Why you should care about the TLA AAA!
Let’s start this post by outlining what I mean by AAA:
Authentication – Authorisation – Accountability
Authentication. For even the most basic cyber security you must authenticate every user who has access to your information. This should include making the use of multi-factor authentication (MFA) compulsory and, if possible, doing away with passwords altogether.
Multi-factor authentication (MFA) is also referred to as dual-factor authentication (DFA) and two factor authentication (2FA). All have the same function – to securely provide a one time password (OTP) only to the approved user, so they can get access to a service. Examples of services that implement MFA for added security are Microsoft 365, Google, WordPress and Amazon among many others.
When I use the word “user” above you must remember that a user could be a computer system accessing your information or a third-party. These rules apply to both of those types of users as well.
Authorisation. Once a user has proven to the system who they are, that identity must control what that user can access. Employ “The principle of least privilege” to decide how much access to give people. Authorisation is a key step in keeping your information secure (Jeurissen. 2020).
Fig.1 If you do not exercise control over your information, you could lose control over who sees what!
Accountability. The questions you need to answer are:
“Are the users who access your information accountable for what they do?”
“Could you prove to an annoyed client that it was not one of your team that had unauthorised access to their business secrets?”
Whatever solutions you use, they should be able to keep comprehensive logs of all the activity and from these logs you or your cyber security consultant must be able work out who accessed what from where and when.
How this works in the real world
Our IT support team have access to some of our and our clients’ most sensitive information – global administrator account credentials, logs of company activity, customer and accounts information etc. etc. etc. – they need it to do their job, but not everyone needs access to every piece of information.
Within our own company we implement complex passwords, enforce MFA and we will be migrating to a FIDO “no password” solution.
Once members of our team are in, the information is well organised and segregated, so our back-office team have no chance of accessing sensitive support information, and the IT support team cannot freely browse HR and accounts folders. We even implement a closely managed SharePoint solution when we need to share folders or information outside the organisation.
We also implement a strict Global Administrator access policy, internally, on our client accounts, in WordPress and other systems, which include some “secret” cut-outs to prevent spoofing.
All of this is logged and the logs securely saved just in case. We have also written some custom reporting procedures that monitor for special situations.
And we implement this level of security for clients as well…
Our situation may be extreme, but your information is your information and if you start to lose control of it by giving too much access then eventually it could creep out into the public domain (Jeurissen. 2020).
Clive Catton MSc (Cyber Security) – by-line and other articles
p.s. TLA = Three Letter Acronym
Next: How portable USB storage can or cannot fit into your cyber security planning.
Further Reading
Principle of least privilege – Wikipedia
Multifactor Authentication | MFA | Microsoft Security
Passwordlessness – Smart Thinking Solutions
References
Jeurissen, S., (2020, January). Enterprise content management: securing your sensitive data. Retrieved from https://www.compact.nl/en/articles/enterprise-content-management-securing-your-sensitive-data/
