The PracticalCyberSecGuide

Access Management and Digital Identity

Accounts, sessions, privileges and online identities become safer when it is clear who enters, from where and with which permissions.

Operational brief

Objectives and practical frame

By the end of this module, the participant will be able to:

  1. 01

    explain why every account is a door to data, tools and responsibilities.

  2. 02

    distinguish personal, business, shared, administrative and critical accounts.

  3. 03

    recognize the practical risks of shared accounts and open sessions.

  4. 04

    check connected devices, recovery methods and access that is no longer needed.

  5. 05

    apply the principle of least privilege to files, cloud, business systems and accounts.

  6. 06

    choose safer behaviors when access is used from multiple devices.

3.1 What access management means

Managing access means deciding who can enter a system, with which credentials, from which devices and with which permissions. It is one of the most concrete activities in cybersecurity, because many incidents do not begin with breached technology, but with access that is misused, stolen, shared or left open.

Each account opens a different space. Sometimes it only allows someone to read information; other times it allows them to modify data, authorize payments, create users, download documents or delete files. This is why an account should not be judged only by the name of the service, but by what it actually allows someone to do.

Managing access well means connecting identity, reason, device, permissions and duration. It is not enough to know that an account exists: you need to understand who uses it, where they enter from, what they can do and when that access must be removed. Usernames, passwords, temporary codes, authentication apps, authorized devices, open sessions and account recovery are all pieces of the same control.

Note

If an account is weak, shared or too powerful, the problem does not concern only the person who uses it. It concerns all the data, services and decisions that account can reach.

3.2 Accounts, usernames and digital identity

An account is the position through which a person is recognized inside a digital service. It carries a username or email address, password, possible authentication factors, profile, permissions, history, connected devices and recovery settings.

The username identifies the account; passwords and other factors are used to prove that the person entering is authorized. In everyday work, however, an account is not only a technical element: it is also an operational identity. When a person sends an email, approves a document or modifies data with their account, that action is connected to them.

When several people use the same account, this relationship breaks. The system may show that the “administration account” modified a piece of data, but not which person actually did it. This is where initial convenience becomes a problem of traceability and responsibility.

Example

Change tracked with personal account

If a business system records that an order was modified by a person’s individual account, it is possible to reconstruct the context and ask for clarification. If instead the change comes from a shared account used by the whole office, reconstruction becomes much more fragile.

3.2.1 Personal and business accounts

Personal and business accounts must remain separate. Personal life includes tools tied to the individual: personal email, social networks, online banking, purchases, cloud, health apps, SPID or CIE. Work includes tools tied to the role: company email, business systems, CRM, accounting software, work cloud, customer or supplier portals and administration panels.

Separation prevents private data and work data from ending up in the same space. It helps the company manage permissions and responsibilities, makes it easier to revoke access when a person changes role or leaves the organization and reduces the risk that a personal problem becomes a business incident.

The critical point is not only using two different addresses. It is avoiding dangerous links: same password, same cloud, same uncontrolled devices, same recovery methods. If an old personal account is compromised, an attacker can try to use it as a foothold to reach work tools.

Mistake

“I use the same password at work too, so I can remember it.” It is only apparent convenience: if the password leaks from a personal service, it can become the key for trying access to business email, cloud or management systems as well.

3.2.2 Shared accounts: why they are risky

A shared account often starts from convenience: the office mailbox, the company social profile, access to the business system passed between colleagues, the common administrator account or the cloud created quickly to work together.

The first problem is the loss of traceability. If a file is deleted, a message is sent, data is modified or an operation is approved, the system shows the shared account, not the real person. When an incident happens, understanding what occurred becomes slower and less precise.

The second problem is the password that circulates. The more people know a credential, the more likely it is to be written down, saved, forwarded, said out loud or kept by someone who should no longer have it. When a person changes role or leaves the company, truly revoking access becomes complicated.

Attention

Shared accounts cannot always be eliminated immediately, but they must be treated as exceptions to govern: clear rules, strong passwords, MFA where available, limited permissions, periodic checks and a plan to replace them with individual accounts as soon as possible.

3.2.3 Administrator and standard accounts

Not all accounts have the same power. A standard account allows someone to work with authorized tools: reading email, using programs, consulting documents, entering data. An administrator account can instead modify important settings, install software, create users, change permissions or configure systems.

Administrator accounts are delicate because they amplify the consequences of an error or compromise. Whoever controls them can create new users, change passwords, disable protections, access more data or make it harder to discover that something is wrong.

For this reason, the most powerful account should not be the one used for browsing, reading email, opening attachments or carrying out ordinary activities. In daily practice, it is safer to use a standard account and use the administrator account only when it is truly needed.

Example

Malicious file opened from administrator account

If a person works every day with an administrator account and opens a malicious file by mistake, that file may have more opportunities to modify the system. With a standard account, some operations could be blocked or require additional authorization.

3.2.4 Accounts with access to sensitive data

An account can be critical even without being an administrator. This happens when it gives access to main email, online banking, accounting, invoices, CRM, company cloud, certified mailbox, website panel or password recovery for other services: if it is compromised, the impact can be very high.

