CMS resources
CMS insights
Back to CMS insights

Brightspot security series: Why user management matters

illustration depicting the importantance of CMS user management

As part of an ongoing series addressing information security awareness, preparation and response, David Habib, our Chief Privacy & Security Officer, offers best practices and proven strategies, as well as pitfalls to avoid. In this article, he outlines how to configure user and role management capabilities to ensure the overall security of your system.

User and role management is one of the most important aspects of keeping a company's information safe. Ultimately, it's all about making sure the right people have access to the correct information and tools they need for their jobs—and no more. That way, it's much harder for someone to get into places they shouldn't be, which helps prevent data leaks or other security problems. It also makes it easier to keep track of who did what, so if something goes wrong, you can pinpoint exactly how it happened.

Brightspot’s user and role management capabilities are designed with this in mind, but it’s up to your team to configure and maintain the users and roles within Brightspot. You can find more information about how to manage users and roles in Brightspot on our website.
This guide will provide an overview of the best practices—the most common recommendations from experts—for managing accounts in Brightspot and your other cloud and Enterprise applications.

That said, your organization's policies and procedures should take precedence over any recommendations I make below.

Information security should always be a conversation, so I encourage you to talk to your IT and security teams, business leaders and us at Brightspot about your security goals.

Best practices for robust and secure account management

When adding a user, thoughtfully consider which role aligns with the principle of least privilege.

Principle of least privilege: This principle dictates that users should be granted only those access rights that are essential to performing their duties. For instance, a junior employee doesn't need the same access rights as the IT manager. Limiting access minimizes the risk of accidental or malicious misuse of the system.

Look at the roles you’ve created in Brightspot, and see if they reflect your workflow. Most organizations align into functions and review processes, and Brightspot is designed to work with how you work. Eliminate roles that are outdated or loosely defined.

Regular audits of user access: Routine audits are crucial. This means reviewing who has access to what within the system (users and roles), and then ensuring that this access is still necessary and appropriate. This practice is critical in dynamic environments where employee roles can change, in turn necessitating different access rights.

Brightspot recommends an annual user audit plus a review before any major event.
Operating in an environment that is a hybrid between centralized and decentralized identity is strongly discouraged because it’s hard to manage and very difficult to keep consistent.

Choosing between external and local identity stores: Companies must decide whether to use external identity providers (like OAuth or SAML services) or manage identity stores in Brightspot. Brightspot supports both models, though we recommend any organization larger than 10 people use a centralized identity management tool. This makes for cleaner and more reliable change management (onboarding, offboarding), as well as consistent policy management (password policies, MFA).

Enforcement of strong password policies: Implementing thoughtful password policies is fundamental, like installing a lock on a door. Organizations typically have established password guidelines, and you should ensure they’re enforced in either Brightspot or your identity management tool.

Brightspot recommends the use of passphrases: long, multi-word passwords. A sufficiently long passphrase (like thesetruthstobeselfevident) is easier to remember than a short and complex password (like 2bOr!2b), and is harder to "crack."

Implementation of multi-factor authentication (MFA): MFA significantly enhances security by adding a second layer of authentication beyond just the password. This could be a temporary code sent to a user's phone or a biometric verification. MFA is particularly important for access to sensitive systems or data.

Brightspot recommends using a mobile app such as Google Authenticator or Microsoft Authenticator as the “second factor.” Security questions as a second factor are discouraged, as are text messages, because these are more easily compromised.

Regular user training and awareness programs: Continuous education and awareness programs for users are a key component of your information security program. Did you know that essentially all successful ransomware attacks last year involved an insider ”falling for” a scam? When it comes to phishing, smishing, malicious ads and social engineering attacks, the best defense is a knowledgeable workforce.

Prompt response to security incidents: Rapid response protocols for suspected security breaches are crucial. This includes procedures for incident reporting, investigation and remediation. Quick action can mitigate the impact of a breach and prevent further compromise of the system.

Edward Murray
By Edward Murray
August 26, 2021
Learn how to approach multi-layered security to protect from external and internal threats.
4 Min Read

Ensure your users know what to look for and how to report anything that looks “fishy.” It’s advisable to review this message while you do your account reviews—again, once a year and before any major event.

Effective offboarding processes: Employees' access to Enterprise systems should be immediately revoked when they leave the organization. This prevents ex-employees from accessing sensitive information or systems, post-employment.

Use of role-based access control (RBAC): RBAC is a method where access rights are granted based on the user’s role within an organization rather than individual discretion. This means that a new employee’s level of access to Brightspot is predetermined according to their role in the organization rather than invented every time.

While RBAC tends to be a better fit for larger organizations, the concept is useful when considering your user management approach.

The bottom line

Remember that when planning and implementing a well-rounded security program, the best firewalls, intrusion detection systems and antivirus software are only optimal when accompanied by the effective management of the people who are allowed in.

Following these best practices will help ensure the security of your Brightspot application for years to come.

David Habib is Brightspot’s Chief Privacy & Security Officer. Brightspot customers can schedule "office hours" with David to discuss this, or any, infosec topic.

Brightspot manages updates, upgrades, security patches, storage, bandwidth and more, allowing you to focus on creating exceptional experiences for your customers.

image of Brightspot Chief Information Officer David Habib
About the Author
As Brightspot’s CSO, David is responsible for our DevOps, Security, IT and Customer Support functions as well as playing advisory roles in both the Gyro product line and Brightspot’s federal offerings. David has been the CIO since October of 2018.

Related resources

Let us give you a demo
Hear how Brightspot can turn your digital strategy goals into a reality and see how the lives of your content creators and developers will be changed using our platform.

Request Demo