A lot of time can be spent in an organization firming up authentication and access control systems to ensure greater levels of security to their network. All of this however is only one step to insuring a users credentials are not compromised. Considerations need to be made for post authentication. There are several things organizations can do to mitigate risk associated with post login activities.
First and foremost, training should be one of the top priorities of the organization. There must be a comprehensive training program for employees within different divisions of the organization (adjusted accordingly for the various levels of access and privileges). In terms of proper use of access control technologies (such as tokens, etc.), policies, and best practices, “Organization members (need to) know what questions to ask and how to find the services they need” (Johnson, E. M., & Goetz, E, 2007). They need to be aware that it is not acceptable, for example, to leave workstations unattended. Policies should be enforced ensuring that systems are locked down effectively when being left unattended.
At the level of failure where security training has not yielded in effective lock down processes by employees, the next layer of protection comes through the use of timeouts. Timeouts are probably one of the most common approaches used. They enable the system to automatically lock a workstation after a set amount of time. A typical setup involves a prompt to re-enter credentials in order to continue working within the system. While timeouts can be frustrating for the end-user, they provide a safe way of effectively locking down access that otherwise could have been left open.
Other technologies can be implemented, depending on the costs involved and the assets to protect. Active proximity cards contain a wireless transceiver that maintains a connection directly with the system the user is working with. If the user leaves the general vicinity, the connection is interrupted and the system automatically locks. UMUC (2013). Every organization will however be different and the type of data being protected will influence the overall choices in adoption of post-authentication procedures, technologies and techniques.
References:
Johnson, E. M., & Goetz, E (2007). Embedding Information Security into the Organization. IEEE Security and Privacy, pp. 16-24, May/June, 2007
UMUC (2013). Preventive and Protective Strategies in Cybersecurity. Retrieved from https://leoprdws.umuc.edu/CSEC630/1306/csec630_04/assets/csec630_04.pdf
