Web hosts, Domain registrars, PayPal, Themes, Plugins, Website platforms, Email, …
Organizations have more digital assets than they often realize, and each of those assets have users. Large companies often have a person (and sometimes more than one person) whose job it is to take care of “permissions” to the various digital resource. Processes and procedures are in place to grant access to digital resources and to remove access to digital resources. But, most of the small organizations I work with don’t have even a record of their digital assets, much less who has access.
Why Is it Important to Manage Users
I have found that the following types of users often have access to digital resources:
- Tech support from various online service companies. These technologies may not even be used any longer.
- Former employees. You just hope they don’t have a grudge they will act on.
- Former developers. You just hope they don’t have a grudge they will act on.
- Former owners.
- Employees who have changed job descriptions.
Technical and security reasons aside, having to weed through a list of users is messy to work around and unprofessional. When the list is clean and both managers and workers know who has access to what, the hunt and search overhead is reduced.
Researching Technologies and Access to Technologies
A new client with an existing website rightfully assumes I want to talk to the about what they want on their website. I do. But, not first. First, I want to know how likely their site is to be hacked, or whether it has already been hacked. Unfortunately, I have had to start with a hacked site cleanup/rebuild on a number of new projects.
So, one of the things on my list of things check is who has access to what assets. I usually find out that website owners don’t realize how many digital resources they actually have. And, they don’t understand what each resource does. Neither, do they understand how the resources interact. Not only is it important to have a list, but it’s important to understand the meaning and function of access to each resource.
Education is an important part of the process. Understanding why access matters leads is part of documenting the existence and purpose of each resource and noting who has access and whether each person with access should be able to log in. When we find a resource that is no longer in use, we cancel and remove it. This also cleans up the number of doorways hackers can use.
Understanding Levels of Access
Treat lightly in all digital accounts. Not only can there be unintended consequences, but it is normal for the interface to change. Access = Responsibility and Liability.
As an example, I prefer not to have access to any resource where company credit card information is available, not because I will abuse it, but because it is a potential liability. That means, that the type of access I prefer to a web hosting account is the lowest level of access that allows me to do my job, but not make any changes to the services.
Another situation is not to give an untrained employee the tools to go in and destroy what has been built. It has always been my policy that a client’s owners have access to everything. It’s their asset. But, that means that they have to pay to repair anything they break.
The SiteGround hosting service has “Collaborator” accounts. Other services have similar structures.
Being Careful with the Cleanup Process
The first step should always be to understand what levels of access are offered with each digital access. It is possible that only one type of login is available with some digital assets.