Enforcing Authentication
Authentication is the first line of defence in any secure system: it verifies that users are who they claim to be before any access is granted. Strong authentication goes beyond simple passwords. It includes enforcing multi-factor authentication (MFA), preferably a phishing-resistant form such as FIDO2/WebAuthn rather than SMS codes; setting sensible password requirements (minimum length and screening against known-breached passwords do more than arbitrary complexity rules or forced rotation); and applying account lockout or rate limiting after repeated failed login attempts. Lockout should be tuned so that an attacker cannot abuse it to lock legitimate users out of their own accounts, and the login response should not reveal whether a username exists. Organisations should also adopt modern standards such as OpenID Connect (which builds on OAuth 2.0) or SAML for federated identity and, where possible, move toward passwordless methods such as hardware security keys or passkeys. Regularly auditing active accounts and disabling dormant credentials ensures that orphaned accounts, a common attack vector, don't become entry points for adversaries.
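The lockout policy and the "don't reveal whether the user exists" point above can be made concrete. The following is an added example written for this page, not code from the original text: a small login handler with salted PBKDF2 password hashing, a sliding-window failure counter that locks the account for a fixed period, and a constant-time dummy check for unknown usernames. The thresholds, the PBKDF2 cost, the user store and the credentials are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Hypothetical parameter for the demo; production systems should tune this and
# prefer a memory-hard hash (argon2id or scrypt) with a much higher cost.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginThrottle:
    """Lock an account after max_failures failed logins within `window` seconds.

    Failures live in a sliding window, so a slow trickle of guesses does not
    accumulate forever, and the lock expires on its own so an attacker cannot
    permanently deny service to a user by deliberately failing their login.
    """

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(deque)     # username -> timestamps of failures
        self._locked_until = {}                 # username -> unlock time

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:               # lock expired: clear state
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        """Record a failed attempt; return True if this attempt triggered a lock."""
        now = self.clock()
        stamps = self._failures[username]
        stamps.append(now)
        while stamps and stamps[0] < now - self.window:   # drop failures outside window
            stamps.popleft()
        if len(stamps) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


class Authenticator:
    """Password login with lockout. Responses never reveal whether a username exists."""

    def __init__(self, throttle):
        self.throttle = throttle
        self.users = {}                          # username -> (salt, digest)
        self._dummy = hash_password("unused")    # unknown users cost the same time as real ones

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        if self.throttle.is_locked(username):
            return "locked"
        salt, expected = self.users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        if hmac.compare_digest(actual, expected) and username in self.users:
            self.throttle.record_success(username)
            return "ok"
        self.throttle.record_failure(username)
        return "bad_credentials"


class FakeClock:
    """Controllable clock so the lockout window can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Three bad guesses lock 'alice' for 300 s; the right password then works again."""
    clock = FakeClock()
    auth = Authenticator(LoginThrottle(max_failures=3, window=600, lockout=300, clock=clock))
    auth.add_user("alice", "correct horse battery staple")   # constructed demo credential
    results = [auth.login("alice", "guess%d" % i) for i in range(3)]
    results.append(auth.login("alice", "correct horse battery staple"))  # locked despite right password
    clock.advance(301)
    results.append(auth.login("alice", "correct horse battery staple"))
    results.append(auth.login("nobody", "anything"))   # unknown user gets the same generic answer
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here: the failure count is per account rather than per source address, because attackers rotate addresses, and the lock is temporary and logged rather than permanent, which bounds the denial-of-service an attacker can cause by hammering a victim's username. In production the throttle state would live in a shared store rather than process memory.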
Controlling Access Permissions
Once a user is authenticated, the principle of least privilege (PoLP) should govern what they can actually do. This means granting each user, service, or application only the minimum permissions necessary to perform their role, nothing more, with anything not explicitly granted denied by default. Role-based access control (RBAC) provides a structured way to manage this at scale, grouping permissions by job function rather than assigning them individually. Privileged access, such as admin or root-level rights, should be tightly restricted, granted just-in-time and time-limited where possible, and subject to additional logging and review. Permissions should be reviewed periodically, especially after role changes or employee departures, to prevent privilege creep, where users accumulate access rights over time that they no longer need or should have.
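As an added example, not code from the original page, the following implements the access-control pieces described above in one small module: a role catalogue, a default-deny permission check, just-in-time privileged elevation that expires on its own and is written to an audit log, and a review routine that compares live role assignments with an authoritative job-function map to surface privilege creep and orphaned accounts. The role catalogue, permission names, user names and time-to-live values are all constructed for the demo.

```python
import time

# Constructed role catalogue for the demo. Permissions are "resource:action"
# strings; a role bundles the permissions one job function needs and nothing more.
ROLES = {
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "support":   {"tickets:read", "tickets:write", "customer:read"},
    "admin":     {"iam:manage", "prod:deploy", "repo:admin"},
}

PRIVILEGED_RESOURCES = {"iam", "prod"}   # checks on these get extra audit logging


class AccessControl:
    """RBAC with default-deny checks, time-boxed elevation and privilege-creep review."""

    def __init__(self, roles, clock=time.time):
        self.roles = roles
        self.clock = clock              # injectable for deterministic tests
        self.assignments = {}           # user -> set of standing roles
        self.elevations = {}            # user -> (role, expires_at, approver)
        self.audit = []                 # (time, event, detail)

    def _log(self, event, **detail):
        self.audit.append((self.clock(), event, detail))

    def assign(self, user, role):
        if role not in self.roles:      # unknown role: fail closed rather than grant nothing silently
            raise ValueError("unknown role: %s" % role)
        self.assignments.setdefault(user, set()).add(role)
        self._log("assign", user=user, role=role)

    def revoke(self, user, role):
        self.assignments.get(user, set()).discard(role)
        self._log("revoke", user=user, role=role)

    def elevate(self, user, role, ttl, approver):
        """Grant a privileged role just-in-time; it lapses after ttl seconds."""
        if role not in self.roles:
            raise ValueError("unknown role: %s" % role)
        self.elevations[user] = (role, self.clock() + ttl, approver)
        self._log("elevate", user=user, role=role, ttl=ttl, approver=approver)

    def effective_roles(self, user):
        roles = set(self.assignments.get(user, ()))
        elevation = self.elevations.get(user)
        if elevation:
            role, expires_at, _ = elevation
            if self.clock() < expires_at:
                roles.add(role)
            else:                       # expired: drop it and leave a trace in the log
                del self.elevations[user]
                self._log("elevation_expired", user=user, role=role)
        return roles

    def effective_permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.roles[role]
        return perms

    def is_allowed(self, user, permission):
        """Default deny: only an explicit grant through a current role allows an action."""
        allowed = permission in self.effective_permissions(user)
        if permission.split(":", 1)[0] in PRIVILEGED_RESOURCES:
            self._log("privileged_check", user=user, permission=permission, allowed=allowed)
        return allowed

    def review(self, expected):
        """Compare live assignments with an authoritative user -> roles map (e.g. from HR).

        Returns roles held beyond what the job function needs (privilege creep) and
        accounts that the authoritative map no longer lists at all (orphaned).
        """
        excess, orphaned = {}, set()
        for user, roles in self.assignments.items():
            if user not in expected:
                orphaned.add(user)
            elif roles - expected[user]:
                excess[user] = roles - expected[user]
        return {"excess": excess, "orphaned": orphaned}


class FakeClock:
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    ac = AccessControl(ROLES, clock)
    ac.assign("bob", "developer")
    before = ac.is_allowed("bob", "prod:deploy")               # False: not part of the role
    ac.elevate("bob", "admin", ttl=3600, approver="carol")      # one-hour admin window
    during = ac.is_allowed("bob", "prod:deploy")               # True while elevated
    clock.advance(3601)
    after = ac.is_allowed("bob", "prod:deploy")                # False: elevation lapsed
    # dave moved from engineering to support but kept his old role; eve has left
    ac.assign("dave", "developer")
    ac.assign("dave", "support")
    ac.assign("eve", "admin")
    report = ac.review({"bob": {"developer"}, "dave": {"support"}})
    return before, during, after, report


if __name__ == "__main__":
    print(demo())
```

The review step is where least privilege is maintained rather than merely declared: run `review()` against the current job-function map on a schedule and after every role change or departure, and treat each entry in `excess` as a revocation to make and each entry in `orphaned` as an account to disable.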