Who is knocking at the door? A case for identity management and access control

Our personal identity is unique to each of us. It makes us who we are, and the thought that someone can take that away from us is morally and ethically disturbing.

Identity theft is not only a personal attack that robs us of who we are, it is also a cause of personal financial loss. The same is true for organisations that embrace digital strategies in response to the expectations of their customers and the needs of workplace stakeholders. With expansion and growth comes the reality of increased vulnerability to cyber-attacks.

Identity management and access control are among the ways organisations control who has access to their business systems. For many, GDPR compliance and staying 1 step ahead of the ‘bad guys’ are an ongoing challenge. One breach could close the business, and many companies are saddled with significant cost and effort to protect their data.

Security concerns feature high on the list of reasons why companies are reluctant to adopt cloud computing. It is imperative to dispel the notion that cloud computing is less secure than systems hosted on premises. A personal example of this is when a small ISP I worked with many years ago had all their servers stolen out of the alarmed (linked to an armed response unit with a 2-minute response time), gated office. Fortunately, we had offsite backups and a mirrored site.

When considering cloud hosting, and physical security aside, the cyber security protocols of all the leading cloud platform providers are by default more robust than most companies can otherwise afford. While an organisation's security is always the responsibility of the business, the case for capitalising on the security available from cloud hosting providers is a compelling one.

Much like physical intrusion protection, there are key actions and best practices that companies should have in place. As a leader in the cyber security space, AWS has published a list of best practices to help manage access to resources hosted on its platform. Here are some of these recommendations.

Manage user access by assigning individual security credentials (using access keys, passwords). For an additional layer of protection, implement Multi-Factor Authentication, where usernames and passwords are complemented with a second level of security by way of an authentication code provided through a trusted medium such as email, text, or a secure authentication device.

Manage permissions: specify access and grant permissions to entities (users, groups, and roles). By default these entities start with no permissions. In other words, entities can do nothing in AWS until you grant them the correct permissions.

Auditing and tracking: It is imperative that any activity on your infrastructure can be logged, monitored and recorded.

Roles allow you to define sets of permissions for making AWS service requests. In other words, you can set up the permissions needed to perform a specific task or set of tasks and then assign that role to trusted users, thus ensuring they have all the permissions needed to perform the task.

Rotate security credentials regularly.  Like office and house keys, username and password info can get into the wrong hands. While users may see changing their details as an inconvenience (I know I do), the protection this offers outweighs the additional effort.

At 1Tech we have been focused on our clients’ business needs for 20 years. We have first-hand knowledge and the experience of working with companies on defining and delivering on their security requirements. We know what pitfalls to avoid and how best to approach security.

To find out more about our services and how we can help you, please visit www.1tech.co or contact us at info@1tech.co

 

Greg