
Secure Access & Identity Management: Why and How?
From an information security perspective, one of the critical components in protecting information systems is well-designed Access & Identity Management (AIM, more commonly called Identity and Access Management, IAM). It ensures that sensitive data is accessible only to the right people and only to the extent necessary. An access control policy is the set of rules and procedures that defines how, and to whom, access is granted to files, applications, networks, and databases. Its purpose is to protect the organization's information assets from unauthorized access, modification, or destruction.
Access control policies should cover physical access from the outset as well (gate remote controls, access cards, and keys), so that all access, logical and physical, is managed centrally.
Core Principles of a Secure AIM Policy
  1. Principle of Least Privilege - Each employee or system should have only the permissions necessary to perform their job functions. Anything that is not explicitly permitted should be denied.
  2. Role-Based Access Control (RBAC) - Users are assigned permissions based on their job roles. This simplifies access management and reduces the risk of errors.
    • Base permissions - The user is granted the right to authenticate and access certain systems; for example, an employee may have access to the organization’s intranet. At this stage, it should also be clearly defined whether base permissions allow only viewing or also editing and deleting documents.
      In terms of physical access, base permissions may include a key or keys that open only the main external door and the employee's office. Base permissions also typically include the employee's work email account and related access rights. Base permissions can define whether the employee is allowed to access the intranet and email while working remotely, or whether this should be limited to specific positions through special permissions.
    • Role-based permissions – The user is allowed to use the information systems, applications, and physical access required to perform their job duties. For example, an Accountant may have the right to use financial software and make entries (i.e., modify data). A Sales Manager may also have access to the accounting system, but their role-based permissions may allow only viewing data and creating invoices.
      In terms of physical access, an Accountant might have access to the document archive, whereas a Sales Manager should likely not be able to enter it independently without an escort.
    • Special permissions - These allow users to perform actions that would not normally be permitted within their standard job role, but which are granted due to a specific, objective reason. The requesting, use, and termination of special permissions must be strictly controlled, as misuse can compromise system security and data integrity.
  3. Regular Review and Auditing - Access rights should be reviewed regularly to ensure their continued relevance. For example, when an employee leaves the organization or changes roles, their permissions must be revoked or aligned with the new role. Regular reviews also help identify inactive user accounts and potential errors made during previous permission assignments.
  4. Time-Based Restrictions – Every permission should be recorded with a defined start date and a defined end condition. The end may be tied to an event: the permission expires when the employment relationship ends or when the employee moves to a new position, at which point the previous role-based permissions are revoked and new ones assigned. It may also be a fixed date, for example when an employee temporarily covers for a colleague during vacation or sick leave. Fixed-term permissions are also the norm for external partners.
  5. Multi-Factor Authentication (MFA) - Access should require more than one independent authentication factor (for example a password plus a hardware token or an authenticator app). Today this should be considered a basic cyber hygiene requirement in every organization.
  6. Logging and Monitoring - Every access attempt, successful or denied, and every change to access rights should be logged, so that suspicious activity can be identified and responded to quickly.
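The six principles above map directly onto a small policy engine: tiered grants (base, role, special), default deny, end dates on every grant, an audit trail of every decision, and a review routine that surfaces what a periodic access review is meant to catch. The following is an added example written for this page, not Eitsify's own tooling; the role names, permissions, user names, dates and the 90-day inactivity threshold are assumptions chosen to mirror the Accountant and Sales Manager scenario in the text, and physical access (the archive door) is modelled as just another resource so it is managed in the same place.

```python
"""Added example (hypothetical, not Eitsify's tool): a toy RBAC engine with
tiered grants, default deny, time limits, audit logging and periodic review."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Permission:
    resource: str  # "accounting", "archive_door", ... (assumed names)
    action: str    # "view", "modify", "enter", ...


@dataclass
class Grant:
    permission: Permission
    tier: str                # "base", "role" or "special"
    start: datetime
    end: Optional[datetime]  # None = indefinite: ends with the role or the employment
    granted_by: str
    reason: str = ""

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


# Base tier for every employee; job roles add to it. Assumed example roles.
BASE = {Permission("intranet", "view"), Permission("email", "use"), Permission("main_door", "enter")}
ROLES = {
    "accountant": {Permission("accounting", "view"), Permission("accounting", "modify"),
                   Permission("archive_door", "enter")},
    "sales_manager": {Permission("accounting", "view"), Permission("accounting", "create_invoice")},
}


@dataclass
class User:
    name: str
    grants: list = field(default_factory=list)
    last_access: Optional[datetime] = None
    active: bool = True


class AccessControl:
    def __init__(self):
        self.users = {}
        self.audit = []  # (time, user, resource, action, decision): every attempt is logged

    def onboard(self, name, start, granted_by):
        self.users[name] = User(name, [Grant(p, "base", start, None, granted_by) for p in BASE])

    def assign_role(self, name, role, start, granted_by):
        self.users[name].grants += [Grant(p, "role", start, None, granted_by) for p in ROLES[role]]

    def grant_special(self, name, perm, start, days, granted_by, reason):
        # Special permissions must carry a documented reason and a finite end date.
        if not reason or days <= 0:
            raise ValueError("special permission needs a reason and a finite duration")
        self.users[name].grants.append(
            Grant(perm, "special", start, start + timedelta(days=days), granted_by, reason))

    def offboard(self, name):
        u = self.users[name]
        u.active, u.grants = False, []

    def check(self, name, perm, t):
        # Default deny: pass only if the user is active and holds a currently active grant for perm.
        u = self.users.get(name)
        allowed = bool(u and u.active and any(g.permission == perm and g.active_at(t) for g in u.grants))
        if allowed:
            u.last_access = t
        self.audit.append((t, name, perm.resource, perm.action, "ALLOW" if allowed else "DENY"))
        return allowed

    def review(self, t, inactive_days=90):
        # Periodic review: expired grants still on the books, and accounts nobody uses.
        findings = []
        for u in self.users.values():
            if not u.active:
                continue
            findings += [(u.name, "expired grant still listed", g.permission)
                         for g in u.grants if g.end is not None and t >= g.end]
            if u.last_access is None or t - u.last_access > timedelta(days=inactive_days):
                findings.append((u.name, "inactive account", None))
        return findings


def demo():
    ac, t0 = AccessControl(), datetime(2024, 1, 8, 9, 0)
    modify, archive = Permission("accounting", "modify"), Permission("archive_door", "enter")
    ac.onboard("alice", t0, "hr"); ac.assign_role("alice", "accountant", t0, "cfo")
    ac.onboard("bob", t0, "hr"); ac.assign_role("bob", "sales_manager", t0, "sales_director")
    r = {"alice_modify": ac.check("alice", modify, t0),  # True: role grant
         "bob_modify": ac.check("bob", modify, t0),      # False: sales may only view / invoice
         "bob_archive": ac.check("bob", archive, t0)}    # False: physical access is role-based too
    # Bob covers Alice's two-week vacation: special, time-limited, reason recorded.
    ac.grant_special("bob", modify, t0 + timedelta(days=30), 14, "cfo", "covering alice's vacation")
    r["bob_cover"] = ac.check("bob", modify, t0 + timedelta(days=35))  # True
    r["bob_after"] = ac.check("bob", modify, t0 + timedelta(days=45))  # False: expired
    ac.offboard("alice")
    r["alice_gone"] = ac.check("alice", modify, t0 + timedelta(days=50))  # False
    r["review"] = ac.review(t0 + timedelta(days=140))  # flags bob's stale grant and inactivity
    r["denies"] = sum(1 for e in ac.audit if e[-1] == "DENY")  # 4
    return r
```

Run `demo()` to walk the scenario: the Sales Manager is denied both `modify` on the accounting system and entry to the archive, gets `modify` only for the two weeks of the documented cover, and loses it automatically afterwards; offboarding revokes everything; and the review at day 140 reports the expired special grant that is still listed and the account that has not been used for more than 90 days. A special permission with an empty reason or no end date is rejected outright, which is the control point the "Special permissions" bullet above asks for.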
Access Rights Management Processes
In day-to-day access management, every process must be clearly defined and documented:
  1. Who is authorized to request the granting, modification, or revocation of rights and access.
  2. How the granting, modification, and removal of access rights are recorded, so that every change is easily traceable.
  3. Access requests should as a rule be submitted separately for each user, not in bulk.
  4. Who approves the granting of access rights, and how: the employee's direct manager, or, for special permissions, the person responsible for information security.
  5. Special permissions requested by external partners should always be based on a signed contract under which the work is performed, which explicitly addresses confidentiality and includes an NDA.
Contact
  • Eitsify Ltd: Consulting | Auditors | CISOaaS | InfoSec Tool
  • (+372) 58 160 100
  • info@eitsify.com