Many suggest that the biggest vulnerabilities in a network environment are its users. If only there were some way to control those unruly users… Oh, but there is! By implementing a combination of different techniques, you can limit the damage that can be done by users (or attackers in users’ guise). I refer to those techniques as the “Four ‘As’ of Account Management”, as a mnemonic device to help me remember those aspects of user account wrangling.
This article is intended as a brief introduction to the various techniques, and how they interact to improve security in your network environment. In future articles, I will go in more depth about those techniques to give you a better idea of their specific applications and importance.
- Authentication – You are who you say you are
The first step of account management is the one we are all most likely familiar with: Authentication. This is how we establish an identity and show that we are who we say we are. In an online sense, this usually entails choosing a username and a password to be associated with our account. Each time we log into a website, app or other online service, we are verifying our identity by correctly entering that same set of credentials.
- Authorization – You are allowed access
After we prove who we say we are, we need to be allowed permission to do things in that network. All too often, this process happens automatically as part of establishing an identity; most of the time users are given blanket access privileges unless they’re required to pay for certain features. Authorization gives users approval to access particular resources such as: private, shared or sensitive files and directories, allotted amounts of storage space, or a limited duration of access. In a work environment, these permissions are often chosen based on a variety of factors including the user’s work group, their title or their role within that group, and specific job duties.
- Access control – Excluding access
Another part of defining appropriate user privileges is the exclusion of users from restricted areas. Access control allows an administrator to do that by excluding certain groups or people from resources and services that they do not have authority to use. Authentication can offer a sort of de facto access control, in that it can deny entry to those whose identities are not verified. Better yet, it can also allow administrators to limit users’ access only to those activities or resources that they need in order to carry out their daily tasks.
- Audit logging – Who did what, and when
Sometimes it is helpful to have more than just permissions and exclusions; indeed, because unwanted or unexpected things can happen, it’s a good idea to keep a log of all activities. Audit logging keeps a running record of what activities were done by whom, and at what time, so that an administrator or auditor has more specific data to examine.
While it may be easier to start from a position of allowing users the most expansive permissions, this is also a recipe for letting them run roughshod over our network. We have many tools available to limit the inherent risk of allowing users to access our network: establishing policies of limited permissions and greater exclusions, logging and monitoring activity, and then regularly managing accounts to make sure the access they have been granted is still at an appropriate level, can help us do this.
In future articles we’ll go into more depth regarding these techniques, to give you ideas for how they can be best used in your environment.
Author Lysa Myers, ESET