies such as multifactor authentication, encryption, micro-segmentation, and continuous monitoring to enforce access controls and detect anomalous behaviour. By adopting a Zero Trust mindset, organisations can enhance their security defences and better protect against modern cyber threats.
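To make the "authenticate and authorise every access attempt" idea concrete, here is a small policy evaluator written for this post as an added example (it is not code from any product or published reference architecture). Every signal name, threshold, country list and resource name in it is an assumption chosen to show the shape of the decision: identity, MFA, device health and location are all checked on every request, and being on the corporate network is recorded but never used to grant anything.

```python
"""Added example: a minimal Zero Trust access-policy evaluator.

Illustrative code written for this post. All signal names, thresholds
and sample values are assumptions, not any vendor's policy language.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    roles: set               # roles the authenticated identity holds
    mfa_verified: bool       # second factor completed for this session
    mfa_age_minutes: int     # how long ago the second factor was completed
    device_managed: bool     # device enrolled in endpoint management
    device_patched: bool     # OS / agent up to date according to that management
    country: str             # geolocation of the request (assumed known)
    on_corporate_network: bool
    resource: str
    resource_roles: set      # roles entitled to reach this resource


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Constructed example values for the policy.
ALLOWED_COUNTRIES = {"GB", "IE"}
SENSITIVE_RESOURCES = {"finance-db", "hr-records"}
STEP_UP_MAX_MFA_AGE_MINUTES = 15


def evaluate(req: AccessRequest) -> Decision:
    """Run every check on every request and collect all failure reasons,
    so the audit log explains exactly why access was denied."""
    reasons = []

    # 1. Identity: the caller must hold a role entitled to the resource.
    if not (req.roles & req.resource_roles):
        reasons.append("role not entitled to resource")

    # 2. Strong authentication is required regardless of where the request
    #    comes from; req.on_corporate_network deliberately grants nothing.
    if not req.mfa_verified:
        reasons.append("MFA not verified")

    # 3. Device health: unmanaged or unpatched devices are denied.
    if not req.device_managed:
        reasons.append("device not managed")
    if not req.device_patched:
        reasons.append("device not patched")

    # 4. Context: location outside the allowed set.
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"request from disallowed country {req.country}")

    # 5. Continuous verification: sensitive resources require a recent
    #    second factor (step-up), not just one at the start of the day.
    if (req.resource in SENSITIVE_RESOURCES
            and req.mfa_age_minutes > STEP_UP_MAX_MFA_AGE_MINUTES):
        reasons.append("recent MFA required for sensitive resource")

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    # An "inside the perimeter" request with no MFA is still denied.
    inside = AccessRequest("alice", {"finance"}, False, 999, True, True,
                           "GB", True, "finance-db", {"finance"})
    print(evaluate(inside))
```

The point of the structure is that the network location field exists only so it can be logged; removing it changes no decision, which is exactly the "trust no one" property the text describes.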

Getting back to Identity and Access Control, there is mounting evidence that the message is getting through that, although passwords are very important, they most certainly aren’t the panacea that many think they are.  We can see many organisations moving to two-factor authentication as the norm now.  In fact, if you want to be accredited to Cyber Essentials or ISO 27001, it’s a requirement without which you won’t pass.  A charity I volunteered for has done just that, and not before time, considering the amount of personal data they are holding.  But is that enough?

Compromised credentials are very high on the list of cybercrime related incidents that we see and have to deal with.  Protecting these identities can be a very technical issue, and advice and guidance will be needed to ensure that you are adequately covered.  However, it needn’t be overly expensive, nor need it be overly complicated.  In fact, I’m a great believer that the simplest solution is often the best solution.  I’m an adherent of the KISS principle: Keep It Simple, Stupid.

Questions to ask yourself include:

  1. Are your user accounts configured with the minimum level of privilege they need to do their job?
  2. If an employee needs additional privilege to carry out a one off job, how do you ensure that once it’s completed, the privilege is revoked?
  3. What is a privileged account?  Typically it’s someone who needs additional privileges as part of their daily tasks, such as adding/removing users, auditing actions, or access to more secure areas of the network (finance, management data and so on).  Are you limiting by policy the roles within your organisation that need privileged accounts, and are you specifying explicitly what those privileges are, by role?
  4. Are your privileged accounts subject to greater levels of auditing and scrutiny?
  5. Do you have a joiners and leavers process to manage active accounts?
  6. Do you have a movers process, i.e. for employees that change roles and require different levels of access to carry out their new role, either adding or removing privilege?

Another issue that you may need to consider is any accounts that exist on your network that may be used by third party suppliers.  Many companies use ‘just in time’ supply management which can require third parties to have access to their network.  Another example is people like me who, when carrying out things like vulnerability assessments, may be given privileges to scan the network.  Is that revoked at the end of the scan?  And of course, there is the IT company you may have under contract which actively has access to your network to carry out maintenance and might also have a contract for controlling user privilege.  Or perhaps the company you have under contract maintaining your alarms and security cameras, which you didn’t know were actually using your network to connect to each other and their control room.
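The questions above (least privilege by role, revoking one-off privilege, joiners, movers and leavers) and the third-party accounts just discussed can all be checked with the same simple review: compare what the directory says against what HR and your contracts say. The script below is an added example written for this post, not any organisation's real process; the HR roster, directory export, role-to-group mapping, account names and dates are constructed sample data, and the idea of an "expires" attribute on temporary and supplier accounts is an assumption about how you might record it.

```python
"""Added example: a joiners / movers / leavers and privilege-expiry review.

Illustrative code written for this post. The roster, directory export,
role mapping and dates are constructed; real exports will differ.
"""
from datetime import date

TODAY = date(2024, 1, 15)   # fixed "today" so the example is reproducible

# Which directory groups each role is entitled to (assumed policy, by role).
ROLE_GROUPS = {
    "finance":  {"staff", "finance-share"},
    "helpdesk": {"staff", "user-admins"},
    "sales":    {"staff", "crm-users"},
}

# HR roster: current role and employment status (constructed).
HR = {
    "alice": {"role": "finance", "status": "active"},
    "bob":   {"role": "sales",   "status": "active"},   # moved from helpdesk
    "carol": {"role": "finance", "status": "left"},
}

# Directory export: enabled flag, group memberships, optional expiry for
# temporary grants or supplier contracts, third-party marker (constructed).
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"staff", "finance-share"}},
    "bob":   {"enabled": True, "groups": {"staff", "crm-users", "user-admins"}},
    "carol": {"enabled": True, "groups": {"staff", "finance-share"}},
    "dave-temp-admin": {"enabled": True, "groups": {"domain-admins"},
                        "expires": date(2024, 1, 10)},
    "pentest-vendor":  {"enabled": True, "groups": {"scanner"},
                        "expires": date(2024, 2, 1), "third_party": True},
    "cctv-vendor":     {"enabled": True, "groups": {"staff"}, "third_party": True},
}


def review_accounts(hr, directory, today):
    """Return (account, finding) pairs for every enabled account that does
    not line up with HR status, role entitlement or its own expiry date."""
    findings = []
    for account, info in directory.items():
        if not info["enabled"]:
            continue                      # disabled accounts are out of scope here
        person = hr.get(account)

        if person is None:
            # Not a member of staff: must be a labelled third party or a
            # temporary grant, and either way must carry an expiry date.
            expires = info.get("expires")
            if info.get("third_party"):
                if expires is None:
                    findings.append((account, "third-party account has no expiry date"))
                elif expires < today:
                    findings.append((account, "third-party access past its end date"))
            elif expires is not None:
                if expires < today:
                    findings.append((account, "temporary privilege past expiry, still enabled"))
            else:
                findings.append((account, "enabled account with no HR record or expiry"))
            continue

        # Leavers process: anyone HR says has left must not be enabled.
        if person["status"] != "active":
            findings.append((account, "leaver still has an enabled account"))
            continue

        # Movers / least privilege: groups must match the current role exactly.
        entitled = ROLE_GROUPS[person["role"]]
        extra = info["groups"] - entitled
        if extra:
            findings.append((account, f"groups beyond role entitlement: {sorted(extra)}"))
        missing = entitled - info["groups"]
        if missing:
            findings.append((account, f"groups missing for role: {sorted(missing)}"))
    return findings


if __name__ == "__main__":
    for account, finding in review_accounts(HR, DIRECTORY, TODAY):
        print(f"{account:18} {finding}")
```

Run against the sample data it reports the leaver (carol), the mover who kept an old privileged group (bob), the expired temporary admin account and the camera supplier account that has no end date, while alice and the still-in-contract scanning account produce nothing. The useful habit is running this on a schedule and treating an empty result as the expected state.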

What about logging?  What is logging?  Every system has a set of logs which can be switched on or off.  I often come across networks where logging has been switched off or never activated because it’s considered to be an overhead you can live without.  Well, I disagree with that, quite vehemently.  Logging helps you to determine what normal looks like.  For example, users carry out a known set of functions within their role.  If a user is stepping outside of that profile, you need to find out why.  Is it a user who is doing something they simply didn’t realise they shouldn’t, or is it something more serious?  Is it an identity that has been created or hijacked by a cybercriminal who has managed to gain access?  Examination of these logs will help you understand that.  There is of course software on the market that will be of great help with this.  And of course, what do you do if you are suspicious of an activity or action by a user?
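Here is what "knowing what normal looks like" can amount to in practice: a per-role profile of expected actions, targets, working hours and source networks, and a pass over the audit log that flags anything outside it. This is an added example written for this post; the log format, the role profiles, the list of privileged actions and the internal address range are all constructed for illustration, and real systems will have their own event formats.

```python
"""Added example: flagging activity outside a user's normal role profile.

Illustrative code written for this post. Log lines, profiles, the
privileged-action list and the internal network prefix are constructed.
"""
import re

# Constructed audit log: timestamp, user, action, then target or source.
LOG = """\
2024-01-15T08:01:12 user=alice action=login src=10.0.1.20
2024-01-15T08:05:40 user=alice action=read target=finance-share
2024-01-15T08:06:02 user=alice action=write target=finance-share
2024-01-15T09:14:55 user=bob action=login src=10.0.1.31
2024-01-15T09:15:10 user=bob action=read target=crm
2024-01-15T23:41:07 user=bob action=login src=203.0.113.9
2024-01-15T23:42:30 user=bob action=add_user target=directory
2024-01-15T23:43:01 user=bob action=read target=finance-share
2024-01-15T10:02:00 user=svc-backup action=read target=finance-share
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?(?: src=(?P<src>\S+))?$"
)

# What "normal" looks like per user, derived from their role (assumed).
PROFILES = {
    "alice": {"role": "finance", "actions": {"login", "read", "write"},
              "targets": {"finance-share"}, "hours": (7, 19)},
    "bob":   {"role": "sales", "actions": {"login", "read"},
              "targets": {"crm"}, "hours": (7, 19)},
}
PRIVILEGED_ACTIONS = {"add_user", "remove_user", "grant"}   # always worth a look
INTERNAL_NETS = ("10.",)                                     # constructed internal range


def parse(line):
    """Turn one log line into a dict; refuse lines that do not fit the format."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def analyse(log_text):
    """Return (user, timestamp, reasons) for every event outside its profile."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        reasons = []
        profile = PROFILES.get(ev["user"])
        if profile is None:
            # An account nobody has a profile for is itself a finding.
            reasons.append("no profile for account")
        else:
            hour = int(ev["ts"][11:13])
            start, end = profile["hours"]
            if not start <= hour < end:
                reasons.append("outside normal hours")
            if ev["action"] not in profile["actions"]:
                reasons.append("action outside role profile")
            if ev["target"] and ev["target"] not in profile["targets"]:
                reasons.append("target outside role profile")
            if (ev["action"] == "login" and ev["src"]
                    and not ev["src"].startswith(INTERNAL_NETS)):
                reasons.append("login from external address")
        if ev["action"] in PRIVILEGED_ACTIONS:
            reasons.append("privileged action")
        if reasons:
            flagged.append((ev["user"], ev["ts"], reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in analyse(LOG):
        print(ts, user, "; ".join(reasons))
```

On the sample log alice's day produces nothing, while bob's late-night login from an outside address followed by a user-admin action and a read of the finance share is flagged three times over, and the service account is flagged simply because nobody has written down what it is supposed to do. Whether each of those is a mistake, a misconfiguration or a hijacked identity is exactly the question the text says the logs are there to help you answer.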

This is a big and crucial issue that deserves attention, more attention than a short blog like this can give it.  So if you would like more information, we would be happy to oblige.
