User and role management is one of the most important aspects of keeping a company's information safe. Ultimately, it's all about making sure the right people have access to the correct information and tools they need for their jobs—and no more. That way, it's much harder for someone to get into places they shouldn't be, which helps prevent data leaks or other security problems. It also makes it easier to keep track of who did what, so if something goes wrong, you can pinpoint exactly how it happened.
Brightspot’s user and role management capabilities are designed with this in mind, but it’s up to your team to configure and maintain the users and roles within Brightspot. You can find more information about how to manage users and roles in Brightspot on our website.
This guide will provide an overview of the best practices—the most common recommendations from experts—for managing accounts in Brightspot and your other cloud and Enterprise applications.
That said, your organization's policies and procedures should take precedence over any recommendations I make below.
Information security should always be a conversation, so I encourage you to talk to your IT and security teams, business leaders and us at Brightspot about your security goals.
Best practices for robust and secure account management
Principle of least privilege: This principle dictates that users should be granted only those access rights that are essential to performing their duties. For instance, a junior employee doesn't need the same access rights as the IT manager. Limiting access minimizes the risk of accidental or malicious misuse of the system.
Look at the roles you’ve created in Brightspot, and see if they reflect your workflow. Most organizations align into functions and review processes, and Brightspot is designed to work with how you work. Eliminate roles that are outdated or loosely defined.
Regular audits of user access: Routine audits are crucial. This means reviewing who has access to what within the system (users and roles), and then ensuring that this access is still necessary and appropriate. This practice is critical in dynamic environments where employee roles can change, in turn necessitating different access rights.
Choosing between external and local identity stores: Companies must decide whether to use external identity providers (like OAuth or SAML services) or manage identity stores in Brightspot. Brightspot supports both models, though we recommend any organization larger than 10 people use a centralized identity management tool. This makes for cleaner and more reliable change management (onboarding, offboarding), as well as consistent policy management (password policies, MFA).
Enforcement of strong password policies: Implementing thoughtful password policies is fundamental, like installing a lock on a door. Organizations typically have established password guidelines, and you should ensure they’re enforced in either Brightspot or your identity management tool.
Implementation of multi-factor authentication (MFA): MFA significantly enhances security by adding a second layer of authentication beyond just the password. This could be a temporary code sent to a user's phone or a biometric verification. MFA is particularly important for access to sensitive systems or data.
Regular user training and awareness programs: Continuous education and awareness programs for users are a key component of your information security program. Did you know that essentially all successful ransomware attacks last year involved an insider “falling for” a scam? When it comes to phishing, smishing, malicious ads and social engineering attacks, the best defense is a knowledgeable workforce.
Prompt response to security incidents: Rapid response protocols for suspected security breaches are crucial. This includes procedures for incident reporting, investigation and remediation. Quick action can mitigate the impact of a breach and prevent further compromise of the system.
Ensure your users know what to look for and how to report anything that looks “fishy.” It’s advisable to repeat this reminder each time you do your account reviews: once a year and before any major event.
Effective offboarding processes: Employees' access to Enterprise systems should be immediately revoked when they leave the organization. This prevents ex-employees from accessing sensitive information or systems after their employment ends.
Use of role-based access control (RBAC): RBAC is a method where access rights are granted based on the user’s role within an organization rather than individual discretion. This means that a new employee’s level of access to Brightspot is predetermined according to their role in the organization rather than invented every time.
While RBAC tends to be a better fit for larger organizations, the concept is useful when considering your user management approach.
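The least-privilege, access-audit, offboarding and RBAC points above all come down to the same small model: roles grant permissions, users hold roles, and a review looks for access that no longer matches the job. The script below is an added example written for this article; it is not Brightspot's code or API. The role catalogue, the permission names, the 90-day dormancy window and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical role catalogue: each role grants only what that job needs (least privilege).
ROLE_PERMISSIONS = {
    "writer": {"content:create", "content:edit"},
    "editor": {"content:create", "content:edit", "content:publish"},
    "admin": {"content:create", "content:edit", "content:publish", "users:manage"},
}
# Permissions that deserve extra scrutiny during an access review (constructed list).
PRIVILEGED_PERMISSIONS = {"users:manage", "content:publish"}


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True
    last_login: Optional[date] = None


def permissions_for(user):
    """Effective permissions: the union of the user's roles; a disabled account gets none."""
    if not user.active:
        return set()
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def can(user, permission):
    """RBAC check: access is decided by role membership, not per-user exceptions."""
    return permission in permissions_for(user)


def offboard(user):
    """Revoke everything in one step: disable the account and strip every role."""
    user.active = False
    user.roles = set()


def audit_access(users, today, dormant_after_days=90):
    """Return (username, finding) pairs that a periodic access review should act on."""
    findings = []
    for u in users:
        # Roles that are no longer defined in the catalogue (outdated or loosely defined roles).
        for role in sorted(u.roles - ROLE_PERMISSIONS.keys()):
            findings.append((u.username, f"undefined role '{role}'"))
        # Offboarding that disabled the login but forgot to remove role memberships.
        if not u.active and u.roles:
            findings.append((u.username, "disabled account still holds roles"))
        if u.active:
            dormant = u.last_login is None or (today - u.last_login).days > dormant_after_days
            if dormant:
                findings.append((u.username, "no login in the review window"))
            if dormant and permissions_for(u) & PRIVILEGED_PERMISSIONS:
                findings.append((u.username, "dormant account with privileged permissions"))
        # A role whose permissions are fully contained in another role the user holds adds
        # nothing but clutter; flag it so the role set stays tidy.
        for r in sorted(u.roles):
            for other in u.roles:
                if (r != other and r in ROLE_PERMISSIONS and other in ROLE_PERMISSIONS
                        and ROLE_PERMISSIONS[r] < ROLE_PERMISSIONS[other]):
                    findings.append((u.username, f"role '{r}' is redundant given '{other}'"))
                    break
    return findings


# Constructed sample data for a review run on a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", {"editor"}, last_login=TODAY - timedelta(days=3)),
    User("bob", {"writer", "editor"}, last_login=TODAY - timedelta(days=10)),   # redundant role
    User("carol", {"admin"}, last_login=TODAY - timedelta(days=200)),           # dormant admin
    User("dave", {"legacy-publisher"}, last_login=TODAY - timedelta(days=5)),   # role no longer defined
    User("erin", {"writer"}, active=False),                                     # offboarded, roles left behind
]

if __name__ == "__main__":
    for username, finding in audit_access(SAMPLE_USERS, TODAY):
        print(f"{username}: {finding}")
```

Running the audit on the sample data produces one finding each for bob, dave and erin and two for carol; alice, whose editor role matches a recent, active login, produces none. The same structure applies whether the roles live in Brightspot or in an external identity provider: what matters is that the review runs on a schedule and that offboarding removes roles as well as the login.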
The bottom line
Remember that when planning and implementing a well-rounded security program, the best firewalls, intrusion detection systems and antivirus software are only optimal when accompanied by the effective management of the people who are allowed in.
Following these best practices will help ensure the security of your Brightspot application for years to come.
David Habib is Brightspot’s Chief Privacy & Security Officer. Brightspot customers can schedule "office hours" with David to discuss this, or any, infosec topic.