Access Management and Digital Identity
Accounts, sessions, privileges and online identities become safer when it is clear who enters, from where and with which permissions.
Objectives and practical frame
By the end of this module, the participant will be able to:
- 01
explain why every account is a door to data, tools and responsibilities.
- 02
distinguish personal, business, shared, administrative and critical accounts.
- 03
recognize the practical risks of shared accounts and open sessions.
- 04
check connected devices, recovery methods and access that is no longer needed.
- 05
apply the principle of least privilege to files, cloud, business systems and accounts.
- 06
choose safer behaviors when access is used from multiple devices.
3.1 What access management means
Managing access means deciding who can enter a system, with which credentials, from which devices and with which permissions. It is one of the most concrete activities in cybersecurity, because many incidents do not begin with breached technology, but with access that is misused, stolen, shared or left open.
Each account opens a different space. Sometimes it only allows someone to read information; other times it allows them to modify data, authorize payments, create users, download documents or delete files. This is why an account should not be judged only by the name of the service, but by what it actually allows someone to do.
Managing access well means connecting identity, reason, device, permissions and duration. It is not enough to know that an account exists: you need to understand who uses it, where they enter from, what they can do and when that access must be removed. Usernames, passwords, temporary codes, authentication apps, authorized devices, open sessions and account recovery are all pieces of the same control.
If an account is weak, shared or too powerful, the problem does not concern only the person who uses it. It concerns all the data, services and decisions that account can reach.
3.2 Accounts, usernames and digital identity
An account is the position through which a person is recognized inside a digital service. It carries a username or email address, password, possible authentication factors, profile, permissions, history, connected devices and recovery settings.
The username identifies the account; passwords and other factors are used to prove that the person entering is authorized. In everyday work, however, an account is not only a technical element: it is also an operational identity. When a person sends an email, approves a document or modifies data with their account, that action is connected to them.
When several people use the same account, this relationship breaks. The system may show that the “administration account” modified a piece of data, but not which person actually did it. This is where initial convenience becomes a problem of traceability and responsibility.
Change tracked with personal account
If a business system records that an order was modified by a person’s individual account, it is possible to reconstruct the context and ask for clarification. If instead the change comes from a shared account used by the whole office, reconstruction becomes much more fragile.
3.2.1 Personal and business accounts
Personal and business accounts must remain separate. Personal life includes tools tied to the individual: personal email, social networks, online banking, purchases, cloud, health apps, SPID or CIE. Work includes tools tied to the role: company email, business systems, CRM, accounting software, work cloud, customer or supplier portals and administration panels.
Separation prevents private data and work data from ending up in the same space. It helps the company manage permissions and responsibilities, makes it easier to revoke access when a person changes role or leaves the organization and reduces the risk that a personal problem becomes a business incident.
The critical point is not only using two different addresses. It is avoiding dangerous links: same password, same cloud, same uncontrolled devices, same recovery methods. If an old personal account is compromised, an attacker can try to use it as a foothold to reach work tools.
“I use the same password at work too, so I can remember it.” It is only apparent convenience: if the password leaks from a personal service, it can become the key for trying access to business email, cloud or management systems as well.
3.2.3 Administrator and standard accounts
Not all accounts have the same power. A standard account allows someone to work with authorized tools: reading email, using programs, consulting documents, entering data. An administrator account can instead modify important settings, install software, create users, change permissions or configure systems.
Administrator accounts are delicate because they amplify the consequences of an error or compromise. Whoever controls them can create new users, change passwords, disable protections, access more data or make it harder to discover that something is wrong.
For this reason, the most powerful account should not be the one used for browsing, reading email, opening attachments or carrying out ordinary activities. In daily practice, it is safer to use a standard account and use the administrator account only when it is truly needed.
Malicious file opened from administrator account
If a person works every day with an administrator account and opens a malicious file by mistake, that file may have more opportunities to modify the system. With a standard account, some operations could be blocked or require additional authorization.
3.2.4 Accounts with access to sensitive data
An account can be critical even without being an administrator. This happens when it gives access to main email, online banking, accounting, invoices, CRM, company cloud, certified mailbox, website panel or password recovery for other services: if it is compromised, the impact can be very high.
