Best Practices for User Access Management

Does your organization have effective policies in place that limit internal access to information? Click here to learn more about user access management.

by Christian Lappin · Aug. 13, 18 · Analysis

Many organizations have policies in place that restrict internal access to information, but are they truly optimized for security and efficiency? In an age of sophisticated, ever-evolving infrastructure and equally sophisticated attacks, it’s time to get serious about user access management. In order to do so, you’ll need to take a SecOps approach, automating processes wherever possible and prioritizing strong security that is built in from the start. In this way, you can reduce the risk of human oversight and ensure that the correct policies are being followed consistently.

With the right user access management system in place, you can decrease costs and increase efficiency when it comes to hiring, onboarding, and security. Read on for best practices to help get you there.

Set up Centralized Authentication and Identity Management

With today’s infrastructure spread across different cloud service providers (CSPs), cloud servers, containers, and SaaS providers, a centralized system of identity management has never been more critical. Assigning a separate identity management protocol to each IT resource would not only waste your security team’s precious time; it would also pose a significant risk to your systems.

Single sign-on (SSO) simplifies user authentication by issuing one set of credentials that grants access to multiple applications, which in turn makes logging user activity and monitoring accounts easier. To secure SSO services, however, it’s important to choose a well-established provider that has been vetted in the industry and to require two-factor (2FA) or multi-factor authentication (MFA).

In order to use SSO, you’ll first need to make sure that user data is stored in a secure and organized manner. Hence, there is a growing need for a strong directory service. Perhaps, the best known of these protocols is LDAP, which is what we use at Threat Stack. Other protocols that work with SSO services include Kerberos and the Security Assertion Markup Language (SAML).

These solutions integrate user access management across your cloud and on-prem infrastructure so you have a single identity across all systems. The result is more streamlined and secure identity management.

Segment Your Network Into Role-Based Groups

Even the least security-savvy organizations know that it’s probably not the best idea to give administrator-level access to everyone in the office. But, living out the principle of least privilege is often easier said than done. The principle of least privilege should not only be top of mind and modeled into policies — it should also be embedded into tools and day-to-day processes.

Handling security administration manually is quite difficult, as administrators would need to specify access control lists for each user on the system individually. It’s a time-consuming and costly effort that is prone to error.

Role-based access control (RBAC), on the other hand, allows you to assign users to a role and to assign privilege based on the assigned role. While an administrator writes policies that handle the assignment of roles, a good, automated system could handle complexities that arise due to mutually exclusive roles or role hierarchies. What’s more, certain systems could grant temporary access to people or groups, if access is only needed for a limited amount of time. In keeping with the principle of least privilege, each role-based group is only given the minimum access necessary so members can do their jobs effectively.

Since RBAC allows you to easily implement roles across operating systems, it reduces the need for much of the paperwork and password changes that come with employee onboarding, thereby significantly cutting down on costly and time-consuming administrative tasks. RBAC also serves to maximize operational efficiency by streamlining your access controls.

Apply RBAC to the Provisioning of Infrastructure Resources

Much of what we talk about when we discuss SecOps maturity is automation, and that’s because automation reduces the potential for human error. Nowhere is that truer than with the provisioning of new infrastructure resources.

Whether provisioning 50 or 1,000 AWS instances, humans make mistakes. Suddenly, a junior engineer finds himself with administrator access to a critical part of your infrastructure, and the principle of least privilege has gone out the window.

To be far more secure, we need to create a ruleset once, write it down, and provision new resources across servers with the push of a button. That’s where automation via configuration management comes into play. Tools such as Chef, Puppet, Ansible, and Salt dramatically reduce the human element and replace it with repeatable processes that are less time-consuming and more cost-effective — not to mention far more secure.

Most of these tools use RBAC to determine whether a user is authorized to perform a certain action, which is one more way to ensure that user access management best practices are being followed. For example, Chef follows this authorization process:

  1. Check whether the user has permission to the object type.
  2. If the answer is no, recursively check whether the user is a member of a security group that has permission to that object.
  3. If the answer is yes, allow the user to perform the action.
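As an added example (not code from the article, from Chef, or from Threat Stack), the following Python models the checks the last two sections describe: a role hierarchy, a mutually exclusive role pair, time-limited grants, and the Chef-style order of checking the user's own permissions before recursively checking group membership. All roles, users, groups and times are constructed for the demo.

```python
from datetime import datetime, timezone
# Constructed sample policy (not Chef's and not from the article).
ROLE_PARENTS = {"admin": {"operator"}, "operator": {"viewer"}, "auditor": {"viewer"}}
ROLE_PERMS = {"viewer": {"read"}, "operator": {"deploy"}, "admin": {"grant"}, "auditor": {"audit"}}
EXCLUSIVE = [{"operator", "auditor"}]  # separation of duty: whoever deploys must not audit deploys
GRANTS = {  # principal -> [(role, expiry or None)]; a principal is a user or a group
    "alice": [("auditor", None)],
    "ops": [("operator", None)],
    "bob": [("admin", datetime(2018, 8, 14, tzinfo=timezone.utc))],  # temporary elevation
}
GROUP_MEMBERS = {"ops": {"carol", "sre-leads"}, "sre-leads": {"dave"}}  # groups may nest
NOW = datetime(2018, 8, 13, tzinfo=timezone.utc)  # constructed "current time" for the demo

def expand_roles(roles):
    """Close a set of roles under the hierarchy: admin implies operator implies viewer."""
    out, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in out:
            out.add(r)
            stack.extend(ROLE_PARENTS.get(r, ()))
    return out

def check_exclusive(roles):
    """Violated separation-of-duty pair for a proposed role set (inherited roles count), or None."""
    effective = expand_roles(roles)
    return next((pair for pair in EXCLUSIVE if pair <= effective), None)

def active_roles(principal, now):
    """Roles granted directly to a principal whose expiry has not passed."""
    return {role for role, exp in GRANTS.get(principal, []) if exp is None or now < exp}

def groups_of(user):
    """All groups a user belongs to, directly or through nested groups (cycle-safe)."""
    found, stack = set(), [user]
    while stack:
        p = stack.pop()
        new = {g for g, members in GROUP_MEMBERS.items() if p in members} - found
        found |= new
        stack.extend(new)
    return found

def permissions(principal, now):
    """Permissions a principal holds at `now`, via its active roles and their ancestors."""
    return {p for r in expand_roles(active_roles(principal, now)) for p in ROLE_PERMS.get(r, ())}

def authorized(user, action, now):
    """Chef-style order: the user's own grants first, then each group the user is in."""
    return any(action in permissions(p, now) for p in [user, *groups_of(user)])
```

Calling `check_exclusive` at role-assignment time is what keeps an administrator from accidentally combining roles the policy says must stay apart, while `authorized` is the runtime check a provisioning tool would run per action.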

Final Thoughts

Replacing time-consuming and costly ad hoc processes with automation eliminates (or at least drastically reduces) the potential for human error, thereby significantly decreasing your organization’s risk. As the gatekeeper, of sorts, to your systems, user access management is a logical area to focus on to begin your journey towards SecOps maturity. After all, preventing unauthorized access is half the battle.

To learn more about integrating security into your DevOps workflows for user access management and across all areas of your business, download a copy of our SecOps Playbook now.

Published at DZone with permission of , DZone MVB. See the original article here.