Information technology has evolved dramatically over past decades. Employees are a lot more able to access and manage information from various information sources often centralized. This comes at a price in the security area of the IT organization and requires proper measures. Administrators use generic account to access all levels of the IT systems with a single account, anonymously manage sensitive data and then just properly remove any traces or at least scatter the proof of any forbidden activity defined by organization internal rules. So anyone with an intention to abuse and access the data can just focus on a single role that has an access to such account. The access information of these generic accounts often used in the production or live environments to quickly resolve issues are left to employees that leave or move to a different position. These emplyees can suddenly appear on the other side of the four-eye principle process (like those moving from a controlling role to a business role) and possibly use such account to self-approve possibly risky trades or transactions that would otherwise be declined with the proper approval process. With increasing number of services provided by the IT systems users are required to remember their login credentials to number of these systems where each follows its own policy on password management. Such burden users begun to overcome with their own creativity by laying out simple or guessable passwords, mark them down an a piece of paper or just about elsewhere. For these and many other reasons it is imperative for the IT environment to effectively manage privileges, access rights and passwords including proper identification, separation of duties and roles among users and administrators and limit access at the information source and not only at the interface to it. Best practices and recommendations are always provided by our consultants. Should you require more information in the infrastructure area contact us here.
