
October 17. Access Control: Managing User Privileges
In cybersecurity, access control for users is about ensuring that only authorised individuals can access specific systems, applications, and data, and only to the extent necessary for their role. This principle is often referred to as the "principle of least privilege" – granting users the bare minimum permissions required to perform their job functions, and nothing more.
Why is managing user access so critical?
- Minimising Attack Surface: Limiting access reduces the number of entry points an attacker can exploit.
- Containing Breaches: If a regular user account is compromised, the damage an attacker can inflict is restricted compared to compromising an administrator account.
- Reducing Insider Threats: It helps prevent unauthorised data access or malicious activity by disgruntled or careless employees.
- Ensuring Compliance: Many regulatory frameworks require strict access controls to protect sensitive data.
- Improving Accountability: Clear access logs help track who accessed what, and when.
Key aspects of user access control:
- Unique User IDs and Strong Authentication:
  - Every user should have a unique ID.
  - Enforce strong password policies and mandatory Multi-Factor Authentication (MFA) for all user accounts, especially for administrators and those with access to sensitive data.
- Principle of Least Privilege:
  - Users should only have access to the data and systems absolutely necessary for their role. Don't give everyone administrative rights "just in case."
  - Regularly review user permissions to ensure they are still appropriate for each user's current role, and make this review part of your onboarding and leavers process.
- Role-Based Access Control (RBAC):
  - Define roles (e.g., "HR Manager," "Marketing Coordinator") and assign specific permissions to each role.
  - Assign users to roles rather than granting individual permissions; this simplifies management and ensures consistency.
- Segregation of Duties:
  - Divide critical tasks among multiple users so that no single individual has complete control over a process. This prevents fraud and errors.
- Regular Account Reviews:
  - Periodically review all user accounts. Disable or remove accounts for terminated employees immediately, and make this part of your leavers procedures.
  - Identify and remove "dormant" or inactive accounts that could be exploited.
- Privileged Access Management (PAM):
  - Implement specialised solutions to secure and monitor highly privileged accounts (e.g., system administrators, root accounts), which are prime targets for attackers.
- Audit Logs and Monitoring:
  - Maintain detailed logs of user access and activities. Regularly review these logs for suspicious patterns or unauthorised access attempts. Keep a log of any changes to admin accounts.
By meticulously managing user access, organisations create a more secure environment, significantly reducing the risk of both external breaches and internal misuse of data. It's a cornerstone of any robust cybersecurity program.
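As an added example (not code from the original post), the following Python models the controls listed above: an RBAC role-to-permission map with a default-deny access check, a segregation-of-duties rule between roles, and a periodic account review that flags leavers whose accounts are still enabled, dormant accounts, and conflicting role combinations. The role names, permissions, accounts and dates are constructed for illustration and are assumptions, not taken from the page.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): an RBAC role-to-permission map.
ROLE_PERMISSIONS = {
    "hr_manager": {"read:staff_records", "write:staff_records"},
    "payroll_clerk": {"read:staff_records", "submit:payment"},
    "finance_approver": {"approve:payment"},
    "global_admin": {"*"},  # wildcard: every permission; keep these accounts few
}
# Segregation of duties: role pairs one person must never hold together,
# e.g. submitting and approving the same payment.
SOD_CONFLICTS = [frozenset({"payroll_clerk", "finance_approver"})]
# Constructed accounts: assigned roles, last login, and whether the person has left.
ACCOUNTS = [
    {"user": "alice", "roles": {"hr_manager"}, "last_login": date(2025, 10, 10), "leaver": False},
    {"user": "bob", "roles": {"payroll_clerk", "finance_approver"}, "last_login": date(2025, 10, 1), "leaver": False},
    {"user": "carol", "roles": {"global_admin"}, "last_login": date(2025, 3, 2), "leaver": False},
    {"user": "dave", "roles": {"hr_manager"}, "last_login": date(2025, 9, 30), "leaver": True},
]
REVIEW_DATE = date(2025, 10, 17)  # constructed date of this review run

def permissions_for(account):
    """Effective permissions: the union of the permissions of the account's roles."""
    perms = set()
    for role in account["roles"]:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(account, permission):
    """Deny by default: allow only when a role grants the permission (or the wildcard)."""
    perms = permissions_for(account)
    return "*" in perms or permission in perms

def review_accounts(accounts, today=REVIEW_DATE, dormant_days=90):
    """Periodic review: flag leavers still enabled, dormant logins and SoD conflicts."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if acct["leaver"]:
            findings.append((acct["user"], "leaver_still_active"))
        if acct["last_login"] < cutoff:
            findings.append((acct["user"], "dormant"))
        for pair in SOD_CONFLICTS:
            if pair <= acct["roles"]:
                findings.append((acct["user"], "sod_conflict:" + "+".join(sorted(pair))))
    return findings

if __name__ == "__main__":
    for user, issue in review_accounts(ACCOUNTS):
        print(f"{user}: {issue}")
```

Each finding maps to an action from the list above: disable the leaver, remove or re-verify the dormant account, and split the conflicting roles between two people.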
Notes for schools or colleges
Regularly reviewing access control in line with job roles ensures that only those who require access to data and systems have it. The DfE Meeting Digital and Technology Standards in Schools and Colleges document advises that accounts should only have the access they require to perform their role and should be authenticated to access data and services.
In the DfE Cloud Solutions Standards there is further guidance about access management, particularly around centralising control over user access and permissions.
Successful cyber attacks target the user accounts with the widest access and highest privileges on a network, because compromising them gives the widest impact and reaches the most sensitive data and information. You should limit both the number of network and global administrator accounts and the access each one has.
If a single staff member controls account access, then another senior school staff member or governor should approve that staff member's own account.
Use different accounts with specific rights for different purposes, or have IT service providers and administrators enable just-in-time access, giving individuals time-limited privileges as required.
Review: NCSC Identity and Access Management
💡Today's Cyber Tip: Secure Offboarding – Don't Forget Leavers' Access!
When an employee or volunteer leaves your organisation, securing their access is just as crucial as onboarding them. Today's tip is: ensure your leavers' procedures include immediate and comprehensive removal of all digital access.
This means revoking network logins, disabling email accounts, removing access to shared drives and cloud services, and if applicable, deactivating physical access cards. Failing to promptly remove access creates significant security gaps, potentially allowing former personnel or even external attackers to access sensitive data long after they've left.