
I work in a financial institution and we're planning a protocol on guarding access. After a lot of discussion we broke it down to the question: how to ensure that the accesses (users, passwords, tokens...) are really secure and only the right person has them?

How to ensure that this person won't change the access (the password of a service, for example) without permission from a superior?

And many, many questions about passwords, accesses...

I don't want to reinvent the wheel, so I'd like to know which protocol is followed by large corporations to protect their accesses and create elevations for them.

  • This is really broad - there are lots of different options, and different options might be suitable for different systems. For example, you might use a package which sets time-limited system passwords for servers, with permission from multiple others required to verify access, but then have encrypted per-user password safes for applications that users need direct access to. – Matthew Oct 17 '17 at 12:51
  • Ok, I agree that this can be done in many ways, but I want to know if there is any "generic protocol" for the situations that need a process to ensure the security of access. For example, if a person with access to a high-priority service is dismissed from the corporation, how do you manage the safes and accesses known by this person? Is there anything like a "treaty" on access management? – Victor França Oct 17 '17 at 13:09
  • Not in a generic sense. That kind of thing should be part of the HR processes, and tied into the systems which the specific business has. These will be very different in different types of business. – Matthew Oct 17 '17 at 13:15

2 Answers


Use a third-party system to handle access. Users authenticate to the third-party system, which then grants the user access to the target system. Implementing this extra layer gives you auditing and other useful controls.

In some tools, the access system changes the password once the user is finished connecting.

The term you are looking for is "Privileged Access Management".

schroeder

This subject is called "mandatory access controls" in the CS literature, and things like "the two-person rule" in business.

In principle, some things should be prohibited, and when they must happen, should require two people to agree.

For example, adding me to a privileged group that can shut down the corporate network should be implemented by a sysadmin, and then be approved by a security administrator.

Benoit Esnard
davecb
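Putting the two answers together (brokered access with credential rotation from the first, the two-person approval rule from the second), here is an added Python sketch of how such a broker behaves. It is example code written for this page, not the code of any PAM product or of either answerer. The `Broker` class, its method names and its in-memory `vault` are assumptions for illustration; a real deployment would keep secrets in an HSM or secrets manager and actually open sessions on the target systems. It also goes one step past the answers to the comment's offboarding question: `offboard(user)` rotates every credential the leaver ever checked out.

```python
"""Toy privileged-access broker (illustrative; not a real PAM product).

Pattern: users never learn target passwords. They request access, a second
person approves, the broker opens the session on their behalf and logs it,
and on check-in the broker rotates the target credential.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    requester: str
    target: str
    reason: str
    approver: Optional[str] = None
    session: Optional[str] = None  # opaque handle given to the user; never the password


@dataclass
class Broker:
    approvers: Set[str]
    # Hypothetical in-memory vault: target name -> current secret (constructed for this example).
    vault: Dict[str, str] = field(default_factory=dict)
    requests: Dict[str, Request] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _log(self, event: str) -> None:
        self.audit.append(f"{datetime.now(timezone.utc).isoformat()} {event}")

    def _rotate(self, target: str) -> None:
        self.vault[target] = secrets.token_urlsafe(24)
        self._log(f"rotate target={target}")

    def enroll(self, target: str) -> None:
        """Take over a target's credential: from now on only the broker knows it."""
        self._rotate(target)

    def request(self, requester: str, target: str, reason: str) -> str:
        if target not in self.vault:
            raise KeyError(f"unknown target {target}")
        rid = secrets.token_hex(8)
        self.requests[rid] = Request(requester, target, reason)
        self._log(f"request id={rid} user={requester} target={target} reason={reason!r}")
        return rid

    def approve(self, rid: str, approver: str) -> None:
        """Two-person rule: an approver who is not the requester must sign off."""
        req = self.requests[rid]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == req.requester:
            raise PermissionError("requester may not approve their own request")
        req.approver = approver
        self._log(f"approve id={rid} by={approver}")

    def checkout(self, rid: str, user: str) -> str:
        """Hand the requester an opaque session handle, not the credential."""
        req = self.requests[rid]
        if req.approver is None:
            raise PermissionError("request not approved")
        if user != req.requester:
            raise PermissionError("only the requester may check out")
        req.session = secrets.token_urlsafe(16)
        self._log(f"checkout id={rid} user={user} target={req.target}")
        return req.session

    def connect(self, rid: str, session: str) -> bool:
        """Broker side: validate the handle, then (in a real system) authenticate
        to the target with vault[target] on the user's behalf."""
        req = self.requests.get(rid)
        if req is None or req.session is None:
            return False
        if not hmac.compare_digest(req.session, session):
            self._log(f"connect-denied id={rid}")
            return False
        self._log(f"connect id={rid} target={req.target}")
        return True

    def checkin(self, rid: str) -> None:
        """End the session and rotate, so anything the user observed is now useless."""
        req = self.requests[rid]
        req.session = None
        self._rotate(req.target)
        self._log(f"checkin id={rid} target={req.target}")

    def offboard(self, user: str) -> List[str]:
        """Leaver process: kill the user's sessions and rotate every target they touched."""
        touched = sorted({r.target for r in self.requests.values() if r.requester == user})
        for r in self.requests.values():
            if r.requester == user:
                r.session = None
        for t in touched:
            self._rotate(t)
        self._log(f"offboard user={user} rotated={touched}")
        return touched
```

The point of the design is that the target password only ever lives in the vault: the user holds a handle the broker can revoke, every step lands in `audit`, and rotation on check-in or offboarding makes anything the person may have seen or copied worthless.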