The main email account deserves particular attention. Whoever controls the email can read private or business communications, receive password recovery links, reset access, send messages in the person’s name and convince contacts or colleagues to trust them.

The criticality of an account therefore depends on what it allows someone to do, not on the label we give it. A “simple” account can become central if it opens the way to other services or contains information that allows someone to make decisions, pay, recover access or impersonate someone.

Good practice

Make a list of the accounts that allow you to recover other accounts or access financial, personal or business data. These should be protected before secondary accounts: unique password, MFA, updated recovery methods and session checks.

3.3 Open sessions and connected devices

When we sign in to a service, the session often remains open for convenience. We do not have to enter username and password every time, but that convenience can become a risk. An open session on a shared computer, a personal laptop, an unprotected browser or a smartphone without screen lock can allow access even to someone who does not know the password.

An open session is access that has already been authorized. The password may be strong, but whoever uses that device could read emails, download attachments, access the cloud, recover passwords for other services or modify settings.

Before thinking about complex controls, it is useful to put everyday habits in order: lock the screen when you step away, sign out of accounts on shared computers, avoid saving passwords on devices that are not yours and periodically check the list of connected devices.

Note

Many services show the list of connected devices. It is a page to visit periodically, especially for email, cloud, social networks, banking and business accounts.

3.3.1 Account recovery: an often underestimated point

Account recovery is used to get back into a service when you forget the password or lose access. It can rely on a recovery email, phone number, backup codes, authentication apps, security questions, identity documents or support from the service.

This mechanism is useful, but it can become the weak point of the entire digital identity. If an attacker gains access to the recovery email or linked phone number, they can try to reset passwords for other services. A well-protected account can therefore fall through a forgotten secondary channel.

Recovery checks should not be done only when there is a problem. They should be done before: which emails are linked? Is the phone number up to date? Are old mailboxes still enabled? Are backup codes stored safely?

Example

Weak recovery email

A person protects online banking well, but uses an old personal mailbox with a weak password as recovery email. If that mailbox is compromised, the attacker can try to recover other accounts and move from one service to another.

3.4 Authorizations and permissions

Authorizations define how much room for action a person has inside a system. They may be limited to reading or extend to editing, deletion, sharing, approval, data export, payment management, user creation or full administration.

In a company, permissions should follow the person’s real role. Someone who only needs to consult a document should not be able to modify it. A temporary collaborator should not see the entire archive. A cloud link should not allow editing when reading is enough.

Permissions that are too broad increase risk even when the person is trustworthy. If their account is compromised, the attacker inherits the same permissions. Limited access reduces damage; total access multiplies the consequences.

Example

Cloud permissions too broad

A manager shares a cloud folder with an external collaborator and grants edit permission on the entire folder, even though only one file needed to be read. If the collaborator makes a mistake or if their account is compromised, the impact affects the entire folder, not only the necessary document.

3.4.1 The principle of least privilege

The principle of least privilege says that every person, account, application or device should have only the permissions needed to perform its task, nothing more. It is a simple rule, but it reduces many risks because it limits what can happen when something goes wrong.

In practice, it means giving the supplier only the necessary file, the colleague read-only access if they do not need to edit, the temporary collaborator only the project folder and the administrator account only the time in which it is truly needed. At the end of a collaboration, permissions should be revoked, not left “just in case”.

Least privilege is not distrust toward people. It is a way to protect the organization also from errors, malware, credential theft and lost devices. The fewer unnecessary permissions exist, the less damage a compromised access can cause.

Exercise

three folders, accounts or tools you use often

Choose three folders, accounts or tools you use often. For each one, indicate who has access, which permission they have, whether that permission is truly needed and whether there are old accesses to remove.

3.4.2 Access from different devices

Today the same account often moves through company computer, smartphone, tablet, browser, mobile app, personal computer or devices used while traveling. This flexibility is convenient, but every connected device enters the account’s security.

If a device is old, not updated, without screen lock, used by several people or connected to unreliable networks, it can become the weak point of the entire account. Protecting the password is not enough if the session then remains open on a device other people can use.

Before accessing an important account from a device different from the usual one, it is worth doing a quick check: is the device trustworthy and updated? Does it save passwords automatically? Will it remain accessible to other people? Will you be able to close the session after use?

Attention

A compromised account can open the way to many other services, especially if it is the main email account or an account used to recover passwords. Protecting devices, sessions and recovery methods is part of protecting digital identity.

Mistake

“We share the account because it is more convenient.” Initial convenience can create lack of traceability, circulating passwords, unrevoked access and difficulty understanding who did what when a problem arises.

Good practice

Each person should use their own account, each account should have only the permissions needed and each access that is no longer useful should be removed as soon as possible.

Exercise

Account map

List at least ten personal or work accounts. For each one, indicate whether it contains important data, whether it can recover other accounts, which devices it is used from, whether it has MFA and what the impact would be if it were compromised.

In summary

Managing access means protecting the points through which data, tools and responsibilities pass. An account should be personal when possible, proportional to the role, checked across connected devices and removed when no longer needed. The rule to carry with you is simple: traceable access, minimum permissions, controlled sessions and protected account recovery.