Introduction
Managing user and service accounts is essential for securing your organization's systems and data. Understanding the different types of accounts, such as internal employee accounts, external user accounts, system-to-system (API) accounts, and service accounts, helps organizations establish effective access controls and maintain compliance with security frameworks.
This guide provides a structured approach to identifying, categorizing, and securing accounts to align with regulatory requirements and mitigate risks associated with unauthorized access.
Note: A common issue organizations face is the misuse of "group accounts" as individual user accounts. For example, addresses like sales@email.com, support@email.com, or security@email.com are often mistakenly set up as individual accounts instead of using the "group" email feature within modern Business Productivity and Collaboration Suites (e.g., Google Suite, Microsoft 365). This presents a security risk because an individual account has its own web-based login (and therefore a password and session that can be shared or compromised), whereas a group address only delivers mail to existing individual accounts and has no login of its own. To mitigate this risk, these misconfigured accounts should be deleted and recreated using the "group" email option.
1. Identifying In-Scope Accounts for Your Audit
Identifying in-scope accounts involves understanding which accounts have access to sensitive or critical assets within your organization and who is responsible for managing user access under the applicable contractual agreements. Responsibility will usually lie with your organization, but it may also reside with your customers or clients, or even with third parties.
In-Scope Accounts
These are accounts that your organization manages, including:
- User Accounts: Regular accounts assigned to employees for daily operations.
- Privileged Accounts: Accounts with administrative privileges capable of making system-wide changes.
- Service Accounts: Used by applications or services to interact within on-premise and cloud environments.
- System-to-System (API) Accounts: Enable automated interactions between systems, requiring strict authentication and security controls.
- Group Email Accounts: Configured correctly within Business Productivity Suites to prevent unauthorized direct access while enabling secure collaboration.
Out-of-Scope Accounts
These accounts are managed by external parties, typically as part of contractual agreements:
- Customer or Client Accounts: Used by external clients to access services or products, managed by the clients or third-party providers.
- Incorrectly Configured Group Accounts: Individual accounts created for shared access (e.g., support@email.com) instead of using the proper group email feature. These should be reconfigured to enhance security.
Note: Clearly define account management responsibilities in all contractual agreements to avoid compliance gaps.
2. Categorizing Accounts
Categorizing accounts ensures the correct security controls are applied based on access level and data sensitivity:
- Internal Accounts: Used by employees and internal teams, requiring access reviews, password management, and multi-factor authentication (MFA).
- Customer Accounts: Used by external clients to access services. Security controls should include data protection, privacy settings, and user consent management.
- Temporary Test Accounts: Created for software development and testing. These must be tightly controlled and promptly decommissioned after use.
- External Party Access: Provided to third parties for collaboration. These accounts must have limited, temporary access, with enforced monitoring and logging.
Action Required: Conduct an internal review of all accounts to ensure proper categorization, enabling effective security control alignment.
3. Connecting Accounts to Controls
Once categorized, accounts must be linked to specific security controls to ensure compliance and reduce risks:
- Access Control Policies: Define who may access which data and services, under what conditions, and with what authentication requirements.
- Regular Audits and Reviews: Implement scheduled access reviews, particularly for privileged and service accounts.
- Data Encryption and Masking: Ensure customer data is encrypted in transit and at rest, and apply data masking where necessary.
- Incident Response Plans: Establish protocols for addressing security breaches involving compromised accounts.
4. Special Considerations for Software Development
- Temporary Test Accounts: Ensure these are governed by the Software Development Life Cycle (SDLC) policy, including guidelines for creation, use, and decommissioning.
- External Party Access to Internal Folders: Use secure, time-limited sharing mechanisms with audit logs to monitor external activities.
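The steps in sections 1 to 4 (identify in-scope accounts, categorize them, map each category to controls, and enforce time limits on test and external accounts), together with the note about role mailboxes set up as individual logins, can be turned into a repeatable audit check. The following Python script is an added example and is not part of this guide; it assumes a constructed inventory export in which each account carries an email, a kind (user, group or service), a category, an MFA flag and an optional expiry date. The field names, the category names, the list of role-style local parts and the per-category control table are all illustrative assumptions, to be replaced with your own directory export and policy.

```python
"""Account inventory audit (added example; field names and policy table are assumptions).

The inventory is a list of dicts with 'email', 'kind' ('user', 'group' or
'service'), 'category', 'mfa' and optionally 'expires' (ISO date string).
"""
from datetime import date

# Role-style local parts that normally belong to a group address, not an
# individual login. Illustrative list; extend it for your organization.
ROLE_LOCAL_PARTS = {"sales", "support", "security", "info", "admin", "billing"}

# Minimum controls per category (section 2 of the guide, expressed as data).
# 'expiry' means the account must be time-limited (sections 2 and 4).
REQUIRED = {
    "internal":   {"mfa": True,  "expiry": False},
    "privileged": {"mfa": True,  "expiry": False},
    "test":       {"mfa": False, "expiry": True},
    "external":   {"mfa": True,  "expiry": True},
    "service":    {"mfa": False, "expiry": False},
}

# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    {"email": "alice@example.com", "kind": "user", "category": "internal", "mfa": True},
    {"email": "support@example.com", "kind": "user", "category": "internal", "mfa": False},
    {"email": "sales@example.com", "kind": "group", "category": "internal", "mfa": False},
    {"email": "root-admin@example.com", "kind": "user", "category": "privileged", "mfa": False},
    {"email": "qa-test-42@example.com", "kind": "user", "category": "test",
     "mfa": False, "expires": "2024-01-31"},
    {"email": "vendor.bob@partner.example", "kind": "user", "category": "external", "mfa": True},
    {"email": "ci-deploy@example.com", "kind": "service", "category": "service", "mfa": False},
]


def local_part(email):
    """Return the lower-cased part of the address before the '@'."""
    return email.split("@", 1)[0].lower()


def audit(inventory, today):
    """Return a list of (email, finding) tuples for accounts that violate the policy."""
    findings = []
    for acct in inventory:
        email = acct["email"]

        # Note case from the guide: a role mailbox configured as an individual
        # login instead of a group address.
        if acct["kind"] == "user" and local_part(email) in ROLE_LOCAL_PARTS:
            findings.append((email, "role mailbox configured as individual account; recreate as group"))

        # Correctly configured groups have no login, so no further controls apply.
        if acct["kind"] == "group":
            continue

        reqs = REQUIRED.get(acct["category"])
        if reqs is None:
            # Uncategorized accounts cannot be mapped to controls (section 3).
            findings.append((email, f"unknown category {acct['category']!r}; cannot map to controls"))
            continue

        if reqs["mfa"] and not acct.get("mfa", False):
            findings.append((email, "MFA required for category but not enforced"))

        if reqs["expiry"]:
            exp = acct.get("expires")
            if exp is None:
                findings.append((email, "time-limited access required but no expiry set"))
            elif date.fromisoformat(exp) < today:
                findings.append((email, f"access expired on {exp}; decommission"))
    return findings


def audit_sample(today_iso):
    """Run the audit over the constructed sample inventory as of the given ISO date."""
    return audit(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for email, finding in audit_sample("2024-06-01"):
        print(f"{email}: {finding}")
```

Run as of a chosen date, the sample flags the support@ login as a misconfigured group mailbox (and, because it is an individual internal account, as lacking MFA), the privileged account without MFA, the expired test account and the external account with no expiry, while the correctly configured sales@ group, the MFA-protected employee and the service account produce no findings. The policy table is deliberately separate from the checking logic so that the control mapping from section 3 can be reviewed and changed without touching code.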
Conclusion
Effective account management requires understanding the scope of all accounts, categorizing them based on risk, and applying stringent security controls. By following these best practices, organizations can significantly reduce the risk of unauthorized access and data breaches, ensuring system integrity and regulatory compliance.