How to provide secure access practices for a business application?

Semih Yılmaz
Published in hepsiburadatech
5 min read, Dec 14, 2020

A magical question for every organization, because hardly any organization carries on its business without an application.

Organizations rely on a variety of business applications to conduct their work with ease, stay competitive in the field and maximize their gains. So what happens if an application that provides these comforts has a weak access security posture? It can erase the very advantages gained from its existence and use.

To cure these improper access practices, we propose a model in several steps. Anyone who wants to grasp the topic quickly should have a look at the first image, "the dark one", which shows the "Curses" of an application, and at the second, which displays the "Blisses". For further details and the reasoning behind our model, please read the text below the images.

Never forget that you can discover additional items for the list. As the old saying goes, "ars longa, vita brevis". 🦉 That is why we mention only a couple of them, since time matters. Still, we would be delighted if you shared yours with us. Cheers. ✌️

Image 1. Curses
Image 2. Blisses

Locating the application — the key point for access is where the application resides. If everyone on the internet can reach it, all other security practices can fall to a single weak password, shared credentials, a leaked password reused for an account, or an unnecessary account that was never revoked. When people also use their personal devices with powerful rights, your enterprise data is surely in danger.

  • If possible, apply multi-factor authentication to prevent an access breach.
  • If not, restrict application access to your enterprise IP range. Treat this as a fallback rather than a substitute: it only narrows who can reach the login page, and does nothing against stolen credentials used from inside that range.

Defining accounts — the second vital factor is the directory in which accounts are created and authorized. When applications use different sources for account creation, you have inconsistencies and cannot decide which one reflects real usage activity. You also have to govern each of them separately. Do not pretend that directories only contain employee accounts: there are also vendors, third parties, integration accounts for services, and maybe public personal accounts (Gmail, Yahoo, Outlook etc.). All of these are obstacles to be tackled. Questions arise such as "Has the vendor contract expired, or has the person left the job?" and "Who knows the credentials of the integration account?"

  • If possible, build a single account directory, a "source of truth", to provide standardized account management.
  • Disable generic and personal account definitions; grant everyone a unique account subject to password complexity policies.

Admin rights — this is the knife that cuts its owner 😅 if you do not perform enough diligence. In nearly all applications, an admin can grant administrative privileges to any other account. In the IT realm, being an admin is a status symbol in this jungle. 🙈 I absolutely guarantee you will hear dialogues like "He is an admin, why am I not?" If this is the approach, do not be surprised to end up with an excessive number of administrator accounts. When being an admin is an ordinary thing, even a third party can become an admin. It reminds me of a quote from one of my favorite movies, Goodfellas: "He is a good fella, one of us."

  • If possible, only a single super admin account should be able to grant admin rights.
  • Allow only the few accounts that genuinely require it to hold admin rights.
  • Grant third parties admin rights only for the specific period they need, since you may otherwise forget to revoke them.

Powerful actions — an admin is not an admin because its name is admin, but because of its privileges. Likewise, when a user defined in an application has critical actions (download, edit etc.) and access to valuable data by default, it is also a powerful account. Another nail in the coffin!

  • If possible, expose critical data and actions only to the accounts that require them and are privileged, not to ordinary ones.
  • Deny uncontrolled data changes and data exports from the application. When these are considered routine business operations, you lose any grip on the actual security situation.

Authorizing accounts — Yep! This one is easy. A requester, an approver and a grantor walk into a bar. The requester and the approver are on the same side and own the place. They all drink like sponges, but at the end of the night the grantor pays the bill. In short, a requester cannot be an approver. Oh my god, I have to say it! If you are an access grantor, you will face requests that try to bypass approval altogether. As if you were not granting access but selling drugs in jail.

  • An access request should be made through a defined communication path and approved by the data owner.
  • If possible, grant access by adding the user to an access profile; if not, define the access requirements for that account specifically. When rights are copied from an existing user account, you may grant additional, unnecessary access rights.
  • You can also use a pre-approved access-right schema in order to grant access easily.
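To make the three-role rule concrete, here is an added Python example (not from the original post, and not any product's code) that encodes it: a grant goes through only when requester, approver and grantor are three different people and the approver is the data owner of everything the profile touches, and a second function shows the over-grant that copying an existing user produces. The profiles, data owners, right names and account names are constructed for illustration.

```python
"""Access-request workflow with separation of duties and profile-based grants.

Added example for this article, not the author's or any product's code.
Profiles, data owners, accounts and right names are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical access profiles: the rights one job function needs and no more.
PROFILES = {
    "finance-analyst": {"reports:read", "invoices:read"},
    "finance-manager": {"reports:read", "invoices:read", "invoices:approve", "reports:export"},
    "warehouse-clerk": {"stock:read", "stock:edit"},
}

# Hypothetical data owners: the only people who may approve access to a resource family.
DATA_OWNERS = {"reports": "cfo", "invoices": "cfo", "stock": "ops-lead"}


@dataclass
class Account:
    name: str
    rights: set = field(default_factory=set)


class SeparationOfDutiesError(Exception):
    """Raised when one person plays two roles, or the approver is not the data owner."""


def grant_profile(requester: Account, approver: str, grantor: str, profile: str) -> set:
    """Grant `profile` to `requester` only if requester, approver and grantor are
    three different people and the approver owns every resource the profile touches.
    Returns the account's rights after the grant."""
    if len({requester.name, approver, grantor}) != 3:
        raise SeparationOfDutiesError("requester, approver and grantor must be three different people")
    rights = PROFILES[profile]
    owners = {DATA_OWNERS[right.split(":")[0]] for right in rights}
    if owners != {approver}:
        raise SeparationOfDutiesError(f"approval must come from the data owner(s): {sorted(owners)}")
    requester.rights |= rights
    return set(requester.rights)


def excess_from_copy(template: Account, needed_profile: str) -> set:
    """The anti-pattern the text warns about: provisioning a newcomer by copying an
    existing user. Returns the rights the copy would carry beyond what the needed
    profile actually requires."""
    return template.rights - PROFILES[needed_profile]


if __name__ == "__main__":
    alice = Account("alice")
    print(sorted(grant_profile(alice, approver="cfo", grantor="it-ops", profile="finance-analyst")))
    bob = Account("bob", set(PROFILES["finance-manager"]))
    # Copying bob to onboard an analyst would hand over approve and export rights too.
    print(sorted(excess_from_copy(bob, "finance-analyst")))
```

The ownership check compares the set of owners with `{approver}` rather than testing membership, so a profile spanning two owners' data fails closed until the request is split, which is the behaviour you want for cross-team access.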

Leaves, rotations and terminations — believe me, this is not as easy as you might imagine. Access revocation is not performed only when a job ends, but also for organizational changes, departmental changes and transfers, promotions, annual leave, vacations (sometimes combined with national holidays and festivals), pregnancy and maternity leave, bereavement leave, sick leave, investigations, suspension from work etc. Be prepared for all of these in order to conduct successful account management. I should fairly state that I really appreciate people for their generous credential sharing while they are on leave. Such a marvelous thing. Besides, after a couple of departmental changes where the previous access rights were never revoked, some people become a Super Mario who has eaten a magic mushroom: not just breaking everything in his way, but making you afraid that Mario will come out of the television next to you and beat you up.

  • All these organizational changes are recorded by the HR department; you should receive that information from HR in a timely manner.
  • Revoke access promptly and prevent account sharing in these cases, for accountability purposes.
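An added Python example, not part of the original post, of the HR-to-directory reconciliation these two bullets call for: it compares a constructed HR feed (with a leaver, a person on leave and a transferred employee whose old rights were never revoked) against a directory snapshot and lists the disable, suspend and revoke actions, plus a review item for an account HR has never heard of. The department profiles, HR records, accounts and right names are all constructed.

```python
"""Joiner/mover/leaver reconciliation of an HR feed against an application directory.

Added example for this article, not the author's or any HR/IAM product's code.
The HR records, department profiles, accounts and rights are constructed.
"""
from datetime import date

# Hypothetical standard profile per department: the rights a person there should hold.
DEPT_PROFILE = {
    "finance": {"reports:read", "invoices:read"},
    "warehouse": {"stock:read", "stock:edit"},
}

# Constructed HR feed, one record per person. `leave_until` is None when not on leave.
HR_FEED = [
    {"user": "alice", "dept": "finance", "status": "active", "leave_until": None},
    {"user": "bob", "dept": "finance", "status": "active", "leave_until": date(2020, 12, 20)},
    {"user": "carol", "dept": "finance", "status": "terminated", "leave_until": None},
    # dave transferred from warehouse to finance; his warehouse rights were never revoked
    {"user": "dave", "dept": "finance", "status": "active", "leave_until": None},
]

# Constructed directory snapshot: account -> whether it is enabled and what it may do.
DIRECTORY = {
    "alice": {"enabled": True, "rights": {"reports:read", "invoices:read"}},
    "bob": {"enabled": True, "rights": {"reports:read", "invoices:read"}},
    "carol": {"enabled": True, "rights": {"reports:read"}},
    "dave": {"enabled": True, "rights": {"stock:read", "stock:edit", "reports:read", "invoices:read"}},
    "svc-integration": {"enabled": True, "rights": {"invoices:read"}},  # no HR record at all
}


def reconcile(hr_feed, directory, today):
    """Compare the directory with HR and return the actions the access team must take,
    as (account, action, detail) tuples. Leavers are disabled, people on leave are
    suspended, movers lose the rights their new department's profile does not need,
    and accounts HR knows nothing about are flagged for review."""
    hr_by_user = {rec["user"]: rec for rec in hr_feed}
    actions = []
    for account, entry in directory.items():
        rec = hr_by_user.get(account)
        if rec is None:
            actions.append((account, "review", "no HR record: orphan or non-personal account"))
            continue
        if rec["status"] == "terminated":
            if entry["enabled"]:
                actions.append((account, "disable", "leaver"))
            continue
        if rec["leave_until"] is not None and rec["leave_until"] >= today and entry["enabled"]:
            actions.append((account, "suspend", f"on leave until {rec['leave_until'].isoformat()}"))
        stale = entry["rights"] - DEPT_PROFILE[rec["dept"]]
        if stale:
            actions.append((account, "revoke", sorted(stale)))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_FEED, DIRECTORY, today=date(2020, 12, 14)):
        print(*action)
```

Run daily against the HR export, this is the mechanism that turns "HR should inform you" into something that does not depend on anyone remembering to send an e-mail; the review item for accounts without an HR record is what surfaces the integration and vendor accounts mentioned earlier.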

👁 Check — as the old saying goes, "Maradona is good, Pele better, George Best." Oh no, let's correct the phrase: "Trust is good, control is better." And I cannot stop myself adding: "Doing your own job is BEST."

  • In fact, good access management practices include regularly checking the access rights you have granted.
  • Record, store and preserve events, and prevent log manipulation.
  • To learn of incidents in time, create an alerting mechanism for highly important access and authorization operations (a revoked account trying to log in, someone being granted privileged access etc.).
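An added Python example, not from the original post, covering the last two bullets together: a hash chain over stored log lines that makes any edit, deletion or truncation detectable, and a detector run over constructed log lines that raises exactly the two alerts named above, distinguishing an admin grant made by the designated super admin from one made by anyone else. The log format, the sample events, the revoked-account list and the super admin's name are all constructed.

```python
"""Tamper-evident access log plus alerting on high-risk access events.

Added example for this article, not the author's or any SIEM's code. The log
format, sample lines, revoked-account list and allowed grantor are constructed.
"""
import hashlib
import re

# Constructed log lines: "<timestamp> <EVENT> key=value ...".
SAMPLE_LOG = """\
2020-12-14T09:01:12Z LOGIN user=alice result=ok
2020-12-14T09:03:40Z LOGIN user=carol result=fail reason=disabled
2020-12-14T09:05:02Z GRANT user=eve by=bob role=admin result=ok
2020-12-14T09:06:30Z GRANT user=frank by=bob role=viewer result=ok
2020-12-14T09:07:11Z LOGIN user=carol result=fail reason=disabled
2020-12-14T09:08:00Z GRANT user=henry by=superadmin role=admin result=ok
2020-12-14T09:09:45Z GRANT user=gary by=eve role=admin result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<kv>.*)$")

REVOKED = {"carol"}              # accounts already disabled in the directory
ADMIN_GRANTORS = {"superadmin"}  # the single account allowed to hand out admin rights
PRIVILEGED_ROLES = {"admin"}


def hash_chain(lines, seed="constructed-seed"):
    """One digest per line, each covering the previous digest and the line, so that
    editing, deleting or reordering a stored line invalidates every later digest.
    Keep the digests (or at least the last one) somewhere the application cannot write."""
    digests, prev = [], hashlib.sha256(seed.encode()).hexdigest()
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered(lines, stored_digests, seed="constructed-seed"):
    """Index of the first line whose digest no longer matches, or None if the log is intact.
    A log that has been truncated or extended fails at the first index that is missing."""
    for i, (got, want) in enumerate(zip(hash_chain(lines, seed), stored_digests)):
        if got != want:
            return i
    return None if len(lines) == len(stored_digests) else min(len(lines), len(stored_digests))


def parse(line):
    """Split one log line into a dict of its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"ts": m["ts"], "event": m["event"], **fields}


def detect(log_text):
    """Return (timestamp, alert, detail) for a revoked account trying to log in and for
    any account being granted a privileged role; grants by anyone other than the
    designated super admin are labelled as unauthorized."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "LOGIN" and ev.get("user") in REVOKED:
            alerts.append((ev["ts"], "revoked-account-login", ev["user"]))
        elif ev["event"] == "GRANT" and ev.get("role") in PRIVILEGED_ROLES and ev.get("result") == "ok":
            kind = "admin-granted" if ev.get("by") in ADMIN_GRANTORS else "admin-granted-by-unauthorized"
            alerts.append((ev["ts"], kind, f"{ev.get('user')} by {ev.get('by')}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Two failed logins from a disabled account are harmless on their own, which is why the detector still reports each one: a revoked employee or a script that still holds their credentials is exactly the signal the revocation process needs to see. The chained digests only help if they are stored out of reach of the application's own service account; otherwise whoever can edit the log can recompute the chain.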

So many thanks for your time, I hope you enjoyed it. 🙏
