How can I protect my applications?
Step 1: Involve data owners
Only data owners have the authority to decide which users should have access to certain applications. The first step is therefore to determine these data owners: select the persons from the different departments whom you want to be in charge of approving or rejecting access to applications. This ensures that access rights are granted only to persons who actually need the data in question to perform their specific job tasks.
Step 2: Recertify access rights
A key part of protecting your applications is to keep those access rights up to date – constantly. Otherwise, your staff members will simply accumulate privilege upon privilege, while obsolete privileges are never removed. Unfortunately, most companies lack a structured process for deleting those unneeded privileges. It is therefore essential to establish such a process, one which ensures that data owners regularly review application privileges and adapt them accordingly.
Step 3: Keep track
Are you aware of who has access to applications in your company and who does not? If the answer is no and you feel that your access landscape is slowly overflowing into a sea of chaos, this is cause for alarm – and not just for security reasons! You are also breaching legal regulations such as the GDPR. To counteract this, you should immediately set up a reporting system in order to maintain a complete overview of all access rights.
Step 4: Use profiles
People who belong to the same group of users usually require the same access rights to applications. To simplify the process of assigning these access rights and also make it more transparent, you can define so-called “access profiles”. Here, all access rights required by a certain user group are compiled into one profile. Users can then be assigned to one or more profiles (for instance the profiles “IT department” and “Team leader”).
Step 5: Document processes
Once a data incident occurs, the search for causes soon begins. To be able to track precisely why a user has a particular access right to an application, you must ensure that all requests, approvals, and changes are documented in detail. This way, you will always be able to see why a user has been granted a certain permission and by whom.
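The five steps above, as one small added model (example code, not part of the original article): access profiles bundle rights per user group, only the application's data owner can approve a request or recertify a grant, an access report shows who can reach which application, and every decision is written to an audit log. Profile names, application names and owner names are constructed sample data.

```python
from dataclasses import dataclass, field

# Step 4: access profiles, one bundle of application rights per user group (sample data).
PROFILES = {
    "IT department": {"ticketing", "monitoring"},
    "Team leader": {"ticketing", "hr-portal"},
}
# Step 1: the data owner of each application (constructed names).
DATA_OWNERS = {"ticketing": "alice", "monitoring": "bob", "hr-portal": "carol"}
# Step 5: audit trail of every request, approval, rejection and revocation.
AUDIT_LOG = []


@dataclass
class User:
    name: str
    profiles: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # rights granted outside any profile


def effective_rights(user):
    """All applications reachable through the user's profiles plus direct grants."""
    return set().union(*(PROFILES[p] for p in user.profiles), user.direct_grants)


def request_access(user, app, approver, approved, when):
    """Only the application's data owner may decide; the decision is always logged."""
    if approver != DATA_OWNERS[app]:
        raise PermissionError(f"{approver} is not the data owner of {app}")
    AUDIT_LOG.append({"date": when, "user": user.name, "app": app, "by": approver,
                      "action": "approved" if approved else "rejected"})
    if approved:
        user.direct_grants.add(app)
    return approved


def recertify(user, decisions, reviewer, when):
    """Step 2: the data owner confirms or revokes each direct grant; returns revoked apps."""
    revoked = set()
    for app, keep in decisions.items():
        if reviewer != DATA_OWNERS[app]:
            raise PermissionError(f"{reviewer} may not recertify {app}")
        if not keep and app in user.direct_grants:
            user.direct_grants.discard(app)
            revoked.add(app)
        AUDIT_LOG.append({"date": when, "user": user.name, "app": app, "by": reviewer,
                          "action": "recertified" if keep else "revoked"})
    return revoked


def access_report(users):
    """Step 3: who can reach which application, including rights inherited from profiles."""
    report = {app: set() for app in DATA_OWNERS}
    for u in users:
        for app in effective_rights(u):
            report[app].add(u.name)
    return report
```

Rights inherited from a profile are not removed by recertifying a single user; they change by editing the profile, which is exactly what makes profiles easier to review than a pile of individual grants.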