User access management is a key component of information security management. Giving authorized users access to your information systems and data, while locking out unauthorised users, helps ensure your data remains confidential.
Robust User Access Management
Robust user access management ensures your systems are only accessed by people with a legitimate access need. Some users will need full access to all your systems, whereas partial access will suffice for all but the most high-level users. Access management is about giving people what they need to do their job and restricting access to what they don’t need.
A user working in HR will have vastly different requirements to a member of your finance team. They’ll both probably need access to some of the same systems, but will seldom need to access everything on the network. Scoping access by role gives people access to what they need and helps safeguard important information from inappropriate use.
Robust user access management is all about control. Allocating access rights on a ‘need to know’ and ‘need to access’ basis is a key component of best practice (see ISO 27001). It’s vital you have a way to effectively allocate, revoke and review access rights to ensure you’re always in control of your infrastructure.
Access management has become more complex thanks to a growing number of remote and mobile workers. Remote workers add a further layer of complexity, strengthening the case for a reliable user access management process.
The Importance of Robust User Access Management
- Give appropriate access rights (and restrictions) to all network users
- Block unauthorised access to confidential systems, data or business ‘secrets’
- Quickly allocate or revoke access rights as your needs change
- Remove access rights of past employees quickly
- Keep your data, systems, and information secure
- Prevent unauthorised changes to business-critical systems

User access management can cover almost any area of a network, but is typically administered for the following network components:
- Data and databases
- Configurations – e.g. by restricting access to settings
- Input/Deletion – Not all users will be given the ability to add or remove clients from a CRM system, for example.
ITIL, a widely accepted approach to IT Service Management (ITSM), provides clear guidance for user access management. ITIL states your user access management process should include:
- Requests for access
- Rights provisioning
- Access logging and tracking
- Revocation and restriction processes
A Robust System
The best way to manage user access rights is to use a mix of technology, process, and policy. A robust system will include:
- Full details of all user access rights
- Regular review processes (minimum 6-monthly reviews)
- Simple ways to revoke and grant access rights
- Details of where confidential information is held
- A user rights allocation and revocation process e.g. for new users or leavers
- Justification for all user access rights
- The ability to receive sign-off from senior management
- Policies around user access management
- Clear communication with all users
- A way to allow authorized changes to be made to systems
- A way to prevent unauthorised changes to systems
Systems for User Access Management
Market-leading providers like Microsoft, IBM, Oracle and RSA all have a share in the user access management market. We typically see most small to medium enterprises using Microsoft Active Directory for domain-level access management and incorporating separate systems where a need arises.
Most line-of-business applications also allow rights allocation, privileges and restriction. For example, a product like Salesforce gives you the ability to grant either full or restricted access rights to separate users.
Microsoft Active Directory
Active Directory allows you to provide access via user and computer accounts and includes features like distribution and security groups. It also provides access control permissions, security identifiers (SIDs) and access control entries (ACEs). Active Directory has become a market standard for user access management and is widespread throughout the marketplace.
At iQuda we typically manage user access at a domain level, and then by application. Users are typically identified as either VIP or basic, and then allocated rights according to their job role and department. We usually develop a number of standardized profiles for our clients too, so they can quickly highlight employee access needs. As part of our service, we provide clear procedures for managing the process, and hold regular reviews to ensure access rights remain appropriate.
Help with User Access Management
Although user access management is critical, many businesses lack the resources or skills to manage it in-house. As a firm grows, it’s not unusual to see user access management falling by the wayside. At iQuda we make it our business to ensure user access management remains a top priority. Our managed solutions make it easy to outsource this function and ensure it is professionally managed from start to finish.
How We Can Help:
Complete User Access Management
Our team reviews, redesigns, monitors, and manages your user access management processes from start to finish. We handle all aspects of user rights provision, allocation, revocation, and review to ensure your business-critical systems are secure. We provide a full set of policies and procedures to ensure the process is well managed, well communicated and above all simple. We process all user access requests on your behalf via our dedicated control center through request fulfillment automation.
User Access Management Consultancy
We’ll help you develop robust systems and processes to streamline user access management. Our team works with you to clearly define your goals, and then help you formulate a plan to make user access management work for you. We can consult on any aspect of user access management – from sourcing the right systems to developing your process and executing clear policies.
Our dedicated consulting team has decades of experience and a proven track record of IT management capability. We provide clear, precise consultancy on most aspects of enterprise-grade ICT.
Get in touch
For more information about our user access management solutions, please contact a member of our team today or book a free consultation.
Our head office is located in Maylands Business Park, Hemel Hempstead. From our central location, we work with firms throughout Hertfordshire, Bedfordshire, Buckinghamshire, and London.