Control: Automatic access deactivation
- Automatically deactivate all of a user's access when the user leaves the organization.
- Trigger from a system of record (SoR) where one exists -- for example, the HR system for employees.
- Trigger by request where there is no SoR, or where the SoR is updated late or unreliably.
Control: Segregation of duties (SoD)
- Define sets of entitlements that must not be held at the same time by any one user (for example, the ability to create a vendor and the ability to approve payments to vendors).
- Prevent users from acquiring new entitlements that would violate the policy (a preventive check at request time).
- Find users whose existing rights already violate the policy and remediate their access (a detective check).
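The two SoD checks above, preventive and detective, as an added example that is not code from the original page. The roles, entitlements, rules and users are constructed sample data; the point the example adds is that entitlements reached through nested roles or group memberships must be flattened before the toxic-combination test, or a violation hidden one level down is missed.

```python
"""Segregation-of-duties (SoD) checks: a preventive check at request time and a
detective scan over existing assignments. Roles, entitlements, rules and users
below are constructed sample data, not a real policy."""

# Role -> items it grants. Items prefixed "role:" are nested roles; everything
# else is a leaf entitlement. (Constructed sample data.)
ROLES = {
    "ap-clerk":    {"ap.create_vendor", "ap.enter_invoice"},
    "ap-approver": {"ap.approve_payment"},
    "ap-manager":  {"role:ap-approver", "ap.run_reports"},   # nests ap-approver
    "readonly":    {"ap.run_reports"},
}

# SoD rules: combinations of entitlements no single user may hold at once.
SOD_RULES = [
    frozenset({"ap.create_vendor", "ap.approve_payment"}),  # create a vendor and pay it
    frozenset({"ap.enter_invoice", "ap.approve_payment"}),  # enter an invoice and approve it
]

# User -> assigned items (roles and/or direct entitlements). Constructed.
USERS = {
    "alice": {"role:ap-clerk"},
    "bob":   {"role:ap-clerk", "role:ap-manager"},   # violates both rules via the nested role
    "carol": {"role:readonly", "ap.approve_payment"},
}


def effective_entitlements(assigned, roles=ROLES):
    """Flatten roles (including nested roles) into the set of leaf entitlements.
    The `seen` set guards against role cycles; unknown roles grant nothing."""
    result, seen, stack = set(), set(), list(assigned)
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        if item.startswith("role:"):
            stack.extend(roles.get(item[len("role:"):], ()))
        else:
            result.add(item)
    return result


def violations(entitlements, rules=SOD_RULES):
    """Return every SoD rule whose toxic combination is fully present."""
    return [rule for rule in rules if rule <= entitlements]


def check_request(current, requested, roles=ROLES, rules=SOD_RULES):
    """Preventive control: would granting `requested` on top of `current` create
    a *new* SoD violation? Returns (allowed, new_violations). Pre-existing
    violations are not re-blocked here; scan_users() reports those."""
    before = violations(effective_entitlements(current, roles), rules)
    after = violations(effective_entitlements(set(current) | set(requested), roles), rules)
    new = [rule for rule in after if rule not in before]
    return (not new, new)


def scan_users(users, roles=ROLES, rules=SOD_RULES):
    """Detective control: map each user who already violates policy to the rules violated."""
    report = {}
    for user, assigned in users.items():
        hits = violations(effective_entitlements(assigned, roles), rules)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    allowed, new = check_request({"role:ap-clerk"}, {"role:ap-approver"})
    print("grant ap-approver to a clerk:", "allowed" if allowed else f"blocked by {len(new)} rule(s)")
    for user, hits in scan_users(USERS).items():
        print(f"{user}: violates {[sorted(r) for r in hits]}")
```

`check_request` only blocks combinations the request would newly create, so a user who already violates policy is not silently "fixed" by denying unrelated requests; that case belongs to the detective scan and to remediation.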
Control: Approval for access
- Pass all access requests through a workflow system.
- Require approval by business stakeholders for any request that represents material risk.
- Invite managers, policy owners or data owners to approve access.
- Effective for ensuring that newly granted rights are business-appropriate.
Control: Access certification
- Periodically ask stakeholders to review users and their entitlements.
- Each item is either certified (marked as acceptable) or marked for revocation.
- Invite managers, policy owners and application/data owners to perform the reviews.
- Effective for finding inappropriate rights among existing entitlements, which approval workflows (which only see new requests) cannot catch.
Control: Orphan and dormant accounts and profiles
- Find orphan accounts -- accounts not associated with any owner, including accounts whose recorded owner no longer exists.
- Find orphan user profiles -- profiles that have no accounts.
- Find dormant accounts -- accounts with no recent login activity.
- Find dormant user profiles -- profiles whose accounts are all dormant.
- Automatically disable such accounts and/or highlight them for manual review.
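The four findings above, computed over an inventory of profiles and discovered accounts, as an added example that is not code from the original page. The profiles, accounts, timestamps and the 90-day idle threshold are constructed sample data; it also shows the triage decision a practitioner has to make, since an ownerless account that is still logging in is usually a service account and should be reviewed rather than disabled automatically.

```python
"""Orphan and dormant account/profile detection over an identity inventory.
The profiles and accounts below are constructed sample data; in practice they
come from the identity system and from connectors to each target system."""
from datetime import datetime, timedelta, timezone

# User profiles (identities) known to the identity system. Constructed.
PROFILES = {"u100": "Alice", "u101": "Bob", "u102": "Carol"}

# Accounts discovered on target systems (constructed):
# (system, account, owner profile id or None, last login as ISO-8601 UTC or None)
ACCOUNTS = [
    ("ad",     "alice",          "u100", "2024-05-30T09:00:00Z"),
    ("sap",    "alice.s",        "u100", "2023-11-01T09:00:00Z"),
    ("ad",     "bob",            "u101", "2023-09-15T12:00:00Z"),
    ("sap",    "bsmith",         "u101", None),                    # never logged in
    ("ad",     "svc_backup",     None,   "2024-06-01T03:00:00Z"),  # no owner, but in use
    ("ad",     "jdoe",           None,   "2022-01-01T00:00:00Z"),  # no owner, unused
    ("gitlab", "old-contractor", "u999", "2024-06-10T08:00:00Z"),  # owner profile no longer exists
]

# Reference time and idle threshold for the sample run (constructed).
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
MAX_IDLE = timedelta(days=90)


def parse_ts(value):
    """ISO-8601 'Z' timestamp -> aware datetime; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def orphan_accounts(accounts, profiles):
    """Accounts with no owner, or whose owner id does not resolve to a profile."""
    return [(sysname, acct) for sysname, acct, owner, _ in accounts
            if owner is None or owner not in profiles]


def orphan_profiles(accounts, profiles):
    """Profiles that own no account on any system."""
    owners = {owner for _, _, owner, _ in accounts}
    return sorted(pid for pid in profiles if pid not in owners)


def dormant_accounts(accounts, now, max_idle):
    """Accounts never used, or not used since `now - max_idle`."""
    cutoff = now - max_idle
    result = []
    for sysname, acct, _, last in accounts:
        seen = parse_ts(last)
        if seen is None or seen < cutoff:
            result.append((sysname, acct))
    return result


def dormant_profiles(accounts, profiles, now, max_idle):
    """Profiles that own at least one account and all of whose accounts are dormant."""
    dormant = set(dormant_accounts(accounts, now, max_idle))
    by_owner = {}
    for sysname, acct, owner, _ in accounts:
        if owner in profiles:
            by_owner.setdefault(owner, set()).add((sysname, acct))
    return sorted(pid for pid, accts in by_owner.items() if accts <= dormant)


def triage(accounts, profiles, now, max_idle=MAX_IDLE):
    """Decide an action per finding: disable automatically only where the account
    is both ownerless and unused; everything else goes to a human reviewer."""
    orphans = set(orphan_accounts(accounts, profiles))
    dormant = set(dormant_accounts(accounts, now, max_idle))
    actions = {}
    for key in orphans | dormant:
        if key in orphans and key in dormant:
            actions[key] = "disable"
        elif key in orphans:
            actions[key] = "review: no owner but recently used (service account?)"
        else:
            actions[key] = "review: dormant, owner exists"
    return actions


if __name__ == "__main__":
    print("orphan profiles:", orphan_profiles(ACCOUNTS, PROFILES))
    print("dormant profiles:", dormant_profiles(ACCOUNTS, PROFILES, NOW, MAX_IDLE))
    for (sysname, acct), action in sorted(triage(ACCOUNTS, PROFILES, NOW).items()):
        print(f"{sysname}/{acct}: {action}")
```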
Control: Risk scores
- Assign business risk scores to signals such as the entitlements a user holds, the number of subordinates, the frequency of transfers between positions, or other indicators.
- Aggregate the scores per user to identify high-risk users.
- Adjust the approval and certification processes (for example, require additional approvers or more frequent reviews) when high-risk users are involved.
Control: Password security
- Ensure that users choose hard-to-guess (but memorable) passwords, do not reuse them across systems, and change them whenever compromise is suspected.
- Note that current guidance (NIST SP 800-63B) recommends against forcing periodic password changes, which tend to produce predictable variations, and instead recommends screening new passwords against lists of known-breached and commonly used values.
Control: Authentication prior to IT support
- Reliably authenticate users before assisting them with login problems, such as forgotten passwords or clearing lockouts.
- Combine multiple factors, such as sending a PIN to the user's registered phone and having the user answer security questions. Security questions alone are weak (answers are often guessable or publicly discoverable), so use them only in combination with a stronger factor.
Control: Randomize and vault passwords
- Periodically change the passwords of service accounts, app-to-app accounts and administrator accounts.
- Set each password to a long random string and store it in a secure vault where access can be controlled and audited.
Control: Control access to elevated privileges
- Authenticate and authorize each request for access to shared privileged accounts or privileged group memberships.
- Grant access for short time windows only (and, for shared passwords, rotate the credential when the window ends so the disclosed value stops working).
- Pre-authorize frequent users and require approval for single-use requests from everyone else.
Control: Audit elevated access
- Log every request and every session initiation in which elevated privileges are used, including who requested and who approved it.
- Record login sessions (screen video, keystroke logging, etc.) where required.
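The three preceding controls (randomize and vault passwords; time-boxed, pre-authorized or approved check-out; audit of elevated access) form one procedure, so here is one added example covering all of them. It is not code from the original page: an in-memory vault model with constructed account and user names, integer Unix timestamps, and a one-hour lease. A real deployment would store secrets encrypted at rest and push each rotated password to the target system; the model shows the control logic, including the edge case where two users hold the same account and rotation must wait for the last lease to end.

```python
"""Privileged-credential vault: random passwords, time-boxed check-out with
pre-authorization or single-use approval, rotation on release, audit trail.
In-memory model with constructed names; times are integer Unix seconds."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def random_password(length=32):
    """Cryptographically random password (module `secrets`, never `random`)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Vault:
    def __init__(self, accounts, pre_authorized, lease=3600):
        self._passwords = {a: random_password() for a in accounts}  # vaulted secrets
        self.pre_authorized = pre_authorized  # account -> set of users needing no approval
        self.lease = lease                    # seconds a check-out stays valid
        self.leases = {}                      # (user, account) -> expiry time
        self.audit = []                       # append-only event log

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def authorize(self, user, account, approved_by=None):
        """Return the basis on which `user` may check out `account`, or None.
        Frequent users are pre-authorized; anyone else needs a single-use
        approval from someone other than themselves (no self-approval)."""
        if user in self.pre_authorized.get(account, ()):
            return "pre-authorized"
        if approved_by is not None and approved_by != user:
            return f"approved by {approved_by}"
        return None

    def checkout(self, user, account, now, approved_by=None):
        """Disclose the current password for a short lease, logging the decision."""
        if account not in self._passwords:
            raise KeyError(account)
        basis = self.authorize(user, account, approved_by)
        if basis is None:
            self._log("checkout_denied", user=user, account=account, at=now)
            raise PermissionError(f"{user} is not authorized for {account}")
        expiry = now + self.lease
        self.leases[(user, account)] = expiry
        self._log("checkout", user=user, account=account, basis=basis, at=now, expires=expiry)
        return self._passwords[account], expiry

    def rotate(self, account, now):
        """Set a fresh random password; any previously disclosed value is now dead."""
        self._passwords[account] = random_password()
        self._log("rotate", account=account, at=now)

    def _release(self, user, account, now, event):
        del self.leases[(user, account)]
        self._log(event, user=user, account=account, at=now)
        # Rotate only once the last holder is gone; rotating earlier would
        # break another user's still-valid lease on the same account.
        if not any(a == account for _, a in self.leases):
            self.rotate(account, now)

    def checkin(self, user, account, now):
        """Early release by the user."""
        if (user, account) not in self.leases:
            raise KeyError("no active lease")
        self._release(user, account, now, "checkin")

    def expire_leases(self, now):
        """Housekeeping: end leases past their expiry. Returns the leases ended."""
        expired = [k for k, exp in self.leases.items() if exp <= now]
        for user, account in expired:
            self._release(user, account, now, "lease_expired")
        return expired

    def rotate_all(self, now):
        """Scheduled rotation for accounts not currently checked out."""
        in_use = {account for _, account in self.leases}
        for account in self._passwords:
            if account not in in_use:
                self.rotate(account, now)

    def password_matches(self, account, candidate):
        """Constant-time check of a candidate against the vaulted value (for verification)."""
        return secrets.compare_digest(self._passwords[account], candidate)


if __name__ == "__main__":
    vault = Vault(["root@db01", "admin@fw01"], {"root@db01": {"alice"}})
    pw, exp = vault.checkout("alice", "root@db01", now=1_000_000)
    print("alice holds root@db01 until", exp)
    vault.expire_leases(now=1_003_600)
    print("old password still valid?", vault.password_matches("root@db01", pw))
    for event in vault.audit:
        print(event)
```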
Control: Multi-factor authentication
- Replace password-only or security-question-only authentication with multiple factors, such as hardware tokens, authenticator apps or PINs sent to smartphones. PINs delivered by SMS are the weakest of these (exposed to SIM swapping and interception) and are better used as a fallback than as the primary second factor.
- Use federation (for example, SAML or OpenID Connect) to extend strong authentication to applications, especially SaaS, so each application does not have to implement its own MFA.
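The soft-token factor mentioned above (the time-based one-time code an authenticator app on a smartphone produces) follows RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from the original page: a standard-library implementation with a verifier that tolerates one step of clock skew and refuses to accept a step that has already been consumed, which is the replay check that naive verifiers omit. The `RFC_TEST_SECRET` is the published test-vector key and exists only so the results can be checked; real enrolment uses the `enrol()` helper.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps, with a
verifier that tolerates clock skew and rejects replay of a consumed step."""
import base64
import hmac
import secrets
import struct
import time

# Key from the RFC 4226/6238 test vectors; for demonstration only.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter derived from Unix time `at`."""
    return hotp(key, int(at) // step, digits, algo)


def verify_totp(key, code, at, last_counter=-1, window=1, step=30, digits=6, algo="sha1"):
    """Accept `code` if it matches the current step or one within `window`
    steps either side (clock skew) AND that step is newer than `last_counter`,
    so a code observed in transit cannot be replayed. Returns the accepted
    step, which the caller must persist as the user's new last_counter, or None."""
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue  # already consumed (or older): replay attempt
        if hmac.compare_digest(hotp(key, c, digits, algo), code):
            return c
    return None


def enrol():
    """Fresh 160-bit secret plus its base32 form for a provisioning QR code."""
    key = secrets.token_bytes(20)
    return key, base64.b32encode(key).decode().rstrip("=")


if __name__ == "__main__":
    key, b32 = enrol()
    print("provisioning secret (base32):", b32)
    now = time.time()
    code = totp(key, now)
    accepted = verify_totp(key, code, now)
    print("current code:", code, "-> accepted at step", accepted)
    print("same code replayed:", verify_totp(key, code, now, last_counter=accepted))
```

Rate-limit verification attempts as well: with six digits and a three-step window, an unthrottled verifier gives an attacker roughly a 3-in-a-million chance per guess, which adds up quickly.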