How many doors have you left opened in your infrastructure?
I just received the most interesting email from WPML today after they helped with me a problem with my website.
WPML and M2i3 have a similar philosophy there: we don’t want access to something longer than it’s needed.
Yet, very often, client will give me their password so we can manage their accounts or help them troubleshoot issues.
In the best of world I would be able to have an account specific to me. Otherwise, I tell them to change it before they give it to us (since most people will reuse passwords) and to change it again after we are done.
Do I go and check if they truly have removed the accounts or changed the passwords?
No
That would be inappropriate and, to some extent, an attempt to breach their infrastructure. In any case I get to know if they have changed it the next time they ask for assistance.
So, I ask you this question: “how careful are you to remove accounts and change the passwords you have given to the suppliers who assist you?”
It matters quite a bit nowadays, if they are breached, your own infrastructure is exposed. Potentially your client’s data is exposed.
And, if you are in Québec, with Québec’s Law 25, you’ll be required to disclose the event which will impact your credibility. Not doing so can expose you to hefty fines (as if loosing credibility was not enough).
How can you close these doors?
There are a few things you can do to improve your security posture:
- change your password before and after giving it to a supplier (it’s actually a good practice to change passwords on a regular basis)
- create accounts specific for your suppliers when possible, make their name clear that they are suppliers (use the name of their organisation instead of the name of the person who is helping you).
- keep a registry of who you gave access, until when it’s needed and remove those accounts when they are no longer needed
- review who has access to which system on a regular basis. Remove anyone who should no longer have access.
With these little steps, your infrastructure and your data will be kept much safer.
—
Jean-Marc