Access management basics

Peter Strempel

My experience with access management goes back to domain and Active Directory account management, extending forward into IT security management principles and knowledge management priorities.

In summary, access management is about determining which information should be accessible to which users or user groups. My approach is multi-dimensional, covering information resource classification, access groups for each category, and then individual account verification and access management.

IT security management is a professional discipline in its own right, and not one of my specialties. However, I recommend that even smaller organisations collecting, storing, and accessing information consider some basic security issues.

Figure 1 below shows a simple access management process that should be practical for most IT infrastructure resources.

[Figure 1 image: access permissions]
FIGURE 1: Access permissions have to be managed after they are granted.

As illustrated, the process involves not just creating a user account, but making sure that account is linked to specific access permissions, and that anything not explicitly granted is denied. For example, an accounts clerk should probably not have access to personnel records. Moreover, the clerk's account should be monitored for unusual access patterns with simple logging routines, should not be shared, and should be disabled as soon as the clerk leaves the organisation. If there are two or more clerks, an organisation might consider establishing a permissions group, creating a separate account for each clerk, and adding those accounts to the group, so that permissions are managed once rather than per person.
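The following is an added example, not code from the original article, showing the process above as a small group-based access model: permissions attach to groups rather than to individual accounts, every access decision is denied by default and logged, and two follow-up checks use that log and an HR leavers list to find accounts that look shared or that were never disabled. The group names, resources, usernames and access events are constructed for illustration.

```python
"""Group-based access control with audit logging and leaver reconciliation.

Added example illustrating the process in Figure 1. The groups, resources,
accounts and access events below are constructed, not taken from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Permissions are attached to groups, never directly to accounts, so adding a
# second clerk is one group membership rather than a second copy of the rules.
GROUP_PERMISSIONS = {
    "accounts-clerks": {"ledger": {"read", "write"}, "invoices": {"read"}},
    "hr-staff": {"personnel-records": {"read", "write"}},
}


@dataclass
class Account:
    username: str
    groups: set[str]
    active: bool = True


@dataclass
class AccessEvent:
    """One logged decision; denied attempts are recorded as well as allowed ones."""
    username: str
    resource: str
    action: str
    source_host: str
    allowed: bool


@dataclass
class AccessManager:
    accounts: dict[str, Account] = field(default_factory=dict)
    audit_log: list[AccessEvent] = field(default_factory=list)

    def create_account(self, username: str, groups: list[str]) -> None:
        self.accounts[username] = Account(username, set(groups))

    def disable_account(self, username: str) -> None:
        """Leaver step: the account is kept for audit history but can no longer be used."""
        self.accounts[username].active = False

    def check_access(self, username: str, resource: str, action: str, source_host: str) -> bool:
        """Deny by default: unknown, disabled or unentitled accounts all fail."""
        account = self.accounts.get(username)
        allowed = False
        if account is not None and account.active:
            for group in account.groups:
                if action in GROUP_PERMISSIONS.get(group, {}).get(resource, set()):
                    allowed = True
                    break
        self.audit_log.append(AccessEvent(username, resource, action, source_host, allowed))
        return allowed

    def stale_accounts(self, leavers: list[str]) -> list[str]:
        """Accounts HR reports as having left that are still enabled."""
        return sorted(u for u in leavers if u in self.accounts and self.accounts[u].active)

    def possibly_shared_accounts(self) -> list[str]:
        """Heuristic: one account used from more than one host suggests sharing."""
        hosts: dict[str, set[str]] = {}
        for event in self.audit_log:
            hosts.setdefault(event.username, set()).add(event.source_host)
        return sorted(u for u, h in hosts.items() if len(h) > 1)


def demo() -> AccessManager:
    """Run a constructed sequence of events through the model and return it."""
    am = AccessManager()
    am.create_account("alice", ["accounts-clerks"])
    am.create_account("bob", ["accounts-clerks"])
    am.create_account("carol", ["hr-staff"])
    am.check_access("alice", "ledger", "write", "pc-finance-01")          # allowed
    am.check_access("alice", "personnel-records", "read", "pc-finance-01")  # denied: wrong group
    am.check_access("bob", "ledger", "read", "pc-finance-02")             # allowed
    am.check_access("bob", "ledger", "read", "pc-reception")              # same account, other host
    am.check_access("carol", "personnel-records", "read", "pc-hr-01")     # allowed
    am.disable_account("alice")                                           # alice leaves
    am.check_access("alice", "ledger", "read", "pc-finance-01")           # denied: disabled
    return am


if __name__ == "__main__":
    manager = demo()
    for e in manager.audit_log:
        print(f"{e.username:6} {e.action:5} {e.resource:17} from {e.source_host:14} allowed={e.allowed}")
    print("still active but reported as leavers:", manager.stale_accounts(["alice", "bob"]))
    print("possibly shared accounts:", manager.possibly_shared_accounts())
```

The shared-account check is deliberately crude (two hosts can also mean one person moving desks); its value is in prompting a question, not in proving misuse. The leaver check only works if HR's list actually reaches whoever runs it, which is the organisational link the process in Figure 1 depends on.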

A very common problem in many organisations is users not keeping passwords or other authentication credentials secure: yellow sticky notes on monitors showing passwords, or passwords such as 123456789, password, or even the user's own name. These are easy to see by chance, and they are the first guesses any determined attacker will try.
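The weak choices just listed can be rejected at the point a password is set. The following is an added example, not code from the original article, that screens a candidate password for the problems named above: too short, on a common-password deny list, containing the user's own name, or made of sequential or repeated characters. The deny list and the minimum length are assumptions for illustration; a real deployment would screen against a full breached-password list.

```python
"""Screen new passwords for the weak choices described in the text.

Added example, not from the original article. COMMON_PASSWORDS is a tiny
constructed sample; real deny lists run to millions of entries.
"""
import re

# Constructed sample deny list (assumption: a real one is far larger).
COMMON_PASSWORDS = {"password", "123456", "123456789", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12  # assumed policy value


def _is_sequential(s: str) -> bool:
    """True when every character is exactly +1 or -1 from the previous one,
    e.g. 123456789, abcdef or 987654321."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _name_parts(username: str, full_name: str) -> list[str]:
    """Lower-cased username plus each word of the full name, e.g. 'Alice Smith'
    becomes ['asmith', 'alice', 'smith']. Parts under 3 characters are ignored
    so that initials do not cause false rejections."""
    parts = [username.lower()]
    parts += [p.lower() for p in re.split(r"[\s.\-_]+", full_name) if p]
    return [p for p in parts if len(p) >= 3]


def password_problems(password: str, username: str, full_name: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    # Catches 'alice', 'Alice!', 'alice2024' and surname-based choices alike.
    if any(part in lowered for part in _name_parts(username, full_name)):
        problems.append("contains the user's name")
    if _is_sequential(password) or len(set(password)) == 1:
        problems.append("sequential or repeated characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user, name in [
        ("123456789", "alice", "Alice Smith"),
        ("AliceSmith2024!", "asmith", "Alice Smith"),
        ("correct horse battery staple", "dave", "Dave Jones"),
    ]:
        print(f"{pw!r}: {password_problems(pw, user, name) or 'ok'}")
```

Length and a deny list do most of the work here; composition rules (one digit, one symbol) are deliberately absent, since they push people towards predictable variants such as Password1! rather than towards longer passphrases.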

In the era of privacy laws and cybercrime, these considerations have potentially huge price tags attached to negligence or carelessness.

But access permissions are largely meaningless if they aren't matched to information objects. In other words, not everyone should have access to every organisational information object, and deciding who should requires knowing what those objects are.

There are many ways to classify information objects, up to and including formal high-security classification schemes. Choosing the one appropriate for your needs is not as simple as picking from a list. It deserves careful thought about your legal privacy obligations, for employees as much as customers, and your knowledge management strategy. What information would you not want unauthorised people to be able to access? How can such access be prevented?

Knowledge management is a separate discipline, but it relates to security concerns in that employees should have enough information about how an organisation functions, and how it provides products or services to clients and customers to help them do their jobs well. On the other hand, most employees have no need to access information about, for example, banking details, client personal contact details, or credit history and ratings information.

Failing to plan how access is granted and restricted increases the chances of accidental or intentional misuse of information, potentially creating legal liability, direct financial loss, and exposure to cybercrime.

If you’d like to discuss how to create access controls and an information security policy, contact me for a discussion of your needs.