COVID-19: User Access Management Best Practices

Published May 20, 2020 by 4 min read

As cybercriminals step up their efforts during the COVID-19 crisis to infiltrate your information systems, identity and access management (IAM) processes are more important for cybersecurity than ever.

Aimed at preventing data breaches and unauthorized access to your systems, IAM becomes more critical as more of your employees perform their work from home.

The firewalls that protected your system perimeter won’t suffice any longer, because there is no perimeter. Users are dispersed, and user accounts and your business applications are in the cloud.

Identity and access management can be a complex process, especially if yours is a larger organization. But it’s a valuable component of risk management and required by many compliance frameworks. User access management should be a part of every entity’s risk management plan—especially now, when threat actors are relying on your being distracted by worries, changes in your business model, and other issues the coronavirus pandemic might create or exacerbate.

Upping Your Access Management Game

Whether you’re already using identity and access management and want to improve your access policies for new situations and new threats, or you’re looking to build a program from scratch, here are some steps to take now:

  1. Conduct a user access review. These reviews establish who in your organization has access to which parts of your systems and their sensitive data, and whether each person needs that access to do their job. That test is the principle of least privilege: users get access only to what they need, and no more.

Your user access review should also assess the risk each user represents, from onboarding through termination, assigning a risk level and rechecking it periodically for changes throughout the user's access lifecycle.

Developers, third-party contractors, employees, and terminated employees all pose unique and specific risks, and your organization has, hopefully, been monitoring these groups before now.

Even if you’ve already been conducting these reviews, now is the time to update your review process to account for employees and vendors who are working from home. The risks they pose now may have changed.

  2. Assign role-based access control. Giving each user a role lets you organize their level of privilege and manage their access through user access provisioning and de-provisioning. Role-based access control (RBAC) simplifies identity management: permissions are attached to roles rather than to individuals, each user is assigned the roles their job requires, and privileged permissions are attached only to the few roles that need them, so only the users holding those roles can reach privileged accounts.

But RBAC can still be quite complicated: some users or groups may need permissions for a limited time; individuals’ roles, and their level of access, may change; people will join the organization and leave it; contractors come and go; some working at home now will not be doing so later.

To keep track of all these moving parts, use an IAM or identity governance tool that automates provisioning, de-provisioning, and periodic recertification of role assignments rather than tracking them by hand.
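As an added example (not code from the original post or from Reciprocity), the following Python script models items 1 and 2 above: a small role catalogue, time-bound role assignments, a de-provisioning routine, and an access review that flags the deviations from least privilege a reviewer looks for: direct grants no role explains, expired assignments, privileged access held by contractors, and terminated users who still hold entitlements. The roles, entitlements, users and review date are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role catalogue (an assumption for this example, not from the
# page): each role carries the entitlements that job needs and nothing more.
ROLES = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "sre": {"git:read", "prod:ssh", "prod:admin"},
    "finance": {"erp:read", "erp:post_journal"},
    "contractor": {"git:read"},
}
# Entitlements the review treats as privileged.
PRIVILEGED = {"prod:admin", "erp:post_journal"}


@dataclass
class Assignment:
    role: str
    expires: Optional[date] = None  # None means a standing assignment


@dataclass
class User:
    name: str
    assignments: list
    direct_grants: set = field(default_factory=set)  # granted outside any role
    contractor: bool = False
    terminated: bool = False


def active_roles(user: User, today: date) -> list:
    """Role assignments still in force on the review date."""
    return [a for a in user.assignments if a.expires is None or a.expires >= today]


def role_entitlements(user: User, today: date) -> set:
    """Entitlements justified by the user's active roles."""
    return set().union(*(ROLES[a.role] for a in active_roles(user, today)))


def effective_entitlements(user: User, today: date) -> set:
    """Everything the user can actually reach today: active roles plus direct grants."""
    return role_entitlements(user, today) | user.direct_grants


def deprovision(user: User) -> None:
    """Termination: remove every role and direct grant, not merely disable the login."""
    user.assignments.clear()
    user.direct_grants.clear()
    user.terminated = True


def review(users: list, today: date) -> list:
    """Flag deviations from least privilege. Each finding is (user, kind, entitlements)."""
    findings = []
    for u in users:
        live = effective_entitlements(u, today)
        if u.terminated:
            if live:  # de-provisioning was skipped or incomplete
                findings.append((u.name, "terminated_user_has_access", sorted(live)))
            continue
        excess = u.direct_grants - role_entitlements(u, today)
        if excess:  # access that no role explains: the classic privilege creep
            findings.append((u.name, "grant_outside_role", sorted(excess)))
        for a in u.assignments:
            if a.expires is not None and a.expires < today:
                findings.append((u.name, "expired_assignment", [a.role]))
        if u.contractor and live & PRIVILEGED:
            findings.append((u.name, "contractor_privileged", sorted(live & PRIVILEGED)))
    return findings


# Constructed sample population, reviewed on the post's publication date.
REVIEW_DATE = date(2020, 5, 20)
SAMPLE_USERS = [
    User("alice", [Assignment("engineer")], direct_grants={"prod:admin"}),
    User("bob", [Assignment("sre", expires=date(2020, 4, 1))]),
    User("carol", [Assignment("contractor"), Assignment("sre", expires=date(2020, 6, 30))],
         contractor=True),
    User("dave", [Assignment("finance")], terminated=True),
]


def run_review() -> list:
    """Run the review over the constructed population."""
    return review(SAMPLE_USERS, REVIEW_DATE)


if __name__ == "__main__":
    for name, kind, ents in run_review():
        print(f"{name:6} {kind:28} {', '.join(ents)}")
```

The same four checks run unchanged against a real export of users, roles and grants from an identity provider; the one that matters most in a remote-work surge is `terminated_user_has_access`, which only stays empty if termination always goes through `deprovision` rather than a password reset.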

  3. Choose your IAM tools. IAM goes beyond mere password management. Beyond RBAC, tools are available to govern and manage identity and access across your organization, including:
  • Single sign-on (SSO), which lets a user authenticate once to a central identity provider and then reach every application they have been granted access to, without separate logins. SSO also concentrates risk in that one credential, which is why it should always be paired with MFA.
  • Multi-factor authentication (MFA), which adds a second step to authentication: a code sent by email or text message, a biometric, or a security token or authenticator app that generates a unique code for each sign-on. Codes sent by SMS or email are the weakest option, since they can be intercepted or phished; authenticator apps are better, and FIDO2/WebAuthn hardware keys resist phishing outright.
  • Risk-based authentication, which scores each login or sensitive action from signals such as device, location, time of day and recent failed attempts, and responds in proportion: allow it, demand a second factor, or block it and alert IT.
  • Identity analytics, which collects logins, authorization decisions and related events so that anomalous access can be reviewed and investigated.
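The risk-based authentication decision described above, as an added example in Python rather than code from the post or from any product: each login attempt is scored against the user's earlier logins for a new device, impossible travel, off-hours access and a burst of recent failures, and the score selects one of three responses. The signal weights, thresholds, login records, IP addresses and coordinates are constructed assumptions for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    device_id: str
    geo: tuple          # (latitude, longitude) resolved from the IP
    success: bool = True


# Weights and thresholds are assumptions for this example; a real deployment
# tunes them against its own false-positive rate.
WEIGHTS = {"new_device": 30, "impossible_travel": 50, "off_hours": 10, "recent_failures": 40}
STEP_UP_AT, BLOCK_AT = 30, 70
MAX_PLAUSIBLE_KMH = 900      # faster than this between two logins is not travel


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def score(attempt: Login, history: list) -> tuple:
    """Score one attempt against the user's earlier logins. Returns (score, reasons)."""
    reasons = []
    prior = sorted((h for h in history if h.user == attempt.user and h.ts < attempt.ts),
                   key=lambda h: h.ts)
    successes = [h for h in prior if h.success]

    if attempt.device_id not in {h.device_id for h in successes}:
        reasons.append("new_device")
    if successes:
        last = successes[-1]
        hours = (attempt.ts - last.ts).total_seconds() / 3600
        if hours > 0 and haversine_km(last.geo, attempt.geo) / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    if attempt.ts.hour < 6 or attempt.ts.hour >= 22:
        reasons.append("off_hours")
    window_start = attempt.ts - timedelta(minutes=15)
    if sum(1 for h in prior if not h.success and h.ts >= window_start) >= 3:
        reasons.append("recent_failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt: Login, history: list) -> tuple:
    """Map the score to allow, step_up (demand a second factor) or block (and alert)."""
    s, reasons = score(attempt, history)
    if s >= BLOCK_AT:
        return "block", s, reasons
    if s >= STEP_UP_AT:
        return "step_up", s, reasons
    return "allow", s, reasons


# Constructed history for one user: two normal logins from Boston, then three
# failed attempts late on 20 May 2020.
BOSTON, TOKYO = (42.3601, -71.0589), (35.6762, 139.6503)
SAMPLE_HISTORY = [
    Login("alice", datetime(2020, 5, 19, 9, 0), "203.0.113.10", "laptop-1", BOSTON),
    Login("alice", datetime(2020, 5, 20, 8, 30), "203.0.113.10", "laptop-1", BOSTON),
    Login("alice", datetime(2020, 5, 20, 23, 0), "203.0.113.10", "laptop-1", BOSTON, success=False),
    Login("alice", datetime(2020, 5, 20, 23, 2), "203.0.113.10", "laptop-1", BOSTON, success=False),
    Login("alice", datetime(2020, 5, 20, 23, 4), "203.0.113.10", "laptop-1", BOSTON, success=False),
]
SAMPLE_ATTEMPTS = {
    "usual_device": Login("alice", datetime(2020, 5, 20, 9, 5), "203.0.113.10", "laptop-1", BOSTON),
    "new_phone": Login("alice", datetime(2020, 5, 20, 10, 0), "203.0.113.10", "phone-2", BOSTON),
    "from_tokyo": Login("alice", datetime(2020, 5, 20, 11, 0), "198.51.100.7", "unknown-box", TOKYO),
    "after_failures": Login("alice", datetime(2020, 5, 20, 23, 5), "203.0.113.10", "laptop-1", BOSTON),
}


def run_samples() -> dict:
    """Decision for each constructed attempt, keyed by its label."""
    return {label: decide(a, SAMPLE_HISTORY) for label, a in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for label, (verdict, s, reasons) in run_samples().items():
        print(f"{label:15} {verdict:8} score={s:3} {reasons}")
```

The middle band matters most: a new phone or a login after a burst of failures is exactly where a second factor lets a legitimate remote worker through while stopping a credential-stuffing attempt, whereas outright blocking everything unusual would generate the helpdesk load that pushes organizations to weaken the policy.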

User Access Management and Compliance

Managing user access isn't just a good idea for keeping your enterprise's information and systems secure; it is also what the regulations covering personal and financial data expect of you, even where they do not name specific controls.

The General Data Protection Regulation (GDPR)

The GDPR does not name particular technologies, but the "appropriate technical and organisational measures" that Article 32 requires for protecting the personal data of EU residents are in practice met with the following IAM capabilities:

  • Access management
  • Access governance
  • Authorization
  • Multi-factor authentication
  • Identity management
  • Identity governance.

What is more, to support GDPR compliance an IAM program or solution must track who has access to the personal data the enterprise has collected, and update access rights as the organization changes and as data subjects exercise their rights over their data.

The Sarbanes-Oxley Act (SOX)

This anti-fraud law does not spell out IAM controls, but auditors assessing the internal controls over financial reporting that Section 404 requires of publicly traded companies expect the IAM program to include

  • Centrally administered identity governance and access management
  • Enforcement of “segregation of duties”  
  • Periodic audits to verify user rights and permissions
  • Automatic, documented logging and tracking for compliance audits.

The Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Security Rule requires health care providers and other "covered entities," and their business associates, to implement access controls and audit controls for electronic protected health information (PHI) (45 CFR 164.312). It does not mandate particular products, but those standards are typically met with the following in an IAM program or solution:

  • The use of single sign-on (SSO)
  • Identity management that integrates health care business partners
  • Centralized access governance that pertains to the entire provider network
  • Automated access logging that tracks access to patient data
  • Automated reports for compliance auditing purposes.

The California Consumer Privacy Act (CCPA)

The CCPA applies to for-profit businesses that collect personal information from California consumers and meet one of its thresholds, the best known being $25 million or more in annual gross revenue. It does not prescribe IAM features, but honoring consumers' access and deletion requests and maintaining reasonable security in practice requires:

  • Identity management capable of linking consumers with their data and privacy requests
  • Access governance that tells a company where its data is located and who can access it
  • Multi-factor authentication
  • Centrally administered identity governance and access management.

Putting It All Together

Identity and access management tools are important. But in the end, you need someone—or something—to make sure you’re meeting your compliance needs, monitoring and managing risks, keeping track of third-party access and risks, managing workflows, and keeping a well-organized document trail for use come audit time.

Our ZenGRC software-as-a-service (SaaS) can step up your IAM game during the COVID-19 crisis by performing these compliance and audit tasks for you automatically, so you don't have to. And our ZenConnect companion software lets you delve into activity on your enterprise applications for a complete, integrated risk and compliance picture that includes IAM.

You’ve got enough on your plate right now. Why not take the Zen approach to risk and compliance management? To learn more about GRC that’s worry-free, contact us today for your free consultation.