The main email account deserves particular attention. Whoever controls the email can read private or business communications, receive password recovery links, reset access, send messages in the person’s name and convince contacts or colleagues to trust them.
The criticality of an account therefore depends on what it allows someone to do, not on the label we give it. A “simple” account can become central if it opens the way to other services or contains information that allows someone to make decisions, pay, recover access or impersonate someone.
Make a list of the accounts that allow you to recover other accounts or access financial, personal or business data. These should be protected before secondary accounts: unique password, MFA, updated recovery methods and session checks.
3.3 Open sessions and connected devices
When we sign in to a service, the session often remains open for convenience. We do not have to enter username and password every time, but that convenience can become a risk. An open session on a shared computer, a personal laptop, an unprotected browser or a smartphone without screen lock can allow access even to someone who does not know the password.
An open session is access that has already been authorized. The password may be strong, but whoever uses that device could read emails, download attachments, access the cloud, recover passwords for other services or modify settings.
Before thinking about complex controls, it is useful to put everyday habits in order: lock the screen when you step away, sign out of accounts on shared computers, avoid saving passwords on devices that are not yours and periodically check the list of connected devices.
Many services show the list of connected devices. It is a page to visit periodically, especially for email, cloud, social networks, banking and business accounts.
3.3.1 Account recovery: an often underestimated point
Account recovery is used to get back into a service when you forget the password or lose access. It can rely on a recovery email, phone number, backup codes, authentication apps, security questions, identity documents or support from the service.
This mechanism is useful, but it can become the weak point of the entire digital identity. If an attacker gains access to the recovery email or linked phone number, they can try to reset passwords for other services. A well-protected account can therefore fall through a forgotten secondary channel.
Recovery checks should not be done only when there is a problem. They should be done before: which emails are linked? Is the phone number up to date? Are old mailboxes still enabled? Are backup codes stored safely?
Weak recovery email
A person protects online banking well, but uses an old personal mailbox with a weak password as recovery email. If that mailbox is compromised, the attacker can try to recover other accounts and move from one service to another.
3.4.1 The principle of least privilege
The principle of least privilege says that every person, account, application or device should have only the permissions needed to perform its task, nothing more. It is a simple rule, but it reduces many risks because it limits what can happen when something goes wrong.
In practice, it means giving the supplier only the necessary file, the colleague read-only access if they do not need to edit, the temporary collaborator only the project folder and the administrator account only the time in which it is truly needed. At the end of a collaboration, permissions should be revoked, not left “just in case”.
Least privilege is not distrust toward people. It is a way to protect the organization also from errors, malware, credential theft and lost devices. The fewer unnecessary permissions exist, the less damage a compromised access can cause.
three folders, accounts or tools you use often
Choose three folders, accounts or tools you use often. For each one, indicate who has access, which permission they have, whether that permission is truly needed and whether there are old accesses to remove.
3.4.2 Access from different devices
Today the same account often moves through company computer, smartphone, tablet, browser, mobile app, personal computer or devices used while traveling. This flexibility is convenient, but every connected device enters the account’s security.
If a device is old, not updated, without screen lock, used by several people or connected to unreliable networks, it can become the weak point of the entire account. Protecting the password is not enough if the session then remains open on a device other people can use.
Before accessing an important account from a device different from the usual one, it is worth doing a quick check: is the device trustworthy and updated? Does it save passwords automatically? Will it remain accessible to other people? Will you be able to close the session after use?
A compromised account can open the way to many other services, especially if it is the main email account or an account used to recover passwords. Protecting devices, sessions and recovery methods is part of protecting digital identity.
“We share the account because it is more convenient.” Initial convenience can create lack of traceability, circulating passwords, unrevoked access and difficulty understanding who did what when a problem arises.
Each person should use their own account, each account should have only the permissions needed and each access that is no longer useful should be removed as soon as possible.
Account map
List at least ten personal or work accounts. For each one, indicate whether it contains important data, whether it can recover other accounts, which devices it is used from, whether it has MFA and what the impact would be if it were compromised.
Managing access means protecting the points through which data, tools and responsibilities pass. An account should be personal when possible, proportional to the role, checked across connected devices and removed when no longer needed. The rule to carry with you is simple: traceable access, minimum permissions, controlled sessions and protected account recovery.