User Access Management
Access Control
Access control is the selective restriction of access to, or use of, data, information, configuration, resources, or a physical location. Granting access means authorizing someone to use a resource. Access controls are applied in both physical security and information security. Authorization is the function of specifying access rights or user privileges to resources, and in information security it is the core of access control.
Organizations must decide which access control model to adopt based on the type and sensitivity of the data they process. The classical models are discretionary access control (DAC), where the owner of a resource decides who may use it, and mandatory access control (MAC), where a central authority assigns labels to subjects and objects and the system enforces them. Role-based access control (RBAC), which attaches permissions to roles and assigns roles to users, is the most common model today. The most recent model, attribute-based access control (ABAC), is used in some environments; it decides each request from attributes of the subject, the resource, and the environment (time, device, network) rather than from identity or role alone.
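To make the difference between the models concrete, here is an added example (not code from the original post) that evaluates the same kind of request under an RBAC table and under an ABAC rule set. The users, roles, attributes and rules are constructed for illustration; the clearance rule shows how a MAC-style dominance check is expressed as an attribute rule.

```python
"""Added example, not from the original post: the same access request evaluated
under RBAC (permissions attached to roles) and under ABAC (rules over subject,
resource and environment attributes). The users, roles, attributes and rules
are constructed for illustration and do not come from the page."""
from dataclasses import dataclass, field

# --- RBAC: permissions attach to roles; users are assigned roles ---------------
ROLE_PERMISSIONS = {
    "analyst": {("report", "read")},
    "dba": {("database", "read"), ("database", "write")},
    "auditor": {("report", "read"), ("audit_log", "read")},
}
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"dba"},
    "carol": {"auditor", "analyst"},
}

def rbac_allow(user: str, resource: str, action: str) -> bool:
    """Allow if any role held by the user carries (resource, action); unknown users are denied."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- ABAC: rules over attributes; the answer changes with context, not only identity --
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class Request:
    subject: dict
    resource: dict
    action: str
    env: dict = field(default_factory=dict)

def abac_allow(req: Request) -> bool:
    """Default deny: every applicable rule must hold."""
    s, r, e = req.subject, req.resource, req.env
    # Rule 1: subject clearance must dominate the resource classification
    #         (the MAC idea expressed as an attribute rule).
    if CLEARANCE.get(s.get("clearance"), -1) < CLEARANCE.get(r.get("classification"), 99):
        return False
    # Rule 2: writes to production resources only from the owning department,
    #         from a managed device, during business hours (09:00-17:59).
    if req.action == "write" and r.get("tier") == "prod":
        if s.get("department") != r.get("owner_department"):
            return False
        if not e.get("managed_device", False):
            return False
        if not 9 <= e.get("hour", -1) <= 17:
            return False
    return True

def decisions() -> dict:
    """Evaluate a few constructed requests so the two models can be compared."""
    prod_db = {"classification": "confidential", "tier": "prod", "owner_department": "finance"}
    fin_user = {"clearance": "confidential", "department": "finance"}
    return {
        "rbac alice reads report": rbac_allow("alice", "report", "read"),
        "rbac alice writes database": rbac_allow("alice", "database", "write"),
        "rbac bob writes database": rbac_allow("bob", "database", "write"),
        "abac finance write in hours": abac_allow(
            Request(fin_user, prod_db, "write", {"managed_device": True, "hour": 10})),
        "abac finance write at night": abac_allow(
            Request(fin_user, prod_db, "write", {"managed_device": True, "hour": 23})),
        "abac low clearance read": abac_allow(
            Request({"clearance": "internal", "department": "finance"}, prod_db, "read", {"hour": 10})),
    }

if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name:32s} -> {'ALLOW' if ok else 'DENY'}")
```

The RBAC answer depends only on which roles a user holds, so it cannot express "only during business hours from a managed device"; the ABAC evaluation can, which is why the same finance user is allowed at 10:00 and denied at 23:00.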
A user access management system manages and monitors user permissions and access rights to files, systems, and services, helping protect the organization from data loss and security breaches. It is about controlling who has access and what rights they hold.
Many organizations that follow a proper process and adhere to ISO standards document a mandatory requirement known as the user access policy. The user access policy defines all users and their access levels. The policy should be reviewed periodically so that the control remains effective.
A user access management tool or solution can be implemented and should be capable of the following:
- It should be able to integrate with other security solutions, including firewalls, IPS/IDS, etc.
- It should integrate with the enterprise's existing authentication methods: Active Directory, LDAP, RADIUS, TACACS, etc.
- It should authenticate, authorize, and enforce access control for all network devices such as switches, routers, firewalls, load balancers, etc.
- It should support two-factor or multi-factor authentication (MFA), for example mobile OTP or email OTP (email and SMS OTP are phishable, so app-based or hardware authenticators are preferable where the target supports them).
- It should track privileged identities and privileged account activity separately from ordinary user activity.
- It should auto-discover privileged accounts on target systems and perform two-way reconciliation, so that accounts present on a target but unknown to the vault, and vault records with no matching account on the target, are both flagged.
- It should contain a password vault that lets an administrator define different password formation rules for target accounts on different target systems, supporting the full character set (including special characters) that each target system accepts.
- It should set a unique, cryptographically random value every time a password is changed.
- It must support parallel execution of password resets for multiple concurrent requests.
- It should archive session recording data to external storage or media based on age and available space.
- It should track the creation, renaming, modification, and deletion of files or folders in specified directories on critical servers, and send email alerts for these events.
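The three password vault requirements in the list above (per-target formation rules, a fresh random value on every change, and parallel resets) are easier to reason about in code. The following is an added example, not code from the original post or from any product; the target names, their rules, and the rotate_many() helper are assumptions made for illustration.

```python
"""Added example, not from the original post: how a vault might apply per-target
password formation rules, draw a fresh random value on every change, and run
several resets concurrently. Target names, their rules and rotate_many() are
assumptions made for illustration."""
import secrets
import string
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PasswordRule:
    length: int
    alphabet: str               # the full character set this target accepts
    require_classes: tuple      # classes that must each appear at least once

# Assumed targets: each accepts a different character set and length.
RULES = {
    "linux-bastion": PasswordRule(32, string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?/",
                                  ("lower", "upper", "digit", "special")),
    "legacy-switch": PasswordRule(16, string.ascii_letters + string.digits,   # no specials allowed
                                  ("lower", "upper", "digit")),
    "ad-service":    PasswordRule(24, string.ascii_letters + string.digits + "!#$%&*+-./:;<=>?@_~",
                                  ("lower", "upper", "digit", "special")),
}

_CLASS_CHECK = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}

def _has_class(password: str, cls: str) -> bool:
    return any(_CLASS_CHECK[cls](c) for c in password)

def complies(target: str, password: str) -> bool:
    """True if the password matches the target's length, alphabet and class rules."""
    rule = RULES[target]
    return (len(password) == rule.length
            and all(c in rule.alphabet for c in password)
            and all(_has_class(password, cls) for cls in rule.require_classes))

def generate(rule: PasswordRule) -> str:
    """Draw from the OS CSPRNG (secrets) until every required class is present."""
    while True:
        candidate = "".join(secrets.choice(rule.alphabet) for _ in range(rule.length))
        if all(_has_class(candidate, cls) for cls in rule.require_classes):
            return candidate

def rotate(target: str, previous: Optional[str]) -> str:
    """New password for a target; never hand back the value being replaced."""
    rule = RULES[target]
    for _ in range(10):
        candidate = generate(rule)
        if candidate != previous:
            return candidate
    raise RuntimeError(f"could not produce a fresh value for {target}")

def rotate_many(targets: dict) -> dict:
    """Reset several targets concurrently; targets maps name -> current password (or None)."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        futures = {name: pool.submit(rotate, name, prev) for name, prev in targets.items()}
        return {name: f.result() for name, f in futures.items()}

if __name__ == "__main__":
    for name, pw in rotate_many({n: None for n in RULES}).items():
        print(f"{name:14s} {len(pw):2d} chars  compliant={complies(name, pw)}")
```

Two details matter in practice: the value comes from secrets, not random, so it is unpredictable to an attacker who has seen earlier values; and the rule for the legacy switch deliberately excludes special characters, because a vault that pushes a character the target rejects will lock itself out of that account.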
Note that identity management and access management are two different concepts: identity management covers the lifecycle of an identity (creation, attributes, de-provisioning), while access management governs what an identity is allowed to do.
User access can also be managed through regulatory compliance. ISO/IEC 27001:2013 addresses it in Annex A, control area A.9 Access Control. The sub-clauses are:
- Access Control Policy
- Access to networks and network services
- User registration and de-registration
- User access provisioning
- Management of privileged access rights
- Management of secret authentication information of users
- Review of user access rights
- Removal of access rights
- Use of secret authentication information
- Information access restriction
- Secure log-on procedures
- Password management system
- Use of privileged utility programs
- Access control to program source code