A key part of protecting information is to make sure users only have access to what they need to do their job. Permissions need updating when the role of an individual changes. When they leave, their account(s) need to be removed or suspended in some way. In an ideal world there would be an email or signed form from an approved person for every change. In some companies that will always be the case, but for many there will be exceptions, such as the CEO on the phone late at night demanding a permission change so someone can urgently review and update the document needed to win some new business. The permission change is made, you make a note to follow it up in the morning, but then something else urgent happens, and it never quite gets to the top of the To Do list.
Regular permission reviews should be part of the audit cycle.
- Does everyone have the right permissions for their job?
- Are there records for new starters and leavers?
- Are there records of why changes have been made?
Now that information is stored in the cloud as well as on the corporate network, the checks need to extend beyond reviews of Active Directory (or the equivalent). Even with single sign-on, someone may have manually set up user logins in a cloud service. Part of the review should be random checks of all the cloud services being used – if you don’t have them in a whitelist, this is the ideal time to create one – to confirm that everything is in order.
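As an added example (not part of the original post), the following Python script carries out the review questions above as a reconciliation: it compares constructed HR, directory, cloud-service and change-log records and flags leavers who still hold accounts, permissions beyond the role baseline that have no recorded approval, cloud logins created outside single sign-on, and services missing from the whitelist. All users, services and records are constructed sample data.

```python
# Constructed sample data standing in for HR, Active Directory and cloud-service exports.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "left", "role": "sales"},          # leaver whose offboarding never finished
    "carol": {"status": "active", "role": "engineering"},
}
ROLE_PERMISSIONS = {"finance": {"ledger_rw"}, "sales": {"crm_rw"}, "engineering": {"repo_rw"}}
DIRECTORY = {"alice": {"ledger_rw"}, "bob": {"crm_rw"}, "carol": {"repo_rw", "ledger_rw"}}
CLOUD_ACCOUNTS = {                     # service -> {user: how the login was created}
    "crm.example": {"alice": "sso", "bob": "sso"},
    "docs.example": {"carol": "sso", "dave": "local"},   # "dave" has no directory account
    "notes.example": {"alice": "local"},                 # service nobody put on the whitelist
}
APPROVED_SERVICES = {"crm.example", "docs.example"}
# The late-night change: made, but never followed up with a recorded approval.
CHANGE_LOG = [{"user": "carol", "permission": "ledger_rw", "approved_by": None}]

def review_access(hr, role_perms, directory, cloud, approved_services, change_log):
    findings = []  # (finding, detail) pairs the reviewer should question
    approved = {(c["user"], c["permission"]) for c in change_log if c["approved_by"]}
    leavers = {u for u, rec in hr.items() if rec["status"] != "active"}
    # Leavers: no account should survive in the directory or in any cloud service.
    for user in sorted(leavers & set(directory)):
        findings.append(("leaver_has_directory_account", user))
    for service, accounts in cloud.items():
        for user in sorted(leavers & set(accounts)):
            findings.append(("leaver_has_cloud_account", f"{user}@{service}"))
    # Directory: every permission beyond the role baseline needs a recorded approval.
    for user, perms in directory.items():
        if user not in hr:
            findings.append(("account_without_hr_record", user))
            continue
        for perm in sorted(perms - role_perms.get(hr[user]["role"], set())):
            if (user, perm) not in approved:
                findings.append(("unapproved_permission", f"{user}:{perm}"))
    # Cloud: flag services outside the whitelist and logins that bypassed single sign-on.
    for service, accounts in cloud.items():
        if service not in approved_services:
            findings.append(("unlisted_cloud_service", service))
        for user, method in accounts.items():
            if method != "sso" or user not in directory:
                findings.append(("cloud_account_outside_sso", f"{user}@{service}"))
    return sorted(findings)

def run_review():
    return review_access(HR_ROSTER, ROLE_PERMISSIONS, DIRECTORY, CLOUD_ACCOUNTS,
                         APPROVED_SERVICES, CHANGE_LOG)

if __name__ == "__main__":
    print(*run_review(), sep="\n")
```

In practice the four inputs would be exports from HR, the directory and each cloud service's admin console; the point is that the leaver and the manually created cloud login only show up when all of them are compared together.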
This may also reduce costs. Closing down a cloud account for someone who has left could get you to a lower cost threshold. If you are paying for each user there is an immediate benefit. It just goes to show that improving security doesn’t always mean extra costs.