Cyber Essentials: User Access Control

Protecting user accounts and helping prevent misuse of privileged accounts is essential for any cyber-secure system or network. User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.

Any organisation whose employees connect to the Internet needs some level of access control in place. Access controls authenticate and authorise individuals to obtain information that they are permitted to see and use. Without appropriate access control there is no data security.

Put simply, access control is the selective restriction of access to data. It consists of two elements:

1. Authentication – a technique used to verify the identity of a user.
2. Authorisation – determines whether a user should be given access to data.

To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers to the Cloud, offices and beyond.

Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they are processing.

Accounts with privileged access are a prime target for cyber criminals. This is because they offer more access compared to normal users, enabling unrestricted access to sensitive information as well as administrative rights to gain control of the network.

Convenience sometimes results in many users having administrative rights, which can create opportunities for exploitation. User accounts with special access privileges should only be assigned to authorised individuals and managed effectively.

The UK government’s Cyber Essentials Scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, against which they can achieve certification in order to prove their compliance.

Certification to the scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.

New to the Cyber Essentials scheme? Find out more

One of the scheme’s five controls is User Access Control. This can help your organisation confirm that user accounts are assigned to authorised individuals only, and that they provide access only to those applications, computers and networks required for the user to perform their role.

For secure access control, your organisation should routinely:

• Authenticate users before granting access to applications or devices, using unique credentials;
• Remove or disable user accounts when no longer required;
• Implement two-factor authentication, where available;
• Use administrative accounts to perform administrative activities only; and
• Remove or disable special access privileges when no longer required.

Learn more about Firewalls

Learn more about Patch management

Learn more about Malware protection

Learn more about Access control

Learn more about Secure configuration