There are a number of steps to consider (on the assumption complacency has been put to one side!). First of all, the CIO or other senior executive in the organisation must ask themselves some very straightforward questions: Who are our users? What do they have access to? Who approves this access? And what do they do with their access rights? If they have all the answers to these questions, they’re in great shape, and one of the few organisations that can claim to be totally secure.
If, on the other hand, there are more questions than answers, the senior executive must urgently be tasked with implementing a best-practice identity and access management strategy. This can be achieved in three stages. First, to standardise administration of users, authoritative sources of identity information are identified and connected to the access management, user management and provisioning processes. In stage two, policy-based automation of approval processes and user self-service for requesting password changes, access privileges, and directory information updates enhance the user experience and enforce security policy. And, in stage three, monitoring actual user behaviour in the context of security policy and business controls is efficient and consistent when based on a set of automated, integrated identity management processes.
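The four questions above can be answered mechanically once an authoritative identity source is connected to entitlement and usage data. The following is an added example, not part of the original article: a small access review in Python that reconciles the three data sets. All names, field layouts and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article); field layouts are assumptions.
HR_SOURCE = {"alice": "active", "bob": "active", "carol": "terminated"}
ENTITLEMENTS = [  # (user, resource, approver or None)
    ("alice", "payroll-db", "cfo"),
    ("bob", "payroll-db", None),
    ("bob", "wiki", "it-manager"),
    ("carol", "crm", "sales-director"),
    ("dave", "crm", "sales-director"),
]
ACCESS_LOG = [  # (user, resource) pairs observed in use
    ("alice", "payroll-db"),
    ("bob", "wiki"),
    ("carol", "crm"),
    ("alice", "crm"),
]


def review_access(hr, entitlements, access_log):
    """Return {finding_category: sorted list of (user, resource)}."""
    findings = defaultdict(set)
    granted = set()
    for user, resource, approver in entitlements:
        granted.add((user, resource))
        status = hr.get(user)
        if status is None:
            # Who are our users? Account has no authoritative identity.
            findings["orphan_account"].add((user, resource))
        elif status != "active":
            # Identity exists but should have been deprovisioned.
            findings["leaver_still_provisioned"].add((user, resource))
        if not approver:
            # Who approves this access? Nobody on record.
            findings["unapproved"].add((user, resource))
    used = set(access_log)
    # What do they do with their access? Compare grants with observed use.
    findings["used_without_grant"] |= used - granted
    findings["granted_never_used"] |= granted - used
    return {k: sorted(v) for k, v in findings.items() if v}


if __name__ == "__main__":
    for category, items in review_access(HR_SOURCE, ENTITLEMENTS, ACCESS_LOG).items():
        print(f"{category}: {items}")
```

Each finding category maps to one of the questions: an empty result means every account traces to an active identity, every grant has an approver, and observed use matches what was granted.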
The fundamental fact remains that the risk of passwords being compromised is becoming greater and greater, because it's becoming easier to download tools that will crack them. And industry is not doing enough to tackle the issue. The centralised management of identities and access privileges enables the policy-based management of enterprise identities and their corresponding access privileges, and it strengthens the organisation’s ability to establish, monitor, and validate access policies. Start now—before it’s too late.