
IAM best practices for employees with varying degrees of access to the same computer

In our organization, several users often have to share access to applications and resources on a single PC. However, we need to make sure passwords and files remain secure. What's the best way to implement access management among employees who need varying degrees of access to the same computer? Is it best to have a fingerprint scanner? Does another technology make more sense?

Protecting a single PC that several people use comes down to a combination of policy and technical controls. On the policy side, make sure each user with access to this particular PC -- and to any other workstation or server -- has a unique user ID and password. This should be stated clearly in the corporate IT security policy.

The point of unique user IDs is to be able to keep track not only of user logins, but of all user activity on the PC. If there is an incident, access can be traced to an individual. Shared user IDs, even if only for a small group, make this impossible: a log entry that says "marketing" logged in tells you nothing about which person was at the keyboard.

Windows and Unix, including Linux, all support multiple local user accounts on a single machine. Give each person their own account and make sure logons and activity are logged per account (the Windows security event log and the Unix authentication logs record which account did what), so that you can reconstruct who used the machine if you suspect malicious access.

As for stronger technical controls, such as fingerprint scanners or smart cards, the choice should be driven by the risk level of the data being accessed and by the organization's specific business needs and requirements. Keep in mind that a fingerprint reader or smart card strengthens authentication (proving who is logging in), but it does not by itself keep one user's files away from another user; that still depends on separate accounts and file permissions.


Business risk should drive enterprise security controls, not the other way around.

Do a thorough risk analysis of the data being accessed on the PC. Is it sensitive customer information or proprietary company data? Or is it aggregate demographics for marketing purposes that can't be tied back to individual customers? The first is higher risk and should be protected with stronger controls; the second is lower risk and doesn't require such tight controls.

It also sounds like this PC isn't joined to a domain, in which case it can't be governed by domain-level controls such as Active Directory Group Policy or LDAP-based accounts. In that case you'll have to rely on the local controls on the PC itself -- local accounts, local group membership, file permissions and local audit settings -- and base access on the risk level of the files and data it holds.

Also, make sure that none of the day-to-day users is a local administrator. An administrator can take ownership of any file and reset any local password, so if every user is an admin, separate accounts still give you accountability in the logs but no real separation of files, which defeats the purpose of having separate accounts on the PC. Keep one separate administrator account for maintenance and use it only for that; give everyone else a standard user account, and set file permissions so that each user's folders are accessible only to that user (and the administrator). Bear in mind that accounts and permissions only control access through the operating system: whoever can remove the disk or boot other media can still read files that aren't encrypted, so for the higher-risk case consider disk or file encryption as well.
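As an added example (not from the original tip, and not any particular product's tooling), here is a POSIX shell script that audits a standalone Linux PC for the three controls the answer describes: one personal account per person rather than shared IDs, no day-to-day user in an administrative group, and home directories readable only by their owner. The account data inside it is constructed sample input, and the GENERIC_NAMES list is an assumed heuristic for spotting role or group accounts; to check a real machine, pass the real /etc/passwd and /etc/group contents and /home to `audit` instead.

```shell
#!/bin/sh
# Added example, not part of the original tip. Audits a standalone Linux PC for:
#   1. interactive accounts that look shared rather than personal
#   2. day-to-day users who are members of an admin group (sudo/wheel/adm)
#   3. home directories that other users can read
# The SAMPLE_* data below is constructed input for demonstration only.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
marketing:x:1003:1003:shared marketing login:/home/marketing:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
sudo:x:27:bob
wheel:x:10:
alice:x:1001:
bob:x:1002:
marketing:x:1003:'

# Assumed heuristic: names that describe a role or a team rather than a person.
GENERIC_NAMES='shared guest temp test marketing sales admin user operator'

# Print login-capable, non-system accounts (uid >= 1000, real shell), one per line.
interactive_users() {
    printf '%s\n' "$1" |
        awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Print interactive accounts whose name is generic or whose GECOS says "shared":
# both are signs of an ID that is not tied to one individual.
generic_accounts() {
    passwd="$1"
    for u in $(interactive_users "$passwd"); do
        gecos=$(printf '%s\n' "$passwd" | awk -F: -v u="$u" '$1 == u { print tolower($5) }')
        case " $GENERIC_NAMES " in
            *" $u "*) echo "$u"; continue ;;
        esac
        case "$gecos" in
            *shared*) echo "$u" ;;
        esac
    done
}

# Print every member of the admin groups, one per line.
admin_users() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "sudo" || $1 == "wheel" || $1 == "adm" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' |
        sort -u
}

# Return 0 if the directory is mode drwx------ (owner only), 1 otherwise.
# ls -ld is used instead of stat -c so the check stays portable across Unixes.
home_is_private() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit PASSWD_TEXT GROUP_TEXT HOME_ROOT: print one FINDING per problem and
# return non-zero if anything was found.
audit() {
    passwd_text="$1"; group_text="$2"; homeroot="$3"
    findings=0
    for u in $(generic_accounts "$passwd_text"); do
        echo "FINDING: '$u' looks like a shared account; replace it with one ID per person"
        findings=$((findings + 1))
    done
    for u in $(admin_users "$group_text"); do
        echo "FINDING: '$u' is in an admin group; day-to-day users should be standard users"
        findings=$((findings + 1))
    done
    for u in $(interactive_users "$passwd_text"); do
        home="$homeroot/$u"
        [ -d "$home" ] || continue
        if ! home_is_private "$home"; then
            echo "FINDING: $home is readable by other users (fix: chmod 700 $home)"
            findings=$((findings + 1))
        fi
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# demo: build a scratch home tree with one deliberately open directory and audit it.
demo() {
    scratch=$(mktemp -d)
    for u in alice bob marketing; do mkdir "$scratch/$u"; done
    chmod 700 "$scratch/alice" "$scratch/marketing"
    chmod 755 "$scratch/bob"    # deliberately readable by everyone
    if audit "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$scratch"; then status=0; else status=1; fi
    rm -r "$scratch"
    return $status
}

[ "${1:-}" = "--demo" ] && demo
```

Run `sh audit.sh --demo` to see it flag the constructed data (a shared "marketing" login, "bob" in sudo, and bob's world-readable home), or source it and call `audit "$(cat /etc/passwd)" "$(cat /etc/group)" /home` as root on a real box. On a Windows PC the same three checks map to reviewing local accounts for shared names, `Get-LocalGroupMember -Group Administrators` for admin membership, and `icacls` on each user's folders to confirm that only that user and Administrators have access.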


This was first published in February 2009
