Two Access Credentials Best Practices to Adopt Right Now

by

To solidify business continuity, IT Teams, IT Steering Committees, and their MSPs should embrace two durable and future-proof access credentials best practices.

Access credentials AKA “email addresses and passwords” are the proverbial combinations for each master lock protecting every endpoint in your IT infrastructure: hardware, software, applications, and anything with an IP address that’s integrated with the corporate network.

  • Do you have a comprehensive inventory of your administrative access credentials?
  • Do you know where these administrative access details are stored?
  • Does more than one trusted custodian have access to these critical codes?
  • Do you want greater freedom to audit your systems?

If you’re familiar with the rationale for writing a will – storing it in a safe place, making backup copies in different formats, and assigning primary, secondary, and tertiary executors/beneficiaries/representatives with power of attorney – you’ll appreciate this business case for taking a strategic approach to managing administrative access credentials.

Learn More: Credential Management

 

#1 – Take Inventory of Access Credentials

Taking inventory of your access credentials is step one. Select members of your IT team and MSP need this information for several reasons:

  • Day-to-day administration
  • Activating new services
  • Cybersecurity insurance application questionnaires
  • Compliance initiatives
  • Technical assessments from third parties
  • Onboarding new IT personnel in oversight roles

The Highest Priority Access Credentials

While our default recommendation is unsurprisingly strict: store all access credentials for your entire digital estate in one place, the following four categories are your highest priority.

  • Firewall Administrator (Controls the gates to the castle.)
  • Domain Administrator (Holds the local master key to every device on the network.)
  • Global Administrator (M365, SharePoint, OneDrive, and Google Workspace)
  • Backup Solutions (The local hardware, software, and cloud services that back up your data. Local host passwords apply to physical servers and virtual machines (VMs) on the physical server.)

Learn More: Microsoft Global Administrator

The Second Highest Priority Access Credentials

The following credentials and the last exhibit are significant, but less so than the four biggies mentioned above.

  • DNS and domain registrars for your website(s)
  • Wi-Fi devices
  • Switches
  • Line of Business Applications
  • Printers, printer support
  • Email systems
  • Network diagrams (A graphical depiction of your network loved by IT enthusiasts and largely overlooked by IT users and administrators. When you switch MSPs, the new provider usually prefers to create an updated diagram versus taking the word of another MSP.)

If someone on your IT team, IT Steering Committee, or MSP needs access to anything on the list from DNS to email platforms, but doesn’t have credentials, an IT specialist can “jailbreak” their way into these systems.

However, this workaround is only recommended as a last recourse. It’s far from ideal.

 

#2 – Lock Down and Share Access Credentials with Your Inner Circle

That’s why we advocate compiling a comprehensive list of administrative access credentials and locking them down in a vault AKA a password manager like 1Password.

This access credential management best practice helps you avoid any single points of failure. So, you’re all set for worst-case scenarios.

The Show Must Go On

When a few people at your company and your MSP have controlled access, the show will go on, with no ands, ifs, buts, or regrets if:

  • Your IT director ends up in the ICU and he’s the only one with administrative access credentials. Unfortunately, this is a recent example from real life.
  • You want to get a second opinion on the cybersecurity fitness of your network but worry you may upset your current IT provider.
  • Your MSP gets hit and locked down with ransomware or goes out of business.
  • Your cyber insurance or cyber liability insurance policies are up for renewal, and you can’t get access to key system details to complete the policy renewal questionnaire.
  • A new employee joins your company and doesn’t have visibility into critical service details to work with your MSP and partner on service updates that require dual administrative access.
  • There’s a fire, flood, emergency, or another worldwide health scare.

 

Your Agile Business Continuity Journey

The most advanced IT environments are vulnerable if IT teams and their MSP partners don’t have a resilient and repeatable plan A, B, C, and D.

If you have a few sets of car keys, extra batteries for your garage door opener, and a short list of medical specialists on the radar (because your current roster is nearing retirement), you’re ready to take the same approach with your IT systems.

Adopt this mindset and you’ll never be held hostage.

Please schedule a discovery session to learn more about access credentials best practices, and more.

 

 

 

 

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.

Keep reading

How to Run Governance on Your Security Awareness Training Program

How to Run Governance on Your Security Awareness Training Program

Has your company decided to take the plunge, and start a regular schedule of monthly online security awareness trainings for your employees? Great! You’ve just taken a big step toward hardening your cybersecurity defenses. Now what? Chances are, you’ve purchased a...

What Can Cybersecurity Awareness Training Do for My Company?

What Can Cybersecurity Awareness Training Do for My Company?

Global spending on employee cybersecurity awareness training is predicted to exceed $10 billion USD by 2027, up from around $5.6 billion USD in 2023, according to the latest estimates from Cybersecurity Ventures. Why? Because more companies than ever are realizing...

Third Party Vendor Risk Management: A Guide for Law Firms

Third Party Vendor Risk Management: A Guide for Law Firms

You've bought the cybersecurity tools your MSP recommended to manage your cybersecurity. You use a permission-based platform to transfer client files back and forth. Your firm should be covered for data breaches, especially third-party vendor risk, right? Tell that to...