At a high level, account management is the process of ensuring that an organization only provisions accounts that are authorized to access its data or infrastructure. Remember that this effort goes beyond accounts for staff – think vendor access, contractors, service accounts for background tasks, API keys for system integrations, etc.
Consider the following safeguards when starting an account management effort:
Create an inventory of accounts - Include information such as the user’s full name, role, username, department, account status, account platform, etc. Review the inventory regularly (quarterly or more frequently).
Enforce unique and strong passwords - Best practice is a minimum password length of 14 characters. If possible, also enforce multi-factor authentication (MFA).
Disable dormant accounts - After reviewing the account inventory, deactivate accounts that are no longer in use. If your systems allow it, automatically disable accounts that show no login activity for 45 days.
Use the “least privilege” approach - Routine daily business tasks should be done from a non-privileged (non-admin) user account. Reserve administrative permissions for dedicated IT staff, not the general user base.
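The four safeguards above amount to a recurring review of the account inventory against a few fixed thresholds. The following script is an added example (not code from the original post) that runs that review over a constructed inventory: it flags active accounts with no login in 45 days, accounts without MFA, admin roles held outside IT, platforms whose enforced password minimum is below 14 characters, and an inventory review that is overdue. The `Account` fields, the `ADMIN_DEPARTMENTS` set, and all sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the safeguards above.
DORMANT_DAYS = 45               # disable after this many days without a login
MIN_PASSWORD_LENGTH = 14        # minimum enforced password length
REVIEW_INTERVAL_DAYS = 90       # inventory review at least quarterly
ADMIN_DEPARTMENTS = {"IT"}      # assumption: only dedicated IT staff hold admin roles


@dataclass
class Account:
    """One row of the account inventory (field set is an assumption for this example)."""
    username: str
    full_name: str
    role: str               # "user", "admin", "service", "vendor", ...
    department: str
    platform: str
    status: str             # "active" or "disabled"
    last_login: Optional[date]
    mfa_enabled: bool


def is_dormant(account: Account, today: date) -> bool:
    """True when the account never logged in or has not done so within DORMANT_DAYS."""
    if account.last_login is None:
        return True
    return (today - account.last_login).days > DORMANT_DAYS


def review_accounts(accounts, today):
    """Return sorted (username, finding) pairs for every active account that needs action."""
    findings = []
    for a in accounts:
        if a.status != "active":
            continue  # already disabled; nothing further to do
        if is_dormant(a, today):
            findings.append((a.username, "dormant: disable"))
        if not a.mfa_enabled:
            findings.append((a.username, "mfa not enabled"))
        if a.role == "admin" and a.department not in ADMIN_DEPARTMENTS:
            findings.append((a.username, "admin rights outside IT"))
    return sorted(findings)


def weak_password_platforms(policies):
    """Platforms whose enforced minimum password length is below MIN_PASSWORD_LENGTH."""
    return sorted(p for p, n in policies.items() if n < MIN_PASSWORD_LENGTH)


def review_overdue(last_review: date, today: date) -> bool:
    """True when the inventory has not been reviewed within REVIEW_INTERVAL_DAYS."""
    return (today - last_review).days > REVIEW_INTERVAL_DAYS


# Constructed sample inventory and platform policies (not real data).
TODAY = date(2024, 6, 1)
LAST_REVIEW = date(2024, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", "user", "Finance", "AD", "active", date(2024, 5, 30), True),
    Account("svc-backup", "Backup job", "service", "IT", "AD", "active", date(2024, 5, 31), False),
    Account("vendor-acme", "ACME support", "vendor", "Facilities", "VPN", "active", date(2024, 2, 1), True),
    Account("bsmith", "Bob Smith", "admin", "Sales", "AWS", "active", date(2024, 5, 29), True),
    Account("old-intern", "Former intern", "user", "Marketing", "AD", "disabled", None, False),
]
SAMPLE_POLICIES = {"AD": 14, "AWS": 14, "VPN": 8}  # enforced minimum password length per platform

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:12} {finding}")
    print("platforms below 14-char minimum:", weak_password_platforms(SAMPLE_POLICIES))
    print("inventory review overdue:", review_overdue(LAST_REVIEW, TODAY))
```

In practice the inventory would be exported from the directory, cloud console, or integration platform rather than typed in, but the checks stay the same: the review is only as good as the inventory behind it, so the export should cover service accounts, vendor logins, and API keys as well as staff users.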
Benefit: This approach fosters good “IT hygiene” by controlling access credentials. It enables the detection of rogue or unauthorized accounts in the environment and gives a clear overview of which platforms hold which kinds of accounts.
Have questions? Schedule a 20-minute call: https://tiny.proactivediscovery.com/book-cyber-call