User Authentication & Privilege: A Guide
Users on a network need to be identifiable, verifiable, and limited. Just as parts of your premises are only open to certain members of the team, your digital environment has areas that should be off limits to some users.
What is authentication?
You must be able to identify whether the users and devices on your network are supposed to be there, and whether they are who they say they are. Like a building security guard, you want a list of the people who should hold building keys (passwords) and the ability to check that they carry valid ID when asked (MFA, multi-factor authentication). You should also be able to turn away anyone who does not present the correct credentials and ID.
Authentication: passwords.
You should have a password policy document that sets out your requirements for complexity, creation, resetting, and storage, and it must be brought to the attention of all users. Password managers help users create long, unique passwords and store them securely. Your IT team can also enforce password complexity centrally for many devices and applications from the admin console; if you suspect users are not complying with the written policy, technical enforcement is the option that does not depend on goodwill.
Authentication: MFA
All users must use MFA for remote access to the network; nobody should be able to get in or out of your digital environment without being authorized. If the password is your building key, MFA is the video doorbell or photo ID check confirming that the person holding the key is the person you authorized. MFA must be rolled out universally to be effective: any account left without it is the one a threat actor will target, so a partial rollout only moves the problem. If users decline to use MFA, the consequence should be loss of their remote access to the network.
User privileges.
User accounts should only have access to what is essential for performing their roles. This is referred to as "the principle of least privilege" (PoLP). Ordinary users should not have access to sensitive data or systems. Privileged users who do have that access should be documented and must undertake additional training to equip them for the additional cyber security threats they face. You must have rules and processes for granting additional privileges, review account privileges regularly, and have a process to revoke privileges quickly in an emergency.
Service account privileges.
Service accounts are accounts with no human user behind them. You will typically have them on your network performing repeating technical tasks such as the regular network backups. Because nobody is watching a service account day to day, they are an attractive target: they tend to carry long-lived credentials, and misuse is slow to be noticed. Your IT team should review service accounts regularly to stop them becoming over-privileged, and ensure that interactive logins are disabled for them by default.
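The two checks the guide asks for in the privilege and service-account sections above (is any service account over-privileged, and can any of them log in interactively) can be scripted. The following POSIX shell audit is an added example written for this page, not something from the original guide. It assumes Linux-style /etc/passwd and /etc/group layouts, the common convention that system and service accounts use UIDs below 1000 (SYS_UID_MAX in /etc/login.defs), and an assumed list of admin-equivalent groups; the sample files are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added audit example (not from the original guide). Flags service accounts
# that still have an interactive shell, and service accounts that sit in a
# privileged group. Assumes Linux-style passwd/group files.

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
svc-monitor:x:998:998:monitoring agent:/var/lib/monitor:/bin/sh
svc-cron:x:999:999:scheduled jobs:/nonexistent:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,svc-monitor
wheel:x:10:root
backup:x:34:
docker:x:997:svc-cron,bob'

SYS_UID_MAX=999                           # assumption: see SYS_UID_MAX in /etc/login.defs
PRIV_GROUPS='root sudo wheel docker adm'  # assumption: groups that grant admin-equivalent rights

# Service accounts (UID 1..SYS_UID_MAX, root excluded) whose login shell is
# not nologin/false, i.e. an interactive login would succeed if the password
# or key were known. Reads passwd content from stdin, prints one name per line.
service_accounts_with_shell() {
    awk -F: -v max="$SYS_UID_MAX" '
        $3 >= 1 && $3 <= max && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Every supplementary member of a privileged group, as "group:user" lines.
# Reads group content from stdin. Primary GIDs (passwd field 4) are not
# checked here.
privileged_members() {
    awk -F: -v groups="$PRIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) priv[g[i]] = 1 }
        ($1 in priv) && $4 != "" {
            m = split($4, users, ",")
            for (i = 1; i <= m; i++) print $1 ":" users[i]
        }'
}

# Service accounts that also appear in a privileged group: the over-privileged
# service accounts the review is meant to catch. Arguments: passwd content,
# group content. Prints "user (group)" lines.
overprivileged_service_accounts() {
    passwd=$1
    group=$2
    printf '%s\n' "$passwd" |
        awk -F: -v max="$SYS_UID_MAX" '$3 >= 1 && $3 <= max { print $1 }' |
        while IFS= read -r svc; do
            printf '%s\n' "$group" | privileged_members |
                awk -F: -v u="$svc" '$2 == u { print u " (" $1 ")" }'
        done
}

# Human-readable report over the constructed sample data.
audit() {
    echo "Service accounts with an interactive shell (should be nologin/false):"
    printf '%s\n' "$SAMPLE_PASSWD" | service_accounts_with_shell | sed 's/^/  /'
    echo "Service accounts in privileged groups:"
    overprivileged_service_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP" | sed 's/^/  /'
}

audit
```

On a real host, replace the sample strings with the contents of /etc/passwd and /etc/group (or the output of `getent passwd` and `getent group` if accounts come from a directory), and adjust SYS_UID_MAX and PRIV_GROUPS to match the distribution and whatever groups carry admin rights in your environment. The same two questions apply to directory-based service accounts on Windows, where the equivalent review is over interactive logon rights and membership of administrative groups.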
Acceptable Use Policies (AUP).
Rules around how privileges are assigned and how authentication is implemented should be outlined in your “Acceptable Use Policy” (AUP). Set out what the rules are for how your organization authorizes users on the network, and expectations around responsible use of privileged access. You should also set out the consequences for not adhering to organizational policies on authentication and for abusing privileges.
Authentication, privileges, and insurance.
Not being able to verify that your users are where they should be, and are who they say they are, is high risk behavior and is looked upon poorly by insurers. Technologies such as MFA have been commonplace for years, and most insurers will be inclined to decline cover in part or in whole to applicants who do not have strong authentication such as MFA comprehensively rolled out to their users.
Checklist
When reviewing authentication and privileges, consider:
- Ensure the rules and requirements for accessing the network are documented for users.
- Roll out MFA across all users, leaving no gaps.
- Limit users to the principle of least privilege: only what they need to access for their role.
- Have documented processes in place for granting and revoking additional privileges.
- Document a Password Policy and AUP and distribute them to all users for signing.
- Check that your service accounts are not over-privileged and do not allow interactive logins by default.