A company may work with several services and run several websites or applications, while employing tens of people and serving hundreds of thousands of buyers of its goods or services. The question is how to organize access for the different types of users across these sites so that the system stays secure against hacker attacks and data leakage.
If you look at the situation in a simplified way, implementing this comes down to two steps:
- Deny access to outsiders.
- Fix system vulnerabilities.
The first step is to verify the user who is trying to log in, so that outsiders cannot. This is done by authentication, the procedure for verifying a claimed identity. It comes in several types.
Types of authentication
Authentication can be single-factor, two-factor or multifactor. The factors can be:
- Password login.
- Verification by certificate or electronic signature.
- Confirmation with one-time passwords.
- Login using a security key.
- Access to applications under a single account.
Interestingly, in two-factor and multifactor authentication two or more factors can be combined in any order, and single-factor authentication need not be a password, which is considered the most vulnerable factor.
It can also be based on the use of:
- hardware identifiers — smart cards, Touch Memory, USB keys;
- digital signature;
- one-time (OTP) passwords;
- authorization through social networks;
- biometric authentication.
This is important! Biometric authentication is interesting because it cannot be forgotten, passed on to someone else, or lost.
Now that we have seen how to tell a legitimate user from an unauthorized person before granting access, let's see how to avoid vulnerabilities in the system itself.
Why password authentication is the most vulnerable
You have surely heard that cracking a password is easier than defeating other factors. To understand why, consider the types of password authentication vulnerabilities found in web applications:
- The application allows users to set simple passwords.
- The web application does not protect against password brute-force attacks and does not block them.
- The web application does not allow the user to change the password.
- The web application has access to customer passwords and stores them in plain (unencrypted) text in a table, while the table itself is accessible through employee accounts.
- The web application has a function to remind the user of their password or generate a new one, and sends it by e-mail in plain text. A mailbox, however, is not a suitable place for long-term storage of such data.
- The web application allows password recovery over an unencrypted channel and does not authenticate the user before resetting the password.
- When identifying a user, the system asks a secret question whose answer can be found in public sources, for example, "When were you born?".
- The web application does not terminate the session when it should end and offers the user no way to end it.
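The list above is easiest to read as requirements for a login service. The following is an added example, not code from the original article or any product it mentions, showing how several of those points are closed in one place: a password policy that rejects simple passwords, a salted slow hash (scrypt) so the table never holds the password itself, lockout after repeated failures, and a reset flow that authenticates the user with a short-lived single-use token instead of mailing a password in plain text. The in-memory `USERS` table, the threshold constants and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory user store for this example; a real application keeps
# these records in a database. Names and thresholds are hypothetical.
USERS: dict = {}
MAX_FAILURES = 5            # failed logins before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long a locked account stays locked
RESET_TOKEN_TTL = 15 * 60   # a reset token must be used within this time
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_is_acceptable(password: str) -> bool:
    """Reject the simple passwords the list above warns about."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash: the table never holds the password itself."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> bool:
    if not password_is_acceptable(password):
        return False
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failures": 0,
        "locked_until": 0.0,
        "reset": None,  # (sha256 of token, expiry) while a reset is pending
    }
    return True


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'invalid' or 'locked'; lock the account after repeated failures."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return "invalid"
    if now < user["locked_until"]:
        return "locked"
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        user["failures"] = 0
        return "ok"
    user["failures"] += 1
    if user["failures"] >= MAX_FAILURES:
        user["failures"] = 0
        user["locked_until"] = now + LOCKOUT_SECONDS
        return "locked"
    return "invalid"


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use, short-lived token to send to the user; only its hash is stored."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = (hashlib.sha256(token.encode()).digest(), now + RESET_TOKEN_TTL)
    return token


def reset_password(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """The user proves control of the token before anything changes; the token is then spent."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    token_hash, expires_at = user["reset"]
    presented = hashlib.sha256(token.encode()).digest()
    if now > expires_at or not hmac.compare_digest(presented, token_hash):
        return False
    if not password_is_acceptable(new_password):
        return False
    user["reset"] = None  # single use
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    user["failures"], user["locked_until"] = 0, 0.0
    return True
```

The reset token is sent over the existing TLS channel to an address already on file and expires after fifteen minutes, which is what makes the mailbox an acceptable transport even though it is not an acceptable store. The unknown-user branch in `login` deliberately performs the same hash work, so response time does not reveal which usernames exist.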
This is important! Authentication is needed not only for users but also for devices on the network, so you may need to whitelist the devices that are allowed to connect.
Cloud account protection
Many companies work remotely. This was not unusual even before the quarantine began in March 2020, and with its arrival the shift to this format accelerated. At the same time, working in this mode increases the load on the corporate network, as the need for a CRM system, conference calls, larger file storage and so on grows. Many companies turn to cloud services (SaaS/PaaS) to optimise server performance.
This requires additional attention to security. Let's look at the issues you need to pay attention to and how to solve them:
- Creating accounts for employees. This should be automatic, with a user role assigned at creation. For this, the SaaS needs to be integrated with a corporate authentication system or an Identity Provider of the Identity and Access Management class, in which a set of attributes is defined for each role.
- Access rights management. To avoid the difficulty of controlling distributed data stores, administrators should manage accounts in the Identity Provider. If an attacker gained access to an administrator account, they would undoubtedly cause irreparable harm to your organization, so administrator accounts should be protected with multifactor authentication. Best of all is to let administrators log in with authorization tokens. These tokens should be numbered, and when an employee changes position or finishes work on a project, the key must be handed back.
- Protecting employee accounts. When employees work outside the office, data protection becomes more pressing. At a minimum, employee accounts must be protected by two-factor authentication.
- Access for employees of other organizations. To give partner companies access to resources, configure their authentication checks as for the consumer role: open only the resources they need and close the rest.
- Timely revocation of access rights. Permanent employees change positions and move between departments, and the company may also employ seasonal workers. If their access stays the same, it threatens the corporation's security.
- SaaS security audit. Administrators must have centralized access to a log of all employee authentication attempts; then illegitimate actions can be tracked and stopped.
Security rules for any organization
Since accounts are the channel hackers most often attack, security experts recommend establishing the following rules in every organization:
- Credentials are the property of the company. Employees may not use them to register for other services.
- Regular briefings to improve security knowledge. Employees must be aware of all possible vulnerabilities.
- Security regulations available at all times. New employees must be told about the company's security rules and have access to them.
- Up-to-date antivirus software. Antivirus databases are updated regularly, so it is vital that employees have the latest version installed on their devices.
- Intrusion detection systems in the company's computer network. Timely notification of a cyberattack helps to stop it effectively.
- Instructions on how to treat visitors to the office. The rule is simple: a visitor may not be left alone in a room, and a member of staff must accompany them. Otherwise, if the visitor turns out to be an attacker, they could install a keylogger or, for example, steal documents and keys.
- Maximum restriction of user rights in the system. Each user should have only the rights their role requires.
- State-of-the-art security hardware. The most reliable and convenient means of protection today are YubiKey USB security keys with cryptographic encryption. You can read more about them here.
If there are any questions
If you doubt that your corporate environment is sufficiently protected, or you need to investigate a data breach, please contact our specialists.
Check out our services:
- Information security diagnostics;
- Software for reliable identification and access control;
- YubiKey security keys, the best hardware security solutions.
We will be happy to help you improve security or develop security rules for your company.
Ready to build trust?